
Ransomware & HSE


Comments

  • Registered Users Posts: 27 Annoyedseller


    Ever hear of a firewall?

    Anything that's IP or serial based in the hospital on machinery should be behind a firewall and not directly on their business network. I doubt the HSE even have dedicated VLANs set up with specific rules on the PCs that control the hospital equipment and the equipment itself.

    The assumptions you are making here are crazy. They absolutely do have VLANs set up and are behind firewalls.


  • Closed Accounts Posts: 36 irelandpride


    The assumptions you are making here are crazy. They absolutely do have VLANs set up and are behind firewalls.

    Are the firewalls set up correctly, and are the switches set up correctly?

    I very much doubt it if it caused this much disruption.


  • Registered Users Posts: 7,689 ✭✭✭whippet


    Are the firewalls set up correctly, and are the switches set up correctly?

    I very much doubt it if it caused this much disruption.

    You have no idea at all … there is no mention of medical equipment being down … you are talking absolute nonsense.


  • Registered Users Posts: 18,172 ✭✭✭✭VinLieger


    Are the firewalls set up correctly, and are the switches set up correctly?

    I very much doubt it if it caused this much disruption.


    If it was a zero-day exploit as the HSE claimed earlier, then it absolutely makes sense how much disruption was caused, and your uninformed theorising is pointless.


  • Banned (with Prison Access) Posts: 52 ✭✭derekgine3


    Usually they’re often not an obvious email. They’ll be something that looks very believable.

    Unfortunately, some of this stuff isn’t preventable at the human factors level.

    In this case this is very much a targeted attack. It’s not likely to be a simple phishing expedition.


    Can nearly guarantee it wasn't targeted.



    Some goofball in the HSE probably left remotely accessible ports open on an internet-facing asset and they walked in with a password spray or using compromised credentials from a password dump.

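Added example, not from any poster in this thread: a defender's check for the two things derekgine3 describes, a remote-access service reachable from outside and a password spray against it. It runs over constructed Windows Security-log style lines (the hostname and addresses are invented, using RFC 5737 documentation ranges; EventID 4625/4624 are the real failed/successful logon IDs and LogonType 10 is RemoteInteractive, i.e. RDP). A spray keeps each account under its lockout threshold, so the detection pivots on the source address rather than the account.

```python
"""Password-spray detection over constructed Windows logon events.

A spray tries one or two common passwords against many accounts from one
source, staying under per-account lockout thresholds, so the detection pivots
on the source address rather than the account.  The log lines below are
constructed for this example (invented hostname, RFC 5737 documentation
addresses); EventID 4625/4624 are the real failed/successful logon IDs and
LogonType 10 is RemoteInteractive (RDP).
"""
from collections import Counter, defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network
import re

# Constructed sample rendered as key=value pairs, one event per line.
SAMPLE_LOG = """\
2021-05-13T02:14:07Z host=RDP-GW1 EventID=4625 TargetUserName=jsmith IpAddress=203.0.113.45 LogonType=10 Status=0xC000006D
2021-05-13T02:14:09Z host=RDP-GW1 EventID=4625 TargetUserName=mmurphy IpAddress=203.0.113.45 LogonType=10 Status=0xC000006D
2021-05-13T02:14:11Z host=RDP-GW1 EventID=4625 TargetUserName=pobrien IpAddress=203.0.113.45 LogonType=10 Status=0xC000006D
2021-05-13T02:14:13Z host=RDP-GW1 EventID=4625 TargetUserName=akelly IpAddress=203.0.113.45 LogonType=10 Status=0xC000006D
2021-05-13T02:14:15Z host=RDP-GW1 EventID=4625 TargetUserName=dwalsh IpAddress=203.0.113.45 LogonType=10 Status=0xC000006D
2021-05-13T02:14:17Z host=RDP-GW1 EventID=4625 TargetUserName=sbyrne IpAddress=203.0.113.45 LogonType=10 Status=0xC000006D
2021-05-13T02:14:40Z host=RDP-GW1 EventID=4624 TargetUserName=sbyrne IpAddress=203.0.113.45 LogonType=10 Status=0x0
2021-05-13T02:15:02Z host=RDP-GW1 EventID=4625 TargetUserName=jsmith IpAddress=198.51.100.7 LogonType=10 Status=0xC000006D
2021-05-13T02:15:30Z host=RDP-GW1 EventID=4625 TargetUserName=jsmith IpAddress=198.51.100.7 LogonType=10 Status=0xC000006D
2021-05-13T02:16:01Z host=RDP-GW1 EventID=4624 TargetUserName=jsmith IpAddress=198.51.100.7 LogonType=10 Status=0x0
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) EventID=(?P<eid>\d+) TargetUserName=(?P<user>\S+) "
    r"IpAddress=(?P<ip>\S+) LogonType=(?P<ltype>\d+) Status=(?P<status>\S+)$"
)

# RFC 1918 ranges; anything else reaching an RDP prompt came from outside.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_events(text):
    """Parse key=value log lines into dicts; lines that do not match are skipped."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        e = m.groupdict()
        e["ts"] = datetime.strptime(e["ts"], "%Y-%m-%dT%H:%M:%SZ")
        e["eid"] = int(e["eid"])
        events.append(e)
    return events


def external_rdp_sources(events):
    """Non-RFC 1918 sources that reached an RDP logon prompt at all (success or
    failure): evidence the service is internet-facing, whatever the outcome."""
    out = set()
    for e in events:
        if e["ltype"] == "10" and not any(ip_address(e["ip"]) in n for n in INTERNAL_NETS):
            out.add(e["ip"])
    return sorted(out)


def detect_password_spray(events, window=timedelta(minutes=10), min_accounts=5, max_per_account=3):
    """One alert per source IP whose failures, inside `window`, cover at least
    `min_accounts` distinct users with no single user tried more than
    `max_per_account` times.  A 4624 from the same source after the spray
    began escalates the alert: that account is the one to contain first."""
    failures = defaultdict(list)
    for e in events:
        if e["eid"] == 4625:
            failures[e["ip"]].append(e)

    alerts = []
    for ip, fails in failures.items():
        fails.sort(key=lambda e: e["ts"])
        best = None  # (window start, per-user counts) of the widest qualifying window
        start = 0
        for end in range(len(fails)):
            while fails[end]["ts"] - fails[start]["ts"] > window:
                start += 1
            per_user = Counter(e["user"] for e in fails[start:end + 1])
            if len(per_user) >= min_accounts and max(per_user.values()) <= max_per_account:
                if best is None or len(per_user) > len(best[1]):
                    best = (fails[start]["ts"], per_user)
        if best is None:
            continue
        first_ts, per_user = best
        successes = sorted({e["user"] for e in events
                            if e["eid"] == 4624 and e["ip"] == ip and e["ts"] >= first_ts})
        alerts.append({
            "source_ip": ip,
            "accounts_tried": len(per_user),
            "severity": "spray_then_success" if successes else "spray",
            "compromised_accounts": successes,
        })
    return alerts


if __name__ == "__main__":
    evs = parse_events(SAMPLE_LOG)
    print("external RDP sources:", external_rdp_sources(evs))
    for alert in detect_password_spray(evs):
        print(alert)
```

On the sample, 203.0.113.45 is flagged as a spray across six accounts followed by a successful logon as sbyrne, while 198.51.100.7 (two failures against one account, then success) is not, which is the kind of ordinary mistyped-password traffic a per-account rule would drown in. The thresholds are tunables, not constants of nature; a real deployment would also correlate the 4624 with what that session did next.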

  • Registered Users Posts: 129 ✭✭fael


    Are the firewalls set up correctly, and are the switches set up correctly?

    I very much doubt it if it caused this much disruption.

    Even if everything was set up 100% correctly. It still makes sense to shut it down temporarily if another section of your network is infected. You have to understand what is infected first and how.

    Otherwise one scenario could be that in the infected section they gain access to credentials to manage the networking equipment elsewhere. So they can use that to move through the network laterally to new uninfected areas. It's safer to shut it down, until you understand the threat more thoroughly.


  • Banned (with Prison Access) Posts: 299 ✭✭DessieJames


    Isn't it ironic that CEO Paul Reid earns in excess of 400k per year, yet the HSE didn't feel it prudent to spend any sort of real money on cyber security :rolleyes:


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    Isn't it ironic that CEO Paul Reid earns in excess of 400k per year, yet the HSE didn't feel it prudent to spend any sort of real money on cyber security :rolleyes:

    Another baseless claim.


  • Registered Users Posts: 536 ✭✭✭mrjoneill


    An HSE hospital was hit with Petya in 2017 and there was a private hospital in Dublin that got hit with a different ransomware in 2016. In both cases it was a user who clicked a link in an email.

    Or a disgruntled employee who can go online and order a ready-made one or a tailored one and completely bypass the intrusion protection system. Access to the internet changed everything in security protection. Employers once worried about the "cleaning lady" bringing in a floppy disk and playing games on the PC while cleaning the office.


  • Registered Users Posts: 7,689 ✭✭✭whippet


    Isn't it ironic that CEO Paul Reid earns in excess of 400k per year, yet the HSE didn't feel it prudent to spend any sort of real money on cyber security :rolleyes:

    Utter scutter …. How much do you think the HSE spent on cyber security? How much should they have spent? And if they spent it, would it have avoided an attack?

    Unless you know 100% the answers to these questions you are talking nonsense.

    Covid brought a swathe of internet epidemiology experts … now this seems to have brought out the best of Facebook IT security experts.


  • Banned (with Prison Access) Posts: 52 ✭✭derekgine3


    mrjoneill wrote: »
    Or a disgruntled employee who can go online and order a ready-made one or a tailored one and completely bypass the intrusion protection system. Access to the internet changed everything in security protection. Employers once worried about the "cleaning lady" bringing in a floppy disk and playing games on the PC while cleaning the office.


    Or the attacker just walked in through RDP and ran ransomware.


    Not targeted or "sophisticated".



    Yawn


  • Registered Users Posts: 827 ✭✭✭HalfAndHalf


    Explain to me please why hospital equipment connected to the network and the PCs controlling this equipment should be on the same switch as a business network, and not on a separate switch with a firewall in between, with specific rules between the two switches and VLANs?

    If you want to get into more detail, the PCs controlling the hospital equipment should be on a separate domain and not the business domain, with certain trusts set up between the two domains and a firewall between the business side and the hospital equipment and the computers controlling them.

    Eagerly awaiting your reply.

    Firewalls between switches!?! Separate domains with trusts?!? What are you even on about?

    You’d just VLAN off these separate subnets and use ACLs, then route to a Firewall with rule based access controls between the LAN and DMZ or Internet.

    Firewalls between switches, I’ve heard it all now! Plus it would make no difference at all anyway!

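Added illustration, written for this page and not taken from any poster or from the HSE: the rule-ordered, default-deny segmentation HalfAndHalf describes (separate VLAN subnets, ACLs between them, a firewall in front of the DMZ/Internet) expressed as a policy that can be audited against the flows a hospital actually needs and the flows a foothold on a business PC must not be able to make. The address plan, zone names and port numbers are constructed; DICOM on 104/11112 and the Windows lateral-movement ports are assumed for the example.

```python
"""First-match ACL evaluation for a VLAN-segmented hospital network.

Zones are VLAN subnets (constructed RFC 1918 ranges).  Each rule is
(action, src_net, dst_net, proto, dst_ports); evaluation is first match with
an implicit final deny, which is how router ACLs and most firewall rule bases
behave, so rule order matters.  The audit below checks a rule base against a
table of required and forbidden flows, the way you would unit-test a policy
before pushing it to real gear.
"""
from ipaddress import ip_address, ip_network

# Constructed example address plan: one VLAN per zone.
ZONES = {
    "business": ip_network("10.10.0.0/16"),  # staff PCs, email, office apps
    "clinical": ip_network("10.20.0.0/16"),  # PCs that drive imaging / lab equipment
    "devices":  ip_network("10.30.0.0/16"),  # the equipment itself (often unpatchable)
    "servers":  ip_network("10.40.0.0/16"),  # EMR, PACS, domain controllers
    "mgmt":     ip_network("10.99.0.0/24"),  # switch / firewall management
}
ANY = ip_network("0.0.0.0/0")
LATERAL = {135, 139, 445, 3389, 5985, 5986}  # RPC, NetBIOS, SMB, RDP, WinRM (assumed set)


def rule(action, src, dst, proto="tcp", ports=None):
    """ports=None means any destination port."""
    return {"action": action, "src": src, "dst": dst, "proto": proto, "ports": ports}


# Segmented policy: first match wins, implicit deny at the end.
POLICY = [
    # Clinical workstations reach the devices they control on the device protocol only (DICOM assumed).
    rule("allow", ZONES["clinical"], ZONES["devices"], "tcp", {104, 11112}),
    # Devices push results to PACS / EMR in the server zone.
    rule("allow", ZONES["devices"], ZONES["servers"], "tcp", {104, 11112, 443}),
    # Staff and clinical PCs authenticate against the DCs and use the EMR front end.
    rule("allow", ZONES["business"], ZONES["servers"], "tcp", {88, 389, 443, 636}),
    rule("allow", ZONES["clinical"], ZONES["servers"], "tcp", {88, 389, 443, 636}),
    # Only the management VLAN administers anything.
    rule("allow", ZONES["mgmt"], ANY, "tcp", {22, 443, 3389}),
    # Explicit denies for lateral-movement protocols into the sensitive zones (real gear would log these).
    rule("deny", ANY, ZONES["devices"], "tcp", LATERAL),
    rule("deny", ANY, ZONES["clinical"], "tcp", LATERAL),
]

# The flat network the thread is arguing about: one switch, no rules.
FLAT_POLICY = [rule("allow", ANY, ANY, "tcp", None)]

# Correct rules, wrong order: a broad "let staff out" rule placed first shadows the denies.
MISORDERED = [rule("allow", ZONES["business"], ANY, "tcp", None)] + POLICY


def evaluate(policy, src_ip, dst_ip, proto, dst_port):
    """Return (action, rule_index) for the first matching rule, or ('deny', None)."""
    s, d = ip_address(src_ip), ip_address(dst_ip)
    for i, r in enumerate(policy):
        if (s in r["src"] and d in r["dst"] and r["proto"] == proto
                and (r["ports"] is None or dst_port in r["ports"])):
            return r["action"], i
    return "deny", None


# Constructed flow tables: what must work, and what a compromised business PC must not reach.
REQUIRED = [
    ("10.20.1.15", "10.30.4.2", "tcp", 11112),  # echo workstation -> ultrasound
    ("10.30.4.2", "10.40.0.10", "tcp", 11112),  # ultrasound -> PACS
    ("10.10.7.33", "10.40.0.5", "tcp", 443),    # staff PC -> EMR web front end
]
FORBIDDEN = [
    ("10.10.7.33", "10.30.4.2", "tcp", 445),    # business PC -> device SMB
    ("10.10.7.33", "10.20.1.15", "tcp", 3389),  # business PC -> clinical workstation RDP
    ("10.10.7.33", "10.99.0.1", "tcp", 22),     # business PC -> switch management SSH
    ("10.30.4.2", "10.10.7.33", "tcp", 445),    # compromised device -> business PC
]


def audit(policy, required=REQUIRED, forbidden=FORBIDDEN):
    """Return flows whose verdict contradicts intent; an empty list means the rule base holds."""
    problems = []
    for flow in required:
        if evaluate(policy, *flow)[0] != "allow":
            problems.append(("required flow blocked", flow))
    for flow in forbidden:
        if evaluate(policy, *flow)[0] != "deny":
            problems.append(("forbidden flow allowed", flow))
    return problems


if __name__ == "__main__":
    for name, pol in (("segmented", POLICY), ("flat", FLAT_POLICY), ("misordered", MISORDERED)):
        print(name, audit(pol) or "OK")
```

The segmented policy passes the audit, the flat network fails every forbidden flow, and the misordered rule base still lets a business PC reach device SMB, clinical RDP and switch management because the first matching rule wins before the denies are consulted. That last case is the point worth taking from the argument above: the hardware (switch, firewall, or both) matters less than whether the rule base is default-deny and ordered correctly, and whether anyone tests it.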

  • Registered Users Posts: 536 ✭✭✭mrjoneill


    derekgine3 wrote: »
    Or the attacker just walked in through RDP and ran ransomware.


    Not targeted or "sophisticated".



    Yawn

    Networks are constantly under external attacks.
    The means of getting access are endless, but an internal threat presents the most, especially with a large employee base. That's why sacked employees' computer access is terminated before they get sacked.
    https://www.independent.ie/irish-news/courts/it-might-be-wise-to-delete-data-former-bothar-chiefwas-advised-40326305.html


  • Registered Users Posts: 536 ✭✭✭mrjoneill


    Firewalls between switches!?! Separate domains with trusts?!? What are you even on about?

    You’d just VLAN off these separate subnets and use ACLs, then route to a Firewall with rule based access controls between the LAN and DMZ or Internet.

    Firewalls between switches, I’ve heard it all now! Plus it would make no difference at all anyway!

    The wealth and the utility of a system is its information database. Controlled access to this is the functionality of a system. If the restrictions are too great then it will lose its functionality. It's a constant battle to make the system usable and control the access.


  • Registered Users Posts: 2,175 ✭✭✭PukkaStukka


    whippet wrote: »
    Utter scutter …. How much do you think the HSE spent on cyber security? How much should they have spent? And if they spent it, would it have avoided an attack?

    Unless you know 100% the answers to these questions you are talking nonsense.

    Covid brought a swathe of internet epidemiology experts … now this seems to have brought out the best of Facebook IT security experts.

    100% correct. Many reputable organisations have been badly hit by ransomware in recent times including the NHS in the UK. The acid test will be how quickly the HSE can recover.


  • Registered Users Posts: 2,127 ✭✭✭piplip87


    Ah I see all the armchair epidemiologists are now fully qualified armchair cyber security experts


  • Registered Users Posts: 827 ✭✭✭HalfAndHalf


    mrjoneill wrote: »
    The wealth and the utility of a system is its information database. Controlled access to this is the functionality of a system. If the restrictions are too great then it will lose its functionality. It's a constant battle to make the system usable and control the access.

    Yep you don’t need to tell me, tell the person I responded to that wants firewalls daisy chained with switches. LOL!

    Talking of which, what happened to irelandpride, looks like they’ve left the site, probably locked themselves behind so many firewalls and switches they can’t even get on the internet anymore.


  • Registered Users Posts: 536 ✭✭✭mrjoneill


    I go into one of the hospitals for a cardiac echo. The machine is XP, 5 years on.

    Worked on an upgrade of a certain bank's systems. They were going to Win 7 but found a lot of their software wouldn't work on it. They had to keep a lot of XP machines.

    Most of the bank's IT systems are antiquated, and there are a lot of businesses using old systems because they have antiquated software on them written in COBOL. I would imagine the hospital equipment would be running on PLCs rather than PC based.


  • Registered Users Posts: 326 ✭✭schrodinger


    This wasn't a case of the HSE having some Windows NT, ME (Remember ME? :D ) or even XP systems exposed to the Internet, winking suggestively at ransomware operators. You could be operating a network of systems all running the absolute latest supported operating system version and patched to the hilt and still get ransomware. People don't understand that. The question is really "What was the initial compromise that allowed the ransomware operators to establish a foothold in the HSE network?" This is usually a well crafted phishing email that in the end someone, innocently and mistakenly, executed on their system.

    Cue the hordes of experts who want to talk about user education. (yawn)

    Now, an effective AV or an endpoint agent should have caught this and prevented it - 100%. This should be reviewed and hopefully will be, post-incident-response, during the remediation phase and lessons learned phase.

    Cue someone with another hot take and asking who's first against the wall when the accountability police show up.

    Now once inside a network, yeah, there were probably some systems that need patching and the model of trust is in place because "the Internet can't reach those". A common mistake; the perimeter doesn't really exist nor protect you anymore. Also, having been on both sides of the defensive and offensive infosec fence, the way Windows networks operate - once you're on them, oh my - it's fingers in the pie and who's your sister territory.

    Mistakes happen and the information security industry exists because these things happen, and it isn't the Olympic Destroyer of the HSE. Would proper firewall policies and content scanning proxies have worked? Probably - another thing on the Todo Scroll for the HSE and the teams they have in place to perform the incident response investigation and remediation.


  • Registered Users Posts: 4,928 ✭✭✭skimpydoo


    This wasn't a case of the HSE having some Windows NT, ME (Remember ME? :D ) or even XP systems exposed to the Internet, winking suggestively at ransomware operators. You could be operating a network of systems all running the absolute latest supported operating system version and patched to the hilt and still get ransomware. People don't understand that. The question is really "What was the initial compromise that allowed the ransomware operators to establish a foothold in the HSE network?" This is usually a well crafted phishing email that in the end someone, innocently and mistakenly, executed on their system.

    Cue the hordes of experts who want to talk about user education. (yawn)

    Now, an effective AV or an endpoint agent should have caught this and prevented it - 100%. This should be reviewed and hopefully will be, post-incident-response, during the remediation phase and lessons learned phase.

    Cue someone with another hot take and asking who's first against the wall when the accountability police show up.

    Now once inside a network, yeah, there were probably some systems that need patching and the model of trust is in place because "the Internet can't reach those". A common mistake; the perimeter doesn't really exist nor protect you anymore. Also, having been on both sides of the defensive and offensive infosec fence, the way Windows networks operate - once you're on them, oh my - it's fingers in the pie and who's your sister territory.

    Mistakes happen and the information security industry exists because these things happen, and it isn't the Olympic Destroyer of the HSE. Would proper firewall policies and content scanning proxies have worked? Probably - another thing on the Todo Scroll for the HSE and the teams they have in place to perform the incident response investigation and remediation.

    It just takes one person to click a link on email to cause this to happen.


  • Registered Users Posts: 326 ✭✭schrodinger


    skimpydoo wrote: »
    It just takes one person to click a link on email to cause this to happen.

    Exactly! "Run this, it'll make your day better" "OK" BAM.
    • Do we blame the user?
    • Do we blame the AV?
    • Do we blame the SPAM filtering that didn't detect the malicious link or the attachment?
    • Do we blame the security controls in place that (maybe) allowed the user to download a link if it wasn't an attachment?
    • Do we blame the network security engineers and whomever is responsible for the firewall policies that might have allowed access to attacker infrastructure?

    It's an absolute mess with blame all around but at the end of the day none of the above caused this. Some ****ing **** douche bag criminal caused this and need to have their eyes gouged out and their throat slit.


  • Registered Users Posts: 1,414 ✭✭✭jammiedodgers


    Isn't it ironic that CEO Paul Reid earns in excess of 400k per year, yet the HSE didn't feel it prudent to spend any sort of real money on cyber security :rolleyes:

    I don't think you understand the meaning of irony.


  • Registered Users Posts: 5,120 ✭✭✭TomOnBoard


    Definitely post of the week.

    And that from a lad who only started posting on Boards today!!

    Jesus, he'll own the feckin internet by Monday!! :D


  • Registered Users Posts: 5,120 ✭✭✭TomOnBoard


    Kiith wrote: »
    Having worked at a company who went through a ransomware attack, I feel sorry for all the IT staff in the HSE right now.

    Unbelievably stressful trying to deal with it. And certainly not helped by assholes online throwing **** at them when they have no idea what they are talking about.

    Believe me, the folks in HSE IT have a bit more to do right now than be looking at what gob****es on Boards are saying about them!!


  • Registered Users Posts: 4,194 ✭✭✭Corruptedmorals


    I see all appointments cancelled in Crumlin on Monday and Tuesday - surely they can just ask people to bring their appointment confirmation letters?


    That's not the problem. The problem is a lot of hospitals have transferred patient notes onto EMR - electronic medical records. The charts are not on-site and are probably not even intact after being scanned and taken apart.

    My department is the only clinic in the hospital that can still run because we are still on paper charts. That was doable today and is okay for Monday. I don't even know who is coming in on Tuesday and Wednesday because I can't access the lists and I don't have charts for most of the week. The big fear is it will be gone for the rest of the week. So even workarounds will collapse.


  • Registered Users Posts: 5,120 ✭✭✭TomOnBoard


    It just shows how inept they are, to be honest.

    If they needed emergency support for Windows 7, God only knows how old their routers, switches, equipment, servers, hosts and databases are.

    I doubt they even have firewalls between the business side and the operating side of the hospital. Wouldn't surprise me.

    Give it a rest, man. You're not a wet week posting on Boards and already your posts are hitting 9.9 on my fully-fledged BS meter.

    :mad:


  • Registered Users Posts: 29,126 ✭✭✭✭AndrewJRenko


    Edward has a great solution that no one in the IT security industry ever thought of.

    https://twitter.com/Edward__Burke/status/1393293543704252418?s=19


  • Registered Users Posts: 5,120 ✭✭✭TomOnBoard


    piplip87 wrote: »
    Ah I see all the armchair epidemiologists are now fully qualified armchair cyber security experts

    Aaand some of the most 'expert' experts are just hours or days posting anything on Boards!

    Why oh why have these folks not been sharing their great wisdom before this week?

