COI Report – Part IV
Page 151 of 425

25.2 Assessment of IHiS’ incident response from 27 June to 3 July 2018

462. It is important to note that in this period, the attacker was in fact making SQL queries on the SCM database and exfiltrating the stolen patient records. However, there is no evidence that IHiS staff had detected any suspicious activities in this period. As discussed in section 15.2 (pg 74) above, this was because of a lack of monitoring at the SCM database for unusual queries and access.
463. Benjamin’s investigations into Workstation B and his identifying of unusual processes were steps in the right direction. Unfortunately, he was unable to fully appreciate the security implications of his findings, or to associate them with earlier findings. It is likely that this was due to the limited training and experience that he had. It also did not help that his reporting officer, Ernest, similarly lacked the necessary technical knowledge and experience, and did not take any steps to find out more about the findings which Benjamin presented to him.
464. The above clearly illustrates the importance of timely reporting and escalation. Had the matter been escalated to a level which could provide effective leadership, and which possessed the appropriate resources and technical expertise, it may have been possible to determine, from all the suspicious activities to date, that the attacker was targeting the SCM database and sought to exploit the open network connection between the SGH Citrix Servers and the SCM database. With timely action, the attack could have been detected and contained, minimising the damage caused. Unfortunately, the matter was not escalated and valuable time was wasted. On the facts, further suspicious activity was only discovered on 4 July 2018, eight days after the attacker first began querying the database.