DPCR Lec 2 Anki PDF
NUS Faculty of Law
Summary
This document is a case study on a major cyberattack in Singapore. The case details the actions taken by hackers, the response of the affected organization, and the investigation. The case study focuses on cybersecurity incidents.
Full Transcript
#separator:tab #html:false

Singapore Health Services Pte Ltd and Integrated Health Information Systems Pte Ltd
What were the facts of this case (in brief)?
This case concerns the worst breach of personal data in Singapore’s history. In an unprecedented cyber attack on the Singapore Health Services Pte Ltd’s (“SingHealth”) patient database system, the personal data of some {{c1::1.5 million patients and the outpatient prescription records of nearly 160,000 patients were exfiltrated in a cyber attack}} (the “Data Breach”).

Singapore Health Services Pte Ltd and Integrated Health Information Systems Pte Ltd
What was the relationship between SingHealth and IHiS?
IHiS and SingHealth are {{c1::wholly-owned subsidiaries of MOH Holdings Pte Ltd}} (“MOHH”), the holding company through which the Singapore government owns the corporatised institutions in the public healthcare sector. MOH determines the {{c1::policies and structures within the healthcare sector}}.

Singapore Health Services Pte Ltd and Integrated Health Information Systems Pte Ltd
What were the steps / actions taken by the hacker to gain access to the system and data?
Initial Access: In August 2017, the attacker gained initial access to the SCM network by infecting a user’s workstation, likely through an email phishing attack. This led to the installation and execution of malware and hacking tools on the user’s workstation.
{{c1::Remote Access and Control}}: Between December 2017 and May 2018, the attacker used customised malware to infect and gain remote access to other workstations. From these compromised workstations, the attacker gained access to two user accounts: a local administrator account and a service account.
{{c1::Access to Citrix Servers}}: Through the compromised accounts, the attacker gained access to the Citrix servers located at SGH. Although the attacker managed to log in to the Citrix servers, they did not have the credentials to log in to the SCM database.
Failed Login Attempts: Between end-May and mid-June 2018, the attacker made multiple failed attempts to access the SCM database using invalid credentials or accounts with insufficient privileges.
{{c1::Credential Theft}}: On 26 June 2018, the attacker obtained login credentials for the SCM database from the H-Cloud Citrix server due to an inherent coding vulnerability in the SCM client application.
{{c1::Data Exfiltration}}: Between 27 June and 4 July 2018, the attacker used the stolen SCM database login credentials to access and run numerous bulk queries on the SCM database. The data was then exfiltrated through the compromised workstations to the attacker’s overseas Command and Control (C2) servers.

Singapore Health Services Pte Ltd and Integrated Health Information Systems Pte Ltd
How did SingHealth and IHiS staff respond in the course of the incident?
The response of SingHealth and IHiS staff during the incident can be summarised as follows:
Initial Detection: On 11 June 2018, an IHiS database administrator discovered multiple failed attempts to log in to the SCM database. She noticed that some user IDs were used on separate occasions to log in to the SCM database, but they could not log in because they were non-existent user IDs or were not granted access.
{{c1::Investigation and Reporting}}: On 13 June 2018, a few members of the staff from the IHiS Delivery Group met with the Security Management Department (SMD) over these login attempts. A chat group was created; members included the Security Incident Response Manager (SIRM), the SingHealth CISO, and members of the SMD.
{{c1::Remediation Efforts}}: On 4 July 2018, an IHiS Assistant Lead Analyst observed alerts generated by a performance monitor which was programmed to monitor database queries. He commenced investigations into the unusual queries on the SCM database. When the Assistant Lead Analyst was unable to trace the user launching the queries or make sense of the queries on his own, he alerted his colleagues from the IHiS Application, Citrix, and Database teams to assist in the investigations. An automated script was then developed and implemented on the SCM database to terminate the queries, log the queries, and send alerts to them when such queries are identified. The Citrix Team Lead also took steps to block access to the SCM database from any SGH Citrix Server.
{{c1::Escalation}}: IHiS senior management and the SingHealth GCIO were only alerted to the attack on the evening of 9 July 2018. The SingHealth GCIO promptly escalated the matter and informed the CEO of IHiS that there was suspected unauthorised access into the SCM database. Concurrently, the SingHealth GCIO informed the SingHealth Deputy Group Chief Executive Officer (Organisational Transformation and Informatics) of the suspected unauthorised access.
{{c1::Containment Measures}}: From 10 July 2018, IHiS and the Cyber Security Agency of Singapore (CSA) worked jointly to put in place containment measures to isolate the immediate threat, eliminate the attacker’s foothold, and prevent the attack from recurring. These measures included resetting system accounts, placing the IHiS Security Operations Centre on high alert, tightening firewall rules, reloading all Citrix servers with clean images, mandating password changes for all users, and extensive monitoring of all administrator accounts.

