On the SingHealth COI

Everyone and their dog seem to have something to say about the SingHealth COI. As someone who is certified and I hope, qualified, to comment on such matters, here is my piece. As usual, if you are able to read between the lines, the media reports unintentionally reveal quite a bit about the inner workings of iHiS. For reference, here are the reports I read. Since this is a developing case, I will update the article as more details are made public.

    The intrusions, which began undetected on June 27, were eventually discovered on July 4 and terminated by Ms Katherine Tan, a database administrator at IHiS.    

Interesting that the database administrator first discovered the breach. Normally, it is the Security Operations Centre (SOC) which makes the discovery. The SOC has a bigger picture of the entire estate. Servers, end user devices, network devices as well as the alerts and output from monitoring software and can correlate the information to determine if a breach had occurred.

    She later went home to develop a script to stop more of such "unusual activity" and completed it at midnight, July 5.    

Why the emphasis on "went home"? Did she develop the script on her personal computer at home? That is a big no-no. There is no way for the company to know if her personal computer has been infected by malware, if it is, it could spread via thumbdrive when she transfers the script to the company's computer. Secondly, there is an intellectual property rights issue at hand, she developed the script outside company hours without using company resources, technically she owns the rights to that script.

    Mr Tan said he became the "convenient" custodian of the server in question. On paper, he was not supposed to manage the server, but had been doing so since 2014... These counterparts later left the organisation, and no one else took over the management of the server.    

Ah, the good old shadow IT issue. If a company cannot account for its assets in the estate, their servers or laptops might end up on Carousell. More disturbingly, malicious actors can connect rogue devices to the network and use it to pivot to high value targets. There are multiple solutions, port security if you really need strict control. For starters, look at your DHCP logs and your MAC address tables and see which devices you recognise.

    Automatic anti-virus software updates could not be made to the server as the software was too old... At the time, we had just upgraded the SCM’s system architecture, so we thought it would render any vulnerability discovered by Zhao irrelevant, Dr Chong said.    

Just so you know, it is possible that a software is so old that it is not vulnerable to a specific exploit, patching it to a slightly more recent version might actually make it vulnerable. Don't patch blindly and make assumptions, always do a vulnerability scan again to confirm that the patch fixes the issue.

    Even after Mr Tan read the e-mails, he did not appreciate the severity of the situation, or followed up to seek clarifications. He said he was busy clearing e-mails and other work...Alarm bells also did not ring for Mr Tan even when attempts were made to connect to the EMR system...Even after realising that two workstations and one Citrix server, which is linked to the EMR database, were being forensically examined, alarm bells also did not ring for him..."It was still not a confirmed security incident," said Mr Tan.    

Just plain incompetence. This is obviously lateral movement. Mr Tan is senior manager (Infra Services-Security Management) at IHiS. Cyber Security is not even an individual department by itself, it is parked together with Infra services. There is a blatant conflict of interest, Infra's role is to keep things running for as long as possible, if it ain't broke, don't fix it. Security management involves bringing services offline for patching if required. Obviously, the management does not place much emphasis on security.

    (Mr Arianto's) second thought was that a staff was “mischievously” accessing the database.    

Mature organizations have a 3rd line of defence. An internal audit function which reviews commands executed by administrators to ensure that it was ran for a legitimate business purpose. Some security products out there let you tag your actions or queries with a specific case or incident ID. When the audit logs are reviewed, the actions are checked to ensure that they are relevant to the case ID specified.

    The Cluster Information Security Officer (CISO)'s responsibilities include ensuring that standard operating procedures for incident response are complied with, and escalating security incidents to higher management.    

The Business Information Security Officer (BISO), in this case CISO's role is to provide input from the business perspective and assess the loss from a particular breach to the organization. There is usually one BISO/CISO for each business line or cluster. He is supposed to have domain knowledge, to know the value of the various assets in his cluster, so he can allocate sufficient resources to secure high value assets. He is not technically trained and should not be the one making the call. The incident manager/SOC manager has experience handling security incidents across multiple clusters and should be the one deciding if it should be upgraded to a security incident.

    the CISO - Mr Wee - could activate the response team to investigate and analyse the situation.    

Wait, what do you mean activate the response team? You mean the response team is a hodgepodge of people with other day jobs? The response team should be the SOC, which monitors security events on a 24/7 basis.

This is a timely reminder that security professionals have an ethical obligation to take their job seriously. If a company is not doing things right, we need to flag it out or even whistleblow if management is not taking it seriously. If the culture is too deeply ingrained, it would be better to leave quickly. If you choose to take things easy and go with the flow, you will need to answer to the COI when shit hits the fan. If IT were a profession, these guys would have been struck off the register and barred from working in this field.