Ransomware & HSE

JibJabWibWab

topdecko wrote: »

You cannot blame the individual here - as pointed out several times in the thread so far even directly after Phishing training people are vulnerable. We get many emails every day and any of them could be a trojan attack. It is futile and pointless to blame the individual here - the system must be built with the assumption that malicious actors are going to try and bring it down for monetary gain.
With that in mind how do you create a system that is more resilient? One of the issues i have working in health service/primary care is the lack of interconnectedness - labs, radiology, referrals all very clunky in comparison to EMIS in the UK. However this is likely a big bonus in terms of this ransomware attack as some services not as exposed??

Have you been offered, or had, any training on how not to click on suspicious emails?

magicbastarder

political analyst wrote: »

The individual doesn't need intensive training to understand the likelihood that a strange e-mail contains malware. What happened to common sense?

i work for a large multinational. you should see some of the emails which are sent, pretending to be from us; you'd need to be really on your game to spot them. the guys who craft these are a hell of a lot more practiced at making them than a normal HSE staff member would be at spotting them.

JibJabWibWab

magicbastarder wrote: »

yes, as the quote suggests, it's for techies; not for non-technical staff.

There's 120,000 "techies" working in the HSE? :rolleyes:

Over 120,000 HSE staff to get cybersecurity training

https://www.irishexaminer.com/news/arid-40187691.html

JibJabWibWab

magicbastarder wrote: »

i work for a large multinational. you should see some of the emails which are sent, pretending to be from us; you'd need to be really on your game to spot them.

There's one simple rule. "Don't click on any link/attachments"...

magicbastarder

are you saying that they're going to get 120k staff to each do 65 hours of training to learn not to click on suspicious links? seriously?
a rough back of the envelope calculation would cost that at a couple of hundred million, just in staff time alone.

the article says staff will 'have access' to the courses. not that they will be made do them.

ineedeuro

magicbastarder wrote: »

yes, as the quote suggests, it's for techies; not for non-technical staff.

All staff in all companies should get cyber training. Most of this training now is provided online, very easy to follow and gets the point across.
Interactive options is the norm now, so XYZ send you something. Pick A, B, C
Then after the training they should have 1-2 trials. Normally this is email, if someone clicks on it then you get a warning, told to resit the training and email sent to manager.

This is basic stuff, doesn't cost a fortune and is very easy for all staff. Technical and non technical.

Not sure where the 65 hours is coming from, most of these interactive trainings are a 15 min max.

Darkglasses

magicbastarder wrote: »

are you saying that they're going to get 120k staff to each do 65 hours of training to learn not to click on suspicious links? seriously?
a rough back of the envelope calculation would cost that at a couple of hundred million, just in staff time alone.

And you can guarantee that someone will still make a mistake. That's just how people are

Is there any evidence that this was caused by a malicious email?

JibJabWibWab

Darkglasses wrote: »

And you can guarantee that someone will still make a mistake. That's just how people are

Is there any evidence that this was caused by a malicious email?

It's Conti ransomware. That is distributed by email...

ED E

We have no reporting as to how the initial RAT was delivered. Email is likely but not the only way.

ED E

JibJabWibWab wrote: »

It's Conti ransomware. That is distributed by email...

Cobalt was the original IoC not Conti..

ineedeuro

JibJabWibWab wrote: »

There's one simple rule. "Don't click on any link/attachments"...

Very easy to install a system which stops attachments, they are auto removed and if you need them contact IT. This can be down to the extension, e.g. all .exe files blocked.

Danonino.

magicbastarder wrote: »

i work for a large multinational. you should see some of the emails which are sent, pretending to be from us; you'd need to be really on your game to spot them. the guys who craft these are a hell of a lot more practiced at making them than a normal HSE staff member would be at spotting them.

^^ This
Some of the more recent phishing emails I’ve seen have been fantastically convincing. Things have progressed very fast in that area imo.

kippy

ineedeuro wrote: »

Very easy to install a system which stops attachments, they are auto removed and if you need them contact IT. This can be down to the extension, e.g. all .exe files blocked.

The majority of government departments have invested significantly in email scanning and security. Not foolproof mind you but neither is employee training or any other host of technologies.


Again, I am interested in knowing what exactly happened here once the dust settles.

FileNotFound

kippy wrote: »

The majority of government departments have invested significantly in email scanning and security. Not foolproof mind you but neither is employee training or any other host of technologies.


Again, I am interested in knowing what exactly happened here once the dust settles.

Yeah its all assumption at the moment.

My only experience of it was a file attachment downloaded onto a shared drive/server.

Geuze

JibJabWibWab wrote: »

There's one simple rule. "Don't click on any link/attachments"...