Singapore Health Services Pte Ltd and Integrated Health Information Systems Pte Ltd
What were the specific security shortcomings identified by the Personal Data Protection Commission in its decision?
The Personal Data Protection Commission identified several specific security shortcomings in its decision:
{{c1::Weak Passwords}}: The local administrator account was secured with an easily deduced password (“P@ssw0rd”), and the service account had a self-generated password during the installation of the services.
{{c1::Dormant Accounts}}: The attacker was able to gain access to and control of two dormant accounts that were not ordinarily used for day-to-day operations.
{{c1::Decommissioning Delay}}: The SGH Citrix servers, which were planned for decommissioning following the migration of the SCM database and Citrix servers to H-Cloud in June 2017, remained operational and part of the SCM network while the decommissioning process was ongoing.
{{c1::Coding Vulnerability}}: There was an inherent coding vulnerability in the SCM client application, which allowed the attacker to retrieve the SCM database login credentials from the H-Cloud Citrix server.
{{c1::Lack of Formal Activation}}: The Security Incident Response Team (SIRT) was not formally activated at any point, which was not in accordance with IHiS’ Healthcare IT Security Incident Response Framework and Cluster IT Security Incident Response SOP.

Clause 7(1) Part 3 of the CSA, in relation to {{c3::Critical Information Infrastructure}}: The Commissioner may, by written notice to the owner of a computer or computer system, {{c1::designate the computer or computer system as a critical information infrastructure}} for the purposes of this Act, if the Commissioner is satisfied that —
– the computer system provides an {{c2::essential service in Singapore}}; and
– the computer system is {{c2::wholly or partly in Singapore}}.

A designation under s 7(1):
– must inter alia inform the owner of the CII of the owner’s duties and responsibilities under the CYSA that arise from the designation (s 7(3))
– is valid for {{c4::5 years (s 7(3))}}

s 19(2) Part 4 of the CSA: the CSA has the power to investigate a cybersecurity incident and to request a {{c1::signed statement}} and {{c1::produce document/ electronic records relevant to the investigation}}.

s 24(1) Part 5 of the CSA: no person shall provide a cybersecurity service without a licence under s 26. Penalty: a fine not exceeding {{c1::$50,000}} or imprisonment for a term not exceeding {{c2::2 years or to both.}}

CII: a computer or a computer system designated under s 7(1) – as {{c3::designated by the CSA}}.

Computer: “an electronic, magnetic, optical, electrochemical, or other {{c1::data processing device}} performing logical, arithmetic, or storage functions, and includes any data storage facility or communications facility directly related to or operating in conjunction with such device …”
– Excludes {{c1::prescribed devices}} (none at present)

Computer System: an arrangement of interconnected computers and includes:
– “{{c2::an information technology system}}”
– “an operational technology system such as an industrial control system, a programmable logic controller, a supervisory control and data acquisition system, or a distributed control system”

Key Definitions under Section 3
Cybersecurity: the state in which a computer or computer system is protected from unauthorised access or attack such that the following is maintained (note: the “CIA” of cybersecurity):
– {{c1::Confidentiality}} of information processed, etc. by the computer or computer system (what about the computer / system itself?)
– {{c1::Integrity}} of the computer or computer system or the information it processes, etc.
– {{c1::Availability}} of the computer or computer system (and information?)

