After Mobile Guardian: How can we do better?
How should we evaluate the next vendor for cybersecurity?
After Mobile Guardian, how can we better evaluate the next vendor for good cybersecurity?
Earlier this week, MOE confirmed that it has terminated its contract with Mobile Guardian, effective end-August.
Mobile Guardian troubles
If you can recall, some 13,000 users across 26 secondary schools were affected by a cyber security breach at Mobile Guardian earlier in August.
Mobile Guardian offers a feature-rich service created to manage devices for learning institutions. Its capabilities include the ability to:
- Filter Web and YouTube content.
- Blank out screens or distribute content.
- Track device activity and enforce usage hours.
Unfortunately, hackers gained unauthorised access and remotely formatted some devices. The global breach was so bad, Mobile Guardian pulled the plug on its servers.
You can read about it here.
What now
Legal action has been taken against contractors involved in various incidents related to Mobile Guardian, reported the Straits Times.
MOE is currently studying options for an alternative device management application (DMA). A new service to manage students’ devices will be rolled out by Jan 2025.
While the Aug breach was the largest, it turns out there were several incidents before that fateful day
- April: Poor password management led to data leak.
- 30 May: Security flaw reported by member of public.
- 30 July: App glitch affected over 1,000 students
- 04 August: Global cybersecurity breach.
Evaluating vendors
Notably, forensic investigations after the Aug 4 incident by GovTech and CSA found a new vulnerability - likely the vector used by the attacker.
A document on Reddit - written a day before the August hack, called on MOE to urgently terminate its contract with Mobile Guardian for multiple security malpractices:
- Client-side privilege escalation flaws.
- Ignoring of bug report emails.
- Misconfigured servers.
But it was already too late.
Which brings us to the question: How should MOE evaluate the next vendor for good cybersecurity?
- Cyber experts I talk to often joke that the only truly secure computer is unplugged from the network, powered down, and locked up at a safe location.
- But while perfect security is not reasonable, what are some minimal standards to establish and considerations to bear in mind for the next DMA vendor?
What do you think?