COI Report – Part III, Page 76 of 425

15.3.1 Privileged Access Management was not the exclusive means for accessing the SGH Citrix servers, and logins to the servers by other means without 2-factor authentication were possible

223. Privileged Access Management (“PAM”) is a means for organisations to restrict access to critical systems by privileged users, such as system administrators. As at the time of the Cyber Attack, PAM was implemented for both H-Cloud Citrix servers and SGH Citrix servers. This implementation required administrators to use 2-factor authentication (“2FA”) in order to access servers.
224. In an internal risk assessment conducted by Wee and the IHiS Infrastructure and Applications teams around the end of 2016, “Unauthorised Access and Account Theft (e.g. Stealing of Admin/User Accounts and Passwords)” was listed as a threat or risk with a medium likelihood of occurring, and a high impact to business operations. The implementation of PAM was identified as an additional means of controlling this threat or risk.
225. However, the actual effectiveness of PAM was severely undermined by the fact that it was not enforced as the exclusive means by which administrators could log in to the SGH Citrix servers. Even after PAM was implemented, IHiS’ Citrix administrators were able to log in through an alternative route not requiring 2FA, and in fact preferred to do so.
226. Having less secure alternative routes would defeat the purpose of implementing PAM, as an attacker would simply exploit such alternative routes without having to concern itself with 2FA. Had PAM been the exclusive means of logging into the SGH Citrix servers, the need for 2FA would have made it significantly more difficult for the attacker to move laterally and to gain privileged access to the Citrix servers.
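The control failure described in paragraphs 225 and 226 is detectable from authentication logs: if PAM is meant to be the only route to the Citrix servers, then any privileged logon whose source is not the PAM gateway is a bypass of the 2FA requirement. The following is an added example, not taken from the COI report or from IHiS' systems. It assumes a simple constructed log format ("<timestamp> logon user=... target=... source=... mfa=yes|no"), a single PAM gateway host, and fixed sets of administrator accounts and SGH Citrix hostnames; every hostname, account name, timestamp and log line below is constructed for illustration.

```python
"""
Added example (not part of the COI report): flag privileged logons to the
SGH Citrix servers that did not arrive through the PAM gateway, i.e. logons
that used an alternative route where 2FA was not enforced.

Assumptions (not stated in the report): one PAM gateway hostname, a known set
of administrator accounts and Citrix server hostnames, and a constructed
one-line-per-logon log format. All names and log lines are constructed.
"""
from collections import Counter
from dataclasses import dataclass

PAM_GATEWAY = "pam-gw01"                           # constructed PAM jump-host name
ADMIN_ACCOUNTS = {"citrixadmin", "svc_ctx_ops"}    # constructed privileged accounts
CITRIX_SERVERS = {"sgh-ctx01", "sgh-ctx02"}        # constructed SGH Citrix hostnames


@dataclass(frozen=True)
class Logon:
    ts: str
    user: str
    target: str
    source: str
    mfa: bool  # whether the logon presented a second factor


def parse_logon(line: str) -> Logon:
    """Parse one constructed log line of the form
    '<ts> logon user=<u> target=<t> source=<s> mfa=<yes|no>'."""
    ts, _kind, *fields = line.split()
    kv = dict(f.split("=", 1) for f in fields)
    return Logon(ts, kv["user"], kv["target"], kv["source"], kv["mfa"] == "yes")


def is_pam_bypass(logon: Logon) -> bool:
    """True when a privileged account reached a Citrix server from anywhere
    other than the PAM gateway, which is the only place 2FA is enforced."""
    return (
        logon.user in ADMIN_ACCOUNTS
        and logon.target in CITRIX_SERVERS
        and logon.source != PAM_GATEWAY
    )


def find_bypasses(lines):
    """Return every logon in `lines` that bypassed the PAM gateway."""
    return [l for l in map(parse_logon, lines) if is_pam_bypass(l)]


def summarise_by_source(bypasses):
    """Count bypass logons per originating host, so the alternative routes
    that administrators actually use can be identified and closed."""
    return dict(Counter(b.source for b in bypasses))


# Constructed sample log: one compliant admin logon via the gateway, two
# admin logons from an ordinary workstation (the alternative route), and one
# non-privileged user logon that is out of scope for this check.
SAMPLE_LOG = [
    "2000-01-01T10:01:00 logon user=citrixadmin target=sgh-ctx01 source=pam-gw01 mfa=yes",
    "2000-01-01T10:05:12 logon user=citrixadmin target=sgh-ctx01 source=ws-admin07 mfa=no",
    "2000-01-01T10:07:45 logon user=jdoe target=sgh-ctx02 source=ws-user22 mfa=no",
    "2000-01-01T10:09:30 logon user=svc_ctx_ops target=sgh-ctx02 source=ws-admin07 mfa=no",
]

if __name__ == "__main__":
    hits = find_bypasses(SAMPLE_LOG)
    for h in hits:
        print(f"PAM bypass: {h.user} -> {h.target} from {h.source} at {h.ts} (mfa={h.mfa})")
    print("bypasses per source host:", summarise_by_source(hits))
```

The check deliberately keys on the source host rather than on the `mfa` flag alone: a logon that never touched the PAM gateway would not record a second factor at all, so the absence of 2FA is a consequence of the alternative route, and the route itself is what has to be closed at the network or host level for PAM to be exclusive.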
227. The Committee has not heard any compelling reason why the alternative route was kept open. It is also of serious concern to note that IHiS Citrix administrators not only were aware of this alternative route, but knowingly made