I understand your point, but I often need to send e-mails with hyperlinks in them, to my colleague.

I want the colleague to see the webpage that I am referring to.

Is there any other way, other than sending an e-mail with the link inside?


I understand an alternative to sending emails with attached files is a shared drive?

dubrov

JibJabWibWab wrote:

There's one simple rule. "Don't click on any link/attachments"...

Even better, just keep all staff away from computers altogether

CIARAN_BOYLE

Geuze wrote: »

I understand your point, but I often need to send e-mails with hyperlinks in them, to my colleague.

I want the colleague to see the webpage that I am referring to.

Is there any other way, other than sending an e-mail with the link inside?


I understand an alternative to sending emails with attached files is a shared drive?

If often send an email.Hey I'm sending you an email with an attachment to it. Normal antivirus can be aggressive at filtering out attachments so I feel a need to have a separate email to confirm delivery.

Links and attachments are fine if you know where they come from.

My rule is don't open any links or attachments if I don't know where they come from.

kippy

Geuze wrote: »

I understand your point, but I often need to send e-mails with hyperlinks in them, to my colleague.

I want the colleague to see the webpage that I am referring to.

Is there any other way, other than sending an e-mail with the link inside?


I understand an alternative to sending emails with attached files is a shared drive?

Enhanced and increased security isn't necessarily a good thing for business process speed or the ease of doing something - tis always a balancing act.

MrMusician18

CIARAN_BOYLE wrote: »

If often send an email.Hey I'm sending you an email with an attachment to it. Normal antivirus can be aggressive at filtering out attachments so I feel a need to have a separate email to confirm delivery.

Links and attachments are fine if you know where they come from.

My rule is don't open any links or attachments if I don't know where they come from.

The problem is that these often do come from trusted senders. A cursory look through a hacked email account will let you see who that persons been in contact with, what about and how often. Very easy to craft a spear phishing attack with that knowledge.

Flinty997

CIARAN_BOYLE wrote: »

...

My rule is don't open any links or attachments if I don't know where they come from.

Unfortunately, you get staff, at all levels even senior ones who will click on everything.

kippy

Flinty997 wrote: »

Unfortunately, you get staff, at all levels even senior ones who will click on everything.

This is very true.

In security best practices you need to use a multilayer approach to stop the end user doing something they shouldn't while at the same time allowing them to do their job.

runawaybishop

Flinty997 wrote: »

Unfortunately, you get staff, at all levels even senior ones who will click on everything.

you'll also get disgruntled employees who dont give a hoot and will click anyway so they can spend the next few hours doing nothing.

HalfAndHalf

JibJabWibWab wrote: »

It's Conti ransomware. That is distributed by email...

It is mainly used via email however it is also used via malicious URL links, compromised websites and through OS vulnerabilities on internet facing clients mainly on the RDP port.

So unless the HSE come out and say how it got in anything else is speculation.

dingding

CIARAN_BOYLE wrote: »

My rule is don't open any links or attachments if I don't know where they come from.

Even when you do, emails can be crafted to come from trusted addresses, or addresses similar to the actual address.

Potatoeman

[Deleted User] wrote: »

Or you doubt it do you?

36,000 servers in a datacentre and you doubt they had 'a' firewall?

Doesn’t matter if you don’t have protection at the user level and at entry/exit points.

magicbastarder

ineedeuro wrote: »

Not sure where the 65 hours is coming from, most of these interactive trainings are a 15 min max.

JibJabWibWab was referring to the Cisco courses in the examiner article. which i suspect was erroneous/misleading about all staff doing them; i googled the three courses mentioned and combined they've a stated length of 65 hours.

HalfAndHalf

JibJabWibWab wrote: »

It wasn't an "attack", it was caused by a careless idiot clicking a link in a phishing email... :rolleyes:

So you know this as a fact do ya?

kippy

Potatoeman wrote: »

Doesn’t matter if you don’t have protection at the user level and at entry/exit points.

Who said they "don't have protection at the user level and ingress/egress points"?
If the didn't do you think they'd have managed this long without a breach of this type?
These types of organisations are the main targets of lots of hacks/malware - they have to get it right all of the time and it's just not feasible in the modern world - doesn't mean you don't try but an acceptance has to be realised.

JibJabWibWab

HalfAndHalf wrote: »

So you know this as a fact do ya?

Conti ransomware is a known method and previous events are recorded online.
All previous events have been via phishing campaigns. It's not rocket surgery to figure it out...

HalfAndHalf

JibJabWibWab wrote: »

Conti ransomware is a known method and previous events are recorded online.
All previous events have been via phishing campaigns. It's not rocket surgery to figure it out...

So that’s a no then. Thanks.