{{c2::Cybersecurity Threat}}: “an act or activity (whether known or suspected) carried out on or through a computer or computer system, that may {{c2::imminently jeopardise or affect adversely}}, without lawful authority, the cybersecurity of that or another computer or computer system”
{{c3::Cybersecurity Incident}}: “an act or activity carried out without lawful authority on or through a computer or computer system that {{c3::jeopardises or adversely affects}} its cybersecurity or the cybersecurity of another computer or computer system”

Key Definitions under s 3 CSA
{{c1::Essential Service}}: “any service essential to the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore, and specified in the First Schedule”
Essential services in the {{c1::First Schedule}} include:
– Aviation, Land Transport or Maritime
– Banking and Finance
– Energy or Water
– Info-communications or Media
– Functioning of Government
– Security and Emergency Services
– Healthcare

(I) Designation of CII (s 7)
The Commissioner may obtain information from a person who appears to be exercising control over a computer or computer system for the purpose of ascertaining whether it fulfils the criteria of a CII (s 8(2))
– Failure to comply {{c3::is an offence (s 8(4))}}
– Same exception for {{c4::legal privilege as s 19}}
The Commissioner may designate a computer or computer system as CII if both of the following apply (s 7(1)):
– the computer or computer system is {{c1::necessary for the continuous delivery of an essential service,}} and the loss or compromise of the computer or computer system will have a debilitating effect on the availability of the essential service in Singapore
– the computer or computer system is {{c2::located in Singapore}} (Q: what about cloud-based services?)

(II) Obtaining Information Relating to a CII (ss 10, 12 & 13)
The Commissioner may require the owner of a CII to furnish the following information (s 10(1)):
– Information on the design, {{c2::configuration}} and security of the CII or any other computer or computer system under the CII owner’s control that is interconnected or communicates with that CII
– Information relating to the {{c2::operation}} of that CII or other computer or computer system
– Any other information in order to ascertain the level of cybersecurity of the CII
Material changes to the design, configuration, security or operation are to be updated within {{c1::30 days (s 10(5))}}
Any change in the {{c3::beneficial or legal ownership}} must be notified to the Commissioner within 7 days by the former owner, if the whole ownership is transferred, or otherwise any owner of the CII (s 13(1))
Failure to comply with any of the above is {{c4::an offence (ss 10(2), 10(7) & 13(2)) - fine and/or imprisonment}}
Same exception for {{c5::legal privilege, etc. as s 19}}

(III) Codes of Practice and Standards of Performance (s 11)
The Commissioner may issue or approve one or more codes of practice or standards of performance for the regulation of the owners of CII with respect to measures to be taken by them to ensure the cybersecurity of the CII (s 11(1)(a))
Every owner of a CII {{c1::must comply with the codes of practice and standards of performance}} that apply to their CII (following publication of a notice relating to the code or standard) unless otherwise waived by the Commissioner under s 11(7) (s 11(6))
The Commissioner may amend or revoke any {{c2::code of practice or standard of performance (s 11(1)(b)))}}
The Commissioner must publish a notice of the issuance, approval, amendment or revocation of a code of practice or standard of performance (s 11(3)), failing which it does not take effect (s 11(4))
A code of practice or standard of performance {{c3::does not have legislative effect (s 11(5))}} and any of its provisions that is inconsistent with the CYSA does not have effect (to the extent of the inconsistency) (s 11(2))
The Commissioner for Cybersecurity / CSA issued the Cybersecurity Code of Practice for Critical Information Infrastructure on 4 July 2022, last updated 12 Dec 2022

