When companies get breached, there is not only a risk to their proprietary information, but also to the information they hold on their customers. This data is often far more valuable to thieves than any corporate secrets. They can be sold on the Dark Web or black market. Credit card numbers go for a few dollars, whereas personal information can fetch hundreds of dollars when sold to the right buyers.
Take for example one of the latest data breaches – Singapore’s largest ever – SingHealth, the largest healthcare group in Singapore.
What was taken? Personal information on 1.5 million patients who visited SingHealth’s clinics and polyclinics from 1 May 2015 to 4 July 2018. These records contained personally identifiable information including name, NRIC number, address, gender, race and date of birth. 160 000 of those records had data relating to dispensed medicines.
It has been disclosed that Singapore’s Prime Minister, Lee Hsien Loong was among the patients whose records were stolen and this included his dispensed medicine records.
Personal identifiable information is a treasure trove for attackers. It can be used to impersonate people and steal their identities. It does not even need to be used immediately to be effective. Bank accounts can be opened, identity documents can be forged, loans can be taken out – all these and more, unless proven otherwise, will end up being the responsibility of the person whose identity was stolen.
Initial investigations showed that a front-end workstation was infected with malware, which was used by the hackers to gain access to the database between 27 June and 4 July.
From the level of sophistication of the attack, there is speculation that it may have been state sponsored. The Singapore government and Cybersecurity Agency of Singapore (CSA) were praised for their quick detection and prompt action to stem the exfiltration of information. This attack was mitigated and extra security measures put in place in just over a week. Notification was made soon thereafter. Many intrusions take months or even years to be detected and many companies fail to notify customers at all.
The initial attack vector, via a workstation, reinforces the philosophy of defence in depth. Workstations should have good and sophisticated anti-virus programs installed, which report into a central console where alerts can be raised. These alerts are monitored by staff who are trained to identify threats. A user might see a warning pop up and dismiss it because it was in the way, but when IT security staff see one alert, they investigate. If more start arriving, event management plans can be put into action.
Another layer of defence is end-user awareness. They are the human firewall. They can be trained to spot potential malware threats as well as phishing scams. A trained user can understand the threats that they may encounter and alter their browsing patterns to browse safely. They are also more likely to browse safely at home and understand the risks of not having an anti-virus program. They will learn to avoid copying data from their home computers to their work computers via portable media devices (USB memory sticks). These are also entry points for malware.
There are many ways that a workstation can be infected:
- An infected USB device brought in from home;
- A drive-by attack from visiting an infected website;
- A disgruntled employee deliberately stealing information;
- A deliberate infection by a third party on an unattended or unlocked workstation;
- An infection across the network through unpatched vulnerabilities;
- A malware laden email that someone reads and then executes the attachment.
In some cases, anti-virus software may not be enough. These should be good at detecting anomalies and virus-like behaviour. However, a trained user can spot emails that seem out of place, and they can work according to IT policies that enlist safe browsing habits.
Prevention is always better than a cure.