Lessons learned from the SingHealth Data Breach COI Report
•
4 likes•1,226 views
16 recommendations for better cybersecurity, digested from the 454 page COI (Committee of Inquiry) report on Singapore's biggest data breach to date (1.5 million patients' records), presented at Cyber Resilience and Risk Forum 2019, Singapore. Useful info for board directors, managers, CSOs, CISOs, cybersecurity professionals
Recommended
Recommended
More Related Content
What's hot
What's hot (20)
Similar to Lessons learned from the SingHealth Data Breach COI Report
Similar to Lessons learned from the SingHealth Data Breach COI Report (20)
More from Benjamin Ang
More from Benjamin Ang (20)
Recently uploaded
Recently uploaded (20)
Lessons learned from the SingHealth Data Breach COI Report
- 1. PreviousNext 1 LESSONS LEARNED FROM THE SINGHEALTH BREACH Benjamin Ang Head Cyber and Homeland Defence Centre of Excellence for National Security RSIS, NTU Twitter @benjaminang
- 2. PreviousNext 2 ICYMI W h a t h a p p e n e d 1.5 million patients' non-medical personal data stolen 160,000 dispensed medicines' records taken Including the Prime Minister Singapore’s most serious breach of public data to date
- 3. PreviousNext 3 COMMITTEE OF INQUIRY 22 days 37 witnesses 26 written submissions 454 page report
- 5. PreviousNext 5 The next time, it could be you
- 6. PreviousNext 6 It’s also an opportunity for you to get things done Budget Process Urgency
- 11. PreviousNext 11 #1 R e c o m m e n d a t i o n • View Cybersecurity as a risk management issue, and not only a technical issue • Get top management to balance between security, operational requirements, and cost. • Adopt “defence-in-depth” • Address gaps between policy and practice Enhance security structure and readiness
- 12. PreviousNext 12 #2 R e c o m m e n d a t i o n • Identify gaps - map layers of the IT stack • Get endpoint and network forensics • Enhance network security to disrupt the ‘Command and Control’ and ‘Actions on Objective’ phases of the Cyber Kill Chain. • Improve application security for email Review the cyber stack
- 13. PreviousNext 13
- 14. PreviousNext 14 #3 R e c o m m e n d a t i o n • Improve cyber hygiene • Security Awareness Programme • Give IT staff with sufficient knowledge Improve staff awareness
- 15. PreviousNext 15 #4 R e c o m m e n d a t i o n • Conduct vulnerability assessments • Safety reviews, evaluation, and certification of vendor products • Penetration testing • Red teaming • Threat hunting Conduct enhanced security checks
- 16. PreviousNext 16 5 Monitor privileged Admin Accounts 7 Partner between industry and government 6 Improve Incident Response Process 7 Critical Recommendations
- 17. PreviousNext 17 #5 R e c o m m e n d a t i o n • inventory • two-factor authentication • passphrases instead of passwords • Password policies • Centrally manage server local administrator accounts across the IT network. • Control service accounts with high privileges Monitor privileged admin accounts
- 18. PreviousNext 18 #6 R e c o m m e n d a t i o n • Test regularly • Define modes of communication • Balance containment, remediation, and eradication, and monitor the attacker, and preserving evidence • Set up Advanced Security Operation Centre or Cyber Defence Centre Improve incident response
- 19. PreviousNext 19 #7 R e c o m m e n d a t i o n • Share threat intelligence Partner between industry and government
- 20. PreviousNext 20 9 Additional Recommendations Security risk assessments and audit processes Protect electronic records Secure domain controllers Patch regularly 8 9 10 11
- 21. PreviousNext 21 #8 R e c o m m e n d a t i o n Take security risk assessments and audit processes seriously
- 22. PreviousNext 22 #9 R e c o m m e n d a t i o n • Create a clear policy on confidentiality, integrity, and accountability of sensitive records • Monitor databases • Restrict access to sensitive data Protect sensitive records
- 23. PreviousNext 23 #10 R e c o m m e n d a t i o n Secure domain controllers • Harden operating system • Limit login access • Use two-factor authentication
- 24. PreviousNext 24 #11 R e c o m m e n d a t i o n • Patch regularly • Patch regularly • Patch regularly Patch regularly
- 25. PreviousNext 25 9 Additional Recommendations Upgrade software with security in mind Consider your internet access Have clear incident report plans Improve skills of your staff 12 13 14 15
- 26. PreviousNext 26 The incident response plan must clearly state that an attempt to compromise a system is a reportable security incident. What is the problem here: People, Process, or Technology?
- 27. PreviousNext 27
- 28. PreviousNext 28 “(I)n my view, when a security incident is reported, this is not a trivial matter, and it activates a whole team, including the Cluster ISO, GCIO and senior management. Everyone will have to attend to the security incident. If a security incident is declared when it turns out there is no security incident, this may look bad on the person who made the declaration.” Hann Kwang (Ernest’s reporting officer)
- 29. PreviousNext 29 “as mentioned, we need to isolate, contain and defend first...our tightening by infra is not strong enough.. even if we report now bring down the experts, they'll say our tightening is not well done...once we escalate to mgt, there will be no day no night... everyone I meant everyone in IHiS will be working non-stop on this case...” Ernest the SIRM
- 30. PreviousNext 30 “In fact, I thought to myself, “If I report the matter, what do I get?” If I report the matter, I will simply get more people chasing me for more updates. If they are chasing me for more updates, I need to be able to get more information to provide to them.” Ernest the SIRM
- 31. PreviousNext 31 “I avoided reporting the matter as soon as it occurred to me to report it, because the clock will start ticking. Having to provide these updates on these timelines puts a lot of pressure on my team - CSA, CSG, MOH, IHiS and SingHealth senior management, GCIO and CISO will all want more information, and all of this pressure will be on my team…” Ernest the SIRM
- 32. PreviousNext 32 People: Why did they do (or not do) what they did? Firewalls Updates Detection & monitoring Technology Passwords Incident reporting Process
- 33. PreviousNext 33 This covers Risk, but Resilience?
- 34. PreviousNext 34 RESILIENCE • Availability • Switch to back up systems? • Integrity • Restore your back up data? • Confidentiality • How to restore Confidentiality? • How will your BUSINESS bounce back? Can you bounce back?
- 35. PreviousNext 35 LESSONS LEARNED FROM THE SINGHEALTH BREACH Benjamin Ang Head Cyber and Homeland Defence Centre of Excellence for National Security RSIS NTU Twitter @benjaminang