If you wanna learn from the IT security blunders committed by hacked hospital group, here's some weekend reading

The theft of 1.5 million patient records, including those of Singapore's Prime Minister, from the city state's SingHealth hospital group by hackers could probably have been stopped had the IT department not been so useless, an inquiry has found. In July, citizens were notified that miscreants had siphoned massive amounts of …

  1. Inventor of the Marmite Laser Silver badge

    So where did the BOFH go for his holiday?

  2. Walter Bishop Silver badge
    Terminator

    Detailed report into the hack

    having an extensive command and control network, the capability to develop numerous customised tools, and a wide range of technical expertise

    Four hundred and fifty-four pages to say someone opened a compromised email attachment, containing a Word document, that ran a VB macro, that installed remote control software on a ‘computer’

    1. Paul Crawford Silver badge
      Trollface

      Re: Detailed report into the hack

      MS Word macros, the gift that keeps on giving!
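A defender-side check for the attachment chain the two comments above describe, added here as an example; it is not code from the inquiry report or from either commenter. It classifies Office attachments by content rather than by file extension: an OOXML document is flagged as macro-bearing when it carries a vbaProject.bin part, and a legacy binary (OLE) container is flagged for deeper inspection because macros cannot be ruled out from the header alone. The in-memory sample attachments, the gateway policy in triage(), and the domain hospital.example are all constructed for the example.

```python
import io
import zipfile

# Constructed sample data: minimal OOXML containers built in memory.
# A real .docm differs in many ways, but the discriminating feature used
# below (the presence of a vbaProject.bin part) is the same.
OLE_MAGIC = b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1"   # header of legacy binary Office files
VBA_PART_SUFFIX = "vbaProject.bin"                # OOXML part that holds VBA code


def build_ooxml(parts):
    """Build an in-memory zip from member name -> bytes (test fixture only)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, data in parts.items():
            zf.writestr(name, data)
    return buf.getvalue()


def classify_attachment(data):
    """Classify attachment bytes by content, not by file extension.

    Returns one of:
      'macro'       OOXML document that carries a VBA project
      'legacy-ole'  binary .doc/.xls container (macros cannot be ruled out here)
      'clean-ooxml' OOXML document without a VBA part
      'other'       not an Office container
    """
    if data.startswith(OLE_MAGIC):
        return "legacy-ole"
    stream = io.BytesIO(data)
    if zipfile.is_zipfile(stream):
        with zipfile.ZipFile(stream) as zf:
            names = zf.namelist()
        if any(n.endswith(VBA_PART_SUFFIX) for n in names):
            return "macro"
        if "[Content_Types].xml" in names:
            return "clean-ooxml"
    return "other"


def triage(messages, internal_domain):
    """Apply a simple gateway policy to (sender, filename, bytes) tuples.

    Policy (an assumption for this example): macro-carrying or legacy binary
    Office attachments from outside the organisation are quarantined; the
    same files from inside are flagged for review; everything else passes.
    """
    decisions = []
    for sender, filename, data in messages:
        verdict = classify_attachment(data)
        external = not sender.lower().endswith("@" + internal_domain)
        if verdict in ("macro", "legacy-ole"):
            action = "quarantine" if external else "review"
        else:
            action = "deliver"
        decisions.append((sender, filename, verdict, action))
    return decisions


# Constructed messages: a macro document disguised with a .docx name, a plain
# .docx, a legacy binary file, and a PDF-like blob.
SAMPLE_MESSAGES = [
    ("billing@example.net", "invoice.docx",
     build_ooxml({"[Content_Types].xml": b"<Types/>",
                  "word/document.xml": b"<w:document/>",
                  "word/vbaProject.bin": b"\x00VBA"})),
    ("colleague@hospital.example", "rota.docx",
     build_ooxml({"[Content_Types].xml": b"<Types/>",
                  "word/document.xml": b"<w:document/>"})),
    ("unknown@example.org", "report.doc", OLE_MAGIC + b"\x00" * 64),
    ("vendor@example.com", "brochure.pdf", b"%PDF-1.4 ..."),
]

if __name__ == "__main__":
    for row in triage(SAMPLE_MESSAGES, "hospital.example"):
        print("%-28s %-14s %-12s %s" % row)
```

The point of checking the zip members rather than the extension is that a renamed file (a macro document saved as .docx) still shows the vbaProject.bin part; the legacy OLE branch is deliberately conservative, since a full VBA check on the binary format needs a dedicated parser.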

  3. Anonymous Coward
    Anonymous Coward

    show me the money

    MFA for admin accounts might be a fine and proper security measure, it might even be mandated for some security standards such as PCI but getting money from management to pay for that measure (especially as recurring OPEX) is a very different story.

    1. Anonymous Coward
      Anonymous Coward

      Re: show me the money

      Getting IT staff to use it would be hard too. Many of mine would agree with it on principle but then spit the dummy when it's implemented.

      I can't even get the nod to block access to internet/email from admin accounts (required for our audits.)

      1. Anonymous Bullard

        Re: show me the money

        Just keep a paper trail of your recommendations, suggested workarounds, and potential outcomes if nothing is done (in plain language), along with their refusals.

        Document these known issues in your infra docs, with reasons why they exist. Increase monitoring+logging in those areas. Prepare for the post-incident audit before it happens.

        Arse covering.

        1. Anonymous Coward
          Anonymous Coward

          Re: show me the money

          Yeah, because that really matters when you go for your next job and the reputation of the last place is still dripping all over you.

          1. steviebuk Silver badge

            Re: show me the money

            It might not, but it stops you ending up fired or in jail. If they still fire you, a nice wrongful dismissal can be thrown at them.

          2. Alan Brown Silver badge

            Re: show me the money

            "because that really matters when you go for your next job"

            Actually it does, because you can document that you warned them and they ignored you.

      2. Amos1

        Re: show me the money

        The opposite of security is not insecurity. The opposite of security is overly convenient.

        The issues described in this article probably apply to 99.9999% of all IT systems operators in the world.

        When I do interviews of prospective vendors I always ask the question "Do you have staff dedicated 100% to operational security (not including compliance) or is security everyone's responsibility?"

        The competent ones answer "Both."

        The dumb ones enthusiastically respond "No. Security is everyone's responsibility!"

        When something is everyone's responsibility it's no one's responsibility.

      3. Anonymous Coward
        Anonymous Coward

        Re: show me the money

        "Getting IT staff to use it would be hard too. Many of mine would agree with it on principle but then spit the dummy when it's implemented."

        Demand management implement it and if they won't then I'd find somewhere else to work 'cos if you stay there much longer you'll be looking for another job anyway, especially when the company gets hacked and goes up the swanny!

        Trust me, it's usually a load of people generally whinging for no good reason. If you force security tightening most of them will shut up after a week or so anyway. You're failing at your job if you don't enforce it, or at least make a proper recommendation in writing to management to implement. I'm sure you'll find a governing body that will demand your company protect the data it has, and of course there's always GDPR. In the finance industry it is an offence to not comply, plus your company's reputation can be downgraded by various agencies if external auditors determine you have not secured your company data enough.

        Trust me this is more important than a few whingers, do it before you find yourself holding a P45!

        1. Alan Brown Silver badge

          Re: show me the money

          "and of course there's always GDPR. In the finance industry it is an offence to not comply"

          In both cases: Unless criminal/civil responsibility falls _personally_ on manglement, they're unlikely to care.

          It's the threat of finding _themselves_ in the dock which works the best at getting things fixed.

          1. John Stirling

            Re: show me the money

            If management say 'no' then they become the ones where the liability sits personally. That is the beauty of GDPR

    2. Graham 2
      Pirate

      Re: show me the money

      I'd be prepared to bet that getting said managers to cough up the money won't be hard this quarter.

  4. Anonymous Coward
    Anonymous Coward

    From personal experience, security is just a box ticking exercise

    Often by security employees who don't understand real security.

    When you see companies allowing their employees to send password encrypted zip files with the password in the same email, or web censoring software that prevents access to innocuous sites but fails to block dangerous ones, you realise it's just lip service.

    And generally, lessons aren't learnt. They're just covered up.

    1. Anonymous Coward
      Anonymous Coward

      Re: From personal experience, security is just a box ticking exercise

      As you rightly suggest, security is not simply implementing a few systems to protect other systems; it's a whole system of changing minds, changing attitudes, implementing tools and utilities, implementing reporting, and making people responsible for implementing and maintaining security as a company-wide blanket, not just a few band-aids.

      It all falls apart because PHBs think security is simply forking out for a couple of copies of Kaspersky on PCs and everything is cosy again; that's usually a company you don't want to put your money in!

  5. GnuTzu Bronze badge
    Mushroom

    Not a Fan of Citrix

    It's too damn difficult to enable Citrix services over the Internet through a web proxy--without mucking up security, and no one ever seems to have Citrix support to address that garbage--so I'm always having to reverse engineer that crap. No wonder that was part of the problem. Yeah, I'm a proxy admin, and Citrix is a serious thorn in my side, and I wish policy out-and-out forbade it. Time to grow up and get your sh*t in order Citrix.

    1. Alan Brown Silver badge

      Re: Not a Fan of Citrix

      "I wish policy out-and-out forbade it."

      In sensible places (ie: not yours) policy DOES.

      Along with a bunch of other "convenience" services which compromise OUR security whilst increasing your convenience or allow other organisations to maintain their security facades.

  6. sanmigueelbeer Silver badge

    And here's the good news

    There's a silver lining to this: The vulnerable system wasn't managed by Capita or IBM.
