Read more at https://www.channelnewsasia.com/news/singapore/singhealth-cyberattack-internet-surfing-delinked-all-public-10555094
(Updated: )
Ricky Lim
Temporary Internet Surfing Separation (ISS) - one of the measures used to step up security following the cyberattack on SingHealth's IT system - has been implemented at the National Healthcare Group (NHG) and National University Health System (NUHS), the health ministry said in a press release on Monday (Jul 23).
In addition to ISS, other measures that have been put in place to improve IT security include additional controls on workstations and servers, reset of user and systems accounts, and the installation of additional system monitoring controls on IT systems, according to MOH's release.
---
Posted on:- 20 Jul 2018
Ricky Lim
Protecting IT resources to minimise hacking are not that scary.
1. IT design to segregate back-end oob (out of band) mgt from front end internet fronting (in band) will definitely minimise internet hacking attack of such scale. The reason being, front end (in-band) is internet facing, out-of-band (back end) is segregated from front-end (inband) - and when hackers attack from front-end (in-band) - it cannot get into the back end (out-of-band) as the front end network is separated from back-end network. Breaching the front probably may get access to one or the most a few transactions --- but will not be able to do a mass copy of data - using backend admin with powerful rights.
2. Proactive security incidents and event management of all critical information infrastructure online real-time will trigger alarms and alerts the moment when stealth hacking occurs. Even stealth reconnaissance, the beginning of hacking by probing through network discovery, tcp port scanning, icmp ping, traceroute etc will be picked up.
3. APT advanced persistence threat or maybe dlp (data loss protection) protection can be put in place to filter known, unknown, zero day attack, virtual patching and sandbox unknown but anomaly threat.
4. 2 FA authentication for administrator to be installed for login before allowing management of network device, software, database. Hackers may be able to steal the admin id and password, but without 2FA, hackers cannot administer and manage network device, edit software, access data in database.
5. Remove all remote access by hardening and removing or shutting down all remote access capability to all network devices, software and database. Lockdown and identify dedicated jump host to administer all network devices, software, database by local access workstation or virtual machine that are securely protected. Any other workstation that are not identified as jump host for administration are not allowed to manage and administer supervisor function over the network devices, software and database. Remote management must be disallowed. By doing so, hacker compromising a weak front end workstation will not be able to mass copy the database - as it is not a dedicated jump host and will not be allowed to do so - also a security alarm and alert will be triggered to the sms and email to administrator that can quickly respond to the hacking.
6. Encryption of data storage, encryption key management and encryption of database maybe required. This ensure that even when the data is mass copied by the hackers, the data are encrypted and hackers will take a hard time to decrypt the data.
The above measures are recommended on top and above the below:-
(Assuming that all traditional security measures are put in place like firewall, segregration of web, apps, database, network IPS, host IPS, WAF - web application firewall, vpn ipsec, digital cert, encryption, authentication, directory service, desktop security features like personal firewall, anti-virus, latest security patches etc that have undergone security posture assessment such as BYOD, port authentication, secured shell for admin management, ssl etc have been put in place).
All these will prevent the singhealth APT hacking.
Reply · 1d · Edited
In addition to ISS, other measures that have been put in place to improve IT security include additional controls on workstations and servers, reset of user and systems accounts, and the installation of additional system monitoring controls on IT systems, according to MOH's release.
---
Posted on:- 20 Jul 2018
Ricky Lim
Protecting IT resources to minimise hacking are not that scary.
1. IT design to segregate back-end oob (out of band) mgt from front end internet fronting (in band) will definitely minimise internet hacking attack of such scale. The reason being, front end (in-band) is internet facing, out-of-band (back end) is segregated from front-end (inband) - and when hackers attack from front-end (in-band) - it cannot get into the back end (out-of-band) as the front end network is separated from back-end network. Breaching the front probably may get access to one or the most a few transactions --- but will not be able to do a mass copy of data - using backend admin with powerful rights.
2. Proactive security incidents and event management of all critical information infrastructure online real-time will trigger alarms and alerts the moment when stealth hacking occurs. Even stealth reconnaissance, the beginning of hacking by probing through network discovery, tcp port scanning, icmp ping, traceroute etc will be picked up.
3. APT advanced persistence threat or maybe dlp (data loss protection) protection can be put in place to filter known, unknown, zero day attack, virtual patching and sandbox unknown but anomaly threat.
4. 2 FA authentication for administrator to be installed for login before allowing management of network device, software, database. Hackers may be able to steal the admin id and password, but without 2FA, hackers cannot administer and manage network device, edit software, access data in database.
5. Remove all remote access by hardening and removing or shutting down all remote access capability to all network devices, software and database. Lockdown and identify dedicated jump host to administer all network devices, software, database by local access workstation or virtual machine that are securely protected. Any other workstation that are not identified as jump host for administration are not allowed to manage and administer supervisor function over the network devices, software and database. Remote management must be disallowed. By doing so, hacker compromising a weak front end workstation will not be able to mass copy the database - as it is not a dedicated jump host and will not be allowed to do so - also a security alarm and alert will be triggered to the sms and email to administrator that can quickly respond to the hacking.
6. Encryption of data storage, encryption key management and encryption of database maybe required. This ensure that even when the data is mass copied by the hackers, the data are encrypted and hackers will take a hard time to decrypt the data.
The above measures are recommended on top and above the below:-
(Assuming that all traditional security measures are put in place like firewall, segregration of web, apps, database, network IPS, host IPS, WAF - web application firewall, vpn ipsec, digital cert, encryption, authentication, directory service, desktop security features like personal firewall, anti-virus, latest security patches etc that have undergone security posture assessment such as BYOD, port authentication, secured shell for admin management, ssl etc have been put in place).
All these will prevent the singhealth APT hacking.
Reply · 1d · Edited
No comments:
Post a Comment