SingHealth COI: Important for IT security team to know members' roles, says cyber-security expert
SINGAPORE — The roles and responsibilities of a security incident response manager and his/her team need to be clearly understood, with all members “empowered” enough to know what to do when a cyber-security incident strikes, said a senior director of a cyber-security firm on Tuesday (Nov 13).
Testifying as an expert witness in front of the Committee of Inquiry (COI) set up to investigate the cyber attacks on national healthcare cluster SingHealth, Mr Vivek Chudgar added that a centralised and “proper” incident management and tracking system to trace all incidents and investigations will help beef up cyber defences.
Mr Chudgar, who is a senior director of Mandiant Consulting, a unit of cyber-security company FireEye Inc, said he observed that the role of the security incident response manager from the Integrated Health Systems (IHiS) was “not adequately performed” and that it was “not staffed” when the assigned individual went on leave.
While his testimony did not mention names, he was referring to Mr Ernest Tan, a senior manager of the security management department at IHiS, the info-technology arm of the Ministry of Health (MOH).
During the cyber attack in June, 1.5 million patients had their personal data stolen, and 160,000 of them — including Prime Minister Lee Hsien Loong — also had their outpatient medication data extracted.
On Tuesday, Mr Chudgar suggested issuing an incident response standard operating procedure to all in the security incident response team. This would ensure everyone understands his/her role and the protocol.
He noted that he “did not see evidence of (the team) being made aware of their roles” at IHiS, and “valuable opportunities” to stop the attack were lost.
On Mr Tan’s role, Mr Chudgar said it was an “empowered” role, and that organisations need to “have someone who is willing to take decisions”. The function is “pivotal” and “joins all the dots” together to calibrate a response.
“Find the person that is willing to take the responsibility (for decisions),” he added, noting that organisations can “compensate” for wrong decisions made by having checks and balances.
Mr Tan, during his testimony earlier this month, said he decided against reporting the cyber-security incident to higher management — despite being informed by a junior staff member about it — for fear of being pressed to deliver answers, and working “non-stop” to answer for it.
Mr Chudgar also told the committee that IT staff members would benefit from having regular training sessions, along with simulated attacks, to get them up to scratch with the latest threats, as well as to be aware of each person’s role.
DISORGANISED COMMUNICATION HAMPERED RESPONSE
Mr Chudgar made the observation that “ad hoc” communication contributed to a delay in responding to the cyber attack.
In the wake of the attacks, staff members used a range of different platforms including WhatsApp, email, phone calls, as well as Excel sheets to communicate.
Not only did this hamper response time, valuable details about the attack were lost, Mr Chudgar said. “Because communication was ad hoc … (the) dots were not connected.”
Mr Chudgar added that communication problems also meant that important action items were not tracked and followed up. For this, he suggested having a proper tracking system in the short term to better track incidents and subsequent investigations, which he called “a formal way of capturing the facts of investigations”.
In the long run, he proposed having a “management dashboard” to track and report all cyber-security incidents at periodic intervals. This includes incidents that have not been tended to or are overlooked, and the approach offers “an opportunity for review… (and) oversights can be rectified”, he said.
2FA NOT ENTIRELY FOOLPROOF
On Tuesday, Mr Chudgar also pointed out that while two-factor authentication (2FA) — an idea proposed by other expert witnesses — is helpful in providing a layer of security and is “easy to implement”, it should be monitored closely because it is not immune to vulnerabilities.
He suggested having 2FA “without any exceptions” for all remote access into the network — which means that every employee will be required to go through 2FA for access. It will also be useful to have alerts to flag any attempts at bypassing the platform — and that these should be “treated with highest priority”.
He said that 2FA is “not a magic bullet”, and is an “additional area” that needs to be monitored. There have been past instances where attackers targeted the 2FA system and bypassed or infiltrated it.
The COI hearings will continue on Wednesday.