Tuesday, July 24, 2018

Internet separation 'could and should have' been implemented in public healthcare system: DPM Teo
Read more at https://www.channelnewsasia.com/news/singapore/internet-separation-should-have-been-implemented-teo-chee-hean-10558584

Ricky Lim
Internet surfing separation “could and should have” been implemented in the public healthcare system, just as it had been done in the public sector, according to Deputy Prime Minister and Coordinating Minister for National Security Teo Chee Hean.
---
Posted on:- 20 Jul 2018

Ricky Lim
This sounds like an Advanced Persistent Attack (APT) - hijacking a legitimate workstation through remote access, stealing the password (at least the administrator password of the database) and doing a sweeping copy of the database, e.g. via SQL.

SingHealth's network infrastructure, which runs independently, seems to be independent from the Ministry's, and may lack the security rigour of the more protected IT infra.
Ricky Lim
He disclosed that front-end devices at SingHealth were capable of thwarting “ordinary, run-of-the-mill” attacks. They had existing antivirus and anti-intrusion software that could keep out “many of such attempts”.

Internet surfing separation “could and should have” been implemented in the public healthcare system, just as it had been done in the public sector, according to Deputy Prime Minister and Coordinating Minister for National Security Teo Chee Hean.
If those steps had been taken, the "cyber kill-chain" for the hacker would have been disrupted and the surface area exposed to the attack would have been reduced, Mr Teo added.

However, the Internet-linked workstations used by thousands of users from the medical and academic community provided a large “attack surface” for the “sophisticated and persistent intruder”, he said.

Mr Teo revealed that the intruders managed to circumvent security barriers in the "intermediate layer that manages and screens user requests from the outer user layer to access IT database servers".

As a result, the attacker was able to gain access into a segment of the database and obtain and exfiltrate the data to overseas servers, Mr Teo said.
---
Posted on:- 20 Jul 2018

Ricky Lim
Protecting IT resources to minimise hacking is not that scary.
1. An IT design that segregates back-end OOB (out-of-band) management from the front-end internet-facing (in-band) side will definitely minimise internet hacking attacks of such scale. The reason being, the front end (in-band) is internet facing and the out-of-band (back end) is segregated from the front end (in-band) - so when hackers attack from the front end (in-band), they cannot get into the back end (out-of-band), as the front-end network is separated from the back-end network. Breaching the front end may get access to one or at most a few transactions - but it will not be possible to do a mass copy of data using a back-end admin with powerful rights.

2. Proactive security incident and event management of all critical information infrastructure, online and in real time, will trigger alarms and alerts the moment stealth hacking occurs. Even stealth reconnaissance, the beginning of hacking by probing through network discovery, TCP port scanning, ICMP ping, traceroute etc., will be picked up.

3. APT (advanced persistent threat) protection, or maybe DLP (data loss protection), can be put in place to filter known, unknown and zero-day attacks, apply virtual patching, and sandbox unknown but anomalous threats.

4. 2FA authentication for administrators, to be installed for login before allowing management of network devices, software and databases. Hackers may be able to steal the admin ID and password, but without 2FA, hackers cannot administer and manage network devices, edit software, or access data in the database.

5. Remove all remote access by hardening and removing or shutting down all remote access capability to all network devices, software and databases. Lock down and identify a dedicated jump host to administer all network devices, software and databases via a local access workstation or virtual machine that is securely protected. Any other workstation not identified as a jump host for administration is not allowed to manage and administer supervisor functions over the network devices, software and databases. Remote management must be disallowed. By doing so, a hacker compromising a weak front-end workstation will not be able to mass copy the database, as it is not a dedicated jump host and will not be allowed to do so; also, a security alarm and alert will be triggered via SMS and email to the administrator, who can quickly respond to the hacking.

6. Encryption of data storage, encryption key management and encryption of the database may be required. This ensures that even when the data is mass copied by the hackers, the data is encrypted and the hackers will have a hard time decrypting it.

The above measures are recommended on top of and above the below:-
(Assuming that all traditional security measures are put in place, like firewall, segregation of web, apps and database, network IPS, host IPS, WAF (web application firewall), VPN IPsec, digital certs, encryption, authentication, directory service, desktop security features like personal firewall, anti-virus, latest security patches etc., and that these have undergone security posture assessment, such as BYOD, port authentication, secure shell for admin management, SSL etc. have been put in place.)

All these will prevent the SingHealth APT hacking.

Ricky Lim
Most important, ensure that the in-band (front-end) network is not routable to the out-of-band (back-end) network.

Ensure this mistake is not made - else even the Buddha cannot protect you.....
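The rule above (in-band must never be routable to out-of-band) can be checked mechanically against a firewall policy. The following is an added example written for this page, not Ricky Lim's code and not any SingHealth or IHiS configuration; the address plan (10.10.0.0/16 as the in-band workstation network, 10.200.0.0/24 as the out-of-band management network, 10.200.0.10 as the only jump host) and both rule sets are constructed for illustration. It shows the weak policy with an "any to management" rule beside the hardened one, evaluates sample flows first-match, and flags every allow rule that lets a front-end address reach the back end.

```python
"""Added example: first-match firewall policy check that the in-band (front-end)
network cannot reach the out-of-band (back-end) network.
Address plan and rules are constructed for illustration (assumptions)."""
import ipaddress

# Constructed address plan (assumed for this example, not SingHealth's).
FRONT_END = ipaddress.ip_network("10.10.0.0/16")    # in-band: internet-facing user workstations
BACK_END = ipaddress.ip_network("10.200.0.0/24")    # out-of-band: management and DB admin interfaces
JUMP_HOST = ipaddress.ip_network("10.200.0.10/32")  # the only host allowed to administer the back end

# A rule is (action, src_cidr, dst_cidr, dst_port); port None means any port.
# Rules are evaluated top-down, first match wins, default deny.
WEAK_RULES = [
    ("allow", "10.10.0.0/16", "10.20.0.0/24", 443),    # workstations -> web tier: fine
    ("allow", "0.0.0.0/0", "10.200.0.0/24", None),     # "any -> management": the mistake
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]

HARDENED_RULES = [
    ("allow", "10.10.0.0/16", "10.20.0.0/24", 443),
    ("allow", "10.200.0.10/32", "10.200.0.0/24", 22),  # only the jump host, only SSH
    ("deny", "10.10.0.0/16", "10.200.0.0/24", None),   # explicit in-band -> out-of-band deny
    ("deny", "0.0.0.0/0", "0.0.0.0/0", None),
]


def evaluate(rules, src, dst, port):
    """Decide one flow (src ip, dst ip, dst port) by first match; default deny."""
    src_ip = ipaddress.ip_address(src)
    dst_ip = ipaddress.ip_address(dst)
    for action, s, d, p in rules:
        if (src_ip in ipaddress.ip_network(s)
                and dst_ip in ipaddress.ip_network(d)
                and (p is None or p == port)):
            return action
    return "deny"


def segmentation_violations(rules):
    """Return (reason, rule) for every allow rule into the back-end network whose
    source either overlaps the in-band network (front end can reach back end)
    or is not confined to the designated jump host."""
    findings = []
    for rule in rules:
        action, s, d, _ = rule
        src, dst = ipaddress.ip_network(s), ipaddress.ip_network(d)
        if action != "allow" or not dst.overlaps(BACK_END):
            continue
        if src.overlaps(FRONT_END):
            findings.append(("front_end_reaches_back_end", rule))
        elif not src.subnet_of(JUMP_HOST):
            findings.append(("admin_source_not_jump_host", rule))
    return findings


if __name__ == "__main__":
    for name, rules in (("weak", WEAK_RULES), ("hardened", HARDENED_RULES)):
        print(name, "violations:", segmentation_violations(rules))
        print(name, "workstation -> DB admin port 1433:",
              evaluate(rules, "10.10.5.23", "10.200.0.50", 1433))
        print(name, "jump host -> DB host SSH:",
              evaluate(rules, "10.200.0.10", "10.200.0.50", 22))
```

Run it as a script to see the weak policy let a workstation reach the database admin port while the hardened policy denies it and still admits the jump host over SSH. The overlap test deliberately catches "any" sources (0.0.0.0/0), which is how this rule is most often broken in practice: not by an explicit front-end-to-back-end allow, but by a catch-all management rule.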
Posted on:- 20 Jul 2018

Ricky Lim
(1) An APT is a highly sophisticated stealth hacking technique that not a single hacker or a group of hackers can pull off.
It requires a large pool of very skilful hackers who are familiar with virtually all network devices, security devices, computer devices, OSes, system software, security measures, applications, databases, TCP/IP, remote access, encryption, decryption etc.
Only State resources of easily 50 or 100 or 1000 or more varied experts in the respective specialised areas can pull off such a sophisticated and targeted attack without being detected.

(2) Also notice that out of hundreds, thousands or even millions of such varied IT resources, servers, equipment, application software, system software etc., this group of hackers managed to identify just one weak workstation through reconnaissance (without detection), break its password, take control of it remotely via Remote Desktop Protocol or another form of remote control, and hack into the database by breaking the database admin password.

(3) You have to note that for every device, server, system software or security device, you will need an expert in that hardware and software to be able to break its security and know how it stores records and stores its security logs, so that they can skilfully remove all the digital footprint or security trace of their illegal access.

If there are a few hundred specialised IT hardware and software products, you will easily require at least a few hundred experts in the respective fields to break through and clean up.

If this is not a State-sponsored hacking attack (committing the full national resources of IT experts), do you think a disparate few expert hackers can pull off such an attack?

E.g. you will need:-
(1) a router expert - and there are so many types of routers out there, e.g. Cisco routers, Juniper routers, Alcatel routers etc. - you will need to know each and every command, its security features, how it logs its security traces etc., and how to break its security to gain access and take it over as the administrator to control and manage it.

(2) a firewall expert - Juniper firewall, Cisco firewall, WAF firewall, Palo Alto firewall etc. - same thing, you need to have experts in each type of firewall to break it.

(3) an OS expert - Unix expert, Linux expert, Windows expert etc. - and you need an expert in each OS.

(4) a database expert - e.g. Oracle expert, MS SQL database expert, DB II expert etc.

(5) Host IPS expert - e.g. Symantec SCSP Host IPS, Trend Micro host IPS etc.

(6) L2/L3 LAN switch expert - e.g. Cisco expert, Alcatel expert, Huawei expert etc.

(7) Cloud - e.g. VMware, Amazon, MS Azure, HP cloud, IBM cloud etc.

(8) Wireless LAN - e.g. Cisco WLAN, Alcatel WLAN etc.

(9) Programming languages - e.g. Python, C programming, C++, Java etc.

(10) SIEM - e.g. HP ArcSight, Symantec etc.

(11) APT - e.g. FireEye, Palo Alto, Trend Micro etc.

(12) DLP - e.g. Symantec DLP, Trend Micro DLP etc.

(13) Storage systems - e.g. IBM Storage Subsystem, HP storage, HDS etc. - SCSI, FC, FCoE etc.

(14) SAN switches - e.g. Brocade, Cisco MDS SAN switch etc.

(15) Hyperconverged - e.g. Nutanix etc.

(16) Servers - e.g. Dell, IBM, HP etc.

etc. etc. etc. --- do I still need to go on listing?????

etc. etc. etc.

Can anyone claim he is an expert in everything listed here?

If not a State-sponsored national pool of all IT experts congregating here ---- which hackers can be so "EXPERT", so "POWERFUL", as to pull off an APT?

Ricky Lim
No "ONE" person will ever acquire the "Expert" knowledge of everything.

Unless he is a "Buddha" or a "God"?

Haziq Rosli
Why call it a 'public healthcare system' if it's not part of the 'public sector'?

All those machines should have already been cut off from the internet in 2016.
Ricky Lim
Some hospitals are:-
"The Government has restructured all its acute hospitals and specialty centres to be run as private companies wholly-owned by the government. This is to enable the public hospitals to have the management autonomy and flexibility to respond more promptly to the needs of the patients."
-- They are not really "public sector", and thus are not covered under the Ministry's stringent protected IT infra.

They can decide on how they plan, design and operate their IT infra.
Ricky Lim
But with the setting up of CSA in 2015, motion has been set in place to monitor 11 economic sectors that have been identified as the nation's CII (Critical Information Infrastructure).

The healthcare group is identified as 1 of the 11 CII to be monitored, but probably had yet to come in before the SingHealth hacking.

But priority has been allotted to more critical services, such as banking and critical national infra that would cripple our economy, to be put under CII first.
Ricky Lim
Bear in mind, when an economic sector is identified as CII to come under monitoring, even private sector enterprises are involved, not only Government-related enterprises.

Private sector enterprises will have very different ways of implementing their IT, and to get them on board is a very massive challenge.

Public sector enterprises' IT infrastructure is more standardised across the board, thus easier to implement.

Private sector enterprises' IT infrastructure will have very challenging diversity, coming in all shapes, sizes, standards and patterns, more than badminton.

To get all of them on board is a massive operation.

You are talking about millions of IT devices, infrastructure, systems and software, not only for the public sector but also the private sector.

You will have to involve many talents, resources, surveys, meetings, connectivities etc. to get everyone on board.

Every enterprise will have to add to or modify their existing systems to get on board, and this cannot be done overnight.
Unker Will
There should be an immediate alert as soon as there is some unauthorised attempt to hack into the system repeatedly, and it should trigger the system to auto shut down. Is that not the basic requirement for any server? Looks like in this case, it depended on some personnel to detect or notice and determine whether it was a cyber attack or not, and it took way too long!
Freddy Chin
We are not sure how the IHiS database administrator detected the intrusion. Maybe... just a guess... he found out that someone had used his credentials to log in to the database at unearthly hours when he was not there... Also I would think that detection using AI has not been implemented widely in the infrastructure yet.
Ricky Lim
Host IPS, if installed, would have detected the illegal access and triggered the alarm.

But if the admin user ID and password are cracked, then using the valid admin user ID and password would not have triggered an alarm, as that is legitimate access with supervisor rights.

But illegitimate hacking by reconnaissance, anomaly, or illegal manoeuvring (e.g. network discovery, TCP scanning, ICMP ping, traceroute etc.) within the network, e.g. bypassing the web -> apps -> database path, would have triggered alarms by the firewall, IPS, host IPS or SIEM (Security Incident and Event Management) if they are installed and properly deployed.

Ricky Lim
When the DPM mentions:-
"He disclosed that front-end devices at SingHealth were capable of thwarting “ordinary, run-of-the-mill” attacks. They had existing antivirus and anti-intrusion software that could keep out “many of such attempts”."

--- DPM Teo seems to know his stuff.
He is referring to the installation of Host IPS (Intrusion Prevention System) to detect illegal cracking of user ID and password, i.e. multiple logins to break the password, where the OS, if properly configured according to corporate security policies, would have detected the multiple attempts, locked out the account and alerted the IT administrator.

Also anti-virus software, to prevent planting of malware, spyware or viruses.

And a personal firewall, which if properly configured would have detected illegal attempts to take over the workstation using remote desktop access, a dangerous function that should be disabled.

This is a corporate desktop policy that is normally enforced on all workstations, mobile devices and wireless devices when connected to the corporate network, failing which they will not be able to access the corporate network, as they will fail the security posture assessment and be thrown into a quarantine VLAN rather than an authenticated VLAN.
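Three of the controls discussed in this thread are detection rules: point 2 of the six measures (real-time SIEM alarms on reconnaissance such as port scanning), point 5 (an alert when administration is attempted from anything other than the dedicated jump host), and the account lockout after repeated failed logins described just above. The block below is an added example written for this page, not Ricky Lim's code and not IHiS or SingHealth telemetry; the key=value log format, the sample lines, the 60-second window, the thresholds (5 failures, 10 distinct ports) and the addresses (10.200.0.0/24 as the back-end network, 10.200.0.10 as the jump host) are all constructed assumptions. It parses the sample lines and fires each alert once, in the order the evidence appears.

```python
"""Added example: a small SIEM-style detector over constructed log lines.
Raises (a) a lockout alert after repeated failed logins, (b) a recon alert
when one source touches many ports in a short window, and (c) an alert when
an admin login to the back-end network does not come from the jump host.
Log format, thresholds and addresses are assumptions for this example."""
import ipaddress
import re
from collections import defaultdict, deque
from datetime import datetime

BACK_END = ipaddress.ip_network("10.200.0.0/24")  # out-of-band management network (constructed)
JUMP_HOSTS = {"10.200.0.10"}                      # only permitted admin source (constructed)
WINDOW_SECONDS = 60        # sliding window for both counters
FAIL_THRESHOLD = 5         # failed logins per (source, user) before lockout
SCAN_PORT_THRESHOLD = 10   # distinct destination ports per source before recon alert

# Constructed sample log lines (not real telemetry): "<ISO timestamp> key=value ..."
SAMPLE_LOGS = """
2018-07-20T02:13:01 src=10.10.5.23 dst=10.200.0.50 event=auth_fail user=dbadmin
2018-07-20T02:13:04 src=10.10.5.23 dst=10.200.0.50 event=auth_fail user=dbadmin
2018-07-20T02:13:08 src=10.10.5.23 dst=10.200.0.50 event=auth_fail user=dbadmin
2018-07-20T02:13:11 src=10.10.5.23 dst=10.200.0.50 event=auth_fail user=dbadmin
2018-07-20T02:13:15 src=10.10.5.23 dst=10.200.0.50 event=auth_fail user=dbadmin
2018-07-20T02:13:20 src=10.10.5.23 dst=10.200.0.50 event=admin_login user=dbadmin
2018-07-20T02:20:00 src=10.10.5.23 dst=10.200.0.51 event=connect port=21
2018-07-20T02:20:01 src=10.10.5.23 dst=10.200.0.51 event=connect port=22
2018-07-20T02:20:02 src=10.10.5.23 dst=10.200.0.51 event=connect port=23
2018-07-20T02:20:03 src=10.10.5.23 dst=10.200.0.51 event=connect port=25
2018-07-20T02:20:04 src=10.10.5.23 dst=10.200.0.51 event=connect port=80
2018-07-20T02:20:05 src=10.10.5.23 dst=10.200.0.51 event=connect port=110
2018-07-20T02:20:06 src=10.10.5.23 dst=10.200.0.51 event=connect port=135
2018-07-20T02:20:07 src=10.10.5.23 dst=10.200.0.51 event=connect port=139
2018-07-20T02:20:08 src=10.10.5.23 dst=10.200.0.51 event=connect port=443
2018-07-20T02:20:09 src=10.10.5.23 dst=10.200.0.51 event=connect port=445
2018-07-20T09:00:00 src=10.200.0.10 dst=10.200.0.50 event=admin_login user=dbadmin
"""

LINE_RE = re.compile(r"^(\S+)\s+(.*)$")


def parse(lines):
    """Yield one dict per well-formed line; malformed lines are skipped."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        try:
            ts = datetime.fromisoformat(m.group(1))
        except ValueError:
            continue  # first token is not a timestamp: not one of our lines
        fields = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
        fields["ts"] = ts
        yield fields


def _trim(window, now, key=lambda item: item):
    """Drop entries older than WINDOW_SECONDS from the left of a deque."""
    while window and (now - key(window[0])).total_seconds() > WINDOW_SECONDS:
        window.popleft()


def detect(lines):
    """Return a list of (alert_kind, source_ip, detail) in the order they fire."""
    alerts = []
    failures = defaultdict(deque)   # (src, user) -> timestamps of failed logins
    ports = defaultdict(deque)      # src -> (timestamp, dst_port) of connections
    for ev in parse(lines):
        ts, src, kind = ev["ts"], ev.get("src", "?"), ev.get("event")
        if kind == "auth_fail":
            q = failures[(src, ev.get("user"))]
            q.append(ts)
            _trim(q, ts)
            if len(q) == FAIL_THRESHOLD:   # fires once, when the threshold is reached
                alerts.append(("lockout", src,
                               f"{FAIL_THRESHOLD} failed logins for {ev.get('user')}"))
        elif kind == "connect":
            q = ports[src]
            q.append((ts, int(ev.get("port", 0))))
            _trim(q, ts, key=lambda item: item[0])
            if len({p for _, p in q}) == SCAN_PORT_THRESHOLD:
                alerts.append(("port_scan", src,
                               f"{SCAN_PORT_THRESHOLD} distinct ports within {WINDOW_SECONDS}s"))
        elif kind == "admin_login":
            if ipaddress.ip_address(ev["dst"]) in BACK_END and src not in JUMP_HOSTS:
                alerts.append(("admin_from_non_jump_host", src, f"admin login to {ev['dst']}"))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOGS.splitlines()):
        print(alert)
```

On the sample lines this yields three alerts from the compromised workstation 10.10.5.23 (lockout, admin login from a non-jump host, port scan) and nothing for the later legitimate admin login from the jump host. The third rule is the one that still fires when the attacker already holds a valid admin password, which is exactly the case the comments above say host IPS alone would not catch.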

Ricky Lim
Similarly, the database server or virtual machine should also have similar security features to the workstation, i.e. host IPS, OS security protection, firewall protection and anti-virus software protection, to detect illegal multiple attempts to break the database server or virtual machine admin password.

In addition, database security would also have detected illegal multiple attempts to break the supervisor password.

That is why the hackers are very skilful and highly sophisticated to be able to break all those - if those security measures are in place ---- almost unimaginable --- without triggering an alarm or getting locked out.

Ricky Lim
To summarise, if all the above security measures are implemented, the hacking will not be successful; otherwise, with just one or a few vulnerabilities, the hacking can get through.

But if the front-end internet-facing side is properly segregated from the back end, even without the above security, internet hackers cannot get through - unless it is an inside job.
Unker Will
Ricky Lim, that is why I thought so too. I am not an IT expert but I can imagine that there must be something to lock out the system with all these high-tech security systems in place. Thanks!!!
