Seems legit
Looks like a well thought out "appropriate punishment and rewards" approach.
The western world would do well to use this approach for similar incidents.
The Singaporean government-owned biz responsible for that country's patient database has fined senior executives, including the CEO, and dismissed two managers, after blunders allowed hackers to siphon off private records. The punishments were meted out by Integrated Health Information Systems (IHiS), which run a patient …
Indeed, and the western world should probably follow Singapore in removing Internet access from most public service accounts. They committed to this in mid 2016. See this commentary related to this incident:
https://www.gov.sg/news/content/internet-separation-could-and-should-have-been-implemented-in-public-healthcare-system
Cutting off Internet access is all benefits, as I see it.
1. Less employee time wasted (supposedly)
2. Saves $$$ on Internet access costs
3. More secure (as the incident here shows).
I really, really don't understand why it isn't standard practice. Can anybody give pointers?
If sh*t means Facebook/$ANTISOCIAL_NETWORK/eBay/Amazon/Reddit/... then no, shit won't ever get done.
Instead of using a heavyweight web filter to block websites (nearly every one I had seen could be bypassed using an obscure proxy "as opposed to a popular one"), Internet access could be completely cut off from lusers' desktops. Updates are network-distributable.
"2. Saves $$$ on Internet access costs
3. More secure (as the incident here shows).
I really, really don't understand why it isn't standard practice. Can anybody give pointers?"
Because point #2 is false. It is much cheaper to use the internet/VPN than to build a national private network.
No arguments about security - but costs are the main reason.
Most British people (even in IT) wouldn't know what the N3 is either.
Simplistically*, it's the NHS National Network. The connections don't connect to the internet directly, but to the NHS national VPN. Thus, connections between two NHS sites are secured by the national level VPN, even if they aren't secured directly at the sites.
There is (obviously) a connection to the internet via N3, however it's secured against the internet being able to directly access things on the N3.
It's expensive because the NHS is the world's 5th largest organisation by number of staff, beaten only by the US & Chinese armies, McDonald's and the Walmart group. Out of those, only the US military has a secured physical network along the lines of the NHS, and their network would crash and burn under the traffic loads on the NHS network.
*Please note the setup has been simplified for clarity to the point its accuracy could be challenged by a pedant suffering from OCD.
I read that as in "why does an end user need full unfettered internet access"?
To which the answer is "they don't".
From there the question is how much restriction you do. Pretty much every firm in existence is running a small blacklist of sites end users shouldn't be accessing (e.g., porn sites, etc.). Some other firms have a larger blacklist also containing sites that aren't work related but that people spend time on during working hours.
I don't think many firms identify specifically which websites employees need to do their jobs and block everything but those sites on the employers network though, if that was what you meant.
" Pretty much every firm in existence is running a small blacklist of sites end users shouldn't be accessing."
Mine has blocked IBM and Oracle's main libraries of downloadable manuals. This pretty much encompasses all the products we use and support.
Which is why I have my own internet hotspot and laptop on my desk.
I reckon that qualifies as shooting oneself in both feet myself, but no doubt I have missed the point.
But I assume you are prevented from joining your private equipment to the network.
That is equivalent to bringing your own books to work.
I also assume you are prevented from joining memory sticks to your office equipment. Remember the days when floppy disks were the way in for malware?
@Peter2
As far as I understand it, they segment the network so that if Internet access is required for work purposes then you (the employee) have Internet access. If Internet access is not required for work purposes then no access. This includes email. Devices with Internet access do not have access to the protected segment.
There are many roles that do not require Internet access in an organisation. Technical roles are often considered an exception but there are ways that this can be minimised.
Cutting off Internet access is all benefits
I worked in a place that had this policy in place. It was a fun place (sarcasm intended).
Staff wanted internet access, and because upper management refused, each business unit had a DSL installed. Nearly every business unit had a DSL modem, with WiFi turned on (and with default username/password). Staff reasoned that the DSL lines were "operational necessity".
But here's the kicker: Some enterprising fellow then CONNECTED the said DSL modems to the corporate LAN.
When we tried to shut down the port, we were told (angrily) to turn it back on because it was "operational necessity".
Fun times that was. I didn't last long. I left a few months later.
Recently, we had a client who had Corporate and Guest SSID (open authentication) enabled. The client kept asking "why are staff using the Guest SSID". Same thing as above. Corporate SSID had internet restrictions while Guest SSID wasn't. So guess what the staff preferred to use?
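The rogue DSL modems described in the post above are a textbook way an "internet separation" policy gets silently defeated: once a consumer router is patched into the corporate LAN it starts handing out its own DHCP offers, its own default gateway and public DNS servers. The following is an added example, not code from the article or any commenter, of a small detector that runs over DHCP OFFER log lines and flags exactly that. The log format (a `dhcpmon`-style syslog line with `router=` and `dns=` fields), the sanctioned server/router/DNS addresses and the sample log are all constructed assumptions for the example.

```python
"""Detect rogue DHCP servers and gateways on a segment that is supposed to
have no internet uplink. Added example; the log format, addresses and sample
lines below are constructed, not taken from the article or the comments."""
import re
from collections import defaultdict
from dataclasses import dataclass

# Assumed sanctioned infrastructure for the "no internet" segment.
SANCTIONED_DHCP_SERVERS = {"10.20.0.2"}
SANCTIONED_ROUTERS = {"10.20.0.1"}
SANCTIONED_DNS = {"10.20.0.2"}

# Hypothetical dhcpmon line: "DHCPOFFER from <server> (<mac>) to <client>
# router=<gw> dns=<a>,<b>" -- assumed format, not a real tool's output.
OFFER_RE = re.compile(
    r"DHCPOFFER from (?P<server>[\d.]+) \((?P<mac>[0-9a-f:]{17})\) "
    r"to (?P<client>[\d.]+) router=(?P<router>[\d.]+) dns=(?P<dns>[\d.,]+)"
)

# Constructed sample: lines 1 and 3 are the real server, line 2 is a consumer
# DSL router bridged onto the LAN, line 4 is something impersonating the
# sanctioned server's IP from a different MAC, line 5 is unrelated noise.
SAMPLE_LOG = """\
Jan 10 09:12:01 sw-core dhcpmon: DHCPOFFER from 10.20.0.2 (00:11:22:33:44:55) to 10.20.0.57 router=10.20.0.1 dns=10.20.0.2
Jan 10 09:12:07 sw-core dhcpmon: DHCPOFFER from 192.168.1.1 (aa:bb:cc:dd:ee:ff) to 192.168.1.23 router=192.168.1.1 dns=8.8.8.8,8.8.4.4
Jan 10 09:12:09 sw-core dhcpmon: DHCPOFFER from 10.20.0.2 (00:11:22:33:44:55) to 10.20.0.58 router=10.20.0.1 dns=10.20.0.2
Jan 10 09:14:30 sw-core dhcpmon: DHCPOFFER from 10.20.0.2 (de:ad:be:ef:00:01) to 10.20.0.59 router=10.20.0.1 dns=10.20.0.2
Jan 10 09:15:02 sw-core dhcpmon: link state change on Gi1/0/12
"""


@dataclass(frozen=True)
class Finding:
    kind: str     # rogue-dhcp-server | rogue-gateway | off-segment-dns | dhcp-server-spoofing
    server: str   # DHCP server IP that made the offer
    mac: str      # MAC(s) the offer came from; what you hand to Security
    detail: str


def parse_offers(lines):
    """Return one dict per DHCPOFFER line; non-matching lines are ignored."""
    offers = []
    for line in lines:
        m = OFFER_RE.search(line)
        if m:
            offer = m.groupdict()
            offer["dns"] = offer["dns"].split(",")
            offers.append(offer)
    return offers


def find_rogue_offers(lines):
    """Flag offers from unsanctioned servers, offers pushing an unsanctioned
    default gateway or DNS, and a sanctioned server IP seen from >1 MAC."""
    findings = []
    macs_per_server = defaultdict(set)
    for o in parse_offers(lines):
        macs_per_server[o["server"]].add(o["mac"])
        if o["server"] not in SANCTIONED_DHCP_SERVERS:
            findings.append(Finding("rogue-dhcp-server", o["server"], o["mac"],
                                    f"offered {o['client']}"))
        if o["router"] not in SANCTIONED_ROUTERS:
            findings.append(Finding("rogue-gateway", o["server"], o["mac"],
                                    f"router={o['router']}"))
        bad_dns = [ip for ip in o["dns"] if ip not in SANCTIONED_DNS]
        if bad_dns:
            findings.append(Finding("off-segment-dns", o["server"], o["mac"],
                                    "dns=" + ",".join(bad_dns)))
    # Same sanctioned IP answering from two MACs: someone is spoofing it.
    for server, macs in macs_per_server.items():
        if server in SANCTIONED_DHCP_SERVERS and len(macs) > 1:
            findings.append(Finding("dhcp-server-spoofing", server,
                                    ",".join(sorted(macs)),
                                    f"{len(macs)} MACs for one server IP"))
    return findings


def rogue_hosts(lines):
    """(ip, mac) pairs of unsanctioned DHCP servers: the devices to go pull."""
    return {(f.server, f.mac) for f in find_rogue_offers(lines)
            if f.kind == "rogue-dhcp-server"}


if __name__ == "__main__":
    for f in find_rogue_offers(SAMPLE_LOG.splitlines()):
        print(f"{f.kind:22} {f.server:14} {f.mac:36} {f.detail}")
```

The MAC-per-server check is the part worth keeping even where the rest is tuned to your own format: a consumer modem plugged into the LAN will usually not bother impersonating the real server's IP, but the moment the same sanctioned IP starts answering from two hardware addresses you have either a misconfigured replacement or an active spoofer, and either way the "separated" segment is no longer separated.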
each business unit had a DSL installed.
So basically your problem seems to be a luser coup d'état.
This is called unauthorized equipment and Security should be summoned to remove it. (Dunno if that is even possible, but if it were me, this is what I would do).
When we tried to shut down the port, we were told (angrily) to turn it back on because it was "operational necessity".
Tell him to f*ck off. Would he be permitted to get his bed, place it next to his desk, and sell his house? Because it's an operational necessity? (Also see BOFH operational euphemisms? Operational necessity in this case meaning that one couldn't "operate" without enough sleep or something?)
I really doubt the CEO of the company could agree to this.
Recently, we had a client who had Corporate and Guest SSID (open authentication) enabled. The client kept asking "why are staff using the Guest SSID". Same thing as above. Corporate SSID had internet restrictions while Guest SSID wasn't. So guess what the staff preferred to use?
I'd either apply the same restrictions to both (but not connect them together), or just do away with the Guest SSID. Everybody and their pet now has mobile data plans. (I stand corrected though).
When users en masse in your company are doing things that fly in the face of IT policy, it is a sign that IT policy is absolutely not fit for purpose.
Any IT policy must meet business needs *first*. That is what users tell you they need. You can negotiate alternatives, but you cannot simply arbitrarily enforce steps that impede their work, simply to derisk your end of things.
Asking Guests to use their own phone data plan is a poor show. A potential customer that is going to be the source of IT staff salaries. And they shouldn't be watching how much data or battery they are using.
IT has a service role where the services need to work for the employees of the company. And just like other service industries, the customer is king as they say.
What you say is a wish list of things should happen, it will never fly in practice, so I can only assume you do not currently do this job in real life.
steps that impede their work
There's a fine distinction that needs to be made here.
If their work really demands Internet access, then of course they should have it.
When users en masse in your company are doing things that fly in the face of IT policy, it is a sign that IT policy is absolutely not fit for purpose.
This. In @sanmigueelbeer's post, it was said that the users wanted Internet access. Does it say that they needed it for work? It didn't, so I assumed that what they wanted was Facebook access, not real business Internet access.
Asking Guests to use their own phone data plan is a poor show. A potential customer that is going to be the source of IT staff salaries. And they shouldn't be watching how much data or battery they are using.
IT has a service role where the services need to work for the employees of the company. And just like other service industries, the customer is king as they say.
So basically greasing the right palms.
What you say is a wish list of things should happen, it will never fly in practice, so I can only assume you do not currently do this job in real life
Your assumption is correct ... I'm a medical student, but I consider myself well-versed in matters of IT.
"Executives held to account? And three underlings thanked for their work? What is this madness?"
I thought the same, until this rather illuminating bit of the story...
"Miscreants...stole 1.5 million citizens' health records, including those of prime minister Lee Hsien Loong, who is presumed to be the ultimate target of the attack."
He's basically the Patrician, after all. It'd be rather more shocking if the miscreants had only stolen the records of a few "regular" people and the same punishment had happened...
but were given letters of commendation for “diligence in handling the incident beyond their job scope and responsibilities.”
It may not be much but that is a big deal. Singaporeans (particularly management) don't hand out commendation unless one really, really, really deserves it.
The problem may now be that of the two managers that were fired: They may not be able to find jobs in Singapore and may have to go elsewhere.
I would have thought that the CEO should have sought advice from the Climate Scientists Job Preservation & Judgement Obscurant Association.
No, seriously. The work environment is replete with arz-covering and whitewash strategies that obviate censure.
Headline sarcasm, once again, noted, gratefully.
Like many interpretations of Biblical texts, there's more than one possible answer.
If you follow the link (Religious Tolerance) you can find some physics-based joke answers.
Even if a top politician was involved, it just needed someone to get fired. It didn't have to be management; scapegoats have always sufficed. It's like the Gatwick drone thing, it just needs to be shown that action has been taken.
The difference here is that the right action has been taken. The commendation is gratuitous too, but has happened, so this cannot be just because a politician was the target.
I cannot say if it is cultural or they have some other checks to ensure such investigative outcomes. It is a worthwhile case study.
Super On Point.
Usually some poor schmuck would get taken out back and shot, the body delivered unto The Powers, with Promises to never fail again.
This was, whoever was involved, handled in a Really Classy Way... and no, you just don't see that very damned often.
Although perhaps unusual in its own right anyway, I believe the key bits here are "government-owned biz". Not sure how this works in Singapore, but high-ranking officials of _state owned_ organizations around here are basically in a permanent open season - there to be blamed for something and swiftly fired (or even criminally charged) each time the political power lines shift...