Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part VII
Page 418 of 425

1206. Ernest clearly failed to carry out any of the SIRM's responsibilities listed above during the course of the Cyber Attack. Vivek further observed that, time and again, Ernest failed not only to apply his knowledge but also to properly follow the IR-SOP:

(a) Ernest said that malware infections are not reportable if the malware is detected and cleaned without any network propagation. However, he seems to have done nothing to validate whether network propagation had indeed occurred. This was a failure to implement the IR-SOP.

(b) As one of the reasons for not reporting the January 2018 incident, Ernest said that "suspected malware infection of a workstation are a very common occurrence", even though Benjamin had indicated that he had never dealt with an advanced malware like this before. This was either a failure to correctly take stock of the incident, or a complete lack of understanding of malware infections.

(c) Per the IR-SOP, it is the responsibility of the SIRM to lead and coordinate activities during an incident response. However, there was virtually no formal coordination happening between the different teams. The communication during the incident response was ad hoc at best, and at worst counterproductive to the investigation, because it wasted valuable time without making any real progress.

(d) Per the IR-SOP, the SIRM needs to report the incident up the command chain so that a formal incident can be declared and all available resources can be deployed or redeployed to respond to the incident. However, no formal incident was declared, and therefore key experts and stakeholders kept operating in silos, which significantly hampered the incident response.

(e) The IR-SOP requires that post-incident reviews are conducted by the Cluster ISO. However, for these to happen, the incidents must be reported first. The incident in January 2018 was not reported up, and therefore never reviewed. A post-facto review, even if it had been done later in February 2018, may have uncovered the need for additional action and may have helped prevent the incidents in June/July 2018.
1207. The IT Security team should be helmed by an individual who is motivated and interested in learning, as the field of information security is constantly evolving, and complacency leads to weakness.
1208. Detecting and effectively responding to incidents requires strong management processes, and managing an incident response team requires specific skills and knowledge. A background in information security management or security engineering would be ideal. The following competencies should be considered when filling the position of SIRM:

(a) Critical reasoning and analysis – The SIRM must be clear about the criteria to be applied from the various security policies, and have the ability to apply those criteria to the situation presented to him.

(b) Gathering evidence – The SIRM must know what the relevant evidence is and how to preserve, collate, and analyse it.

(c) Problem-solving and creative thinking – The SIRM must be able to come up with solutions on the fly to counter the cyber attackers.

(d) Communication and leadership – Above all, the SIRM is the person responsible for managing the boots on the ground, and must be a master communicator, ensuring that information flows in an orderly, efficient, and comprehensive manner to all the relevant individuals.


