Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019
COI Report – Part VII Page 375 of 425

posting cycle, with emergency or critical security patches, such as the WannaCry patch, applied as soon as possible, outside the patch cycle.

1092. A specific posting cycle in deploying patches is essentially patch bundling, which has a downside – it lengthens the time from when a patch becomes available to the time the vulnerability is fixed on the unpatched systems. If an attacker exploits the same vulnerability before the patch is installed, the delayed patching is clearly detrimental. The attacker effectively has a longer window of opportunity to exploit the vulnerability because of the delay in installing the patch. This is all the more so as the release of a patch may provide attackers with the information that they need to exploit the corresponding vulnerability (e.g. by reverse engineering the vulnerability from the patch), meaning that a newly released patch might need to be applied immediately to prevent the vulnerability it is designed to address from being exploited.

1093. It is imperative that timelines for deploying patches are actually adhered to on the ground. The policy cannot simply be a theoretical framework. The importance of timely patch management cannot be overstated. The draft HITSPS Version 4.0 prescribes a two-week timeline for implementation of patches for endpoint machines. If this had been in place in 2017, Workstation A would have been patched against the publicly available hacking tool well before the malicious code was executed in December 2017.

46.1.4 Risk assessment and prioritisation

1094. The policy should acknowledge limited resources, which make it unfeasible to roll out all patches immediately, and address the fact that administrators will need to prioritise the deployment of new patches, by performing a risk assessment to determine which systems, and which software, should be patched first.