(IV) Directions to Ensure Cybersecurity of a CII (s 12)
The Commissioner may issue a direction to the owner(s) of a CII in order to ensure the cybersecurity of the CII or where it is necessary or expedient for the administration of the CYSA (s 12(1))
Without limitation, a direction may include the following (s 12(2)):
– the {{c1::action to be taken by the owner(s) in relation to a cybersecurity threat}}
– {{c1::compliance with any code of practice or standard of performance}} applicable to the owner(s)
– {{c1::appointment of an auditor approved by the Commissioner to audit the owner(s) on}} their compliance with the CYSA or any code of practice or standard of performance applicable to the owner(s)
Process for issuance of a direction includes giving the owner an opportunity to make representations (s 12(4) & (5))
Failure to comply is {{c2::an offence (s 12(6))}}

(V) Duty to Report Cybersecurity Incident in respect of CII (s 14)
The owner of a CII must notify the Commissioner upon the occurrence of any of the following (s 14(1)):
– a {{c1::prescribed cybersecurity incident}} in respect of the CII or any other computer or computer system under the CII owner’s control that is interconnected with or that communicates with the CII
– any other type of cybersecurity incident in respect of the CII that the Commissioner has {{c1::specified by written direction}} to the owner
The owner of a CII must establish such {{c2::mechanisms and processes for the purposes of detecting cybersecurity}} threats and incidents in respect of the CII, as set out in any applicable code of practice (s 14(2))
Failure to comply is {{c3::an offence (s 14(3))}}

(VI) Cybersecurity Audits and Risk Assessments (s 15)
The owner of a CII must comply with the following (s 15(1)):
– at least {{c1::once every 2 years}}, cause an audit to be carried out of the compliance of the CII with the CYSA and the applicable codes of practice and standards of performance (to be done by an auditor approved or appointed by the Commissioner)
– at least {{c1::once a year}}, conduct a cybersecurity risk assessment of the CII
The owner of a CII must furnish a {{c3::copy of the audit report or risk assessment to the Commissioner within 30 days of completion (s 15(2))}}
See the rest of the section for further details
Failure to comply is {{c2::an offence (s 15(7) & (8))}}

(VII) Cybersecurity Exercises (s 16)
The Commissioner may conduct cybersecurity exercises for the purpose of {{c1::testing the state of readiness of owners}} of different CII in responding to significant cybersecurity incidents.
An owner of a CII must participate in a cybersecurity exercise if directed in writing to do so by the Commissioner
Failure to comply {{c2::is an offence (s 15(7) & (8))}}

(I) Investigation (s 19)
The Commissioner may {{c1::investigate any cybersecurity threat or incident}} for the following purposes (s 19(1)):
– assessing the impact or potential impact of the cybersecurity threat or incident
– preventing harm arising from the cybersecurity incident
– preventing a further cybersecurity incident from arising from that cybersecurity threat or incident
The Commissioner’s {{c2::powers of investigation (s 19(2))}} may be applied as against any person (e.g. to compel attendance and obtain information) and failure to comply is an offence (s 19(8))
Legal Privilege, etc.: Disclosure of information that is subject to any right, {{c3::privilege or immunity}} conferred, or obligation or limitation imposed, by or under any law or rules of professional conduct in relation to the disclosure of such information is not required, except that the {{c3::performance of a contractual obligation is not an excuse for not disclosing the information (s 19(6))}}

(II) Elimination of Serious Threats and Incidents (s 20)
The Commissioner has additional powers in relation to any cybersecurity threat or incident that meets any of the following criteria (s 20(3)):
– it creates a risk of significant harm being caused to a CII
– it creates a risk of disruption to the provision of an essential service
– it creates a threat to the national security, defence, foreign relations, economy, public health, public safety or public order of Singapore
– it is of a severe nature, in terms of the severity of the {{c1::harm that may be caused to persons}} in Singapore or the {{c1::number of computers}} or {{c1::value of the information}} put at risk, whether or not the computers or computer systems put at risk are themselves CII
The Commissioner may investigate any such serious cybersecurity threat or incident for the following purposes (s 20(1)):
– assessing the impact or potential impact of the cybersecurity threat or incident
– {{c2::eliminating the threat}} or preventing harm arising from the cybersecurity incident
– preventing a further cybersecurity incident

