How Well Prepared Are You For a Breach?

The official report on the breach of 1.5 million patient records at SingHealth was released today and it offers a roadmap for what not to do.  The good news is that the breach was in Singapore.  The bad news is that it compromised the medical information of the Prime Minister along with 149,999,999 of his closest friends.

Use this checklist to see how prepared you are for a breach.  This is a very brief synopsis of the 400+ page report.

  • The IT staff lacked adequate cybersecurity awareness, resources and training to properly respond to the attack.  These are your cyber first responders.  If they are not prepared for a fight, they will not only lose the battle, they will lose the war.
  • They did not act on suspicious activity around database logins even after it had been properly identified.
  • They failed to categorize the attempts as a cyberattack.
  • They lacked an incident reporting framework.
  • Staff was unfamiliar with security policies including to which authorities the incident needed to be reported.
  • The attackers got in via a significant coding vulnerability, and that vulnerability allowed them to make database queries.  Periodic (at least annual) expert penetration testing of BOTH the network and publicly facing applications helps detect these flaws.
  • The organization’s public facing Citrix servers were not sufficiently “hardened” against attack.  Hardening of ALL infrastructure – networks, databases, servers, firewalls, etc. is key to keeping bad people out.  This hardening needs to be formal, documented and enforced religiously.
  • Two factor authentication needs to be implemented and enforced without exception.  Apparently the SingHealth people forgot about the enforcement part.  This is especially true for anyone with elevated permissions such as network administrators and also application administrators.  If you allow login options that do not require two factor, the bad guys will gravitate to that path.
  • Religiously respond to the results of the annual penetration tests and quarterly vulnerability assessments.  Apparently the nice people at SingHealth botched the response and, in our experience, this is not unusual.  This needs to be a quarterly Board level report; the Board needs to understand the implications of not dealing with this and hold management responsible.  This is part of the Board’s fiduciary responsibility.
  • The report called for enhanced threat intelligence.  Without this the IT staff is in the dark about attacks that the organization faces.
  • Security needs to be seen as a risk management issue.  It is not an IT issue, but rather an enterprise wide management issue.
  • IT staff must be equipped with sufficient knowledge to recognize the signs of a security incident in a real world context.
  • An inventory of administrative accounts should be created to facilitate the rationalization of such accounts.  In English, this means they didn’t know who had administrative permissions and some people that did should not have.
  • Local administrator accounts must be centrally managed across the network.
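The items about unactioned suspicious database-login activity and about unchecked privileged accounts both come down to having a concrete detection rule that someone is responsible for acting on.  The following is an added example, not from this alert or from the SingHealth report: a small Python detector run over constructed database audit lines.  The log format, the thresholds, the account names and the administrator jump-host allow-list are all assumptions made for the example.

```python
"""
Added example (not from the client alert or the SingHealth report): review
database login audit records for a burst of failed logins, a success right
after such a burst, and privileged accounts logging in from unexpected hosts.
The log format, thresholds, account names and hosts are constructed assumptions.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample audit lines:
# "<ISO timestamp> <db user> <source host> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_AUDIT_LOG = """\
2018-06-27T02:11:05 svc_report app-srv-01 LOGIN_OK
2018-06-27T02:13:40 sa ws-finance-17 LOGIN_FAIL
2018-06-27T02:13:52 sa ws-finance-17 LOGIN_FAIL
2018-06-27T02:14:03 sa ws-finance-17 LOGIN_FAIL
2018-06-27T02:14:15 sa ws-finance-17 LOGIN_FAIL
2018-06-27T02:14:27 sa ws-finance-17 LOGIN_FAIL
2018-06-27T02:14:41 sa ws-finance-17 LOGIN_OK
2018-06-27T09:02:10 dba_lee dba-jump-02 LOGIN_OK
2018-06-27T09:05:33 clinic_app app-srv-02 LOGIN_FAIL
2018-06-27T09:05:45 clinic_app app-srv-02 LOGIN_OK
"""

# Assumed inventory of accounts with elevated database permissions, and the
# assumed allow-list of hosts administrators are expected to log in from.
PRIVILEGED_ACCOUNTS = {"sa", "dba_lee"}
ADMIN_JUMP_HOSTS = {"dba-jump-02"}

FAIL_THRESHOLD = 5            # failures per (user, host) inside the window
WINDOW = timedelta(minutes=5)  # sliding window for counting failures


def parse_line(line):
    """Split one audit line into a dict with a real timestamp and a boolean outcome."""
    ts, user, host, status = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user,
            "host": host, "ok": status == "LOGIN_OK"}


def analyze(log_text):
    """Return a list of (alert_kind, user, host, timestamp) tuples, in time order."""
    events = [parse_line(l) for l in log_text.strip().splitlines() if l.strip()]
    events.sort(key=lambda e: e["ts"])
    alerts = []
    recent_fails = defaultdict(list)   # (user, host) -> failure timestamps inside WINDOW
    burst_reported = set()             # report each burst once, not on every extra failure
    for ev in events:
        key = (ev["user"], ev["host"])
        fails = recent_fails[key]
        # discard failures that have aged out of the sliding window
        while fails and ev["ts"] - fails[0] > WINDOW:
            fails.pop(0)
        if not ev["ok"]:
            fails.append(ev["ts"])
            if len(fails) >= FAIL_THRESHOLD and key not in burst_reported:
                burst_reported.add(key)
                alerts.append(("failed_login_burst", ev["user"], ev["host"], ev["ts"]))
            continue
        # a success immediately following a burst of failures suggests guessed credentials
        if len(fails) >= FAIL_THRESHOLD:
            alerts.append(("success_after_burst", ev["user"], ev["host"], ev["ts"]))
        # a privileged account logging in from outside the admin allow-list
        if ev["user"] in PRIVILEGED_ACCOUNTS and ev["host"] not in ADMIN_JUMP_HOSTS:
            alerts.append(("privileged_login_unexpected_host", ev["user"], ev["host"], ev["ts"]))
        fails.clear()
    return alerts


if __name__ == "__main__":
    for kind, user, host, ts in analyze(SAMPLE_AUDIT_LOG):
        print(f"{ts.isoformat()} {kind}: user={user} host={host}")
```

Run against the constructed sample, this raises three alerts, all for the `sa` account from `ws-finance-17`: the failed-login burst, the success that follows it, and a privileged login from a host that is not an administrator jump host.  The ordinary application account that fails once and then succeeds raises nothing.  The point of the example is the last of the three checks: it only works if the organization actually maintains the inventory of privileged accounts and the allow-list of administrator hosts that the checklist calls for.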

How well did you do?

I recommend reviewing this, creating a short report on it and sharing it with your Board of Directors.  Then the BOARD needs to take action.

You will notice that I put a lot of responsibility on the Board of Directors.  This is appropriate as the Board is ultimately responsible for managing risk to the organization – not at the detailed level but at the resource level and at the priority level.

In this case, the breach wasn’t in the US, but look at the Equifax breach report and you will see many of the same issues.

This is definitely a pay me now or pay me later problem and the cost of waiting until later is significantly larger than dealing with it now.

While this was a healthcare breach, the issues go across all industries.

Source: HealthITSecurity.