Gartner analyses the SingHealth cyber attack: 'Now What?'

24 Jul 18

With many Singaporeans reeling from the country's worst ever data breach that hit SingHealth and IHiS last week, Gartner research director Sid Deshpande has put together a commentary to address the impact of this serious breach of personal data and what Singapore needs to do to move forward.

1. What happened?

Initial statements from authorities in the aftermath of the SingHealth security incident indicate that a front-end workstation was compromised, followed by privileged access credentials being used to access a database. Attackers are usually after administrator credentials because these often enable direct access to sensitive data.

2. Who are these cyber attackers and what do they want?

Medical records contain sensitive data that can be used for identity fraud, insurance fraud or tax fraud, so it is plausible that there was a financial incentive behind it. Generally, information contained in medical records is more ‘permanent’ than financial information like credit card numbers – so this type of information likely fetches higher payouts on the dark web.

It could also be sponsored by nation states that have interests inimical to Singapore’s. Ultimately, the identity of the attackers isn’t that important in the bigger picture. Attribution is really difficult as far as security incidents are concerned and resources are better utilized in preventing such incidents from happening in the future rather than trying to accurately pinpoint which group did it.

3. What needs to be done

Incidents like these highlight the importance of defense in depth, or security controls at various layers of the technology infrastructure. Equal emphasis needs to be placed on application security, endpoint security, data security, web/email security and identity/access management to prevent or reduce the number of security incidents.

Preventative approaches need to be supplemented with good detection and response capabilities. Attackers usually intend to stay dormant in systems to avoid detection and cause further damage, so the fact that the breach was detected this early actually shows that the security teams in this case were actively monitoring systems to detect incidents.
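As an added illustration of the detection capability this commentary credits with catching the breach early (this is example code, not something from Gartner, SingHealth or IHiS), the following rule flags the pattern described under "What happened?": a privileged database account logging in from a front-end workstation rather than from an approved administrative host, and a success that follows a run of failed attempts. The account names, IP ranges, log format and log lines are all constructed for the example.

```python
"""Detection rule over constructed database audit lines (added example).

Assumptions (not from the article): privileged accounts are db_admin and
svc_backup, admin jump hosts live in 10.0.50.0/24, and front-end workstations
live in 10.20.0.0/16. Audit lines look like:
    <timestamp> db_login user=<account> src=<ip> result=<ok|fail>
"""
import ipaddress

PRIVILEGED_ACCOUNTS = {"db_admin", "svc_backup"}            # assumed
ADMIN_HOSTS = ipaddress.ip_network("10.0.50.0/24")          # assumed admin VLAN
WORKSTATIONS = ipaddress.ip_network("10.20.0.0/16")         # assumed workstation range

# Constructed sample log: an admin login from the admin VLAN (benign), two
# failures then a success from a workstation, a non-privileged user, a
# privileged login from an address in neither range, and a malformed line.
SAMPLE_LOG = [
    "2018-01-01T10:01:00 db_login user=db_admin src=10.0.50.12 result=ok",
    "2018-01-01T10:05:13 db_login user=db_admin src=10.20.3.44 result=fail",
    "2018-01-01T10:05:20 db_login user=db_admin src=10.20.3.44 result=fail",
    "2018-01-01T10:05:27 db_login user=db_admin src=10.20.3.44 result=ok",
    "2018-01-01T10:07:00 db_login user=clinic_user src=10.20.3.44 result=ok",
    "2018-01-01T10:09:00 db_login user=svc_backup src=192.168.9.9 result=ok",
    "2018-01-01T10:10:00 heartbeat node=db01",
]


def parse_login(line):
    """Parse one audit line into a dict, or return None for anything that is
    not a well-formed db_login record."""
    parts = line.split()
    if len(parts) != 5 or parts[1] != "db_login":
        return None
    fields = {}
    for part in parts[2:]:
        if "=" not in part:
            return None
        key, value = part.split("=", 1)
        fields[key] = value
    try:
        ipaddress.ip_address(fields.get("src", ""))
    except ValueError:
        return None
    return {"ts": parts[0], "user": fields.get("user"),
            "src": fields["src"], "result": fields.get("result")}


def classify_source(event):
    """Return a finding for a privileged login from outside the admin VLAN,
    distinguishing workstations from other unexpected sources; None if benign."""
    if event["user"] not in PRIVILEGED_ACCOUNTS:
        return None
    src = ipaddress.ip_address(event["src"])
    if src in ADMIN_HOSTS:
        return None
    if src in WORKSTATIONS:
        return "privileged account used from workstation"
    return "privileged account used from unexpected source"


def detect(lines, fail_threshold=2):
    """Run both checks over the log. Returns (ts, user, src, reason) tuples."""
    findings = []
    failures = {}  # (user, src) -> consecutive failed attempts so far
    for line in lines:
        event = parse_login(line)
        if event is None:
            continue
        key = (event["user"], event["src"])
        if event["result"] == "fail":
            failures[key] = failures.get(key, 0) + 1
            continue  # single failures are noise; alert on the pattern instead
        reason = classify_source(event)
        if reason:
            findings.append((event["ts"], event["user"], event["src"], reason))
        prior_failures = failures.pop(key, 0)
        if prior_failures >= fail_threshold:
            findings.append((event["ts"], event["user"], event["src"],
                             f"success after {prior_failures} failed attempts"))
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_LOG):
        print(*finding)
```

On the constructed log this yields three findings: the workstation-origin admin login, the same login flagged again as a success after two failures, and the backup account logging in from an address outside both ranges. The rule is deliberately source-based rather than signature-based, which is the kind of check that still fires when the credentials themselves are valid.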

4. What does this major breach signal for a country like Singapore, where the government has already put a strong focus on security?

This breach reinforces the need for a continued focus on operational security best practices. Improving security maturity of a nation and its critical systems is not a one-time activity. Other nations have been affected by bigger breaches so Singapore is not alone in that respect.

One key takeaway is that placing the onus of responsibility on the end users or non-technical staff for poor security is not enough. Security teams need to put in place processes that can mitigate risks associated with intentional and unintentional violation of security best practices by technology users.

5. Balancing Singapore’s need to become a Smart Nation and fighting the bands of cyber attackers

Security preparedness needs to be baked into every single digital project initiated by the government and critical industries. There has to be a realization that despite our best efforts, security incidents will happen and 100% prevention is impossible. Therefore, investments need to be made in improving detection and response capabilities, in addition to strengthening prevention.

Limiting the damage after a security incident occurs is critical – this is both in terms of quickly denying attackers access to sensitive resources once the breach has been detected and also in terms of protecting citizens from scams.

In the aftermath of a major breach involving citizen data, it is very likely that malicious actors will try to capitalize on the general panic to get citizens to reveal even more personal information by impersonating authorities over the phone, SMS or email. Therefore, clear communication from authorities is extremely critical.

6. What Singaporeans need to watch out for

The most immediate threats people will face are identity fraud, financial fraud and tax fraud. Data contained in healthcare records is more permanent than credit card information, for example, so citizens need to be alert to scams resulting from social engineering efforts.
