Ransomware & HSE

kippy

OMM 0000 wrote: »

Companies need to start taking cybersecurity seriously.

They can continue making whatever excuses they want ("we need to use Windows XP") but at some stage they're going to have to join the real world.

I've heard nothing but Cybersecurity for the past 5 years or so as one of these buzz words - millions of jobs available in security etc etc.
You'd swear security was a "new thing".
What makes you think that companies or indeed the HSE don't take security seriously?
You don't think millions are spent on security in general in these organisations?

The best way to take cybersecurity more seriously is to improve international co-operation on implementation of punishment for perpatrators of these types of crime - which can be difficult when states themselves are involved.

It's a never ending circle of nonsense to keep ahead of those looking to do damage and as I stated above ultimately you'll probably get compromised anyway - there's only one solution that would reduce the level of cybercrime.

kippy

10000maniacs wrote: »

Can scarcely believe they had xp and Win7 machines hooked up to their network.
Bin them and get Win 10 everywhere.
They need to get a corporate license for Solarwinds SEM.

Have you ever worked in a large organisation?
It wouldn't be uncommon to have legacy systems in place for a number of years after end of support - whether they be client or server side.
Usualy organisations complete risk analysis and risk mitigation with these systems but it's never as simple as just "bin them" and even getting Windows 10 every has it's major issues (update paths, compatability with existing software/hardware between updates etc....)

magicbastarder

OMM 0000 wrote: »

Companies need to start taking cybersecurity seriously.

They can continue making whatever excuses they want ("we need to use Windows XP") but at some stage they're going to have to join the real world.

i'll pass your advice on. i'm sure it will be welcome.

FileNotFound

All joking aside and working in a big company with legacy equipment.
I can only assume that due to budgetary constraints the HSE has fallen far below the required mark on protecting their systems.

Now that said i am sure when they decide where to spend and have options like "spending here will save more lives" v "Spending here may prevent future IT issues" it's not as simple as many have made out.

No matter the equipment - backups are the simple route to safety - If they are going to lose years worth of info and systems are still down then one can only assume these have not been backed up in a long time if at all.

The likes of the FDA will shut Pharma companies for having poor data integrity systems (includes he safeguarding of data).

If J&J can back up their systems - the HSE can really only accept that prioritisation of budget and spending is the cause. The HSE is smaller than most big pharma.

Wombatman

FileNotFound wrote: »

All joking aside and working in a big company with legacy equipment.
I can only assume that due to budgetary constraints the HSE has fallen far below the required mark on protecting their systems.

Now that said i am sure when they decide where to spend and have options like "spending here will save more lives" v "Spending here may prevent future IT issues" it's not as simple as many have made out.

No matter the equipment - backups are the simple route to safety - If they are going to lose years worth of info and systems are still down then one can only assume these have not been backed up in a long time if at all.

The likes of the FDA will shut Pharma companies for having poor data integrity systems (includes he safeguarding of data).

If J&J can back up their systems - the HSE can really only accept that prioritisation of budget and spending is the cause. The HSE is smaller than most big pharma.

What do you do when your recent backups are either infected or encrypted by the attack?

Wombatman

The presence of legacy systems is acceptable ONLY if there are projects on going aimed at replacing them.

The main problem with legacy systems is they are nearly always performing in an inefficient and antiquated way.

20 years in IT terms is like comparing modern life with the dark ages.

When organisations roll out software and hardware their is a belief that it's job done at that point. No plans for maintenance, upgrades, DR, BC or future proofing. Bananas. A system is for life not just for Christmas.

JDxtra

Wombatman wrote: »

What do you do when your recent backups are either infected or encrypted by the attack?

You don't only have the most recent backup. You have a history of backups so you can do a point in time recovery.

_Kaiser_

seamus wrote: »

And in a corporate context I tend to go for the "upgrade it ta ****" approach, which is to say that none of your corporate apps are so important that you need to stay on a really old OS version. There's always an alternate or a workaround.

Not necessarily. Unless you're someone like Microsoft, IT will have a limited budget, generally seen as a cost/burden than a benefit, and compromises will need to be made.

If you are a service provider to another company (for example financial services), you'll need to maintain compatibility with that client's systems which will also limit your own upgrade options.

The corporate apps you'd so casually say "just upgrade it" to control everything from your loans, to your utility bills. It's nowhere near as simple as you suggest.

Wombatman

JDxtra wrote: »

You don't only have the most recent backup. You have a history of backups so you can do a point in time recovery.

