Gartner analyses the SingHealth cyber attack: 'Now What?'
With many Singaporeans reeling from the country's worst ever data breach that hit SingHealth and IHiS last week, Gartner research director Sid Deshpande has put together a commentary to address the impact of this serious breach of personal data and what Singapore needs to do to move forward.
1. What happened?
Initial statements from authorities in the aftermath of SingHealth security incident indicate that a front end workstation was compromised, followed by privileged access credentials being used to access a database. Attackers are usually after administrator credentials because these often enable direct access to sensitive data.
Who are these cyber attackers and what do they want?
Medical records contain sensitive data that can be used for identity fraud, insurance fraud or tax fraud. So it is plausible that there was a financial incentive to it. Generally, information contained in medical records is more ‘permanent' than financial information like credit card numbers – so this type of information likely fetches higher payouts on the dark web.
It could also be sponsored by nation states that have interests inimical to Singapore's. Ultimately, the identity of the attackers isn't that important in the bigger picture. Attribution is really difficult as far as security incidents are concerned and resources are better utilized in preventing such incidents from happening in the future rather than trying to accurately pinpoint which group did it.
3. What needs to be done
Incidents like these highlight the importance of having defense in depth, or security controls at various layers of the technology infrastructure. An equal emphasis needs to be applied on application security, endpoint security, data security, web/email security and identity/access management to prevent or reduce the number of security incidents.
Preventative approaches need to be supplemented with good detection and response capabilities. Attackers usually intend to stay dormant in systems to avoid detection and cause further damage, so the fact that the breach was detected this early actually shows that the security teams in this case were actively monitoring systems to detect incidents.
4. What does this major breach signal for a country like Singapore, where the government has already put a strong focus on security?
This breach reinforces the need for a continued focus on operational security best practices. Improving security maturity of a nation and its critical systems is not a one-time activity. Other nations have been affected by bigger breaches so Singapore is not alone in that respect.
One key takeaway is that placing the onus of responsibility on the end users or non-technical staff for poor security is not enough. Security teams need to put in place processes that can mitigate risks associated with intentional and unintentional violation of security best practices by technology users.
5. Balancing Singapore's need to become a Smart Nation and fighting the bands of cyber attackers
Security preparedness needs to be baked into every single digital project initiated by the government and critical industries. There has to be a realization that despite our best efforts, security incidents will happen and 100% prevention is impossible. Therefore, investments need to be made in improving detection and response capabilities, in addition to strengthening prevention.
Limiting the damage after a security incident occurs is critical – this is both in terms of quickly denying attackers access to sensitive resources once the breach has been detected and also in terms of protecting citizens from scams.
In the aftermath of a major breach involving citizen data it is very likely that malicious actors will try to capitalize on the general panic to try to get citizens to reveal even more personal information by way of impersonating authorities over the phone, SMS or email. Therefore, clear communication from authorities are extremely critical.
6. What Singaporeans need to watch out for
The most immediate threats people will face is that of identity fraud, financial fraud and tax fraud. Data contained in healthcare records is more permanent than credit card information for example so citizens need to be alert to scams resulting from social engineering efforts.