

rmstein@ieee.org
Date: Wed, 3 Oct 2018 10:53:25 +0800

P.M. Lee, Straits Times

The public post-mortem following Singapore's largest data breach in its 53-year-old history finds that certain IT governance and deployment practices require redress. This breach rattled the city-state. https://www.straitstimes.com/singapore/coi-on-singhealth-cyber-attack-alarm-bells-did-not-ring-for-key-cyber-security-employee

Among the recommendations from the "four-member Committee of Inquiry" https://www.straitstimes.com/singapore/failings-in-judgement-organisation-exposed-as-cyber-attack-coi-grills-singhealth-risk-man is adoption of the "Singapore Government Technology Stack" (SGTS) to enable "cheaper and faster" e-service roll-out. The SGTS contents are TBD.

If a stack's publication viability (fitness to release for deployment) possesses an attribute governing "Trust" qualification, it must be shown to be immune/hardened against surreptitious access, and generate non-repudiated results, etc. The "Trust" attribute needs to be applied across the full ecosystem (including the carbon components), not just the SGTS, as the weakest security link is the easiest to penetrate, and often requires the broadest mitigations/countermeasures to harden.

Metasploit cleanliness, OWASP.org compliance, and fuzz stimulus evaluation findings can contribute to trust qualification measurement by revealing vulnerabilities to prioritize for repair prior to deployment.

Since the NSA's TAO toolset was involuntarily published, perhaps it should be applied as a "kitchen sink" qualification tool for SGTS? https://www.washingtonpost.com/world/national-security/powerful-nsa-hacking-tools-have-been-revealed-online/2016/08/16/bce4f974-63c7-11e6-96c0-37533479f3f5_story.html
