
Ransomware & HSE


Comments

  • Registered Users Posts: 1,549 ✭✭✭Leftwaffe


    Out of curiosity, what kind of people carry out these attacks? Organised groups or some nerd in his mother's basement?


  • Registered Users Posts: 26,578 ✭✭✭✭Turtwig


    ineedeuro wrote: »
    I think you should remember the proverb "You can lead a horse to water but you can't make him drink"

    Most companies have learned over the years from previous attacks, the wannacry attack was huge and most companies made huge changes after this
    https://www.zdnet.com/article/ransomware-how-the-nhs-learned-the-lessons-of-wannacry-to-protect-hospitals-from-attack/
    This was released yesterday which is bad timing for the HSE.

    If you ask the question did the HSE learn anything from wannacry I think we have the answer today.

    What's the answer?


  • Posts: 5,917 ✭✭✭ [Deleted User]


    Could be wrong but had in the back of my mind it was Accenture that looked after the HSE IT systems in terms of support.

    Used be (could still be) Fujitsu who looked after a lot of the other Public Sector IT stuff, the Dail etc.

    From memory Accenture do a lot of government I.T. work including providing contractors at very high daily rates to a lot of government departments.

    They are also contracted by Microsoft for their customer support functions.


  • Registered Users Posts: 1,400 ✭✭✭paddyisreal


    You're saying Win7. There's a lot of XP machines being used due to software incompatibility with newer versions of Windows.

    There are serious questions to be asked of any organisation running XP or Windows 7 on a large scale in this day and age. It would also make you question that their other infrastructure such as firewalls, switch stack etc. are behind the curve, not to mention security practices such as patching, vulnerability scanning, security information and event management. Serious questions need to be answered.


  • Closed Accounts Posts: 36 irelandpride


    Leftwaffe wrote: »
    Out of curiosity, what kind of people carry out these attacks? Organised groups or some nerd in his mother's basement?

    Dedicated groups who constantly swarm the internet for vulnerabilities. Banks and government agencies are constantly under attack.

    This could be something as simple as an email that got through their filtering system and the user had an account with elevated privileges and clicked the attachment or link in the email.

    Could also be that some hacker got the login info of a user's account through their helpdesk and knew how to get access to their email from this and sent out a load of emails which people clicked.

    Personally myself it's simple to get to the online access email for a lot of companies and to get their online infrastructure login.
    If I had a username and a password I'd be in.


  • Registered Users Posts: 4,928 ✭✭✭skimpydoo


    fael wrote: »
    Really? What you got from my post is that I believe you can protect yourself from every 0day?

    I think you are misreading my posts and think I'm saying the HSE is doing a bad job. I can't know because I don't know what is going on in the HSE. I can't form an opinion, because I don't have knowledge about the HSE IT infrastructure.

    The point I was trying to make was that ransomware is common and you should have a plan in place. I did not say that the HSE does not have that.

    Like someone above said, pulling the plug on the network in the middle of the night can indicate they have a detection mechanism in place.
    It's happened because nothing is 100% secure. Legacy software and hardware is being used by the HSE, which is one of the reasons why they are attacked. If that legacy software and hardware is replaced overnight, more issues will occur.


  • Registered Users Posts: 5,112 ✭✭✭Blowfish


    I did, it just shows how inept they are to be honest.

    If they had to emergency support for Windows 7 God only knows how old their Routers, Switches, equipment, servers, Hosts and databases are.

    I doubt they even have firewalls between the business side and the Operating side of the hospital. Wouldn't surprise me.
    So, coming from someone who works in InfoSec, have you any concept of just how difficult it is to justify and quantify why budget should be spent on IT and even more specifically security? Security can be ****ing expensive. It can be difficult enough to justify in a standard business, but in a public healthcare system with limited budget, how do you justify spending 6/7 figures extra a year for a new Security tool rather than say a more modern medical scanner which is guaranteed to save multiple lives per year?

    The risk decisions that have to be made in healthcare are in no way easy and I don't envy anyone who has to make those calls.


  • Moderators, Category Moderators, Arts Moderators, Sports Moderators Posts: 49,672 CMod ✭✭✭✭magicbastarder


    also, there won't (shouldn't!) be an interdependency on the actual network infrastructure, and the scanning equipment, say.
    an MRI machine might be hooked up to a Win7 system because that's what the software runs on, but this doesn't mean the rest of the infrastructure has to stay at 10 year old tech.


  • Registered Users Posts: 18,172 ✭✭✭✭VinLieger


    Dempo1 wrote: »
    Clearly you're not aware of historical issues with the HSE antiquated IT systems, reports done as far back as early 2019 and before and a report earlier today in the Examiner about an expert stating quite clearly whilst participating in the Web Summit, that the HSE is very exposed

    You seem quite the expert albeit you didn't put much thought into your absurd response, take some time to do a Google search or check your facts before claiming conspiracy theories.

    Reid on now, spouting more nonsense, not disclosing amount being sought and claiming the attackers have picked the wrong people. I'm sure the perpetrators are sitting somewhere in Russia shaking in their boots.

    Of course I'm aware of all the HSE IT issues, you would need to be living under a rock to not know about them, so you can drop the patronizing condescending attitude.

    Your claim that the ransom would be paid and we would never find out is the dictionary definition of an unfounded conspiracy theory. Do you honestly believe in a place as poorly run as the HSE that if the ransom was paid they would be able to keep it a secret?


  • Closed Accounts Posts: 36 irelandpride


    Blowfish wrote: »
    So, coming from someone who works in InfoSec, have you any concept of just how difficult it is to justify and quantify why budget should be spent on IT and even more specifically security? Security can be ****ing expensive. It can be difficult enough to justify in a standard business, but in a public healthcare system with limited budget, how do you justify spending 6/7 figures extra a year for a new Security tool rather than say a more modern medical scanner which is guaranteed to save multiple lives per year?

    The risk decisions that have to be made in healthcare are in no way easy and I don't envy anyone who has to make those calls.

    There's specific stuff you can upgrade like proper web filtering proxy, proper email filtering, switches and routers, upgrade ESX hosts that can be patched, migrate databases to newer versions which can be patched, good antivirus, ensure Windows patching is up to date, good antivirus, ensure helpdesk are educated on password resets, proper firewall setup between business side and hospital equipment that run off the network.
    Also penetration testing and reviews of users that have logged in and their location.

    It's generally people who look after budgets and have no clue about IT make the budget calls unfortunately.


  • Registered Users Posts: 29,126 ✭✭✭✭AndrewJRenko


    There are serious questions to be asked of any organisation running XP or Windows 7 on a large scale in this day and age. It would also make you question that their other infrastructure such as firewalls, switch stack etc. are behind the curve, not to mention security practices such as patching, vulnerability scanning, security information and event management. Serious questions need to be answered.

    Serious questions like - who's going to pay to replace all the dated medical equipment, like x-rays, scanners, critical care equipment, brain surgery equipment with software that only operates on Win 7 and similar.
    Leftwaffe wrote: »
    Out of curiosity, what kind of people carry out these attacks? Organised groups or some nerd in his mother's basement?

    Possibly hostile governments.
    https://www.bbc.co.uk/news/world-us-canada-42407488

    ineedeuro wrote: »
    I think you should remember the proverb "You can lead a horse to water but you can't make him drink"

    Most companies have learned over the years from previous attacks, the wannacry attack was huge and most companies made huge changes after this
    https://www.zdnet.com/article/ransomware-how-the-nhs-learned-the-lessons-of-wannacry-to-protect-hospitals-from-attack/
    This was released yesterday which is bad timing for the HSE.

    If you ask the question did the HSE learn anything from wannacry I think we have the answer today.
    You do understand 'zero day exploit', don't you?
    I did, it just shows how inept they are to be honest.

    If they had to emergency support for Windows 7 God only knows how old their Routers, Switches, equipment, servers, Hosts and databases are.

    I doubt they even have firewalls between the business side and the Operating side of the hospital. Wouldn't surprise me.
    You've missed the target here by a long way.
    Could be wrong but had in the back of my mind it was Accenture that looked after the HSE IT systems in terms of support.

    Used be (could still be) Fujitsu who looked after a lot of the other Public Sector IT stuff, the Dail etc.

    Accenture may well be in there, but they don't have full ownership. HSE own them, and have recruited steadily for their CIO office over the past 5 years or so. They have internal ICT leaders, and I'd be very surprised if they don't have a SOC of maybe 5-10 staff or similar.


  • Registered Users Posts: 29,126 ✭✭✭✭AndrewJRenko


    There's specific stuff you can upgrade like proper web filtering proxy, proper email filtering, switches and routers, upgrade ESX hosts that can be patched, migrate databases to newer versions which can be patched, good antivirus, ensure Windows patching is up to date, good antivirus, ensure helpdesk are educated on password resets, proper firewall setup between business side and hospital equipment that run off the network.
    Also penetration testing and reviews of users that have logged in and their location.

    It's generally people who look after budgets and have no clue about IT make the budget calls unfortunately.

    And you're still left stuck with very expensive medical equipment with very specific control systems, possibly from suppliers that no longer exist, that can't be moved to current platforms.


  • Closed Accounts Posts: 36 irelandpride


    And you're still left stuck with very expensive medical equipment with very specific control systems, possibly from suppliers that no longer exist, that can't be moved to current platforms.

    Ever hear of a firewall?

    Anything that's IP or serial based in the hospital on machinery should be behind a firewall and not directly on their business network. I doubt the HSE even have dedicated VLANs set up with specific rules on the PCs that control the hospital equipment and the equipment itself.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Blowfish wrote: »
    So, coming from someone who works in InfoSec, have you any concept of just how difficult it is to justify and quantify why budget should be spent on IT and even more specifically security? Security can be ****ing expensive. It can be difficult enough to justify in a standard business, but in a public healthcare system with limited budget, how do you justify spending 6/7 figures extra a year for a new Security tool rather than say a more modern medical scanner which is guaranteed to save multiple lives per year?

    The risk decisions that have to be made in healthcare are in no way easy and I don't envy anyone who has to make those calls.

    Most companies will do a Security Assessment which will provide a roadmap to get from current risk rating to an acceptable rating. The target rating would be based on what similar organisations would be at. As part of this assessment they should have an analysis of risk v budget.

    This is then fed into overall budgets etc. and then everyone knows exactly what the costs of projects are, what happens if they don't spend the money, and if the decision is made to buy something else then they are aware of the risk.

    I would love to see the HSE's version of these documents and decisions made over the last 5 years in Security


  • Registered Users Posts: 5,112 ✭✭✭Blowfish


    There's specific stuff you can upgrade like proper web filtering proxy, proper email filtering, switches and routers, upgrade ESX hosts that can be patched, migrate databases to newer versions which can be patched, good antivirus, ensure Windows patching is up to date, good antivirus, ensure helpdesk are educated on password resets, proper firewall setup between business side and hospital equipment that run off the network.
    Also penetration testing and reviews of users that have logged in and their location.
    Yep, and the budget for doing that in somewhere the size and complexity of the HSE would be in the tens of millions per year. What's your business case for spending it on that, rather than more beds, consultants or covid services?

    Like I said, these are not easy decisions to make.


  • Registered Users Posts: 32,136 ✭✭✭✭is_that_so


    Seems they hope to be back up and running in some form on Monday.


  • Registered Users Posts: 5,112 ✭✭✭Blowfish


    ineedeuro wrote: »
    Most companies will do a Security Assessment which will provide a roadmap to get from current risk rating to an acceptable rating. The target rating would be based on what similar organisations would be at. As part of this assessment they should have an analysis of risk v budget.

    This is then fed into overall budgets etc. and then everyone knows exactly what the costs of projects are, what happens if they don't spend the money, and if the decision is made to buy something else then they are aware of the risk.

    I would love to see the HSE's version of these documents and decisions made over the last 5 years in Security
    That's fine for a standard business as its expected loss is quantifiable, in fact it's something I've actually been involved in.

    For the healthcare budget setters though, how do you quantify the expected loss in IT/InfoSec vs the expected gain of saving people's lives?


  • Registered Users Posts: 1,400 ✭✭✭paddyisreal


    Serious questions like - who's going to pay to replace all the dated medical equipment, like x-rays, scanners, critical care equipment, brain surgery equipment with software that only operates on Win 7 and similar.

    If it


    Possibly hostile governments.
    https://www.bbc.co.uk/news/world-us-canada-42407488



    You do understand 'zero day exploit', don't you?


    You've missed the target here by a long way.


    Accenture may well be in there, but they don't have full ownership. HSE own them, and have recruited steadily for their CIO office over the past 5 years or so. They have internal ICT leaders, and I'd be very surprised if they don't have a SOC of maybe 5-10 staff or similar.

    Serious questions like - who's going to pay to replace all the dated medical equipment, like x-rays, scanners, critical care equipment, brain surgery equipment with software that only operates on Win 7 and similar.

    I can't imagine it is the medical equipment that runs on windows 7 but the backend Mgmt system holding the patient/customer data.
    They have 58,000 computers on Windows 7 in 2019 so I would imagine workstations etc.

    That is a large upgrade but considering everyone knows since 2014 that windows seven is the end cycle it tells me the HSE are actually incompetent to have that many still on windows 7 in 2019. God only knows what the rest of the infrastructure is like.


  • Registered Users Posts: 7,422 ✭✭✭MrMusician18


    So according to Reid on the 6.1 patient data doesn't appear to have been compromised at this point. That was probably the biggest fear.

    Should government be thinking now about building its own segregated network? One that could effectively be standalone from the internet.


  • Closed Accounts Posts: 309 ✭✭Pandiculation


    Seems the vaccines portal is back


  • Registered Users Posts: 38 VelaSupernova


    Having had the unfortunate experience of working in infosec in three similar instances,
    In all three cases it happened because users had the ability to run executables on their workstations. Privileged user ran ransomware with escalated privileges. Bang.

    User behaviour is almost always the problem and I would be surprised if this wasn’t the same with the HSE. As for preventing these: user training, but also config group policy to disable EXEs from running in AppData was what I did and haven’t had a recurrence but I know it’s a matter of time.

    Better hope and pray that the backups were not involved; if the threat actor is able to touch their backups as an admin it’s game over.

    I bet they will end up paying the ransom.
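
The "no executables from AppData" control mentioned in the post above, expressed as an audit check over process-creation events; this is an added example, not part of the original post. The event records, the `ExampleApp` exception and all function names are constructed for illustration.

```python
from fnmatch import fnmatchcase
from pathlib import PureWindowsPath

# File types treated as executable for this audit (an assumption; extend as needed).
EXEC_EXTS = {".exe", ".scr", ".com", ".bat", ".cmd", ".vbs", ".js"}

# Hypothetical exception list for software that installs per-user under AppData.
# Note: '*' also spans path separators, so keep exceptions as narrow as possible.
ALLOW = [r"c:\users\*\appdata\local\exampleapp\update.exe"]

# Constructed process-creation events (not real telemetry).
EVENTS = [
    {"user": "bob", "elevated": False, "image": r"C:\Program Files\AppDataTool\tool.exe"},
    {"user": "carol", "elevated": False, "image": "c:/users/carol/appdata/roaming/updater.SCR"},
    {"user": "dave", "elevated": False, "image": r"C:\Users\dave\AppData\Local\ExampleApp\update.exe"},
    {"user": "erin", "elevated": False, "image": r"C:\Users\erin\AppData\Local\notes.txt"},
    {"user": "alice", "elevated": True, "image": r"C:\Users\alice\AppData\Local\Temp\invoice.pdf.exe"},
    {"user": "frank", "elevated": True, "image": r"C:\Windows\System32\cmd.exe"},
]


def normalise(image):
    """Lower-case the path and convert '/' to '\\' so comparisons are case-insensitive."""
    return str(PureWindowsPath(image)).lower()


def under_user_appdata(image):
    """True only for <drive>:\\Users\\<name>\\AppData\\..., matched per path component."""
    parts = PureWindowsPath(normalise(image)).parts
    return len(parts) >= 5 and parts[1] == "users" and parts[3] == "appdata"


def violates_policy(image, allow=ALLOW):
    """True if the image is an executable under a user's AppData and not excepted."""
    norm = normalise(image)
    if PureWindowsPath(norm).suffix not in EXEC_EXTS:
        return False  # only the final extension counts, so 'invoice.pdf.exe' is '.exe'
    if not under_user_appdata(norm):
        return False
    return not any(fnmatchcase(norm, pattern) for pattern in allow)


def review(events, allow=ALLOW):
    """Return the violating events, elevated launches first (highest impact)."""
    hits = [e for e in events if violates_policy(e["image"], allow)]
    return sorted(hits, key=lambda e: not e["elevated"])


if __name__ == "__main__":
    for event in review(EVENTS):
        tag = "ELEVATED" if event["elevated"] else "user"
        print(f"{tag:8} {event['user']:6} {event['image']}")
```

Running a check like this against existing logs before enforcing the policy shows which legitimate per-user installers would need an exception.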


  • Registered Users Posts: 1,400 ✭✭✭paddyisreal


    ineedeuro wrote: »
    Most companies will do a Security Assessment which will provide a roadmap to get from current risk rating to an acceptable rating. The target rating would be based on what similar organisations would be at. As part of this assessment they should have an analysis of risk v budget.

    This is then fed into overall budgets etc. and then everyone knows exactly what the costs of projects are, what happens if they don't spend the money, and if the decision is made to buy something else then they are aware of the risk.

    I would love to see the HSE's version of these documents and decisions made over the last 5 years in Security

    You won't because I can't imagine they were ever done. As you say it's a risk analysis that every company undertakes and in the last 5 years in all large companies I do work for security is number 1.


  • Registered Users Posts: 7,689 ✭✭✭whippet


    Ever hear of a firewall?

    Anything that's IP or serial based in the hospital on machinery should be behind a firewall and not directly on their business network. I doubt the HSE even have dedicated VLANs set up with specific rules on the PCs that control the hospital equipment and the equipment itself.

    You seem to have inside info on what the infrastructure is like in the HSE .. can you fill us in on your insights ? Or are you just making assumptions based on nothing ?


  • Registered Users Posts: 3,655 ✭✭✭dasdog


    There are serious questions to be asked of any organisation running XP or Windows 7 on a large scale in this day and age.

    Lockheed Martin were using XP on a corporate level until a few years ago. I'm working in fintech and most of the VDIs are running Windows 7 even though we are running services in Kubernetes with Istio to a degree that even if a personal identifier like a phone number gets leaked into an Elasticsearch log we have to report it to a regulator.


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    Ever hear of a firewall?

    Anything that's IP or serial based in the hospital on machinery should be behind a firewall and not directly on their business network. I doubt the HSE even have dedicated VLANs set up with specific rules on the PCs that control the hospital equipment and the equipment itself.
    You have no idea what you are talking about and are just making yourself look foolish.

    Maybe give it a rest.


  • Closed Accounts Posts: 36 irelandpride


    You have no idea what you are talking about and are just making yourself look foolish.

    Maybe give it a rest.

    Explain to me please why hospital equipment connected to the network and PCs controlling this equipment should be on the same switch as a business network and not a separate switch with a firewall in between with specific rules between the two switches and VLANs?

    If you want to get into more detail, the PCs controlling the hospital equipment should be on a separate domain and not the business domain, with certain trusts set up between the two domains and a firewall between the business and hospital equipment and computers controlling them.

    Eagerly awaiting your reply.


  • Registered Users Posts: 715 ✭✭✭Stihl waters


    conor_mc wrote: »
    And don’t even get me started on the stupidity of burning millions of tons of coal to “mine” the stuff in the midst of an existential climate crisis.

    It’s a cancer on global society.

    Can someone explain this to me, how does a cryptocurrency burn millions of tons of coal???


  • Registered Users Posts: 871 ✭✭✭Sofa King Great


    I see all appointments cancelled in Crumlin on Monday and Tuesday - surely they can just ask people to bring their appointment confirmation letters?


  • Registered Users Posts: 199 ✭✭DecTenToo


    Can someone explain this to me, how does a cryptocurrency burn millions of tons of coal???

    https://www.bbc.com/news/technology-56012952

    https://www.theguardian.com/technology/2021/feb/27/bitcoin-mining-electricity-use-environmental-impact

    Or google "bitcoin mining energy consumption" for more articles


  • Registered Users Posts: 6,823 ✭✭✭SouthWesterly


    There are serious questions to be asked of any organisation running XP or Windows 7 on a large scale in this day and age. It would also make you question that their other infrastructure such as firewalls, switch stack etc. are behind the curve, not to mention security practices such as patching, vulnerability scanning, security information and event management. Serious questions need to be answered.

    I go into one of the hospitals for a cardiac echo. The machine is xp 5 years on.

    Worked on an upgrade of a certain banks systems. They were going to win 7 but found a lot of their software wouldn't work on it. They had to keep a lot of xp machines