Online?

Hurrache

Wombatman wrote: »

The presence of legacy systems is acceptable ONLY if there are projects on going aimed at replacing them.

The main problem with legacy systems is they are nearly always performing in an inefficient and antiquated way.

20 years in IT terms is like comparing modern life with the dark ages.

When organisations roll out software and hardware their is a belief that it's job done at that point. No plans for maintenance, upgrades, DR, BC or future proofing. Bananas. A system is for life not just for Christmas.

People might want to move all their cash, investments and insurance/assurance and stick it under their mattresses when they realise the majority is managed by decades old software and languages.

"The presence of legacy systems is acceptable ONLY if there are projects on going aimed at replacing them. " Taking my examples, it would be madness to migrate from their systems just because there's a 'fresher' and 'newer' system and language.

penny piper

Triangle wrote: »

Quote: 10000maniacs

Bin them and get Win 10 everywhere.

fyi Co.Leitrim HSE offices operate windows 10.

DessieJames

DessieJames wrote: »

touched a nerve have we, you sound as if you actually work for the HSE IT department you are getting that worked up it doesnt take a genuius to work out that you need to spend a lot of money on cyber security in order to prevent a cyber attack, evidently the HSE didnt have the necessary cyber security protocols in place otherwise this would have been prevented.

So stop talking nonsense, im telling it as it is.

Go to bed, child.

:rolleyes:

Ger Roe

Triangle wrote: »

Quote: 10000maniacs
Can scarcely believe they had xp and Win7 machines hooked up to their network.
Bin them and get Win 10 everywhere.


Shows a very basic knowledge of large corporations. They often have hundreds of applications, all of which work off different platforms.
The future might be different with windows 10 being the final version. But those legacy systems....... Some don't have upgrades..

I know of a world leading multinational based tech firm that has mission critical operations running on machines with 'obsolete' software - no longer supported. They have highly specialised proprietary software running their systems and decided that the least disruptive option to their process is to carry on with what works and instead operate world leading security systems. It works for them.

I suppose the bigger problem is when your 'obsolete' software is front facing and allows access. If you have a ring of steel firewall around your network and highly trained and security aware staff, maybe you can run whatever you like behind it?

Keyzer

mcsean2163 wrote: »

No funding needed. A proper it policy and two good it people could secure and run the network.

The HSE develops nothing. Choosing and integrating the correct systems is all that is needed. Then a support desk to tell people to turn on and off their computers.

Solution: sign up with Microsoft Azure healthcare. That's half it and X millions per year saved. Instead they are using their own servers and these people (not all but a sizeable proportion), I'm sorry to say, shouldn't be let near patient data and hospital systems.

You haven't a clue what you're talking about.

I've been involved in something similar in the past and its a total nightmare trying to figure out how bad the situation is, triage the situation, trying to explain to non-technical people what's going on, working 18-20 hr days, trying to do your best while your physically and mentally exhausted.

We're talking about critical health services and critically sensitive health care data. For millions of people.

Significant funding is required in all areas...

10000maniacs

kippy wrote: »

Have you ever worked in a large organisation?
It wouldn't be uncommon to have legacy systems in place for a number of years after end of support - whether they be client or server side.
Usualy organisations complete risk analysis and risk mitigation with these systems but it's never as simple as just "bin them" and even getting Windows 10 every has it's major issues (update paths, compatability with existing software/hardware between updates etc....)

Yes, I work for an American corporation. And everything with a screen is always upgraded to the latest Windows version or latest Microsoft version.
If the hardware can't handle it, get new hardware.
It would be stupid not to.
And people complain that some of the legacy applications can't run on Windows 10. Should not have purchased them then.
Write the software not to depend on a systems drivers.

Keyzer

10000maniacs wrote: »

Yes, I work for an American corporation. And everything with a screen is always upgraded to the latest Windows version or latest Microsoft version.
If the hardware can't handle it, get new hardware.
It would be stupid not to.
And people complain that some of the legacy applications can't run on Windows 10. Should not have purchased them then.

Of course it would be stupid not to but its not that simple. Its not black and white.

In many cases, you're dealing with complex issues. Some applications are completely bespoke and entirely reliant on a particular operating system. The OS cannot be upgraded because the application wont run on it.

What would your advise be to a c-suite management team when it comes to a business critical system which is running on legacy hardware/software?

Bear in mind, turn it off is not the right answer.

seamus

_Kaiser_ wrote: »

Not necessarily. Unless you're someone like Microsoft, IT will have a limited budget, generally seen as a cost/burden than a benefit, and compromises will need to be made.

