It started as a phishing expedition and ended up being the largest data breach in the history of Singapore. It was June 2018. The FIFA World Cup was in full swing, Jurassic World hit theaters worldwide, and a low-level administrator with SingHealth, the country’s largest healthcare network, clicked on a seemingly innocent link in an email.
Unbeknownst to the user and the organization’s cybersecurity team, the link installed custom malware on the user’s computer, which gave attackers access to the SingHealth system. After several months, the attackers started distributing malware and stealing credentials, including those that gave them access to the electronic medical record (EMR) database where they were able to steal the personal data of more than 1.5 million patients—even prescription data for the prime minister. Throughout the attack, the attackers avoided secondary targets that could have given them away, and they destroyed evidence of their presence. The breach wasn’t discovered until months later, and by then, it was too late.
To its credit, SingHealth worked with the government’s cybersecurity agency to investigate who committed the largest breach in the nation’s history and how the attackers were able to circumvent the organization’s defenses. A Committee of Inquiry (COI) released a report in January 2019 that outlined 16 recommendations that SingHealth and other organizations can put into practice to mitigate future attacks. Five of the recommendations can be implemented with Internet isolation technology.
1. Staff awareness of cybersecurity must be improved to better prevent, detect, and respond to security incidents.
Internet isolation ensures that phishing attacks are mitigated and users are educated on identifying the characteristics of a phishing website. Whenever a user clicks on a link in an email, the browsing session is started in an isolated remote cloud environment. Once the phishing site is isolated, a custom banner can warn users about it. Administrators can also prevent users from submitting data via a web form.
2. Domain controllers must be better secured against attacks.
Internet isolation isolates all browser traffic from the domain controller. No active content, whether good or bad, is executed locally. As a result, malware doesn’t have a chance to execute on the domain controller.
3. Improve incident response processes for a more effective response to cyberattacks.
Internet isolation prevents web-based threats from reaching the network perimeter, the point when an alert is typically generated. As a result, the Internet isolation cloud platform significantly reduces the number of false positives that incident response teams need to investigate. Incident response teams benefit from reduced alert fatigue and more time to focus on actual threats.
4. A robust patch management process must be implemented to address security vulnerabilities.
Internet isolation helps reduce the overhead associated with patch management. Because active web content is executed away from the endpoint, attackers are unable to exploit vulnerabilities on the endpoint’s web browser. Security organizations can thus deprioritize browser patching and focus on more-urgent vulnerabilities first.
5. An Internet access strategy that minimizes exposure to external threats should be implemented.
Internet isolation ensures that all web-based user activity is executed in a secure, trusted environment in the cloud. Since no web pages are actually executed on the device, users cannot inadvertently unleash malware on their own device or on any devices they’re connected to throughout the network.Given the severity of the SingHealth data breach and the effectiveness of Internet isolation in preventing phishing attacks, it’s likely that other federal governments will consider adopting similar recommendations. In the interest of protecting the privacy of their citizens, it’s even likely that the recommendations will become regulatory requirements.