
Strictly Private and Confidential

Cyber Security Assessment for KGL and PYL


Assessment Strategy

30th Oct 2023

17th May 2023 Ransomware Attack: Compromise Assessment (CA) & Digital Forensic Incident Response (DFIR) Recap

1. 327 assets were identified for CA, but only 189 were analysed, because:
   a. some assets were not accessible, having been fully compromised by the ransomware;
   b. on others the installed CrowdStrike agent was unable to connect to the CrowdStrike Endpoint Detection and Response (EDR) console.
   Findings: 3 High Category (H), 1 Medium Category (M), 3 Low Category (L).

2. DFIR sampled 8 assets/evidence sources, including VM servers, firewall (FW) logs, VM host servers, workstations and the AD VM server.
   a. The findings indicate an initial Remote Desktop Protocol (RDP) event from the SERD Exchange VM server to the SERD AD VM server on 17th May 2023. This is based on the logs that were available and provided to FIRMUS.
   b. SERD Exchange VM server and FW logs from 1-2 months prior to 17th May 2023 are required for further investigation, possibly to identify the actual initial point of attack.
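The caveat in 2a/2b (the 17th May RDP event is only the earliest event in the logs that were provided, so earlier exports are needed before it can be called the initial point of attack) can be built into the triage logic itself. The Python below is an added example for this recap, not FIRMUS or Prasarana tooling: it finds the earliest RDP logon into a named host from Windows Security 4624 records and flags the result when that logon sits at the start of the export's retention window. All host names, accounts, IP addresses and timestamps are constructed sample data, and the flattened field names (Target, TargetUser, Src, SrcHost) are assumptions standing in for the 4624 fields Computer, TargetUserName, IpAddress and WorkstationName.

```python
"""Earliest RDP logon into a host, with a log-retention-boundary check.

Added example; not the assessment's own tooling. Records are constructed
sample data in a flattened key=value form (one event per line). Field names
Target/TargetUser/Src/SrcHost are assumptions standing in for the Windows
Security 4624 fields Computer/TargetUserName/IpAddress/WorkstationName.
"""
from datetime import datetime, timedelta

LOGON_EVENT_ID = "4624"   # successful account logon
RDP_LOGON_TYPE = "10"     # RemoteInteractive, i.e. an RDP session

# Constructed: an export whose oldest record is on 17th May, like the logs the
# recap says were available. The first RDP into SERD-AD is only ~2h after the
# export begins, so it may not be the true initial access.
PROVIDED_LOG = """\
Time=2023-05-17T00:10:00 EventID=4624 LogonType=3 Target=SERD-AD TargetUser=svc_backup Src=10.10.5.20 SrcHost=SERD-BACKUP
Time=2023-05-17T02:31:55 EventID=4624 LogonType=10 Target=SERD-AD TargetUser=admin01 Src=10.10.5.7 SrcHost=SERD-EXCH
Time=2023-05-17T02:33:12 EventID=4624 LogonType=10 Target=SERD-FILE TargetUser=admin01 Src=10.10.5.7 SrcHost=SERD-EXCH
Time=2023-05-17T03:05:40 EventID=4624 LogonType=2 Target=SERD-AD TargetUser=admin02 Src=127.0.0.1 SrcHost=SERD-AD
"""

# Constructed: older records such as a 1-2 month export might contain.
OLDER_LOG = """\
Time=2023-04-01T00:00:12 EventID=4624 LogonType=3 Target=SERD-AD TargetUser=svc_backup Src=10.10.5.20 SrcHost=SERD-BACKUP
Time=2023-05-03T21:14:08 EventID=4624 LogonType=10 Target=SERD-AD TargetUser=admin01 Src=203.0.113.45 SrcHost=UNKNOWN
Time=2023-05-09T11:47:30 EventID=4624 LogonType=10 Target=SERD-EXCH TargetUser=admin01 Src=203.0.113.45 SrcHost=UNKNOWN
"""
EXTENDED_LOG = OLDER_LOG + PROVIDED_LOG


def parse_events(log_text):
    """Parse one record per line of whitespace-separated key=value tokens."""
    events = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = dict(tok.split("=", 1) for tok in line.split())
        rec["Time"] = datetime.fromisoformat(rec["Time"])
        events.append(rec)
    return events


def earliest_rdp_logon(log_text, target_host, boundary_hours=24):
    """Return the earliest RDP (4624 / LogonType 10) logon into target_host.

    at_retention_boundary is True when that logon falls within boundary_hours
    of the oldest record in the export: the "initial" event is then only the
    earliest *retained* one, and older logs are needed before treating it as
    the point of initial access. Returns None for an empty export.
    """
    events = parse_events(log_text)
    if not events:
        return None
    log_starts = min(e["Time"] for e in events)
    rdp = [e for e in events
           if e["EventID"] == LOGON_EVENT_ID
           and e["LogonType"] == RDP_LOGON_TYPE
           and e["Target"].upper() == target_host.upper()]
    if not rdp:
        return {"found": False, "log_starts": log_starts}
    first = min(rdp, key=lambda e: e["Time"])
    return {
        "found": True,
        "time": first["Time"],
        "user": first["TargetUser"],
        "source_ip": first["Src"],
        "source_host": first["SrcHost"],
        "log_starts": log_starts,
        "at_retention_boundary": first["Time"] - log_starts <= timedelta(hours=boundary_hours),
    }


if __name__ == "__main__":
    for label, log in (("provided export", PROVIDED_LOG), ("extended export", EXTENDED_LOG)):
        print(label, earliest_rdp_logon(log, "SERD-AD"))
```

On the constructed 17th May export the earliest RDP into SERD-AD comes from SERD-EXCH and is flagged as sitting at the retention boundary; on the constructed extended export the same query returns an earlier RDP from an external address and the flag clears. That is the difference between "earliest event in the logs we were given" and "initial point of attack", which is why item 2b asks for the older Exchange and FW logs.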
Compromise Assessment (CA) Findings Summary
FIRMUS CA & DFIR Exercise Limitation Summary
FIRMUS Recommendation & Next Action Plan

Next Action Plan:

PRASARANA GDD will arrange an alignment meeting with Rapid Rail and MRTC (working level/operation) on the recommendations for People, Processes and Technology.

Tentative date: this week (TBC)


Draft Cyber Security Assessment Strategy

 #   Assessment Activity                                         KGL   PYL
 1   Scope Definition
       a. Networks
       b. Systems/Applications
       c. Data
 2   Asset Inventory Listing Required During Assessment
       a. Hardware
       b. Software
       c. Data Assets
 3   Identify Stakeholders & PICs
 4   Consultant/Vendor Selection & Appointment
 5   Assessment Timeline
 6   Review Assessment Report Outcome
 7   Identify and Prioritise Assessment Outcome Items
 8   Assessment Rectification Works
 9   Re-assessment After Rectification
10   Produce Cyber Security Health Report for Stakeholders


Draft Cyber Security Assessment Outcome & Enhancement Goals

 #   Assessment Outcome                                          KGL   PYL
 1   Determine Possible Threats
       a. Malware
       b. Insider Threats
       c. Social Engineering
       d. Physical Attacks
 2   Re-examine Security Policies & Procedures
       Verify that they are complete, up to date, and in accordance with industry best practices and regulatory standards.
 3   Access Controls
       Examine the effectiveness of access restrictions such as user authentication, authorisation and privilege management.
 4   Network Security
       Discover possible vulnerabilities; examine network architecture, firewall configurations, intrusion detection and prevention systems, and network segmentation.
 5   Data Protection
       Examine the controls in place to protect sensitive data, such as encryption, data categorisation, data loss prevention and secure data handling processes.
 6   Security Monitoring & Logging
       Examine the security monitoring tools, log management processes and incident detection capabilities. Look for monitoring coverage gaps and opportunities for improvement.
 7   Incident Response
       Examine the incident response plan, including the procedures for identifying, responding to and recovering from security incidents, as well as the PICs for each role.