(II) Elimination of Serious Threats and Incidents (s 20, continued)
For such serious cybersecurity threats and incidents, the Commissioner may:
– in addition to the powers under s 19(1) – direct (by written notice) any person to carry out {{c1::remedial measures}}, or to cease carrying on certain activities in relation to a computer or computer system that […] is or was affected by the cybersecurity incident, in order to minimise cybersecurity vulnerabilities in the computer or computer system
– require the owner of a computer or computer system to take any action to assist with the investigation (examples in the Act) – enter premises, perform scans, obtain records, etc.
Examples of remedial measures (under s 20(2)) include the following:
– {{c2::removal of malicious software}} from the computer;
– {{c2::installation of software updates}} to address cybersecurity vulnerabilities;
– {{c2::temporarily disconnecting}} infected computers from a computer network until the above is carried out
– {{c2::redirection of malicious data traffic}} towards a designated computer or computer system

Key requirements in the COP, Section 3 Governance Requirements:
– {{c1::Leadership and oversight}}: adequate resources to cybersecurity strategy and application to CII; effective leadership from the board and senior management
– {{c1::Risk management}}: risk management framework to identify, analyse, evaluate and address (respond to) cybersecurity risks in a cost-effective manner; maintain a risk register for each CII
– {{c1::Policies, Standards, Guidelines and Procedures}}: policies and standards for (internal) compliance; guidelines on best practices; procedures with specific actions to be taken

Key requirements in the COP, Section 3 Governance Requirements:
– Use of Cloud: {{c1::Organisation remains responsible}} for maintaining oversight of cybersecurity and managing cybersecurity risks to CII even if CII is wholly or partly implemented using cloud computing systems
– {{c1::Outsourcing and vendor management}}: organisation remains responsible for cybersecurity even if it engages an external party to perform any functions with respect to the CII; controls must be implemented to minimise cybersecurity risks

Under {{c1::s24 of the}} PDPA, all organisations are required to protect personal data by making {{c2::reasonable security arrangements}} to prevent the following ({{c1::s 24}}):
– unauthorised access, collection, use, disclosure, copying, modification, disposal or similar risks
– loss of any storage medium or device on which personal data is stored
Requirements:
– Covers personal data in the possession or under the control of the organisation
– “{{c2::reasonable security arrangements}}” – not defined (Side note: this kind of wording is found in many other countries’ laws, including e.g. the EU and US)
– Two key elements; measures are to prevent: {{c3::unauthorised access}}, etc. to personal data; {{c3::loss of storage media}} / devices containing personal data

PDPC’s Advisory Guidelines on Key Concepts in the PDPA, para 17
– “There is no ‘one size fits all’ solution for organisations to comply with the Protection Obligation. Each organisation should consider adopting security arrangements that are reasonable and appropriate in the circumstances …”
– Factors to take into consideration: {{c1::Nature}} of the personal data; {{c1::Form in which the personal data}} was collected (e.g. electronic or physical); possible {{c1::impact to the individual concerned}} if an unauthorised person obtains, modifies or disposes of the personal data

PDPC’s Advisory Guidelines on Key Concepts in the PDPA (s 24), para 17 (continued):
– In practice, an organisation should: design and organise its security arrangements to {{c1::fit the nature}} of the personal data held by the organisation and the possible harm that may result from a security breach; identify reliable and well-trained personnel responsible for ensuring information security; implement {{c1::robust policies and procedures}} for ensuring appropriate levels of security for personal data of varying levels of sensitivity; be prepared and {{c1::able to respond}} to information security breaches promptly and effectively
– Security arrangements include: {{c2::Administrative}} measures (e.g. confidentiality obligations, robust policies, staff training); {{c2::Technical}} measures (e.g. network security measures, access control, use of encryption); {{c2::Physical}} measures (e.g. physical locks, privacy filters, proper disposal of physical documents)

s 24 Personal Data Protection Act
In relation to data intermediaries and the organisations that engage them (data controllers), note that section 24 applies to both (per s 4(2) & (3))
Scope of responsibility depends on the extent of tasks to be done by each:
– Processing by the {{c1::data intermediary (implement necessary technical, physical and administrative measures) }}
– Governance by the {{c2::data controller (implement, typically via contract, measures to govern the data intermediary’s protection of personal data)}}

