COI Report – Part VI

Part VI – Key Findings of the Committee on TORs #1 and #2

664. The Committee’s findings in respect of TORs #1 and #2 have been set out in Parts III, IV, and V of this Report. From these findings, the Committee has identified five Key Findings.
Key Finding #1: IHiS staff did not have adequate levels of cybersecurity awareness, training, and resources to appreciate the security implications of their findings and to respond effectively to the attack
A number of IHiS’ IT administrators are commended by the Committee for their vigilance in noticing suspicious activity, such as unauthorised logins to the Citrix servers, suspicious attempts at logging into the SCM database, presence of unauthorised software, and suspicious queries being run on the SCM database. However, these same IT administrators could not fully appreciate the security implications of their findings, and were unable to correlate these findings with the tactics, techniques, and procedures (“TTPs”) of an advanced cyber attacker. They were also not familiar with the relevant IT security policy documents and the need to escalate the matter to CSA. There was also no incident reporting framework in place for the IT administrators. Members of the Security Management Department, Computer Emergency Response Team, and senior members of IHiS’ management were similarly unable to fully appreciate the security implications of the findings.