COI Report – Part VII Page 240 of 425

and was being locally managed by an NCC employee, Tan Aik Chin, since January 2016 by happenstance. As a result, patches that would typically be rolled out automatically for other servers under IHiS’ care were not similarly rolled out to the NCC server. As it turned out, the NCC server was used by the attacker as a point of distribution for malware, to infect other computers in the network.

b) SP. server

This server was a dual-use server that functioned both as a web server hosting SGH websites accessible from the internet, and as an intranet server for SGH users to store documents. In fact, Director of the Delivery Group, Leong Seng, did not even know that the server had two functions, and could not explain why it was located in the local server zone. As it turned out, the SP. server was compromised by the attacker and was used on 19 July 2018 in an attempt to regain access to the SingHealth network.

696. The above examples show the real security implications if assets (even lower-priority ones) are forgotten. Hence, as part of the defence-in-depth strategy, IHiS should regularly review all its systems comprehensively to ensure that the necessary security and mitigation measures are in place across both higher-priority and lower-priority assets. This means, for example, that all assets must be identified and centrally managed to ensure that they meet IT security requirements, and are subject to periodic review. This is consistent with the recommendations of the experts who have explained the importance of inventorying all hardware and software assets and having “full visibility of the IT assets that are added to or removed from the networks”.

697. CEO, IHiS Bruce has explained that there are two exercises currently being conducted in IHiS and the Clusters to achieve this: (i) an asset reconciliation exercise whereby the Infrastructure Services Division is checking the list of devices connected to the network against the inventory of devices managed by IHiS; and (ii) a Ministry-led exercise whereby the Clusters are inventorying their own assets, with a specific emphasis on biomedical equipment.