COI Report – Part III Page 83 of 425

servers as being part of this mission-critical system. Citrix servers were instead viewed simply as a means by which a mission-critical system is accessed, but are not themselves part of that system. This mindset on the lower criticality of the Citrix servers may have indirectly resulted in the vulnerabilities listed above. In addition, this mindset was expressed in the following two facts as well:

a) The SGH Citrix servers were not monitored for real-time analysis and alerts of vulnerabilities and issues arising from these servers.

b) Vulnerability scanning, which was carried out for mission-critical systems, was not carried out for the SGH Citrix servers.

Vulnerability scanning is an inspection of the potential points of exploit on a computer to identify gaps in security. In the context of IHiS, the rules prescribed in vulnerability scanning included their internal security policies on issues such as minimum password lengths. Thus, if vulnerability scanning of the SGH Citrix servers had been carried out, the fact that the L.A. account had a weak password that did not comply with IHiS’ password policies would have been identified. In a similar vein, the S.A. account would have been detected as an unused account.

246. There are also clear indications of poor cyber hygiene and a lack of security consciousness on the part of the Citrix administrators. This is clearly seen in examples such as failing to change the password for the L.A. account, and the deliberate use of alternative methods to avoid PAM when logging into the Citrix servers. Further examples evincing poor cyber hygiene and a lack of security consciousness will be covered in section 15.7 (pg 89) below, where the Committee presents its findings in respect of other weaknesses that were identified in the FY H-Cloud Pen-Test.
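The two policy checks the Committee describes (a password that does not meet the minimum-length policy, and an account that is never used) are exactly the kind of host-configuration and account-hygiene findings a credentialed vulnerability scan reports. The following Python script is an added illustration and is not code from the COI Report or from IHiS; the host name, account names, policy thresholds and dates are all constructed placeholders, and the checks (host minimum-length setting below policy, password older than the maximum age, no logon within the dormancy window) are assumptions about what such a scan rule set would contain. It shows how a single unscanned host can yield all three findings at once.

```python
"""Illustrative account-hygiene scan of the kind the report says was not run
against the SGH Citrix servers. Added example: inventory, hostnames, account
names and policy thresholds are constructed placeholders, not IHiS' data."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

# Assumed policy thresholds (placeholders, not IHiS' actual password policy).
POLICY: Dict[str, int] = {
    "min_password_length": 12,    # minimum length the host setting must enforce
    "max_password_age_days": 90,  # password must have been changed within this window
    "unused_after_days": 90,      # no logon within this window => dormant account
}


@dataclass
class Account:
    name: str
    password_last_set: date
    last_logon: Optional[date]    # None means the account has never logged on


@dataclass
class Host:
    name: str
    min_password_length_setting: int   # effective local policy value on the host
    accounts: List[Account]


def scan_host(host: Host, policy: Dict[str, int], today: date) -> List[str]:
    """Return findings as 'host:check:subject' strings, host-level check first."""
    findings: List[str] = []
    # 1. Host policy weaker than the organisation's minimum-length rule.
    if host.min_password_length_setting < policy["min_password_length"]:
        findings.append(
            f"{host.name}:weak-password-policy:min_len={host.min_password_length_setting}"
        )
    for acct in host.accounts:
        # 2. Password not rotated within the maximum age (e.g. an admin account
        #    whose password was never changed).
        age_days = (today - acct.password_last_set).days
        if age_days > policy["max_password_age_days"]:
            findings.append(f"{host.name}:stale-password:{acct.name}:{age_days}d")
        # 3. Dormant account: never logged on, or not within the window.
        if acct.last_logon is None or (today - acct.last_logon).days > policy["unused_after_days"]:
            findings.append(f"{host.name}:unused-account:{acct.name}")
    return findings


def build_sample_inventory(today: date) -> Host:
    """Constructed inventory: one host with a weak length setting, one admin
    account with an old password, one service account nobody has used."""
    return Host(
        name="citrix-01",                  # constructed hostname
        min_password_length_setting=8,     # below the assumed policy of 12
        accounts=[
            Account("localadmin", today - timedelta(days=400), today - timedelta(days=1)),
            Account("svcaccount", today - timedelta(days=30), today - timedelta(days=200)),
            Account("ops1", today - timedelta(days=10), today - timedelta(days=2)),
        ],
    )


def run_sample_scan(today: date = date(2024, 1, 15)) -> List[str]:
    """Convenience wrapper: scan the constructed inventory for a fixed date."""
    return scan_host(build_sample_inventory(today), POLICY, today)


if __name__ == "__main__":
    for finding in run_sample_scan():
        print(finding)
```

Run stand-alone it prints one line per finding; the weak-policy finding is reported once per host, while the stale-password and unused-account findings name the offending account so that each can be assigned to an owner for remediation.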