Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
Vulnerability – A vulnerability signifies the absence of, or a weakness in, a safeguard which could be exploited by an attacker.
c) Criticality – This is a measure of how important or valuable a system is to business operations. For example, OSes on domain controllers would be considered more critical to network security.
1121. Software facing more threats, or that are more vulnerable, or are mission-critical should be accorded a higher priority in the upgrade process. The outcome of this exercise would be to rate each individual piece of software in terms of priority (High, Medium or Low) for upgrades, as assessed from a security standpoint. For example, email software, which by its very nature involves communication with the internet, and which is a common attack vector for malicious exploitation, should be rated as High Risk. A standalone software system which is not connected to the Local Area Network would be rated as Low Risk.

COI Report – Part VII
Page 385 of 425

47.1.5 Upgrade timelines
1122. The general (unwritten) policy of upgrading software at EOL should be reviewed. IHiS’ approach was to consider factors like cost, user needs, proximity to EOL, and compatibility with the existing environment when deciding whether to upgrade software. Security was not one of the main considerations. This strategy may have been acceptable six or seven years ago. It is not today. This approach emphasises cost and operational ease over defence, and is at best naive in the current cybersecurity environment.
1123. The longer a piece of software has been released, the longer malicious actors and security researchers will have to find vulnerabilities that can be exploited. Often, the exploitable entry points for commercial software are made public by researchers so that users can be made aware, and so that software companies can take steps to fix them. Software companies then release a new version of their software to address these security issues. Many cybercriminals track information about vulnerabilities. Once they find a new vulnerability, the criminals work as quickly as possible to develop an exploit to abuse the vulnerability. Using such an exploit, hackers can then target victims who have yet to update their software.
1124. Ideally, all information technology software applications should generally reflect the most recent version of the application software that is properly vendor-supported. Where this is not possible, as a rule of thumb, the installed version of the software should be no more than two versions behind the most recent commercially available version. This is because the longer software goes without upgrades, the longer the list of accumulated exploits to which it may be vulnerable.
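The rating exercise in paragraph 1121 (threat, vulnerability, criticality, rolled up into High/Medium/Low) and the version-lag rule of thumb in paragraph 1124 can be turned into a repeatable inventory check. The script below is an added example and is not part of the COI report or of IHiS' tooling; the inventory rows, the `Software` field names, the scoring weights and the reading of "version" as the major component of a dotted version string are all this example's own assumptions.

```python
from dataclasses import dataclass

# Rule of thumb from paragraph 1124: installed software should be no more than
# two versions behind the latest vendor-supported release. Assumption: "version"
# here means the major (first) component of a dotted version string.
MAX_VERSIONS_BEHIND = 2


@dataclass
class Software:
    name: str
    installed: str          # installed version, e.g. "14.0.1"
    latest_supported: str   # latest vendor-supported release, e.g. "17.1.0"
    internet_facing: bool   # threat: talks to the internet (a common attack vector)
    known_vulns: int        # vulnerability: published, unpatched issues in the installed version
    critical_system: bool   # criticality: e.g. the OS of a domain controller


def major_version(version: str) -> int:
    """First numeric component of a version string (assumes dotted numeric versions)."""
    return int(version.lstrip("vV").split(".")[0])


def versions_behind(item: Software) -> int:
    """Number of major versions the installed release lags the latest supported one."""
    return max(0, major_version(item.latest_supported) - major_version(item.installed))


def upgrade_priority(item: Software) -> str:
    """Rate an item High / Medium / Low. The weights are an assumption of this example."""
    score = 0
    if item.internet_facing:
        score += 2   # threat: exposed to internet-borne attacks
    if item.known_vulns > 0:
        score += 2   # vulnerability: an exploitable weakness is already public
    if item.critical_system:
        score += 2   # criticality: compromise affects the wider network
    if versions_behind(item) > MAX_VERSIONS_BEHIND:
        score += 1   # accumulated exploit history of an old release
    if score >= 4:
        return "High"
    if score >= 2:
        return "Medium"
    return "Low"


def upgrade_plan(inventory):
    """Rows of (name, priority, versions_behind, over_limit), highest priority first."""
    order = {"High": 0, "Medium": 1, "Low": 2}
    rows = [
        (s.name, upgrade_priority(s), versions_behind(s),
         versions_behind(s) > MAX_VERSIONS_BEHIND)
        for s in inventory
    ]
    # Within the same priority band, the most out-of-date software comes first.
    return sorted(rows, key=lambda r: (order[r[1]], -r[2]))


# Constructed sample inventory; these are not systems or versions from the report.
SAMPLE_INVENTORY = [
    Software("mail-client", "14.0.1", "17.1.0", True, 2, False),
    Software("dc-os", "2.3.0", "3.0.0", False, 0, True),
    Software("hr-intranet-app", "5.2", "9.0", False, 1, False),
    Software("lab-instrument-sw", "1.4", "1.6", False, 0, False),
]

if __name__ == "__main__":
    for name, prio, behind, over in upgrade_plan(SAMPLE_INVENTORY):
        flag = "  ** more than two versions behind **" if over else ""
        print(f"{prio:6} {name:20} {behind} major version(s) behind{flag}")
```

Running it lists the internet-facing mail client with published vulnerabilities as High, the two internal systems as Medium (the HR application first, because it is four major versions behind), and the standalone instrument software as Low; the `over_limit` flag is what a patch-management review would use to pick up anything that has drifted past the paragraph 1124 threshold regardless of its risk band.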
1125. Separately, Vivek testified that recent years have seen software evolving with an increased focus on the escalating cybersecurity threats, and versions released recently are far more secure than those deployed eight, nine or ten years ago, when the constant threat did not exist.