If you are a service provider to another company (for example financial services), you'll need to maintain compatibility with that client's systems which will also limit your own upgrade options.

The corporate apps you'd so casually say "just upgrade it" to control everything from your loans, to your utility bills. It's nowhere near as simple as you suggest.

My point is that the limiting factor is always money or will though. Someone, whether it be in your customer's office or in your own, doesn't want to spend the time or the money to make it work.

In healthcare (and in some other contexts), time and money are not the only limiting factors, and there are some scenarios where even with all the money in the world, holding onto your legacy system for another few years is the preferred option.

magicbastarder

10000maniacs wrote: »

Yes, I work for an American corporation. And everything with a screen is always upgraded to the latest Windows version or latest Microsoft version.

sounds like you work for MS. we get this blind advice from them occasionally.

10000maniacs

Keyzer wrote: »

Of course it would be stupid not to but its not that simple. Its not black and white.

In many cases, you're dealing with complex issues. Some applications are completely bespoke and entirely reliant on a particular operating system. The OS cannot be upgraded because the application wont run on it.

What would your advise be to a c-suite management team when it comes to a business critical system which is running on legacy hardware/software?

Bear in mind, turn it off is not the right answer.

I am a software developer, and one of the most important aspects of the system software is to make it forward platform compatible. Win32 or Win64 does not lose functionality with newer versions. It just gains functionality. Make your software compatible with the lowest common denominator. But don't create any dependencies on third party drivers. Write all of the interfaces yourself and stick to Win32 compatibility for these interfaces. If you have to sacrifice graphics/speed in doing so, so be it.

Keyzer

Keyzer wrote: »

Of course it would be stupid not to but its not that simple. Its not black and white.

In many cases, you're dealing with complex issues. Some applications are completely bespoke and entirely reliant on a particular operating system. The OS cannot be upgraded because the application wont run on it.

What would your advise be to a c-suite management team when it comes to a business critical system which is running on legacy hardware/software?

Bear in mind, turn it off is not the right answer.

1000Maniacs advice is going to be to use a DeLorean to go back in time and tell the vendor to write the software in such a way that it will work on Windows 10, a future operating system which hasn't yet been designed.

10000maniacs

Deleted User wrote: »

1000Maniacs advice is going to be to use a DeLorean to go back in time and tell the vendor to write the software in such a way that it will work on Windows 10, a future operating system which hasn't yet been designed.

If the software developer stuck to these first principles 20 years ago or whatever, the software would still work on Windows 10 now.
Our company has enterprise wide applications that we wrote 20 years ago that still work now.

purplefields

Wombatman wrote: »

The presence of legacy systems is acceptable ONLY if there are projects on going aimed at replacing them.

The main problem with legacy systems is they are nearly always performing in an inefficient and antiquated way.

20 years in IT terms is like comparing modern life with the dark ages..

The advantage of legacy systems is that they work. They have had years of testing and most of the bugs have been resolved. They have stood the test of time.
The users know how to use them too.

Otherwise, when does it stop? - Technology is constantly changing. By the time you write your new system, it'll already be 'obsolete'.

10000maniacs

10000maniacs wrote: »

If the software developer stuck to these first principles 20 years ago or whatever, the software would still work on Windows 10 now.
Our company has enterprise wide applications that we wrote 20 years ago that still work now.

Keyzer's question to you was, what do you do now when you have an application that won't work on Windows 10, for whatever reason?

10000maniacs

magicbastarder wrote: »

sounds like you work for MS. we get this blind advice from them occasionally.

No, try again.

BailMeOut

10000maniacs wrote: »

Yes, I work for an American corporation. And everything with a screen is always upgraded to the latest Windows version or latest Microsoft version.
If the hardware can't handle it, get new hardware.
It would be stupid not to.
And people complain that some of the legacy applications can't run on Windows 10. Should not have purchased them then.
Write the software not to depend on a systems drivers.

Have you ever experienced IT in a health care environment? You can have a Windows 7 (or older) machine managing some serious equipment like a CT or MRI scanners. These machine would be working perfectly using an old OS and any downtime to upgrade is very difficult to organize as you need to accept the risks associated with any subsequent changes which may not even be supported by the original manufacturer.

How many managers and decision-makers every day say if it is not broken do not fix it so good luck getting approval taking some critical piece of equipment for possibly weeks just to install a more modern OS that may or may not stop future security issues.

