COI Report – Part VII
46 RECOMMENDATION #11: A ROBUST PATCH MANAGEMENT PROCESS MUST BE IMPLEMENTED TO ADDRESS SECURITY VULNERABILITIES
#PREVENTION VIGILANCE GOVERNANCE
1082. The initial entry to SingHealth’s network was likely by way of a phishing email containing malicious code. The attacker was able to compromise Workstation A that was running Microsoft Outlook (“Outlook”), which was vulnerable to a publicly available hacking tool. The attacker then used the tool to drop malware onto Workstation A, which was subsequently used to escalate the attack. CSA assessed Workstation A to have been a key pivoting point in the overall scheme of the attack.
1083. In fact, a patch[99] for Outlook, that would have rendered the hacking tool ineffective, had been made available by Microsoft in late. However, this patch was not installed on Workstation A as at 1 December 2017, when the malicious code was executed. The failure to patch in a timely fashion essentially led to the success of this phase of the attack. This constituted a missed opportunity for IHiS which, if addressed, would have stopped or significantly arrested the progress of the attack.
1084. To avoid attacks through known issues or vulnerabilities, systems should be fully up to date with the latest security patches. A robust security patch management process must be implemented as a critical component in maintaining the security of SingHealth IT systems. Patching is of critical importance in a networked environment. Patches do not only ensure the security of individual devices, but also that of the network as a whole. This is because the security of a network is only as strong as its weakest link – it only takes one unpatched device for an attacker to get into a network, and from there to move laterally through the network towards his objective. As such, a failure to patch

[99] A patch is a piece of code that can be applied to a software program after it has been installed.