COI Report – Part VII Page 370 of 425

provide protection against new and emerging threats, which more up-to-date versions of the software may have addressed.

1076. Software infrastructure (and critical server infrastructure, in particular) must be modernised in order to attain adequate levels of protection – not just once as in the case of Y2K, but continuously. Continued reliance on older, and more easily compromised computer infrastructure running OS versions that cannot be patched to address critical vulnerabilities, creates an unacceptable level of risk where infrastructure supporting CII systems is concerned. Methods to hack and compromise older systems are well documented and widely distributed through the internet, social media, and hacking forums. Continuing to use such OSes exposes the domain controllers to targeted exploits.

1077. It is acknowledged that upgrading is a time- and resource-intensive process. Resource constraints notwithstanding, the pace of upgrading is really a question of assessment of risk, prioritisation, and management buy-in. This makes it important that such issues are also raised to the attention of senior management, so that appropriate appreciation of risk can be made, and support given where needed to push through with upgrading. Given the severity of the risk involved, it is incumbent on IHiS management to make time and allocate the required resources to ensure that domain controller OSes are kept up to date.

45.2 The attack surface for domain controllers should be reduced by limiting login access

1078. During the Cyber Attack, the attacker accessed domain controllers from the SingHealth end-user zone using RDP. The fact that domain controllers were accessible via RDP unnecessarily increased the attack surface. In general, insufficient network segregation increases the surface that can be exploited by attackers, and correspondingly increases the risk level of the network.

1079. This problem should be addressed by prohibiting remote connections to the domain controllers via RDP and other remote management solutions. Access to domain controllers should be limited to dedicated workstations, which would