When Singapore rolled out its Digital Government Blueprint in June 2018, building reliable, secure and resilient systems was earmarked as a key priority. Aware of the risks from digitalising government systems—especially with the push for cloud-centric services—the Cybersecurity Agency of Singapore and the Government Technology Agency of Singapore (GovTech) have been keeping a close eye on the global cyber threat landscape and are working with government agencies to bolster defences and prevent security breaches.
TechNews spoke to Mr Shane Woo, an associate cybersecurity analyst at GovTech, to learn about some key trends in cybersecurity, as well as highlight how individuals and organisations can stay safe online.
1. Cryptojacking
If 2017 was the year of ransomware (malicious software that ‘locks up’ victims’ computer files until a ransom is paid), then cryptojacking was the cyberthreat flavour of the year in 2018, said Mr Woo.
The rise of cryptocurrencies such as Bitcoin has seen cybercriminals surreptitiously installing what is known as cryptocurrency mining bots on vulnerable computers. These bots basically tap on the combined processing power of infected computers to generate revenue for the hacker. According to cybersecurity firm Kaspersky, cybercriminals can earn as much as US$30,000 a month using a single cryptocurrency mining botnet.
How do you know if you may be a victim? Your device may be slowing down, heating up or its battery may be draining faster than usual. To remedy a cryptojacking situation, try purging your browser extensions, performing a scan of your device with updated antivirus software and using web filtering tools to block suspicious pages.
2. Social engineering
Even as new cyberattack strategies emerge, others like social engineering persist. A typical social engineering attack goes like this: you receive an email that appears to be from a legitimate source, perhaps from a company or an organisation that you’ve interacted with before.
You click on the link, and you’re redirected to a website requesting personal information. Only after you’ve keyed in the information do you realise that the website is not secure (not HTTPS) or has its URL misspelt—you’ve just fallen for a phishing attack and surrendered confidential information into the hands of an unknown entity.
“Social engineering (which includes phishing) has been a consistent trend in the last few years and remains one of the top threats in many different countries,” said Mr Woo, adding that “email is, by large, the most popular delivery vector globally.”
Individuals are therefore advised to read messages or emails carefully before clicking on any links or downloads. Additionally, personal information should never be divulged without first verifying the identity of the requester.
3. Vulnerabilities in the cloud
As individuals and organisations move towards data storage and processing on the cloud, Mr Woo highlighted that the convenience of the cloud comes with risks.
For example, cloud computing makes it inexpensive and simple for a company’s personnel to provide additional services or software from the cloud service provider without the approval of the company’s IT department. This could inadvertently introduce vulnerabilities to the company’s IT systems. Mr Woo also noted that incorrectly configured access controls are a major cause of cloud breaches globally.
Another risk associated with the cloud is the fact that the hardware and the infrastructure are under the control of the cloud provider. “Although currently the service providers are doing quite well in enforcing security and this does not seem to have resulted in any problems, compromise of the cloud provider or of shared hardware could result in a breach,” Mr Woo said.
Therefore, organisations migrating their processes to the cloud will need to re-evaluate their cybersecurity landscape and put in place systems to constantly monitor and log information about their cloud-based applications, services, data and users.
4. Dirty flash drives
Data transfers within organisations still often occur via portable storage media such as USB flash drives. These devices represent a weak link in the cybersecurity chain, said Mr Woo.
“There isn’t anything inherent about the USB itself that prevents malware from being stored on it. So if you’re using a thumb drive and you plug it into a machine connected to the internet, suspicious files can be transferred onto it [and spread to another machine later],” Mr Woo explained.
He shared that within the Singapore government, detected and blocked malware were mostly from external hard disk drives or flash drives. Aside from an outright ban on the use of portable storage media, organisations can consider issuing personnel with authorised storage devices, setting up secure channels for file transfers, and educating individuals on file-sharing hygiene.
5. Poor password practices
Finally, Mr Woo highlighted that “a very common thing that hackers like to do is to take credentials exposed during previous data breaches and try to reuse them.” This is known as credential stuffing and is particularly dangerous when individuals use the same username and password combinations for private and official accounts.
Protecting yourself from credential stuffing is simple—just use a unique password for each new account created. While it can be tedious to remember multiple pairs of usernames and passwords, this problem is easily solved with reputable password manager software.
Mr Woo also emphasised the importance of changing passwords periodically. Quoting tech geek Chris Pirillo, he said, “Passwords are like underwear: you don’t let people see it, you should change it very often, and you shouldn’t share it with strangers.”
This article was first published by the Government Technology Agency of Singapore on Jan 2, 2020. The opinions expressed in this publication are those of the authors. They do not purport to reflect the opinions or views of Bank of Singapore Limited or its affiliates.