Tuesday, September 11, 2018

Public invited to give recommendations following SingHealth cyberattack
Read more at https://www.channelnewsasia.com/news/singapore/singhealth-cyberattack-data-breach-public-give-recommendations-10704422


Ricky Lim
"Recommending ways to better protect SingHealth’s patient database system against similar attacks, and suggesting measures to reduce the risk of such cybersecurity attacks on public sector IT systems."
---
PROTECTION OF PUBLIC WEB SERVICE AND WEB ACCESS


Posted on:- 20 Jul 2018

Ricky Lim
Protecting IT resources to minimise hacking is not that scary.
1. An IT design that segregates back-end OOB (out-of-band) management from the front-end internet-facing (in-band) network will definitely minimise internet hacking attacks of such scale. The reason being, the front end (in-band) is internet facing, while the out-of-band (back end) is segregated from the front end (in-band) - and when hackers attack from the front end (in-band), they cannot get into the back end (out-of-band), as the front-end network is separated from the back-end network. Breaching the front end may probably get access to one or at the most a few transactions --- but will not be able to do a mass copy of data using a back-end admin with powerful rights.

2. Proactive security incident and event management of all critical information infrastructure using SIEMs, whereby online real-time monitoring will trigger alarms and alerts the moment stealth hacking occurs. Even stealth reconnaissance, the beginning of hacking by probing through network discovery, TCP port scanning, ICMP ping, traceroute etc., will be picked up.

3. APT (advanced persistent threat) protection or maybe DLP (data loss protection) can be put in place to filter known, unknown and zero-day attacks, with virtual patching and sandboxing of unknown but anomalous threats.

4. 2FA authentication for administrators to be installed for login before allowing management of network devices, software and databases. Hackers may be able to steal the admin ID and password, but without 2FA, hackers cannot administer and manage network devices, edit software or access data in the database.

5. Remove all remote access by hardening and removing or shutting down all remote access capability to all network devices, software and databases. Lock down and identify a dedicated jump host to administer all network devices, software and databases from a local access workstation or virtual machine that is securely protected. Any other workstation that is not identified as a jump host for administration is not allowed to manage and administer supervisor functions over the network devices, software and databases. Remote management must be disallowed. By doing so, a hacker compromising a weak front-end workstation will not be able to mass copy the database - as it is not a dedicated jump host and will not be allowed to do so - and a security alarm and alert will also be triggered via SMS and email to the administrator, who can quickly respond to the hacking.

6. Encryption of data storage, encryption key management and encryption of the database may be required. This ensures that even when the data is mass copied by the hackers, the data is encrypted and hackers will have a hard time decrypting the data.

The above measures are recommended on top and above the below:-
(Assuming that all traditional security measures are put in place, like firewall, segregation of web, apps and database, network IPS, host IPS, WAF - web application firewall, VPN IPsec, digital certs, encryption, authentication, directory service, desktop security features like personal firewall, anti-virus, latest security patches etc., and that these have undergone security posture assessment, and that BYOD controls, port authentication, secure shell for admin management, SSL etc. have been put in place.)

All these will prevent the SingHealth APT hacking.
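Points 2 and 5 above (SIEM alerting on reconnaissance, and admin access only from a dedicated jump host) can both be expressed as detection rules over firewall logs. The following is an added example, not code from the original comment or from any SingHealth system; the log format, network ranges, jump-host address and thresholds are all assumed.

```python
import re
from collections import defaultdict
from ipaddress import ip_address, ip_network

# Assumed layout (hypothetical): back-end (out-of-band) network, the one
# approved jump host, and the admin ports only the jump host may use.
BACKEND_NET = ip_network("10.20.0.0/16")
JUMP_HOSTS = {ip_address("10.99.0.10")}
ADMIN_PORTS = {22, 3389, 1433, 3306}

# Constructed sample firewall log lines (assumed "epoch src= dst= dport= action=" format).
SAMPLE_LOGS = """\
100 src=203.0.113.7 dst=10.10.0.5 dport=21 action=deny
101 src=203.0.113.7 dst=10.10.0.5 dport=22 action=deny
102 src=203.0.113.7 dst=10.10.0.5 dport=23 action=deny
103 src=203.0.113.7 dst=10.10.0.5 dport=80 action=allow
104 src=203.0.113.7 dst=10.10.0.5 dport=443 action=allow
105 src=203.0.113.7 dst=10.10.0.5 dport=445 action=deny
130 src=10.10.0.5 dst=10.20.0.8 dport=1433 action=allow
131 src=10.99.0.10 dst=10.20.0.8 dport=22 action=allow
"""
LINE_RE = re.compile(r"^(\d+) src=(\S+) dst=(\S+) dport=(\d+) action=(\w+)$")

def parse_logs(text):
    """Parse log lines into event dicts, skipping malformed lines."""
    events = []
    for m in (LINE_RE.match(line.strip()) for line in text.splitlines()):
        if m:
            t, src, dst, port, action = m.groups()
            events.append({"t": int(t), "src": ip_address(src),
                           "dst": ip_address(dst), "dport": int(port), "action": action})
    return events

def detect_port_scans(events, min_ports=5, window=60):
    """Flag (src, dst) pairs that probe >= min_ports distinct ports within window seconds."""
    hits = defaultdict(list)
    for e in events:
        hits[(e["src"], e["dst"])].append((e["t"], e["dport"]))
    alerts = []
    for (src, dst), probes in hits.items():
        probes.sort()  # sliding window over time-ordered probes
        for i, (t0, _) in enumerate(probes):
            ports = {p for t, p in probes[i:] if t - t0 <= window}
            if len(ports) >= min_ports:
                alerts.append((str(src), str(dst), len(ports)))
                break
    return alerts

def detect_admin_off_jump_host(events):
    """Flag admin-port traffic into the back-end network from any host but the jump host."""
    return [(str(e["src"]), str(e["dst"]), e["dport"]) for e in events
            if e["dst"] in BACKEND_NET and e["dport"] in ADMIN_PORTS
            and e["src"] not in JUMP_HOSTS]
```

On the constructed sample, the first rule flags the internet host probing six ports of the web front end, and the second flags the web front end itself opening a database admin port on the back end, which is exactly the lateral step the jump-host rule is meant to stop.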

Ricky Lim
Most important, ensure that the in-band (front-end) network must not be routable to the out-of-band (back-end) network.

Ensure this mistake is not made - else even Buddha cannot protect you.....

PROTECTION OF STAFF INTERNET SURFING

Posted on :- 06 Aug 2018 03:17PM (Updated: 06 Aug 2018 03:27PM)

Ricky Lim
He also spoke about the possibility of a virtual browser solution as an alternative to the ISS.
--
A virtual browser solution will be like the VMware VDI (Virtual Desktop Infrastructure) ThinApp or Citrix thin client - whereby it inherits the following security features :-
(1) It operates with a virtual server.
(2) The virtual server will maintain a golden virtual desktop clone.
(3) When the desktop client logs in to the virtual server, the virtual server will download a virtual desktop clone to the client.
(4) The virtual desktop client - which comes with its own operating system and web browser - is logically segregated from the client's physical desktop.
(5) It means that users can make use of the virtual client to browse the internet - but no files can be saved onto the physical desktop client, and vice versa.
Thus any attack from the internet via the virtual client will be limited to the virtual client and cannot take over the physical client that connects to the intranet.
(6) When the user logs out from the virtual server, the virtual client will disappear.

This is a safe approach to browse the internet without physical separation from the internet.

Ricky Lim
This is the same concept of :-
"Form is emptiness, emptiness is form."
"Physical is Virtual, Virtual is Physical".

Ricky Lim
It should be noted that :-
(1) The virtual server that dishes out virtual clients to the desktop users should be hosted in a public DMZ, protected by the following slew of security measures :-
a. Firewall - where the ACL filters inbound and outbound internet traffic, restricted to the public DMZ only and not allowed to enter the intranet.
b. SSL decryptor - to decrypt web content to allow for deep packet inspection.
c. APT (Advanced Persistent Threat) protection - to perform virtual patching for zero-day attacks, deep inspection of content, application and user, sandbox detonation for unknown threats, and to flag, display and alert on known threats.
d. Full web reverse proxy, and forward proxy.
e. WAF - Web Application Firewall to protect against SQL injection and cross-site scripting.
f. IPS - Intrusion Prevention System to monitor, detect, alert, respond and protect against known and unknown threats.

Ricky Lim
Recommending measures to enhance "incident response plans",
---
(1) Put SingHealth under the CII (Critical Information Infrastructure) plan.
- Install a SIEM with agent and agentless collection across the SingHealth network infrastructure.
- Install a central logger to collect all syslog and security logs.
- 24x7x365 security monitoring.
- SMS and email alerts for security incidents and events.

(2) Disconnect web front-end access from back-end access (apps and database access) upon detection of a security breach attempt. This is to prevent hackers from accessing the back end and database. If possible, redirect the hacker's access into a "honeypot".

(3) Monitor illegal access between the Internet and the web front end - to trace and track hackers.
Collect forensic information.

(4) Inform the public of the security breach - when sufficient information is collected.

Ricky Lim
SingHealth is under a "state-sponsored attack" - from an actor which has IT resources multiple times those of Singapore.

Thus there is a need to pool all the best IT brains available - whether it is R&D, service providers, local enterprises, foreign enterprises, vendors, SMEs, etc. that have the expertise to provide ideas and suggest solutions to prevent future attacks.
Francis Ong
This type of highly technical area and they are getting public feedback? Seriously, what are we paying millions for? Morons?? Imagine a kopi uncle or aunty giving feedback on suggestions on how to prevent cyber hacking ..... "upgrade" to use a 555 "notebook" to keep records...
Jive Jones
Why does the authority now believe that the ordinary public will have more knowledge than the overpaid scholars to come up with solutions? If anybody is so talented and skilful as to have any solution, what makes you think s/he will provide it for free? The gov often tells us there is no free lunch, so how can they themselves expect a free lunch? I can give you one foolproof solution though: disconnect all computer systems from the internet. This way you can never get hacked. Now pay me my million-dollar consultation fees!

Joseph Nathan
When the information of 1.5 million patients was stolen from SingHealth, our government quickly assured Singaporeans that they were working on the matter to prevent another similar breach.

It was a major setback for our Smart Nation initiative and further threatened to undermine all of our investment & effort to tap on technology to power future public administration as envisioned by our leaders.

When this article was published by Nikkei Asian Review last month, naming the Chinese as being the mastermind behind our breach, I find it strange that there was no media follow-up. Is there any truth or falsehood in the article?

The mention that "stolen medical information could be used to blackmail prominent politicians or business leaders who have embarrassing conditions such as sexually transmitted diseases" sounds troubling to me.

Hope this cyber-hack and the repeal of 337A are not related, otherwise it can lead to even more speculation.

It is always better to hear some official clarifications on all these matters.

https://asia.nikkei.com/.../Suspected-China-cyberhack-on...
Justice Lee
Have the hackers been arrested & charged in Court? If no, why?
Whyboon Yeo
The hackers could be made up by you know who
Whyboon Yeo
Aiyah mai kay kay lah dun just use this issue to deviate from the many issues that have pop up lately hor. Who knows maybe they just throw some bogeyman in to stir for sympathy lor and escape answering to citizens queries.
Christopher Mathew Stephenson
Paid all that money. And this is their solution.
Khin Maung Nyein
If we list down tech-savvy people's names first & narrow it down with some criteria to trace their involvement in the localised processes in the past few months, it would give some idea. Perhaps some of them might have already left the country by now. However, it may be worth doing to clear some doubts.
Whyboon Yeo
And they are paying themselves almost 7 to 9 months' bonuses with all these screw-ups?
用李
Info of who attacked us cannot be shared with Singaporeans?

We cannot complete our defence for the next round while pushing to open up our network?

We do not have the ability to counter-attack the attacker?

There is basically nothing we can do. Maybe remove the PM's data from the system, as it looks like it only wanted his info? Someone mighty had sold state secrets out. I didn't even know the PM's data was in there till the news broadcast it.
William Loh
Don't you find it a bit strange to solicit recommendations from the public even before the COI committee has done the complete investigation? They have the CSA at their disposal and their job is to come up with good recommendations to prevent a similar attack. If we sustain another major attack, then we know who is not doing a good job!
William Loh
The internal working of the computer network system requires the internal people to come up with effective control measures, because they are the people who know the system well. If the public were to give recommendations, then we might get questions on how we got access to the privileged or classified information to solve the specific loopholes in cybersecurity. I won't be surprised if anyone would get into trouble after giving the recommendations.
Lucas Lim Hk
The best way to alleviate one's lack of talent in preventive provision is to seek recommendations from the general public? We employed talented people to ask everybody for advice?? No wonder this talented group of people would rather be in the civil service than in the private sector.
Petjay Catarbas
I wish the public were also given the opportunity to share thoughts on whether to return CPF monies to members when they retire.
This cyber security thingy needs expert consultation and needs to be paid for.
Paid so much and still want a free lunch?
Li Wen Rong
Highly paid wayang kings, giving EXPERT new meanings. So many 张三丰.
Paul Tan
1. Just make sure everything is encrypted. The latest IBM machine encrypts everything and you should consider it; it will not be cheap.
2. Perform data sharding to distribute data into many nodes in the cloud.
3. Also make sure that you thoroughly scrutinise the profiles of all IT personnel, including those of the vendors.
4. Don't hire any person whose country is involved in state-sponsored hacking and espionage; you know which countries.
5. Access to computing resources and data should be granted on a need-to-know basis.
6. Vendor rotation is important. Best is to in-source, not outsource, as outsourcing contracts could be complicated due to cross-border issues.