Friday, July 20, 2018

Singapore health system hit by ‘most serious breach of personal data’ in cyberattack; PM Lee's data targeted

A total of 1.5 million SingHealth patients’ non-medical personal data were stolen, while 160,000 of those had their dispensed medicines’ records taken too, according to MCI and MOH.
Read more at https://www.channelnewsasia.com/news/singapore/singhealth-health-system-hit-serious-cyberattack-pm-lee-target-10548318
The vendors which develop the software and database should be sued, together with the vendor that provides the infrastructure.
Are you suggesting suing Microsoft, Cisco, Oracle, Symantec etc.?
I think this is crazy because IT security is not a product or software per se.
It is also about design, implementation, user usage etc.

You notice that a workstation is compromised to gain access.
The moment you sue as what you suggest, those vendors will sue you back.

I do not believe this is a state sponsored attack. What is so important about Singapore on the world stage? It is only a little red dot. Just bluffing oneself in search of a reason. It is just an ordinary hacker trying to steal data. Since they are in, they might as well look at our PM out of curiosity. Simple as that.
(1) An APT is a highly sophisticated stealth hacking technique that neither a single hacker nor a group of hackers can pull off.
It requires a large pool of very skillful hackers who are familiar with virtually all network devices, security devices, computer devices, OS, system software, security measures, applications, databases, TCP/IP, remote access, encryption, decryption etc.
Only a State's resources of easily 50 or 100 or 1000 or more varied experts in the relevant specialised areas can pull off such a sophisticated and targeted attack - without being detected.

(2) Also notice that out of hundreds, thousands or even millions of such varied IT resources, servers, equipment, application software, system software etc. - this group of hackers managed to identify just one weak workstation through reconnaissance (without detection) - to break its password, take control of it remotely via remote desktop protocol or another form of remote control, and hacked into the database by breaking the database admin password.

(3) You have to note that for every device, server, system software or security device - you will need an expert in each piece of hardware and software to be able to break its security, and to know how they store records and their security logs - so that they can skillfully remove all the digital footprint or security trace of their illegal access.

If there are a few hundred specialised IT hardware and software products - you will easily require at least a few hundred experts in the respective fields to break through and clean up.

If this is not a State Sponsored hacking attack (committing a full nation's resources of IT experts) - do you think a disparate few expert hackers can pull off such an attack?

Eg. you will need :-
(1) a router expert - and there are so many types of routers out there - e.g. Cisco routers, Juniper routers, Alcatel routers etc. - you will need to know each and every command, its security features, how it logs its security traces etc. and how to break its security to gain access and take it over as the administrator to control and manage it.

(2) a firewall expert - juniper firewall, cisco firewall, WAF firewall, palo alto firewall, etc - same thing you need to have experts in each type of firewall to break it.

(3) an OS expert - unix expert, linux expert, windows expert etc - and you need expert in each OS.

(4) a database expert - eg. Oracle expert, MS SQL database expert, DB2 expert etc.

(5) Host IPS expert - eg. Symantec SCSP Host IPS, Trend Micro host IPS etc.

(6) L2/L3 LAN switches expert - eg. Cisco expert, Alcatel expert, Huawei expert etc.


(7) Cloud - eg. VMware, Amazon, MS Azure, HP cloud, IBM cloud etc

(8) Wireless LAN - eg. Cisco WLAN, Alcatel WLAN etc

(9) Programming languages - eg. Python, C programming, C++, Java etc.


(10) SIEM - eg. HP Arcsight, Symantec etc.

(11) APT - eg. Fireeye, Palo Alto, Trend Micro etc.

(12) DLP - eg. Symantec DLP, Trend Micro DLP etc.

(13) Storage system - eg. IBM Storage Subsystem, HP storage, HDS, etc - SCSI, FC, FCOE etc.

(14) SAN switch - eg. Brocade , Cisco MDS SAN switch etc.

(15) Hyperconverged - eg. Nutanix etc

(16) Server - eg. dell, ibm, hp, etc

etc etc etc --- do i still need to go on listing ?????

etc etc etc

Anyone can claim he is an expert in everything listed here?

If not a State Sponsored National resources of all IT experts congregate here ---- which hackers can be so "EXPERT", so "POWERDERFUL" to pull off an APT?

No "ONE" person will ever acquire the "Expert" knowledge of everything.

Unless he is a "Buddha" or a "God"?
Gen Huang
Ricky Lim .... How about CONSULTANT! I suspect you're an IT Consultant.
Gen Huang - Ha ha ha ha ha ......
"Bodhi originally has no tree" is one line of the famous four-line verse by Master Huineng, the Sixth Patriarch of Chan Buddhism in China. It means that all conditioned things are like dreams, illusions, bubbles and shadows, and teaches people not to cling to delusion, so that they can see their own nature clearly and realise bodhi for themselves.

"Everything is Nothing but a dream" ......

Where Emptiness is Form.
And Form is Emptiness.

What is Virtual is Physical.
What is Physical is Virtual.
Oliver Weng
Person-in-charge of Cybersecurity,
please resign from your post asap ..
Do Singaporeans have the right to say that those affected can sue SingHealth or MOH for failing to safeguard personal data? Do we stand a chance of winning a case against the gahmen? Will MOH / SingHealth compensate those affected?
John Low
You can sue anyone any time. First you need to spend a lot of money to engage a lawyer, and the quality matters. The chance is that before you reach the court, it would likely be thrown out, as it would most likely be viewed as a waste of court time.
Oliver Weng
John Low .. meaning gov can sue you, you cannot sue gov ... Only the officials may set fires; the common people may not even light lamps.
Oliver Weng - I think you can sue the hackers who stole the data if you can prove it. But to prove it will require highly sophisticated forensic evidence of the digital footprint.
You will need not only capable lawyers who are conversant with IT tech and all its technical intricacies. You will also need a slew of IT experts to support your forensic evidence of the digital footprint to ensure you can successfully prosecute the hackers.


Because most of the digital footprint is not readable by normal people - as it is bits and bytes, technical jargon such as IP address, MAC address, URL, source address, destination address, network address resolution, TCP ports, encryption keys, encryption algorithms, digital certificates, SQL, index, field, files, database 1st normal form, 2nd normal form, MPLS, OSPF, VPN IPsec, ARP etc. ---- are you familiar with those terms, and can your lawyer present them to the Judge to successfully prosecute the hackers?

You can't sue IT vendors who have put in a "limited liability" clause - when they sell their products.

Government also can't be sued (based on practices worldwide) for cyber hacking, based on research.
The most difficult part is, you will have plenty of problems proving that if certain security measures are deployed - the system will be invincible - and data will never be lost. (Because no IT expert that you employ to support you - will ever put his neck on the line to say this). So I wonder how you will win your lawsuit against the Government as long as the Government can prove that it has done the best within reasonable means to protect the data.

This is especially so if the Government has done reasonable job of using security to protect the data.


An analogy: the Government has used a metal lock to lock the cabinet.
But a thief comes in, breaks open the lock with pliers and steals your data.
Then you challenge the Government in Court, saying that the Government has not used a strong enough security measure to lock the cabinet to protect my data - that is why the Government is liable for your data loss.
Then the Government says, what security measure do you think is enough?
You say my security expert says we must use a lock plus a long metal chain to chain the cabinet, which will be a good security measure.
Then the Government challenges you: what happens if the thief brings a blowtorch to break the chain and pliers to break the lock - then does that mean security is enough and the Government cannot be sued?
Then you say, my security expert tells me to use an armor-proof cabinet, which will be good security.
Then the Government says, if the thief uses C4 explosive to blow up the armor-proof cabinet and steal your data, is it good enough?
Then where is the end?
You will definitely lose your lawsuit.


It is not a case of "only the officials may set fires while the common people may not even light lamps".

Even if you were allowed to do whatever you wanted, you would still be at your wits' end and powerless to face them in court.


The Court, the Judge only look at evidence and strong argument in their judgement.

If what Adam Png said is true that there is no way to prevent cyberattacks on our system, then the authorities have to consider seriously whether using so much confidential data to push ahead with the so-called Smart Nation concepts is a wise thing to do. Perhaps all it takes may be just a highly gifted, disgruntled and rebellious lone wolf, not necessarily state-sponsored cyber intrusions, to potentially bring down our systems. If there are no solid safeguards in place to protect our confidential data, how could we trust the people in charge of them? We do not want to hear any more sorries because sorry no cure ... our confidential data have been compromised and it is up to our imagination to think what the perpetrator(s) could do with our information. Very scary indeed!
Ricky Lim
This is akin to saying, when a man is robbed once in the street, he vows to stay at home, not to work, not to eat, not to play, to avoid being robbed again, and then dies of hunger.

The economy will quickly decelerate, the digital economy will go into limbo and many people will lose their jobs if we go back to paper and pen.

IT, telecom, banks, online retail, manufacturing, logistics, govt services, transport - every sector of the economy will sink multiple fold.
We can go back to farming and hawking.

Many companies will come after you. microsoft, google, apple, banks, etc...
Ricky Lim
Kids that cannot play on Instagram, YouTube, online computer games, and political leaders who cannot use Facebook will come after you.

Ladies and gentlemen who like to shop online on Lazada, Alibaba, Amazon, Carousell, Qoo10 etc. will come after you.

People who cannot do online banking, e-commerce, book travel online, book hotels, logistics, do online courses etc. will come after you.

Online social media addicts like you and me who like to solve national problems and world problems, and some who like to air their personal grievances about policies or their personal problems, will come after you.
Protecting IT resources to minimise hacking is not that scary.
1. IT design to segregate back-end OOB (out-of-band) management from front-end Internet-facing (in-band) will definitely minimise internet hacking attacks of such scale. The reason being, the front end (in-band) is Internet-facing, the out-of-band (back end) is segregated from the front end (in-band) - and when hackers attack from the front end (in-band) - they cannot get into the back end (out-of-band) as the front-end network is separated from the back-end network. Breaching the front probably may get access to one or at most a few transactions --- but will not be able to do a mass copy of data - using a backend admin with powerful rights.

2. Proactive security incident and event management of all critical information infrastructure, online and in real time, will trigger alarms and alerts the moment stealth hacking occurs. Even stealth reconnaissance, the beginning of hacking by probing through network discovery, TCP port scanning, ICMP ping, traceroute etc., will be picked up.

3. APT (advanced persistent threat) protection, or maybe DLP (data loss protection), can be put in place to filter known, unknown and zero-day attacks, apply virtual patching, and sandbox unknown but anomalous threats.

4. 2FA authentication for administrators to be installed for login before allowing management of network devices, software and databases. Hackers may be able to steal the admin ID and password, but without 2FA, hackers cannot administer and manage network devices, edit software or access data in the database.

5. Remove all remote access by hardening and removing or shutting down all remote access capability to all network devices, software and databases. Lock down and identify dedicated jump hosts to administer all network devices, software and databases by local-access workstations or virtual machines that are securely protected. Any other workstations that are not identified as jump hosts for administration are not allowed to manage and administer supervisor functions over the network devices, software and databases. Remote management must be disallowed. By doing so, a hacker compromising a weak front-end workstation will not be able to mass copy the database - as it is not a dedicated jump host and will not be allowed to do so - also a security alarm and alert will be triggered via SMS and email to the administrator, who can quickly respond to the hacking.

6. Encryption of data storage, encryption key management and encryption of the database may be required. This ensures that even when the data is mass copied by the hackers, the data are encrypted and the hackers will have a hard time decrypting the data.

The above measures are recommended on top of and above the below:-
(Assuming that all traditional security measures are put in place, like firewall, segregation of web, apps and database tiers, network IPS, host IPS, WAF - web application firewall, VPN IPsec, digital certificates, encryption, authentication, directory service, desktop security features like personal firewall, anti-virus, latest security patches etc., that these have undergone security posture assessment, and that BYOD controls, port authentication, secure shell for admin management, SSL etc. have been put in place.)

All these will prevent the SingHealth APT hacking.
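As an added example, not code from the original post or from any commenter, the following Python script shows how three of the controls in the six-point list above (point 2, alerting on reconnaissance such as port scanning; point 4, 2FA for administrators; point 5, allowing database administration only from dedicated jump hosts) can be expressed as simple SIEM-style correlation rules run over log lines. The log format, host names, IP addresses, the jump-host list and the scan threshold are all constructed for this example.

```python
"""Minimal SIEM-style correlation over constructed syslog-like lines (added example).

Three rules, mirroring points 2, 4 and 5 of the comment above:
  * PORT_SCAN: one source hits >= SCAN_THRESHOLD distinct destination ports
    within SCAN_WINDOW (reconnaissance that should raise an alert).
  * ADMIN_FROM_NON_JUMP_HOST / BULK_EXPORT_FROM_NON_JUMP_HOST: database admin
    activity from a workstation that is not a designated jump host.
  * ADMIN_LOGIN_WITHOUT_2FA: a successful admin login with no second factor.
Host names, addresses, the log format and thresholds are all assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log lines: a workstation probes the DB server, then logs in
# as the DB admin without 2FA and exports the table; later a legitimate admin
# logs in from the jump host with 2FA.
SAMPLE_LOGS = """\
2018-07-04T02:14:01 fw01 CONNECT src=10.20.5.77 dst=10.30.1.10 dport=22 action=deny
2018-07-04T02:14:02 fw01 CONNECT src=10.20.5.77 dst=10.30.1.10 dport=23 action=deny
2018-07-04T02:14:03 fw01 CONNECT src=10.20.5.77 dst=10.30.1.10 dport=135 action=deny
2018-07-04T02:14:04 fw01 CONNECT src=10.20.5.77 dst=10.30.1.10 dport=445 action=deny
2018-07-04T02:14:05 fw01 CONNECT src=10.20.5.77 dst=10.30.1.10 dport=1433 action=allow
2018-07-04T02:20:10 db01 LOGIN user=dbadmin src=10.20.5.77 mfa=no result=success
2018-07-04T02:21:00 db01 EXPORT user=dbadmin src=10.20.5.77 rows=1500000
2018-07-04T03:00:00 db01 LOGIN user=dbadmin src=10.40.0.5 mfa=yes result=success
"""

JUMP_HOSTS = {"10.40.0.5"}           # assumed: the only hosts allowed to administer db01
SCAN_THRESHOLD = 5                   # distinct destination ports from one source ...
SCAN_WINDOW = timedelta(seconds=60)  # ... within this sliding window

LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+) (?P<kv>.*)$")


def parse_line(line):
    """Parse '<iso-ts> <host> <EVENT> k=v k=v ...' into a dict, or None if malformed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = {"ts": datetime.fromisoformat(m["ts"]), "host": m["host"], "event": m["event"]}
    for pair in m["kv"].split():
        key, _, value = pair.partition("=")
        rec[key] = value
    return rec


def correlate(log_text):
    """Run the three rules over the log text; return a list of (rule, src, ts)."""
    alerts = []
    recent_ports = defaultdict(list)  # src -> [(ts, dport), ...] inside the window
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        src = rec.get("src")
        if rec["event"] == "CONNECT":
            window = recent_ports[src]
            window.append((rec["ts"], rec["dport"]))
            # keep only entries that fall inside the sliding window
            window[:] = [(t, p) for t, p in window if rec["ts"] - t <= SCAN_WINDOW]
            if len({p for _, p in window}) >= SCAN_THRESHOLD:
                alerts.append(("PORT_SCAN", src, rec["ts"]))
                window.clear()  # one alert per burst
        elif rec["event"] == "LOGIN" and rec.get("result") == "success":
            if src not in JUMP_HOSTS:
                alerts.append(("ADMIN_FROM_NON_JUMP_HOST", src, rec["ts"]))
            if rec.get("mfa") != "yes":
                alerts.append(("ADMIN_LOGIN_WITHOUT_2FA", src, rec["ts"]))
        elif rec["event"] == "EXPORT" and src not in JUMP_HOSTS:
            alerts.append(("BULK_EXPORT_FROM_NON_JUMP_HOST", src, rec["ts"]))
    return alerts


if __name__ == "__main__":
    for rule, src, ts in correlate(SAMPLE_LOGS):
        print(f"{ts.isoformat()} {rule} src={src}")
```

Run stand-alone, the script prints four alerts for the constructed input: the port-scan burst, the admin login from a non-jump-host without 2FA (two rules fire), and the bulk export from that same workstation; the later login from the jump host with 2FA is silent. The point is the one the comment makes: the compromised workstation is caught at the recon stage and again at the admin-access stage, independently of whether the admin password was stolen.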

Ricky Lim
(1) We cannot stop being a Smart Nation - because in our Economy every sector is using IT pervasively, not only as an enabler of business but also as a very part of the business - for without it business cannot take place.

If this hacking stops us from becoming a Smart Nation - it means it has successfully brought our Economy down - and made every Singaporean poorer, businesses lose money, people lose jobs.

(2) We cannot sue our Government over the hacking - because it will prevent the civil service from coming out with ideas to employ and deploy IT pervasively to boost our Economy via IT and to open up new areas to create business and jobs.

Civil servants in order to save themselves will stop and delay implementing new IT services - to prevent them from being sued.

(3) We can help to minimise our chances of being hacked - by improving IT security as best as we can - and to counter any challenges posed by the hackers.

(4) Singaporeans must also be measured and careful in our response, support our Government, and not create internal disharmony or anyhow "shoot", "sue", "discredit" our Government - as this is exactly what hackers want Singaporeans to do - by launching a virtual "cyber sneak attack" to bring our Government down - without committing a physical army to do so.

(5) At this point in time, we must be unified and muster together to prevent hackers from bringing our Government down, our Economy down, our Country down - and not let the hackers succeed in this virtual invasion and virtual war.

This is a war but a virtual one........

That is why social media psychological defence is so important, to ensure all the above can be salvaged without succumbing to the after-effects of the cyberattacks.

(6) We can and must think of a way to muster the National IT resources, talents and expertise collectively as a whole - to protect, secure and defend our National IT resources in every sector of the Economy.

One way is through the pet project SOC CII security monitoring, detection, response, protection and prevention.

More also can be done once the above all CII sectors are in place - by actively auditing, grading each and every sector's IT infrastructure's security readiness like the hawker centre environment status :- eg. A, B, C etc. (my suggestion lah.......) - so different grade will be put under different security structure in the CII etc. --- so that centralised security hub can have different class of IT protection based on A grade, B grade, C grade ..... (howdee ????)

This in effect become a fortress National Intranet segregated from front-end Internet facing Internet Public DMZ .........

So the ingress from Internet will be only "logically 1 conduit gateway" --- where a slew of security deep packet inspection, content scanning, intrusion prevention, advanced persistent threat scanning, sensor, alarms, alerts etc technologies can be employed to monitor, detect, response and protect against cyber hacking........

food for thought leh ...........

Legend :- CII - Critical Information Infrastructure
McKhay Han
Ricky Lim For one you got it right, there's no guarantee of zero attacks, not even for a disconnected system. It's rather how fast a system can detect and react to it.

An entire attack including wiping clean the digital footprint can be achieved in a matter of seconds (the actual attack excluding the infiltration process, depending on attack type - this is based on a defacement attack). For this scenario, which includes exporting a large number of database records, it would take a lot longer, but still it's pretty fast.

Also, like Ozy Lee pointed out, security has to be by design, and besides the infrastructure don't forget that people are also part of the system, and people are the most challenging part of the security design.

Here's the thing: a lot of the time it's known there are potential security weaknesses, but that isn't equal to having action in place; in a lot of contexts convenience "wins".
Ricky Lim
McKhay Han - You mention that "An entire attack including wiping clean the digital footprint can be achieved in a matter of seconds" - this may not be true.

(1) When an activity takes place, a network device, security device, app, database etc. will usually log the activity in a syslog (or system log) - normally an ASCII or text file.
(a) Archiving or piping into a syslog server - is not a given if during implementation such a function is not planned ahead. Even if this is planned ahead, archiving of syslog files into the syslog server happens at the end of the day, when it collects all the syslog records of the entire system.
It does not archive in a matter of seconds.
(b) For syslog records not archived to a syslog server, they will accumulate on the various system devices - and old records may be overwritten, or the devices may even run out of disk space.
(c) If you are saying all syslog records will be backed up - that is also wrong.
Backups are normally scheduled for backing up user data and files - not system files like syslog.
(d) For illegal activities such as hacking, each device may log the illegitimate activities in other log files such as access logs, security logs, temp logs, internet temp logs, security violation logs etc.

All these logs will not be piped or archived into the syslog server.

Normally if SIEMs are used to monitor illegal or hacking activities - they will have planted agents (or agentless collectors) into individual devices - which will be able to pick up illegal activities from all these security logs as well as from syslog and archive them into the central loggers - so that the SIEMs can correlate all these logs to detect suspected hacking activities.


For eg. hackers when trying to penetrate into the database, they will have to break into a router from the internet, a L2 switch, a firewall, an IPS, a core switch, an edge switch, a workstation (take over a workstation), hacked through the various layers of firewall to reach the server and the database.

Imagine how many devices they will have to hack through clean up all the various digital footprint in the various devices (which can be hundreds of logs?) and ensuring it did not trigger any alarms or alerts by the firewall, IPS etc who are configure to detect illegal hacking activities and copy out all the data from the database?

If not "powerderful" highly skilled hackers --- how to pull off such an APT attack?

Ricky Lim
To summarise,
(1) it is possible for hackers to clean up the digital footprint - in the network, apps, database, OS - before it is archived into the syslog server - and even if archived into the syslog server, hackers can hack into the syslog server to remove all the syslog records.
Unless the archiving of the syslog activities happens in the out-of-band backend and not the front-end (in band) where the hackers hack in.

(2) as for security devices such as IPS, or maybe firewall, not to mention SIEMs (which are designed to trigger alerts and alarms on illegal hacking from periodic polling and pulling of security logs) - alarms and alerts will be triggered the moment correlation of suspected activities determines that a hacking has taken place.
Hackers may not be able to react fast enough to prevent this from happening.
Also SIEM functions have many "sensors", which happen in the back-end (out of band), not in-band where the hackers come in, and are well protected, thus it may not be possible for hackers to disable SIEM detection and reporting of hacking activities.

So public does not need to fear, to panic - it is not true that IT systems are indefensible.

It is how to do it, do it correctly, and do not be complacent .........
Don't be afraid, there is Jinbao......
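As an added example, not code from the original post or from any commenter, the following Python sketch shows the defensive idea behind point (1) of the summary above and the earlier remarks about end-of-day syslog archiving: if each device forwards every record to an out-of-band collector the moment it is written, and each record is hash-chained to its predecessor, then deleting or editing a record on the compromised device is detectable, and the collector still holds the original. By contrast, an end-of-day batch archive only copies whatever is left on the device by then. The event strings, the collector and the batch archiver are constructed for this example; this illustrates the technique, not any particular SIEM or syslog product.

```python
"""Tamper-evident, immediately forwarded audit log (added example, not the
original post's code). Each record on the device commits to its predecessor
via a SHA-256 chain and is sent to an out-of-band collector as soon as it is
written. Compare with an end-of-day batch archive, which copies whatever is
left on the device at close of day. All event text is constructed."""
import hashlib

GENESIS = "0" * 64  # hash value that the first record chains to


def _digest(prev_hash, seq, message):
    """Hash of (previous hash, sequence number, message)."""
    h = hashlib.sha256()
    h.update(prev_hash.encode())
    h.update(str(seq).encode())
    h.update(message.encode())
    return h.hexdigest()


class ChainedLog:
    """Append-only local log on a device (router, DB server, ...)."""

    def __init__(self):
        self.records = []

    def append(self, message):
        prev = self.records[-1]["hash"] if self.records else GENESIS
        seq = len(self.records)
        rec = {"seq": seq, "msg": message, "hash": _digest(prev, seq, message)}
        self.records.append(rec)
        return rec


def verify_chain(records):
    """Return (True, None) if the chain is intact, else (False, seq of first break)."""
    prev = GENESIS
    for expected_seq, rec in enumerate(records):
        if rec["seq"] != expected_seq or rec["hash"] != _digest(prev, expected_seq, rec["msg"]):
            return False, expected_seq
        prev = rec["hash"]
    return True, None


class RealtimeCollector:
    """Out-of-band collector: stores each record the moment it is forwarded."""

    def __init__(self):
        self.records = []

    def receive(self, rec):
        self.records.append(dict(rec))  # copy, so device-side edits cannot touch it
        return verify_chain(self.records)[0]


def batch_archive(device):
    """End-of-day archive: copies whatever still exists on the device."""
    return [dict(r) for r in device.records]


def demo():
    """Attacker wipes a local record after the fact; compare what each archive kept."""
    device = ChainedLog()
    collector = RealtimeCollector()
    for event in ("port scan from 10.20.5.77",        # constructed events
                  "dbadmin login from 10.20.5.77",
                  "bulk export of patient table"):
        collector.receive(device.append(event))     # forwarded as soon as written
    del device.records[1]                           # attacker removes the login trace
    archived_at_eod = batch_archive(device)         # batch copy happens only now
    device_ok, first_bad = verify_chain(device.records)
    return {
        "device_chain_ok": device_ok,               # False: the gap is detectable
        "first_bad_seq": first_bad,                 # 1: where the chain breaks
        "collector_chain_ok": verify_chain(collector.records)[0],
        "collector_records": len(collector.records),  # 3: nothing lost
        "batch_records": len(archived_at_eod),        # 2: login trace already gone
    }


if __name__ == "__main__":
    print(demo())
```

The chain makes a deletion or edit on the device show up as a broken link at a known sequence number, which is itself a signal worth alerting on; the real-time collector keeps the complete record because it sits where the attacker's in-band access does not reach, which is exactly the out-of-band placement the comment argues for.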

Ricky Lim
Most important, ensure that in-band (front-end) network must not be routable to the out-of-band (back-end) network.

Ensure this mistake is not made - else even the Buddha cannot protect you......
