Table of contents exchange of letters with the minister executive summary



Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part VII
Page 406 of 425

49.3.2 Suspicious Outbound Traffic
1178. Staff need to have regard to the traffic that goes out of the network. In particular, staff need to be aware that hackers often make use of C2 servers to enable and maintain threat persistence. Staff should be able to spot and report any unusual patterns of outbound network traffic.
49.3.3 Anomalous login failure
1179. Staff need to be informed that repeated failed logins to an account, or attempts to log in to an account that no longer exists, are clear signs that someone is up to no good.
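The two signals in paragraph 1179 expressed as detection logic. This is an added illustration, not part of the COI report; the log format, account list, threshold and window are assumptions, and the sample lines are constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample events (hypothetical format: timestamp result account source).
SAMPLE_LOG = """\
2024-01-01T09:00:01 FAIL svc_report 192.0.2.21
2024-01-01T09:00:09 FAIL svc_report 192.0.2.21
2024-01-01T09:00:15 FAIL svc_report 192.0.2.21
2024-01-01T09:00:22 FAIL svc_report 192.0.2.21
2024-01-01T09:00:30 FAIL svc_report 192.0.2.21
2024-01-01T09:03:00 FAIL jtan 192.0.2.44
2024-01-01T09:03:20 OK jtan 192.0.2.44
2024-01-01T09:10:00 FAIL old_admin 192.0.2.21
"""

ACTIVE_ACCOUNTS = {"svc_report", "jtan"}  # assumed export of current accounts
THRESHOLD = 5                             # assumed: failures per window
WINDOW = timedelta(minutes=5)             # assumed window length


def detect(log_text, active=ACTIVE_ACCOUNTS, threshold=THRESHOLD, window=WINDOW):
    """Return alerts as (kind, account, source, timestamp) tuples."""
    alerts = []
    recent = defaultdict(deque)  # account -> timestamps of recent failures
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue  # skip malformed lines instead of crashing
        ts, result, user, src = parts
        when = datetime.fromisoformat(ts)
        if user not in active:
            # Any attempt against a removed or unknown account is reportable.
            alerts.append(("nonexistent_account", user, src, ts))
            continue
        if result != "FAIL":
            continue
        failures = recent[user]
        failures.append(when)
        while failures and when - failures[0] > window:
            failures.popleft()  # drop failures that fell out of the window
        if len(failures) == threshold:  # alert once when the threshold is hit
            alerts.append(("repeated_failures", user, src, ts))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```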
49.3.4 Spikes in Database Activity
1180. Staff should closely monitor any spikes in database activity, as that could be an indicator that the database has been compromised.
49.3.5 Anomalous registry changes
1181. Staff should be made aware that one of the ways APTs are able to establish persistence and remain covert is by making changes to the system registry. Staff should be informed that should they become aware of registry settings deviating from their typical state, they should report the matter to minimise the potential damage caused by the attack.
49.3.6 Unusual port usage
1182. Staff should be sensitised to the fact that attackers will often use obscure port numbers in order to circumvent firewalls. Record must be kept of which ports are being used legitimately, and for what purpose. Should a port be used that is not in the ‘whitelist’, staff must be informed to report the matter immediately.





49.3.7 Suspicious File and Folder Activity
1183. Staff should be alerted that activity such as suspicious file or folder creation, modification or deletion may be indicative of an ongoing attack. Large amounts of data in the wrong place should also be reported.
1184. Ultimately, the IR plan must be as comprehensive and practical as possible. It should be user-friendly and easy to absorb. Nonetheless, there will inevitably be situations which cannot be provided for in advance. It is therefore important for the IR plan to also promote a culture of proactive and early reporting – if in doubt, it is far better for employees to report and seek help than to stay silent.
