Read more at https://www.channelnewsasia.com/news/singapore/singhealth-cyberattack-committee-of-inquiry-hearings-aug-28-10597206
(Updated: )
The Committee of Inquiry (COI) that was convened to look into the cyberattack on SingHealth's IT systems will hold its first hearing on Aug 28.
Expert witnesses will be called upon to give evidence on cybersecurity measures, and the COI will conduct a site visit to SingHealth to be briefed on the network architecture of the affected IT systems.
"The COI will also receive public submissions and will advise the public when and how these submissions should be submitted," said the press release.
--
Posted on:- 20 Jul 2018
Ricky Lim
Protecting IT resources to minimise hacking are not that scary.
1. IT design to segregate back-end oob (out of band) mgt from front end internet fronting (in band) will definitely minimise internet hacking attack of such scale. The reason being, front end (in-band) is internet facing, out-of-band (back end) is segregated from front-end (inband) - and when hackers attack from front-end (in-band) - it cannot get into the back end (out-of-band) as the front end network is separated from back-end network. Breaching the front probably may get access to one or the most a few transactions --- but will not be able to do a mass copy of data - using backend admin with powerful rights.
2. Proactive security incidents and event management of all critical information infrastructure using SIEMs whereby online real-time will trigger alarms and alerts the moment when stealth hacking occurs. Even stealth reconnaissance, the beginning of hacking by probing through network discovery, tcp port scanning, icmp ping, traceroute etc will be picked up.
"The COI will also receive public submissions and will advise the public when and how these submissions should be submitted," said the press release.
--
Posted on:- 20 Jul 2018
Ricky Lim
Protecting IT resources to minimise hacking are not that scary.
1. IT design to segregate back-end oob (out of band) mgt from front end internet fronting (in band) will definitely minimise internet hacking attack of such scale. The reason being, front end (in-band) is internet facing, out-of-band (back end) is segregated from front-end (inband) - and when hackers attack from front-end (in-band) - it cannot get into the back end (out-of-band) as the front end network is separated from back-end network. Breaching the front probably may get access to one or the most a few transactions --- but will not be able to do a mass copy of data - using backend admin with powerful rights.
2. Proactive security incidents and event management of all critical information infrastructure using SIEMs whereby online real-time will trigger alarms and alerts the moment when stealth hacking occurs. Even stealth reconnaissance, the beginning of hacking by probing through network discovery, tcp port scanning, icmp ping, traceroute etc will be picked up.
3. APT advanced persistence threat or maybe dlp (data loss protection) protection can be put in place to filter known, unknown, zero day attack, virtual patching and sandbox unknown but anomaly threat.
4. 2 FA authentication for administrator to be installed for login before allowing management of network device, software, database. Hackers may be able to steal the admin id and password, but without 2FA, hackers cannot administer and manage network device, edit software, access data in database.
5. Remove all remote access by hardening and removing or shutting down all remote access capability to all network devices, software and database. Lockdown and identify dedicated jump host to administer all network devices, software, database by local access workstation or virtual machine that are securely protected. Any other workstation that are not identified as jump host for administration are not allowed to manage and administer supervisor function over the network devices, software and database. Remote management must be disallowed. By doing so, hacker compromising a weak front end workstation will not be able to mass copy the database - as it is not a dedicated jump host and will not be allowed to do so - also a security alarm and alert will be triggered to the sms and email to administrator that can quickly respond to the hacking.
6. Encryption of data storage, encryption key management and encryption of database maybe required. This ensure that even when the data is mass copied by the hackers, the data are encrypted and hackers will take a hard time to decrypt the data.
The above measures are recommended on top and above the below:-
(Assuming that all traditional security measures are put in place like firewall, segregration of web, apps, database, network IPS, host IPS, WAF - web application firewall, vpn ipsec, digital cert, encryption, authentication, directory service, desktop security features like personal firewall, anti-virus, latest security patches etc that have undergone security posture assessment such as BYOD, port authentication, secured shell for admin management, ssl etc have been put in place).
All these will prevent the singhealth APT hacking.
Reply · 1d · Edited
Like · Reply · 1m
Ricky Lim
Ricky Lim
Most important, ensure that in-band (front-end) network must not be routable to the out-of-band (back-end) network.
Ensure this mistake must not be made - else 佛都保不到你。。。。。
Like · Reply · 1m
LikeReply1m
Ricky Lim
Posted on :- 06 Aug 2018 03:17PM (Updated: 06 Aug 2018 03:27PM)
Ricky Lim
He also spoke about the possibility of a virtual browser solution as an alternative to the ISS.
--
Virtual browser solution will be like the VMWare VDI (Virtual Desktop Infrastructure) ThinApp or Citrix thin client - whereby it inherit the following security features :-
(1) It operates with a virtual server.
(2) The virtual server will maintain a golden virtual desktop clone.
(3) When the desktop client login to the virtual server, the virtual server will download a virtual desktop clone to the client.
(4) the virtual desktop client - come with its operating system and web browser - that is logically segregated from the client physical desktop.
(5) It means that users can make use of the virtual client to browse the internet - but any files cannot be saved into the desktop physical client and vice versa.
Thus any attack from the internet via the virtual client will be limited to the virtual client and cannot take over the physical client that connect to the intranet.
(6) When user logout from the virtual server, its virtual client will disappear.
This is a safe approach to browse internet without physical separation from the internet.
Like · Reply · 1m · Edited
Ricky Lim
This is the same concept of :-
色即是空,空即是色。
"Physical is Virtual, Virtual is Physical".
Like · Reply · 1m
Ricky Lim
He also spoke about the possibility of a virtual browser solution as an alternative to the ISS.
--
Virtual browser solution will be like the VMWare VDI (Virtual Desktop Infrastructure) ThinApp or Citrix thin client - whereby it inherit the following security features :-
(1) It operates with a virtual server.
(2) The virtual server will maintain a golden virtual desktop clone.
(3) When the desktop client login to the virtual server, the virtual server will download a virtual desktop clone to the client.
(4) the virtual desktop client - come with its operating system and web browser - that is logically segregated from the client physical desktop.
(5) It means that users can make use of the virtual client to browse the internet - but any files cannot be saved into the desktop physical client and vice versa.
Thus any attack from the internet via the virtual client will be limited to the virtual client and cannot take over the physical client that connect to the intranet.
(6) When user logout from the virtual server, its virtual client will disappear.
This is a safe approach to browse internet without physical separation from the internet.
Like · Reply · 1m · Edited
Ricky Lim
This is the same concept of :-
色即是空,空即是色。
"Physical is Virtual, Virtual is Physical".
Like · Reply · 1m
No comments:
Post a Comment