Report of the COI into the Cyber Attack on SingHealth 10 Jan 2019

COI Report – Part III
Page 79 of 425

could remotely log on to the SGH Citrix servers from any workstation in any medical institution under SingHealth without FA or any other form of restriction on access. This was in spite of the known security risks, and the stated intent to remedy the specific risks identified in the FY GIA Audit Report.
15.3.3 Weak controls over and inadequate monitoring of local administrator accounts
235. As explained above, the password to the L.A. account was ‘P@ssw0rd’, which is easily cracked, and it is possible that the attacker gained control over the account by cracking the password. The L.A. account was also considered a dormant account, which meant that it was an account that has been used before, but has not been logged into for the last 183 days.

236. The weak password and the fact that the attacker was able to use the dormant account to access Citrix Server 1 were in spite of three relevant IHiS policies:

a) First, the HITSPS states that user passwords are to be changed periodically. However, the password to the L.A. account was first set manually in 2012, and remained the same until it was changed on 11 June 2018.

b) Second, in 2017, IHiS instituted a policy under which administrators were required to have more complex passwords. This policy applied to the L.A. account, but its password remained unchanged.

c) Third, in line with the relevant paragraph of the HITSPS, dormant or unused accounts should be identified and disabled, in order to prevent usage in unauthorised activities. However, this was not done in the case of the L.A. account.

Footnote: More than 183 days had passed between the last legitimate use of the L.A. account on Citrix Server 1 on 13 October 2017, and the first instance of unauthorised use by the attacker on 17 May 2018.
237. The issue of weak passwords for domain or privileged user accounts was flagged up in the FY GIA Audit Report as a ‘High Priority’ issue, which in IHiS’ risk classification framework meant that it was of a High severity of impact, and had a High likelihood of occurrence. In fact, one of the weak passwords identified in the course of the H-Cloud Pen-Test was the same “P@ssw0rd”, which was used for another account. The password policy in paragraph b) above was also instituted in response to this audit finding.
238. The management response from IHiS to the FY GIA Audit Report finding included a comment that passwords for Active Directory administrator accounts had been changed in line with the new password policy by 21 March 2017. Both Lum and Woon Lan have recognised that there was no explicit mention of the need to change the local administrator account passwords to meet the new requirement, explaining that it did not occur to them at the time the management response was being discussed.

239. On 21 March 2017, Woon Lan sent an email to the then-System Management Department, which included the Citrix administrators, directing recipients to change passwords for their privileged accounts. Once again, there was no explicit mention of the need to change all local administrator account passwords. Likewise, in subsequent follow-ups with the GIA, the issue of local

Footnote: The Committee notes that Lum has stated in his conditioned statement that he had “instructed Ping Hai and Ji Han to change the local admin password”, through an email. This email was sent in March 2017. The relevant section reads: “As mentioned this morning to all of you, we need to immediately clean up those password things that were flagged up. As a precaution, please reset your individual Citrix admin password and also the local admin password that we have exposed due to our own negligence.” Viewed in the context of the FY H-Cloud Pen-Test, the local admin password in question was an account belonging to a Citrix administrator. This direction does not appear to be a direction for all local administrator account passwords to be changed, and does not clearly indicate that Lum had in fact specifically considered applying the new password policy to the local admin accounts.
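The controls discussed in paragraphs 236 to 239 (the HITSPS 183-day dormancy rule, and rotation of privileged passwords under the 2017 policy applied to local as well as Active Directory administrator accounts), expressed as a defender's account audit check. This is an added example and not material from the COI report; the account records, names and the use of 21 March 2017 as the rotation cut-off are constructed assumptions.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Thresholds drawn from the report: no logon for 183 days makes an account
# dormant under the HITSPS; the management response said AD admin passwords
# were rotated under the new policy by 21 March 2017. Using that date as the
# rotation cut-off for every privileged account is an assumption of this example.
DORMANT_DAYS = 183
POLICY_DEADLINE = date(2017, 3, 21)


@dataclass
class Account:
    name: str
    scope: str                     # "local" or "domain"
    privileged: bool
    password_last_set: date
    last_logon: Optional[date]     # None if the account has never logged on


def audit_account(acct: Account, as_of: date) -> List[str]:
    """Return the control failures for one account as of the given date."""
    findings: List[str] = []
    # Dormancy rule: identify and disable accounts unused for DORMANT_DAYS.
    if acct.last_logon is None:
        findings.append("never logged on")
    else:
        idle = (as_of - acct.last_logon).days
        if idle > DORMANT_DAYS:
            findings.append(f"dormant for {idle} days")
    # Rotation rule: applies to privileged accounts regardless of scope,
    # which is the gap the report found for local administrator accounts.
    if acct.privileged and acct.password_last_set < POLICY_DEADLINE:
        findings.append(f"password unchanged since {acct.password_last_set}")
    return findings


def audit(accounts: List[Account], as_of: date) -> Dict[str, List[str]]:
    """Audit every account and keep only those with at least one finding."""
    return {a.name: f for a in accounts if (f := audit_account(a, as_of))}


# Constructed sample inventory (names are placeholders, not real accounts).
SAMPLE = [
    Account("L.A.", "local", True, date(2012, 1, 1), date(2017, 10, 13)),
    Account("citrixadm01", "domain", True, date(2017, 4, 3), date(2018, 5, 10)),
    Account("svc_backup", "local", False, date(2016, 6, 1), None),
]

if __name__ == "__main__":
    for name, findings in audit(SAMPLE, date(2018, 5, 17)).items():
        print(f"{name}: {'; '.join(findings)}")
```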