Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part VII Page 373 of 425

has ramifications that extend well beyond the security of any individual unpatched device.

46.1 A clear policy on patch management must be formulated and implemented

1085. Patch management is the process of identifying, acquiring, installing, and verifying patches for software and systems. Patches correct security and functionality problems in software and firmware. From a security perspective, patches serve to mitigate software vulnerabilities. Applying patches to eliminate these vulnerabilities can significantly reduce the risk of exploitation.

1086. A detailed policy must be formulated to put in place a rigorous and timely patching regime. In doing so, reference may be made to best practice documents such as the NIST Guide to Enterprise Patch Management Technologies[100] and technical reference papers issued by other jurisdictions. The Solicitor-General referred to the Government of the Hong Kong Special Administrative Region's ("HKSAR") paper on Patch Management.

1087. Organisations should have clear and stringent patch management timelines, and adhere to these timelines to ensure that security patches for IT systems are tested and implemented in a timely manner. This will minimise the window of opportunity in which attackers can exploit system vulnerabilities to perform malicious activities. The written policy should make clear that patch management is not merely operational in nature but is integral to a defence-in-depth[102] strategy, where patching represents one layer of a multilayered

[100] NIST.SP.800-40r3. This paper provides a core set of principles and methods that can be used as a reference in putting together an effective patch management programme.

[102] The fundamental principle behind defence-in-depth is that no single security product is foolproof and that an organisation should be required to have several layers of security in place. This was also discussed earlier under Recommendation #1.
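As an added illustration of the lifecycle in paragraph 1085 and the timeline discipline called for in paragraph 1087 (not code from the COI report or from SingHealth/IHiS), the following Python checks a patch inventory against per-severity deadlines and treats a patch as closed only once it reaches the "verified" stage. The severity windows, hostnames, patch identifiers and dates are constructed assumptions; the report itself prescribes no numbers.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Assumed patch windows in days from vendor release to verified installation.
# The report asks for clear timelines but does not fix values; these are illustrative.
PATCH_WINDOW_DAYS = {"critical": 14, "high": 30, "medium": 60, "low": 90}

# Lifecycle stages in the order paragraph 1085 lists them. Only "verified"
# closes the window: an installed-but-unverified patch is still an open risk.
STAGES = ("identified", "acquired", "installed", "verified")

@dataclass
class PatchRecord:
    host: str
    patch_id: str
    severity: str
    released: date   # vendor release date of the patch
    stage: str       # current lifecycle stage for this host

def days_overdue(rec: PatchRecord, today: date) -> int:
    """Days past the deadline; zero or negative means still inside the window."""
    if rec.stage == "verified":
        return 0
    deadline = rec.released + timedelta(days=PATCH_WINDOW_DAYS[rec.severity])
    return (today - deadline).days

def overdue_report(records, today):
    """Return (host, patch_id, stage, days_overdue) tuples for records that
    have breached their window, worst offender first."""
    out = []
    for rec in records:
        if rec.stage not in STAGES:
            raise ValueError(f"unknown stage {rec.stage!r} for {rec.host}")
        late = days_overdue(rec, today)
        if late > 0:
            out.append((rec.host, rec.patch_id, rec.stage, late))
    return sorted(out, key=lambda row: row[3], reverse=True)

# Constructed sample inventory; hosts, patch ids and dates are made up.
SAMPLE = [
    PatchRecord("ws-0101", "KB-EXAMPLE-1", "critical", date(2018, 5, 1), "installed"),
    PatchRecord("ws-0102", "KB-EXAMPLE-1", "critical", date(2018, 5, 1), "verified"),
    PatchRecord("db-0001", "KB-EXAMPLE-2", "high", date(2018, 6, 20), "identified"),
    PatchRecord("app-0003", "KB-EXAMPLE-3", "low", date(2018, 6, 1), "acquired"),
]
AS_OF = date(2018, 7, 4)  # constructed reporting date

if __name__ == "__main__":
    for row in overdue_report(SAMPLE, AS_OF):
        print("OVERDUE host=%s patch=%s stage=%s days_late=%d" % row)
```

Run as-is, the report flags only ws-0101: its critical patch was installed but never verified, so the window is still open 50 days past the deadline, while the same patch on ws-0102 is closed because it reached "verified".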