Lack of cybersecurity awareness, weak passwords, unpatched software, staff who fell prey to phishing attacks and an IT team that could not even identify a security incident, let alone mitigate it. These are just some of the fundamental shortcomings that left the back door open to the worst data breach in Singapore’s history.
Between late June and early July 2018, state-sponsored hackers breached SingHealth’s Sunrise Clinical Management (SCM) database with a “deliberate, targeted and well planned” cyber attack. The attack accessed the data of approximately 1.5 million patients, including that of Prime Minister Lee Hsien Loong.
A subsequent report, published Thursday, January 3rd, 2019, described state-sponsored hackers involved in last year’s cyber-attack, on SingHealth, as “skilled and sophisticated,” with commonalties matching “state-linked cyber attackers who conduct extended, carefully planned cyber campaigns, to steal information or disrupt operations.”
“The attackers had a clear goal in mind, namely, the personal and outpatient medication data of Prime Minister in the main, and also that of other patients,” the report describes.
The report acknowledges that the attacker, although stealthy, was not “silent” and signs of the attack were observed by IHiS staff. Notwithstanding their observations, IHiS employees were unable to recognize and correlate that an attack was taking place, and had they been able to make the connection, and take the appropriate actions; the attackers could have been stopped long before they were successful.
Hence, despite the attackers being “sophisticated,” the Committee of Inquiry (COI) said, the data breach could have been prevented if not for “a blanket of middle-management mistakes” at IHiS, Singapore’s central IT agency for the healthcare sector.
For example, a middle manager of cybersecurity at IHiS had misunderstandings of what constitutes a cyber-security incident and delayed reporting the network invasions out of concern that additional pressure would be put on him and his team.
The 454-page report highlights five key findings:
Integrated Health Information Systems (IHiS) staff did not have adequate levels of cybersecurity awareness, training and resources to appreciate the security implications of their findings and to respond effectively to the attack.
Certain IHiS staff, holding key roles in IT security incident response and reporting failed to take the appropriate, effective or timely action resulting in multiple missed opportunities to prevent the theft and exfiltration of data.
There were many vulnerabilities, weaknesses and misconfigurations in the SingHealth network and SCM system that contributed to the attacker’s success in obtaining and extracting the data, most of which, could have been remedied before the attack.
The attackers were skilled and sophisticated in their attack, bearing the telling characteristics of an Advanced Persistent Threat group.
Where cyber defenses will be completely impenetrable, especially from Advanced Persistent Threat breaching their networks, the success of the attackers in obtaining and extracting the data was NOT inevitable.
The report extends to recommend several steps the healthcare provider should take to plug the gaps, much of its suggested remedies, ironically, already should have been part of the standard security practices for an essential services provider, including careful maintenance of “an enhanced security structure”, improving staff awareness to detect and respond to cyber-attacks, and the need to perform cybersecurity system checks.
The Committee of Inquiry (COI) summarized a total of sixteen key recommendations, including seven Priority Recommendations, these include:
An enhanced security structure and readiness must be adopted by IHiS and Public Health Institutions.
The cyber stack must be reviewed to assess if it is adequate to defend and respond to advanced threats.
Staff awareness on cybersecurity must be improved to enhance capacity to prevent, detect, and respond to security incidents.
Enhanced security checks must be performed, especially on Critical Information Infrastructure (CII) systems.
Privileged administrator accounts must be subject to tighter control and greater monitoring.
Incident response processes must be improved for a more effective response to cyber-attacks.
Partnerships between industry and government to achieve a higher level of collective security.
Additional Recommendations Include: IT security risk assessments (penetration testing) and audit processes must be treated seriously and carried out regularly.
First and foremost, the committee noted that “an enhanced security structure and readiness” must be implemented by IHIS and all public health institutions, incorporating a “defence-in-depth” methodology, and policies and procedures to tackle existing gaps in security. “Cybersecurity must be viewed as a risk management issue and not merely a technical issue,” it noted.
Privileged admin accounts must be subject to tighter controls and greater monitoring. These should include upholding an inventory of administrative accounts and the use of two-factor authentication when executing any administrative tasks. Password policies also should be implemented, and enforced, for both domain and local accounts. In addition, employee’s cybersecurity awareness must be improved so they may assist in the prevention, detection, and response to security incidents.
Lastly, there also should be routine security checks, and these should include regular vulnerability assessments, safety reviews and certification of vendor products, as well as regular penetration testing.
When to Perform a Penetration Test
Ideally, organizations should be performing penetration testing at least annually to ensure consistent security. In addition to this, penetration tests may also be performed when an organization:
Adds network infrastructure or applications.
Makes upgrades or modifications to its application or infrastructure.
Establishes new office locations.
Applies new end-user policies.
Our mission to continually stay on top of current threats and vulnerabilities has helped distinguish our testing from our competitors. Often, firms will try to commoditize security testing by performing automated testing (VA scans) with little benefit to the client. Our methodology only begins with automated testing. Thereafter, our extensive experience allows us to manually uncover high-risk vulnerabilities which are often missed by conventional testing methodologies.
We mandate training and continually learn and adopt new attack techniques for our clients. We are always digging deeper to uncover vulnerabilities that may have been overlooked. Our mission is to maintain the fact that not one of our clients have been breached by a vulnerability we’ve missed; we take this very seriously.