Ransomware & HSE

Comments

  • Registered Users Posts: 13,186 ✭✭✭✭jmayo


    Out of all the PCs in HSE do you actually think all of them have their patches and are fully 100% up to date?

    No organization can get to 100%

    Big difference with Windows 7 and Windows 10 not being fully patched.

    Yeah Win7 works whereas Win10 latest patch broke something. ;)
    also, there won't (shouldn't!) be an interdependency on the actual network infrastructure, and the scanning equipment, say.
    an MRI machine might be hooked up to a Win7 system because that's what the software runs on, but this doesn't mean the rest of the infrastructure has to stay at 10 year old tech.

    Issue is the networks are connected to facilitate the transfer of data.
    Ever hear of a firewall?

    Anything that's IP or serial based in the hospital on machinery should be behind a firewall and not directly on their business network. I doubt the HSE even have dedicated VLANs set up with specific rules on the PCs that control the hospital equipment and the equipment itself.

    Oh wippee you know some IT buzzwords.
    Congrats.
    You don't know what you are talking about.
    Yes the HSE have heard of VLANs, but maybe you should call them up to really explain them. :rolleyes:
    Explain to me please why hospital equipment connected to the network and PCs controlling this equipment should be on the same switch as a business network and not a separate switch with a firewall in between with specific rules between the two switches and VLANs?

    If you want to get into more detail the PCs controlling the hospital equipment should be on a separate domain and not the business domain with certain trusts set up between the two domains and a firewall between the business and hospital equipment and computers controlling them.

    Eagerly awaiting your reply.

    The HSE have one switch and one domain.
    Everyone is connected to it.
    They are waiting for you to show them how to do it. :rolleyes:

    Also what is this shyte you keep blathering on about operational and business networks.
    Which one should doctors be on or should they have two different machines, one for their emails, business correspondence and one for patient data?
    Which one should the patient data be on?
    Which one should the stock management system be on?
    I'm puzzled as to how Ireland would even register on Russian hackers' radar, to be honest.

    Yeah the country with massive HQs for Microsoft, Dell, Facebook, Google, Apple, VMWare, etc.

    I am not allowed discuss …



  • Registered Users Posts: 5,914 ✭✭✭JDxtra


    Do we have any official statement or evidence indicating that this was a zero day exploit and a targeted attack?

    From what I can gather, elevated user credentials were obtained and this allowed the virus to spread itself across a network of Windows machines indiscriminately. It then initiated a data encryption routine, presumably then showing some "send bitcoins here" type message on the machines.


  • Moderators, Category Moderators, Arts Moderators, Sports Moderators Posts: 49,670 CMod ✭✭✭✭magicbastarder


    jmayo wrote: »
    Which one should doctors be on or should they have two different machines, one for their emails, business correspondence and one for patient data?
    i have two work laptops, one standard and one secure. it's a pain in the swiss. that said, i'm not a doctor, my job does require it.


  • Moderators, Category Moderators, Arts Moderators, Sports Moderators Posts: 49,670 CMod ✭✭✭✭magicbastarder


    jmayo wrote: »
    Issue is the networks are connected to facilitate the transfer of data.
    as far as i can remember, my comment was a reaction to someone who seemed to assume that if the PCs were ten years old, the underlying network infrastructure was also.


  • Closed Accounts Posts: 161 ✭✭JibJabWibWab


    JibJabWibWab was referring to the Cisco courses in the examiner article. which i suspect was erroneous/misleading about all staff doing them; i googled the three courses mentioned and combined they've a stated length of 65 hours.

    It's repeated here on Cisco's own blog
    With that in mind, I’m thrilled to announce HSE is collaborating with Cisco and its Networking Academy to help over 120,000 HSE employees to advance their digital skills.

    And earlier you suggested cost was a barrier, but the courses are normally free to anyone, so even with some cost for customising the content for HSE it wouldn't have been "a couple of hundred million" as you suggested...
    Our courses are freely available to everyone. But by working with organisations like HSE, we can create customised courses designed specifically for employees’ needs.

    https://gblogs.cisco.com/uki/digital-skills-in-healthcare-hses-exciting-collaboration-with-cisco-networking-academy/


  • Registered Users Posts: 7,601 ✭✭✭Tow


    Hi JabJab,

    Don't believe everything you read online, even when from official sites. For a start the HSE does not have 120,000 employees. 120,000 is more like every public and private care worker in the country.

    When is the money (including lost growth) Michael Noonan took in the Pension Levy going to be paid back?



  • Moderators, Category Moderators, Arts Moderators, Sports Moderators Posts: 49,670 CMod ✭✭✭✭magicbastarder


    And earlier you suggested cost was a barrier, but the courses are normally free to anyone, so even with some cost for customising the content for HSE it wouldn't have been "a couple hundred million" as you suggested...
    at this point i don't know if you're deliberately misreading what i'm saying. those three courses, as they stand, run to 65 hours.
    i mentioned that it would cost a couple of hundred million 'just in staff time alone' were all staff to do the courses (it'd be over a million days of staff time)

    but as i mentioned, the notion that 65 hours of cyber security training would be applicable for all staff (or even more than a few percent) is absurd.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Tow wrote: »
    Hi JabJab,

    Don't believe everything you read online, even when from official sites. For a start the HSE does not have 120,000 employees. 120,000 is more like every public and private care worker in the country.

    Anyone that accesses the network would need to have training. So that would be doctors etc who don't work for the HSE but still have access. That is probably why 120k is mentioned.


  • Registered Users Posts: 3,027 ✭✭✭Lantus


    It wasn't an "attack", it was caused by a careless idiot clicking a link in a phishing email... :rolleyes:

    The intention of the link being sent was to cause harm. It was an attack, albeit not specifically at the HSE.

    Much the same way where you drop a hook and line into the sea with the intention of catching a fish to eat. You don't care if it's cod or haddock. But you want to kill a fish.

    The intent is critical. Don't defend these scum by saying it was coincidental or it was some poor person's fault for clicking a link. Do you blame women for wearing short skirts when they are attacked?


  • Registered Users Posts: 135 ✭✭sphinxicus


    Lantus wrote: »
    Much the same way where you drop a hook and line into the sea with the intention of catching a fish to eat. You don't care if it's cod or haddock. But you want to kill a fish.


    Haddock. Haddock every time. Much prefer Haddock :P


  • Registered Users Posts: 7,601 ✭✭✭Tow


    ineedeuro wrote: »
    Anyone that accesses the network would need to have training. So that would be doctors etc who don't work for the HSE but still have access. That is probably why 120k is mentioned.

    Training only helps. I have had the same customer hit by crypto viruses twice. The practical experience is having to wipe every PC in the company and all the safeguards put in place after the first attack were obviously not effective!

    When is the money (including lost growth) Michael Noonan took in the Pension Levy going to be paid back?



  • Registered Users Posts: 1,318 ✭✭✭thebourke


    will users have to change their windows passwords...what about domain admin passwords?


  • Registered Users Posts: 5,914 ✭✭✭JDxtra


    thebourke wrote: »
    will users have to change their windows passwords...what about domain admin passwords?
    With the exception of some very limited IT admin accounts, I hope there is nobody with domain admin credentials! If there is, that explains a lot.


  • Registered Users Posts: 13,189 ✭✭✭✭Purple Mountain


    Are people who are having vaccines this week at the GP (over 70s) still OK?

    To thine own self be true



  • Posts: 5,917 ✭✭✭ [Deleted User]


    Are people who are having vaccines this week at the GP (over 70s) still OK?

    Yes


  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    kippy wrote: »
    These types of organisations are the main targets of lots of hacks/malware - they have to get it right all of the time and it's just not feasible in the modern world - doesn't mean you don't try but an acceptance has to be realised.
    Yep, how do you even begin to secure a network this big and complex. Big banks can afford to spend hundreds of millions every year on cybersecurity, but every extra penny you spend on this in a hospital has to come out the health budget. It's very very difficult to get it right.

    I think more than anything else we need much more emphasis on a data minimisation approach for every company and organisation who collects personal data. If you don't need it, delete it or securely encrypt it. I know the GDPR says you should do this, but that whole thing needs a rework. Let's minimise the damage when something does (almost inevitably) go wrong.


  • Posts: 0 [Deleted User]


    sphinxicus wrote:
    Haddock. Haddock every time. Much prefer Haddock


    Who are ya coddin wha! :D


  • Registered Users Posts: 4,194 ✭✭✭Corruptedmorals


    Please be patient if you are awaiting news for you/a family member's appointment or surgery. The website or HSE website should state whether you will be contacted if it's cancelled or if you should ring a number to confirm. Regular phone lines will be extremely busy.

    It is like being in the dark ages. Pen and paper. We are okay to see patients in clinic on the paper charts which are now a complete nightmare to find without any ability to look them up. They expect our main system won't be back until the week after next and other supporting systems not for weeks yet. And of course, without results there isn't much point in some patients being seen so the whole thing is going to snowball. A complete ****ing nightmare. And the infected computers of which mine is one will probably take even longer to restore. All computers are running Windows 10 but I have no idea what the servers are.

    It's not as simple as clicking a dodgy link. The emails are super protected, we never ever get anything unsolicited.


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    hmmm wrote: »
    Yep, how do you even begin to secure a network this big and complex. Big banks can afford to spend hundreds of millions every year on cybersecurity, but every extra penny you spend on this in a hospital has to come out the health budget. It's very very difficult to get it right.

    I think more than anything else we need much more emphasis on a data minimisation approach for every company and organisation who collects personal data. If you don't need it, delete it or securely encrypt it. I know the GDPR says you should do this, but that whole thing needs a rework. Let's minimise the damage when something does (almost inevitably) go wrong.

    My last employer was a US Bank. Their total amount that they held in deposit was 36 Trillion. To put that into context, the GDP of the United States is 26 Trillion. Anyway, I worked in Security Operations, and we used to spend 21 million a year just on tooling.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    My last employer was a US Bank. Their total amount that they held in deposit was 36 Trillion. To put that into context, the GDP of the United States is 26 Trillion. Anyway, I worked in Security Operations, and we used to spend 21 million a year just on tooling.

    Totally different though when you look into it.


  • Registered Users Posts: 12 T55PLUS


    Anyone had any issue with payroll as a result of this?


  • Posts: 0 [Deleted User]


    thebourke wrote: »
    will users have to change their windows passwords...what about domain admin passwords?

    Every 90 days


  • Registered Users Posts: 13,186 ✭✭✭✭jmayo


    kippy wrote: »
    This is very true.

    In security best practices you need to use a multilayer approach to stop the end user doing something they shouldn't while at the same time allowing them to do their job.

    I have only recently heard of a user demanding all emails from HSE should be allowed through all email scanning systems rather than be held up.

    Also know of management that have complained that emails should not be held up in mail scanning systems because they came from certain supplier.

    Management and users are morons for the most part.
    I have had management tell me they didn't need to spend much on security because a consultant involved in a totally non-IT field had told them you could do the lot for nearly free.
    JibJabWibWab was referring to the Cisco courses in the examiner article. which i suspect was erroneous/misleading about all staff doing them; i googled the three courses mentioned and combined they've a stated length of 65 hours.

    Is that poster saying all HSE staff have gotten cybersecurity training because my missus definitely didn't.

    To her a virus is something you pick up from someone else.
    Oh and it can make ya sick and feel unwell.

    I am not allowed discuss …



  • Moderators, Politics Moderators Posts: 39,895 Mod ✭✭✭✭Seth Brundle


    Danonino. wrote: »
    ^^ This
    Some of the more recent phishing emails I’ve seen have been fantastically convincing. Things have progressed very fast in that area imo.
    Apparently the Gardaí have issued a general warning to the public over a new spoofing approach which uses Cyrillic characters to spoof bogus addresses...


  • Registered Users Posts: 33,110 ✭✭✭✭gmisk


    Did the head of the HSE really say the ICT spend in HSE is 1/4 of what it would be in other countries?! I wonder where source is for that figure


  • Registered Users Posts: 21,470 ✭✭✭✭Alun


    Apparently the Gardaí have issued a general warning to the public over a new spoofing approach which uses Cyrillic characters to spoof bogus addresses...
    It's called an IDN homograph attack. Been around for a while actually.
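
The Cyrillic look-alike spoofing discussed in the posts above can be checked for mechanically. This is an added example, not part of the thread: it flags domain labels that mix scripts and domains whose Latin look-alike form matches a watched name. The `CONFUSABLES` subset, the `PROTECTED` watchlist and the sample domains are constructed for illustration.

```python
import unicodedata

# Constructed subset of Cyrillic letters that render like Latin ones
# (illustrative only, not the full Unicode confusables table).
CONFUSABLES = {"\u0430": "a", "\u0435": "e", "\u043e": "o", "\u0440": "p",
               "\u0441": "c", "\u0445": "x", "\u0443": "y", "\u0456": "i"}

# Hypothetical watchlist of names an organisation wants to protect.
PROTECTED = {"example.com", "cope.example"}

def script_of(ch):
    """Coarse script label taken from the Unicode character name."""
    if ch.isdigit() or ch == "-":
        return "COMMON"
    name = unicodedata.name(ch, "UNKNOWN")
    return name.split(" ")[0]

def check_domain(domain, protected=PROTECTED):
    """Flag mixed-script labels and look-alikes of protected names."""
    domain = domain.lower()
    mixed = []
    for label in domain.split("."):
        scripts = {script_of(c) for c in label} - {"COMMON"}
        if len(scripts) > 1:          # e.g. Latin and Cyrillic in one label
            mixed.append(label)
    # Map look-alike letters to Latin and compare against the watchlist;
    # this also catches labels written entirely in Cyrillic.
    skeleton = "".join(CONFUSABLES.get(c, c) for c in domain)
    impersonates = skeleton if skeleton != domain and skeleton in protected else None
    return {
        "domain": domain,
        "ascii_form": domain.encode("idna").decode("ascii"),  # xn-- form seen in logs
        "mixed_script_labels": mixed,
        "impersonates": impersonates,
        "suspicious": bool(mixed or impersonates),
    }

if __name__ == "__main__":
    samples = [  # constructed test domains
        "example.com",
        "ex\u0430mple.com",                        # Cyrillic 'a' inside a Latin label
        "\u0441\u043e\u0440\u0435.example",        # label entirely in Cyrillic
        "\u043f\u043e\u0447\u0442\u0430.example",  # genuine Cyrillic word
    ]
    for d in samples:
        print(check_domain(d))
```

A genuine Cyrillic label is not flagged, because it neither mixes scripts nor maps onto a watched name.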


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    gmisk wrote: »
    Did the head of the HSE really say the ICT spend in HSE is 1/4 of what it would be in other countries?! I wonder where source is for that figure

    Doesn't surprise me.


  • Registered Users Posts: 24,203 ✭✭✭✭Larbre34


    gmisk wrote: »
    Did the head of the HSE really say the ICT spend in HSE is 1/4 of what it would be in other countries?! I wonder where source is for that figure

    I imagine his source is himself, being the CE of the HSE and all.....


  • Registered Users Posts: 24,203 ✭✭✭✭Larbre34


    Wanderer78 wrote: »
    Bitcoin isn't a currency at all

    Quite right, no store of value whatsoever. Just a system of transferring notional value between criminal entities.


  • Registered Users Posts: 24,203 ✭✭✭✭Larbre34


    I think myself in these circumstances we should ask the question, what would Israel do?

    This cyber attack on Ireland's most vulnerable people for attempted financial gain, is nothing less than an act of war, but with nobody obvious to target.

    I'd like to see our agencies, working with Europol and bilaterally with other member States, chase these effers down and as the Mossad would, assassinate them.

    Further, the EU governments should spare no effort to destroy cryptocurrency and everything to do with it.

    That might give our Russian criminal friends the idea.

