Culture of complacency the greatest 'virus' in Singapore's battle against cyberattacks

Stanislaus Jude Chan
10/10/18, 11:44 pm

SINGAPORE (Oct 8): Singapore has been investing heavily in cybersecurity amid its Smart Nation drive. But as details of the events leading to the cyberattack on Singapore Health Services’ patient database system in June emerge, so too do signs of a worrying trend: Has a culture of complacency seeped into the people and organisations tasked with defending the nation against cyber threats? And will these human-related weaknesses prove to be the chink in the armour that will lead to the collapse of “Fortress Singapore” — a term coined to describe the nation’s favourable position as a data centre hub due to its physical security and political stability?

“Technology is only one-third of the solution to cybersecurity,” says Justin Hammond, regional director for Asia-Pacific at Synopsys. “The others are processes and people.”

“Your overall cybersecurity defence will be only as good as your weakest point, so having the latest technology and comprehensive processes will not be effective if the human aspect of cybersecurity is lacking,” he adds.

The first tranche of public hearings convened by the Committee of Inquiry (COI) into the SingHealth cyberattack was held over two weeks from Sept 21 to Oct 5, with subsequent tranches expected. Already, the revelations have been nothing short of stunning.

According to Solicitor-General Kwek Mean Luck, a series of staff missteps and gaps in SingHealth’s mission-critical IT systems had contributed to the worst data breach in Singapore’s history. It involved the personal data of 1.5 million patients and outpatient prescription records of 160,000 people, including Prime Minister Lee Hsien Loong.

“[The SingHealth cyberattack] was a harsh reminder that cyberspace is not a benign environment, and we have to do much better in keeping our IT systems and data safe and secure,” Lee says at the inaugural Stack 2018 Developer Conference organised by the Government Technology Agency of Singapore (GovTech) on Oct 2.

To Lee, the incident revealed internal weaknesses and lapses in Singapore’s IT systems and organisations. “We have to improve and put these right. We have to train up our people, institute robust processes, inculcate the right mindsets and enforce accountability,” he says.

Indeed, the COI revealed that Integrated Health Information Systems (IHiS), the IT arm of the Ministry of Health that managed SingHealth’s database, had been made aware of a possible vulnerability in the system as far back as four years ago.

Initial remark ignored

Former IHiS employee Zhao Hainan had in 2014 mentioned to his project manager, Angela Chen, security concerns he had regarding the system design of SingHealth’s Sunrise Clinical Manager (SCM) software. However, Chen was either out of office or on leave over the next few days, and did not follow up on the issue.

Zhao then contacted a rival vendor over the loophole in the system. When then-CEO Chong Yoke Sin was alerted to Zhao’s email containing the alleged vulnerability, she quickly dismissed him for the “ethical breach”. However, the former CEO did not conduct any formal investigation into the possible vulnerability in the system. Essentially, the flaw in the system was never fixed.

“The human factor will always be an aspect of security breaches. The extent of the human factor is dependent on the organisation and the systems and processes they have in place,” says Gary Gardiner, head of security engineering for Check Point Software Technologies in Asia-Pacific, Middle East and Africa.

The COI also heard that an old server had not had security software updates for 14 months. This became one of the pathways used by hackers to reach SingHealth’s critical systems where the data breach occurred.

Citing findings from the Cyber Security Agency of Singapore (CSA), the Solicitor-General revealed that the cyberattacker had managed to gain an initial presence in SingHealth’s network as early as August 2017 by “infecting workstations”.

Between December 2017 and May 2018, the attacker then moved sideways in the network, making use of malware planted in one of the initially infected workstations to gain remote access to and control of the workstation, before using that computer to distribute malware to infect other computers.

“Patch management is a challenge for most organisations, and it is a balance of technology and process to be successful,” Gardiner says. “In this attack, the threat actor used an unpatched system to gain access. To prevent such attacks, the simple solution would be to monitor the patch levels of the systems and have a patch management strategy to ensure the system is up to date.”

The way Tom Kellermann, chief cybersecurity officer at Carbon Black, sees it, the incident was very much preventable.

“SingHealth must make cybersecurity a priority and the security officer must be given greater authority and budget to mitigate future cyber intrusions with technology designed to prevent, detect and respond to attacks,” he says.

Human-related mistakes greater than technology-related ones

In light of the revelations from the COI into the SingHealth cyberattack, there seem to be more human-related errors than actual IT-related weaknesses. For one, Chester Wisniewski, principal research scientist at cybersecurity firm Sophos, believes that IHiS’ cybersecurity practices could be “above average”.

“They were able to detect the intrusion within a few days and take decisive action to contain the attack. This is unusual and a sign that they are reasonably well prepared for this type of attack,” Wisniewski says.

But beyond IHiS and SingHealth, Singapore will need to avoid a mindset of complacency when it comes to cybersecurity. When news of the SingHealth cyber breach first broke, fingers were quickly pointed outwardly at state-sponsored actors. After all, Singapore has invested significantly in cybersecurity, and any breach would have to be well-coordinated and backed by significant resources.

The underlying assumption, however, was that our cybersecurity system was formidable, and that any breach would in no way have been due to our own weaknesses — but the COI has proven otherwise.

Curiously, CSA CEO David Koh was quick to allay fears that the SingHealth breach could cause some serious damage. In the wake of the cyberattack, Koh referred to the data accessed as “only basic demographic data” with “no strong commercial value”. Ironically, the CSA was created in 2015 to strengthen Singapore’s cybersecurity posture in support of the country’s Smart Nation push.

But the threat is very real. The types of information stolen — such as name, NRIC number, address, gender, race and date of birth — are commonly used, for example, for customer verification in accessing online financial services.

The Monetary Authority of Singapore (MAS) on July 24 ordered banks and other financial institutions to tighten their customer verification processes. MAS directed all financial institutions not to rely solely on the types of information stolen for customer verification in accessing online financial services.

Instead, MAS said additional information must be used for verification before undertaking transactions for the customer. This may include the use of one-time passwords, personal identification numbers, biometrics and last transaction date or amount.

According to MAS, these measures are to address any risk that the information stolen from SingHealth may be used by fraudsters to impersonate customers and perform unauthorised financial transactions.

“Human beings are certainly the biggest weakness in securing complex systems,” says Sophos’ Wisniewski. “We can’t study why humans are tricked and then provide a patch. We have to build resilience into our systems that accept and recover from human failures.”

And for Singapore to remain a cybersecurity fortress resilient to cyberattacks, we might certainly need to patch the complacency.

This story appears in The Edge Singapore (Issue 851, week of Oct 8).