Servers Left Running Without Security Updates Can be Your Organization’s Weakest Link

The revelation that the server used by attackers as a passageway in Singapore’s biggest cyberattack hadn’t been updated for more than a year shows how a failure to update a server can be your organization’s weakest link.

The circumstances surrounding the failure to update the server used by attackers in ultimately reaching Singapore Health Services (SingHealth)’s critical system were revealed during the recent hearing conducted by the Committee of Inquiry (COI), the body tasked to investigate Singapore’s biggest cyberattack, the SingHealth cyberattack.

Last July 20, Singapore’s Ministry of Communications and Information and Ministry of Health issued a joint statementdisclosing that attackers stole non-medical related personally identifiable information of more than 1.5 million patients who visited SingHealth’s outpatient clinics and polyclinics from May 1, 2015 to July 4, 2018.

Singapore’s Ministry of Communications and Information and Ministry of Health also said that medical-related information of more than 160,000 SingHealth’s patients for the same period was illegally copied and transferred by attackers.

During the recent COI hearing, Tan Aik Chin, senior manager of cancer service registry and development at the National Cancer Centre Singapore (NCCS), testified that while on paper, he wasn’t responsible for the server in question; in reality, he became one out of convenience.

Tan said that former employees of Singapore’s Integrated Health Information Systems’ (IHiS), the body responsible of managing the server on paper, gave him access details to the server in question in case his help was needed as the server was located where he works, at the NCCS.

Since 2014, when these former IHiS employees left, Tan said he became the custodian of the server in question despite the fact that he wasn’t trained in cybersecurity or server management. He added that the only time he updated the server in question since taking over in 2014 was 14 months before the cyberattack happened.

Tan added that the last update happened after he received the circulated instructions from IHiS to update all Windows servers in response to the WannaCry ransomware, which disrupted healthcare and other sectors’ operations worldwide in May 2017.

Serena Yong, newly appointed to the role of director of IHiS infrastructure services division, testified before the COI that she wasn’t aware that the server in question wasn’t being managed by IHiS in practice.

Keeping Your Organization’s Server Up-to-Date

One of the top security best practices is keeping your organization’s server up-to-date. Lessons from WannaCry and the recent attack at SingHealth showed us the importance of keeping servers up-to-date.

WannaCry, which locked down hundreds of thousands of computers in 150 countries in less than 24 hours on May 12, 2017, was a result of the failure of many organizations to update their server. WannaCry exploited a security vulnerability in Windows servers. Microsoft fixed this security vulnerability exploited by WannaCry attackers via its March 2017 security update. This specific update, however, was limited to Microsoft-supported Windows software. Failure to install this March 2017 update left many Windows servers vulnerable to WannaCry attack.

Here are some basic steps in keeping your organization’s server up-to-date:

Install Latest Software Update As Soon As Feasible

There are valid reasons why many organizations don’t update their servers’ software immediately after every software update release. A software update is a disruptive process. Whenever an update is undertaken, the system has to reboot, momentarily preventing your organization’s staff or clients in accessing your organization’s IT system.

Software update also has to be tested as some updates aren’t compatible with the server and other software, causing system failure. This software update testing takes time and adds to disruption time.

This disruption time, however, is the payoff for the security provided by the software update. Many software updates aren’t just meant to improve functionalities. Many are, in fact, meant to fix known security vulnerabilities. Cybercriminals find it convenient to attack corporate servers by simply looking for its weakest link –  known security vulnerabilities that software vendors already issued a patch or security update, knowing that many organizations fail to update their server in a timely manner.

To minimize the effects brought about by the disruption time caused by a software update, notify your staff and clients before the scheduled system update so as to forewarn them about the system downtime.

The convenient time to conduct the software update is different in every organization. For instance, the update can be done during the time of the day or days when staff or clients least use your IT system. This can mean few hours or few days after the release of the security update. Fourteen months like the software update delay of SingHealth’s server, however, is unacceptable.

Assign Specific Qualified Person or Team Responsible for Managing the Server

It isn’t unusual for many organizations to assign the server management to existing staff like the communications officer, finance officer or any staff not specifically trained in cybersecurity and server management. Giving the task of managing a server to an unqualified person or team is a big security risk for your organization.

An unprotected server can be your organization’s weakest link. Contact us today at (416) 920-3000if your organization needs assistance in regularly updating your organization’s server. At GenX, we offer server operating system services, including:

  1. On-site physical deployment of server equipment
  2. Setup of new operating system on company server, or upgrading previous ones
  3. Implementation of virtual spaces for increased server operation efficiency
  4. Testing and verification of system data post-upgrade

Leave a Reply

Your email address will not be published. Required fields are marked *