Questions and Answers
What was a specific containment measure implemented to protect against future attacks?
Which of the following security shortcomings involved an aspect of account management?
What inherent problem allowed an attacker to retrieve sensitive login credentials?
Which of the following was not identified as a security shortcoming by the Personal Data Protection Commission?
What may the Commissioner designate under Clause 7(1) Part 3 of the CSA?
Which measure was explicitly mentioned as part of the containment measures to isolate threats?
What consequence arose from the failure to formally activate the Security Incident Response Team (SIRT)?
What constitutes a notifiable data breach under section 24?
What is the required timeframe for notifying the PDPC of a notifiable data breach?
In the context of a data intermediary, what must the organization do upon detecting a data breach?
What is the minimum threshold of individuals affected for a data breach to be considered of significant scale?
What obligation does a public agency have regarding data breaches in relation to a data intermediary?
What characterizes a Cybersecurity Incident?
Which of the following is essential for designating a computer system as Critical Information Infrastructure (CII)?
What is required of a CII owner if there is a change in beneficial or legal ownership?
What is the maximum timeframe allowed for reporting material changes to a CII's configuration?
Which of these options does NOT classify as an essential service under the First Schedule?
What happens if a person fails to comply with information requests by the Commissioner regarding CII?
What defines a Cybersecurity Threat?
Which essential service category deals with national security and public order?
Under what circumstance can the Commissioner designate a computer as CII?
What is a key factor that an organisation should consider when adopting security measures for personal data?
Which type of measure includes physical locks and privacy filters in an organisation's security arrangements?
What should organisations implement to ensure appropriate security levels for personal data of varying sensitivity?
What is considered a 'data breach' under the relevant laws?
Which responsibility falls on the data intermediary in the context of personal data protection?
What does 'reasonable and appropriate' security arrangements refer to in the context of personal data?
How should organizations be prepared to respond in the event of an information security breach?
What role do administrative measures play in securing personal data?
What potential impact should an organisation consider regarding personal data security?
Which aspect is NOT typically a part of technical measures in securing personal data?
What is the requirement for owners of Critical Information Infrastructure (CII) regarding compliance with codes of practice and standards of performance?
What happens if the Commissioner fails to publish a notice regarding changes in a code of practice or standard of performance?
What must the owner of a CII establish as part of their duty to report cybersecurity incidents?
How often must an audit of compliance with the CYSA be conducted by the owner of a CII?
What is the consequence of failing to comply with the regulations set forth for CIIs?
What may the directions issued by the Commissioner include for CII owners?
What is the minimum frequency for conducting a cybersecurity risk assessment by CII owners?
What does a code of practice or standard of performance NOT possess?
Who has the authority to appoint auditors for cybersecurity compliance audits?
What type of incidents must CII owners report to the Commissioner?
Study Notes
Singapore Health Services Data Breach
- Massive Data Breach: The breach affected nearly 1.5 million patients, exposing their personal data as well as the prescription records of nearly 160,000 patients.
- Subsidiaries of MOH Holdings: Singapore Health Services (SingHealth) and Integrated Health Information Systems (IHiS) are wholly-owned subsidiaries of MOH Holdings Pte Ltd, a company that holds the Singapore government's healthcare institutions.
- Initial Access (August 2017): Attackers gained initial access to the SCM network by infecting a workstation, likely through email phishing.
- Remote Access & Control (Dec 2017 - May 2018): Attackers used customized malware to gain remote access to workstations and two user accounts (local admin and service).
- Citrix Server Access (May-June 2018): From compromised workstations, attackers accessed Citrix servers at the SGH but could not access the SCM database.
- Login Attempts & Credential Theft (June 2018): There were multiple failed login attempts using invalid credentials. Attackers obtained SCM database login credentials from the H-Cloud Citrix server through a vulnerability.
- Data Exfiltration (June-July 2018): Hackers exfiltrated data through compromised workstations to external C2 (Command and Control) servers.
- Initial Detection (June 2018): An IHiS database administrator discovered failed login attempts to the SCM database.
- Investigation and Reporting (June 2018): Staff initiated an investigation involving the Security Incident Response Manager (SIRM), the SingHealth CISO and members of the SMD. A meeting was held to discuss the failed logins.
- Remediation Efforts (July 2018): An IHiS Assistant Lead Analyst noticed unusual queries and developed an automated script to terminate them, log the queries and alert teams. Access to the SCM database from external sources (SGH Citrix Server) was blocked.
- Senior Management Escalation (July 2018): SingHealth and IHiS senior management were alerted to the attack much later in the evening of July 9, 2018.
- Containment Measures (July 2018): Collaboration with the Cyber Security Agency of Singapore followed to isolate the threat, reset accounts, adjust the firewall, and monitor administrators.
- Security Shortcomings: Issues included weak passwords, dormant accounts, delayed decommissioning of systems, and inherent vulnerabilities in the SCM client application.
Cybersecurity Issues & Regulations
- Critical Information Infrastructure (CII): Singapore's Cybersecurity Act (CSA) designates and regulates computer systems providing essential services (like healthcare) as critical.
- Commissioner's Powers: The Commissioner can investigate cyber security incidents, issue directions for improving systems, set codes of practice for cybersecurity, and obtain information about systems.
- Penalty (Fine/Imprisonment): Failure to comply with the CSA can result in fines up to $50,000 or up to 2 years in prison.
- Cybersecurity Code of Practice: The Cybersecurity Code of Practice focuses on preventative measures and incident response for various organizations.
- Cybersecurity Audits & Risk Assessments: Organisations must comply with cybersecurity audits and risk assessment procedures every two years.
- Notification of Data Breaches: A notifiable data breach is one that results in significant harm to an individual, or is of a large scale; it must be reported to the Personal Data Protection Commission (PDPC).
- Notification to Affected Individuals: Organisations need to inform affected individuals of breaches potentially causing significant harm within 3 days.
Description
This quiz examines the significant data breach affecting Singapore Health Services, revealing how nearly 1.5 million patients were impacted. It explores the breach's timeline, the methods of unauthorized access, and the implications for personal data security. Test your knowledge of this critical incident in healthcare data management.