Definition/Concepts (ss 26A & 26B):
– Data Breach: (a) {{c1::unauthorised}} access, collection, use, disclosure, copying, modification or disposal of personal data, or (b) {{c1::loss}} of any storage medium or device on which personal data is stored in circumstances where the unauthorised access, collection, use, disclosure, copying, modification or disposal of the personal data is likely to occur. Cf. s 24
– Notifiable Data Breach: a data breach that (a) results in, or is likely to result in, {{c3::significant harm}} to an affected individual or (b) is, or is likely to be, of a {{c3::significant scale}}
A data breach is deemed to result in significant harm and is deemed to be of significant scale in prescribed circumstances (s 26B(2) & (3))
Significant harm: see Personal Data Protection (Notification of Data Breaches) Regulations 2021 (“DBN Regulations”), reg. 3 and Schedule (see next slide)
Significant scale: {{c2::500}} (see DBN Regulations, reg. 4)
Notwithstanding the above, a data breach within an organisation is not notifiable (s 26B(4))

(I) Conduct an Assessment of a Data Breach
Where an organisation has reason to believe that a data breach has occurred affecting personal data in its possession or under its control:
– If the organisation is a data intermediary and the affected data is data it is processing for the data controller, the organisation (DI) must {{c1::notify the data controller of the data breach without undue delay (s 26C(3))}}
– If the organisation is a data controller, it must conduct, in a reasonable and expeditious manner, {{c2::an assessment of whether the data breach is a notifiable data breach (s 26C(2))}}
Q: Timeframes? No timeframe is prescribed, but the attitude of the data processor/ organisation is a determining factor in the determination of penalties (The Cellar Door)
Also note the obligation of a data intermediary of a public agency (s 26E): {{c3::Must inform the public agency.}}

(II) Notification to PDPC
Where an organisation assesses that a data breach is notifiable, it must notify PDPC as soon as practicable and, in any case, {{c1::within 3 calendar days (s 26D(1))}}
Notification to PDPC is to be made via the PDPC website (www.pdpc.gov.sg)
The notification must contain the {{c2::prescribed information}}, to the best of the knowledge and belief of the organisation when the notification is made (s 26D(3))
– The specific information required is set out in the {{c3::DBN Regulations (reg.5)}} and the relevant webform on the PDPC website
Notification to PDPC (and affected individuals – see next slide) applies concurrently with any other obligation of the organisation to notify any other person (e.g. CSA) of the occurrence of a data breach

(III) Notification to Affected Individuals
Where an organisation assesses that a data breach is notifiable and it results, or is likely to result, in {{c1::significant harm to the affected individuals}}, it must also {{c1::notify the affected individuals}} on or after notifying PDPC (s 26D(2))
Notification to the affected individuals is to be made in any manner that is {{c2::reasonable in the circumstances}} (s 26D(2))
The notification must contain the prescribed information, to the best of the knowledge and belief of the organisation when the notification is made (s 26D(3))
– The specific information required is set out in the {{c3::DBN Regulations (reg. 6)}}

(III) Notification to Affected Individuals (continued)
Exceptions to this requirement:
– If the organisation, on or after assessing that the data breach is a notifiable data breach, takes any action, in accordance with any prescribed requirements, that renders it unlikely that the notifiable data breach will result in {{c2::significant harm to the affected individual (s 26D(5)(a))}}
– If the organisation had implemented, prior to the occurrence of the notifiable data breach, any {{c2::technological measure}} that renders it unlikely that the notifiable data breach will result in significant harm to the affected individual (s 26D(5)(b))
– If a prescribed law enforcement agency {{c3::so instructs or PDPC so directs (s 26D(6))}}
– PDPC, on application by the organisation, {{c1::waives this requirement (s 26D(7))}}