I work in financial services and we have many Windows 7 and 2008 Server systems that just cannot be replaced as the 3rd party software running on them cannot be migrated without significant time, disruption, and cost to the business. In these situations, you accept the risks but add additional security controls and technology to these systems to mitigate and reduce these risks. Eventually, they will get replaced but for many situations its just not that straightforward for many reasons.

10000maniacs

Deleted User wrote: »

Keyzer's question to you was, what do you do now when you have an application that won't work on Windows 10, for whatever reason?

Personally I would write a kernel to emulate the drivers of the particular target whether it is XP, Vista or whatever. And our company always buy new PC's with a traditional RS232 serial port. Most interfaces used this port back in the day.

magicbastarder

10000maniacs wrote: »

Our company has enterprise wide applications that we wrote 20 years ago that still work now.

my emphasis.

i would not like to guess how much of the problem software the HSE use was written in house. and they usually don't have a choice.
when you buy an MRI machine, for example, i suspect you don't get an awful lot of choice in relation to the software which runs it.

10000maniacs

magicbastarder wrote: »

my emphasis.

i would not like to guess how much of the problem software the HSE use was written in house. and they usually don't have a choice.
when you buy an MRI machine, for example, i suspect you don't get an awful lot of choice in relation to the software which runs it.

A friend of mine is a dentist and he ran his x-ray/photo/scanning software on XP up to 2020.
He wanted my help to move to Windows 10. It took a bit of effort and coding but I helped him do it over two weekends.

Keyzer

10000maniacs wrote: »

If the software developer stuck to these first principles 20 years ago or whatever, the software would still work on Windows 10 now.
Our company has enterprise wide applications that we wrote 20 years ago that still work now.

I'd be interested to see your response to my previous question...

I see you provided an answer, of sorts...

10000maniacs wrote: »

Personally I would write a kernel to emulate the drivers of the particular target whether it is XP, Vista or whatever. And our company always buy new PC's with a traditional RS232 serial port. Most interfaces used this port back in the day.

You'd be asked to leave the room or stop talking if that was your response to a c-suite management team/board.

jmayo

mcsean2163 wrote: »

I have to say I've been really upset by this. I was working with HSE years ago and using Windows 7 and paying Microsoft to extend support so they wouldn't have to upgrade was crazy in my opinion.

I expect a competent 12 year old could have hacked the HSE.

I'd even go to say that whoever decided to keep their infrastructure on Windows 7 should be imprisoned.

mcsean2163 wrote: »

This



How do you know it's not a few teen-agers in Blackrock. The HSE was running Windows 7 across all their PC's. My mother in her eighties was talking about being safe because she was on windows 10. It just beggars belief.

It could be anyone anywhere.

Speaking of teenagers.
Was she also talking about how Windows 10 updates don't bother having fixes pointed out by beta testers ?

mcsean2163 wrote: »

No funding needed. A proper it policy and two good it people could secure and run the network.

The HSE develops nothing. Choosing and integrating the correct systems is all that is needed. Then a support desk to tell people to turn on and off their computers.

Solution: sign up with Microsoft Azure healthcare. That's half it and X millions per year saved. Instead they are using their own servers and these people (not all but a sizeable proportion), I'm sorry to say, shouldn't be let near patient data and hospital systems.

Jaysus everyone that runs a computer is throwing their spake into this.

So should they put patient monitoring systems in ICUs and ORs on MS Azure ?
And these patient monitoring systems are connected into hospital LANs because doctors, nurses, consultants needs feeds from the systems and they need to be able to interrogate the historic data.

Nah the systems should be on the cloud.

You are some spoofer.
Yet another with some knowledge thinking they know it all.

As Oscar Wilde I think said...
"Sometimes it is better to keep your mouth shut rather than confirm ...."

Deleted User wrote: »

Keyzer's question to you was, what do you do now when you have an application that won't work on Windows 10, for whatever reason?

Well you can off find workarounds to getting the application to work.
I have had to do it a few times actually.
One example is serial to usb adapters.

Only thing is the next Windows 10 update decides fook you and that the application is incompatible and reverses all the work you have done.


Every gimp here is braying about Windows 10 when it is actually a retrograde step in the evolution of Windows.
MS have taken away the flexibility you had with Windows updates, deciding that they know best.

It was better when you could decide when and how you could do your updates, now MS decides what is best for the user.
And yes there are ways around it, but not with bog standard Win instance.

They have also managed to start doing the same fookups with server environments.
It was bad enough they started fooking with the interface.