COI Report – Part VII, Page 300 of 425

...to-day operations, it remained in the system with full administrator privileges, and was eventually exploited in the Cyber Attack. The SA. account is yet another example – it was an inactive service account that had full administrator privileges, although there was no real reason for its existence. This too was exploited in the Cyber Attack. Although the SMD was responsible for the periodic review of user-IDs to identify and disable dormant accounts, this was not done.
873. Policies in relation to the management of accounts are laid out in the HITSPS. HITSPS policy requires that user-IDs in the IT system be reviewed periodically to identify unused or dormant accounts. Unused user-IDs should be disabled to prevent them from being used for unauthorised activities. This was not done, as evidenced by the eventual abuse of the LA. and SA. accounts, dormant and unused accounts respectively, which had not been identified.
874. It is recommended that the number of IT staff who have administrator privileges, and the number and nature of privileged accounts on the network, be reviewed, as there may be scope for rationalisation to adhere to the principle of least privilege, maintain system integrity and reduce the attack surface for privileged accounts to be compromised.
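The two controls described above (paragraph 873's periodic review of user-IDs for dormant or unused accounts, and paragraph 874's review of which accounts hold administrator privileges) can be run as one routine check over an export of the account directory. The following is an added illustration, not code from the COI Report or from SingHealth/IHiS: the account records, the account names and the 90-day dormancy threshold are all constructed for the example, since the Report does not state what review period HITSPS prescribes. It flags enabled accounts that have never logged on ("unused") or have not logged on within the threshold ("dormant"), and separately tallies how many enabled accounts carry administrator privileges so that a reviewer can judge whether there is scope for rationalisation.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    """One row of a directory export (constructed schema for this example)."""
    name: str
    admin: bool                   # holds full administrator privileges
    enabled: bool                 # account is currently able to log on
    service_account: bool         # non-interactive account used by a system
    last_logon: Optional[datetime]  # None means the account has never logged on


# Assumed review threshold: the Report does not specify the HITSPS period.
DORMANT_AFTER = timedelta(days=90)

# Constructed review time so the example is reproducible offline.
NOW = datetime(2024, 1, 15, tzinfo=timezone.utc)

# Constructed sample directory. Names are illustrative and stand in for the
# kinds of accounts the Report describes, not for any real account.
SAMPLE_ACCOUNTS: List[Account] = [
    Account("la_admin", True, True, False, NOW - timedelta(days=400)),     # dormant admin
    Account("svc_backup", True, True, True, None),                         # never-used service admin
    Account("jdoe", False, True, False, NOW - timedelta(days=2)),          # active user
    Account("sysadmin1", True, True, False, NOW - timedelta(days=1)),      # active admin
    Account("oldcontractor", False, True, False, NOW - timedelta(days=200)),  # dormant user
    Account("retired_admin", True, False, False, NOW - timedelta(days=500)),  # already disabled
]


def find_inactive_accounts(accounts: List[Account], now: datetime = NOW,
                           dormant_after: timedelta = DORMANT_AFTER
                           ) -> List[Tuple[str, str, bool]]:
    """Return (name, status, is_admin) for every enabled account that is
    'unused' (never logged on) or 'dormant' (no logon within dormant_after).
    Disabled accounts are skipped: they are already the desired end state."""
    findings = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.last_logon is None:
            status = "unused"
        elif now - acct.last_logon > dormant_after:
            status = "dormant"
        else:
            continue
        findings.append((acct.name, status, acct.admin))
    # Privileged findings first, so the highest-risk items head the list.
    return sorted(findings, key=lambda f: (not f[2], f[0]))


def accounts_to_disable(accounts: List[Account], now: datetime = NOW) -> List[str]:
    """Names of enabled accounts the policy says should be disabled."""
    return [name for name, _status, _admin in find_inactive_accounts(accounts, now)]


def privileged_account_review(accounts: List[Account], now: datetime = NOW) -> Dict[str, int]:
    """Counts a reviewer needs to assess scope for rationalisation:
    how many enabled accounts hold admin rights, how many of those are
    service accounts, and how many have not been used within the threshold."""
    inactive_admins = {name for name, _s, admin in find_inactive_accounts(accounts, now) if admin}
    enabled_admins = [a for a in accounts if a.enabled and a.admin]
    return {
        "enabled_admin_accounts": len(enabled_admins),
        "enabled_admin_service_accounts": sum(1 for a in enabled_admins if a.service_account),
        "enabled_admin_accounts_inactive": len(inactive_admins),
    }


if __name__ == "__main__":
    for name, status, admin in find_inactive_accounts(SAMPLE_ACCOUNTS):
        print(f"{name:15} {status:8} {'ADMIN' if admin else ''}")
    print("disable:", accounts_to_disable(SAMPLE_ACCOUNTS))
    print("privileged review:", privileged_account_review(SAMPLE_ACCOUNTS))
```

On the constructed data the check surfaces the two cases the Report describes: an enabled administrator account that has not logged on for over a year, and an enabled administrator service account that has never logged on at all. In practice the `Account` rows would be populated from the directory export (for instance last-logon timestamps from the identity provider), and the output fed to the team responsible for the periodic review rather than acted on automatically.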