Page:Ransomware Attack on the Servers of The Hong Kong Institute of Bankers.pdf/7

  The regular penetration test conducted by HKIB did not cover network infrastructure and defence capabilities against specific cyberattack;

The antivirus software installed in its system only had basic protection capabilities and could not effectively defend against ransomware attacks;

Data loss prevention system was not installed in the system to detect and prevent sensitive data from being stored in external storage devices, or transmitted to external parties through email systems or the internet;

Passwords strength of some accounts in the system was insufficient and the passwords were not changed regularly, which made the relevant accounts vulnerable to attacks or intrusions by hackers; and

Other deficiencies in information security.

The Commissioner considered that all of the above showed that the personal data security management of HKIB was unsatisfactory, lacked stringent measures to regulate staff behaviour and review system settings timely, so that the security of information system which contained personal data was ineffective in addressing risks and threats.</li>

<li>Prolonged Implementation of Multi-factor Authentication: Back in May 2019, the Firewall manufacturer noted that attackers could bypass security restrictions and directly obtain SSL VPN account names and passwords to execute any programme in the target system through exploiting the Vulnerability. The Firewall manufacturer therefore urged users to immediately disable SSL VPN until the operating system was updated and all account passwords were reset. It also recommended that multi-factor authentication be enabled. </li></ol></li></ol>