
Ransomware & HSE


Comments

  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    Keyzer wrote: »
    It's a very valid point.

    Sadly, like a lot of things in human nature, we leave things to the last minute, don't do something until there is impending danger or react when something bad happens. Many organisations I have seen in my time operate this way. IT and, more specifically, IT Security are seen as a cost. Costs are, generally speaking, minimised. Until something really bad happens.
    We're just going to have to roll back large amounts of computerisation and disconnect entire industries from the Internet. I don't know what else you do.

    You can say "oh it's so much more efficient to have xyz" which may be true, but then can you afford to have your hospitals knocked out for a month as a consequence? It's interesting as an example that several banking groups are saying payment speeds need to be slowed for security and fraud reasons, and not sped up as has been the aim until now.

    The ransomware groups are now able to buy zero-days because of the money they have raised. It's an impossible problem and on the verge of out-of-control - it'd be like bank robbers buying up nuclear and chemical weapons, and threatening banks with them.


  • Registered Users Posts: 5,325 ✭✭✭Man Vs ManUre


    I wonder if it is the same group from St Petersburg that keep trying to login to my Instagram??


  • Registered Users Posts: 19,856 ✭✭✭✭Donald Trump


    I wonder if it is the same group from St Petersburg that keep trying to login to my Instagram??


    The fuckers keep logging into my boards.ie account and posting shite under my name.


    Wouldn't mind, but they did the same to my Twitter and now I'm banned from there.


  • Registered Users Posts: 4,573 ✭✭✭Infini


    hmmm wrote: »
    We're just going to have to roll back large amounts of computerisation and disconnect entire industries from the Internet. I don't know what else you do.

    You can say "oh it's so much more efficient to have xyz" which may be true, but then can you afford to have your hospitals knocked out for a month as a consequence?

    The ransomware groups are now able to buy zero-days because of the money they have raised. It's an impossible problem and on the verge of out-of-control - it'd be like bank robbers buying up nuclear and chemical weapons, and threatening banks with them.

    What's needed is more segregated networking; critical or essential tech needs to be kept off the grid or designed to work in a closed intranet with no external access to the wider internet. Systems need to be built with the understanding that, unless they're primarily a stand-alone item, the maximum life of this hardware will be at most 10 years, and they need to be able to support software and such for that time period.

    We've changed as a society over the years, but at the same time incidents like this show how absolutely important it is to have skilled IT administrators and technicians to be able to deal with these kinds of incidents. It's also showing up how the state had either vastly undervalued or understood the importance of having someone in Cyber Security to be able to deal with these incidents.


  • Registered Users Posts: 2,004 ✭✭✭FileNotFound


    Wombatman wrote: »
    What do you do when your recent backups are either infected or encrypted by the attack?

    You'd have to be storing the backups on the same drives for that - surely not good practice...

    Of course if there was a delay on something activating and it was present in the system for a long time maybe backup is not the way.


    Big companies far larger than the HSE manage to stop this all the time was more my point. No expert here for sure.


  • Posts: 0 [Deleted User]


    I'm sure this has been asked or pondered already.

    But why in any instance would you pay the ransom?

    It's akin to someone having a DVD you made of yourself which compromises you, and they demand you pay for it back.
    But there's no reason to believe they didn't copy it.

    If someone is lousy enough to blackmail you, they're lousy enough to copy it and come back a second, third, fourth time (or the equivalent means in this case).

    So it seems to be like a ransom you wouldn't ever pay.


  • Registered Users Posts: 8,211 ✭✭✭realdanbreen


    Am I right in thinking that the security of a network system could come down to being dependent on an employee not clicking on an email link, or an employee even being offered a sweetener to do so?


  • Registered Users Posts: 2,004 ✭✭✭FileNotFound


    joe40 wrote: »
    Are we getting to the stage where the use of technology and software has advanced at a faster speed than the ability of organisations/companies to maintain proper security.
    That would mean we are very vulnerable to this sort of thing. Imagine a power grid, air traffic control or banking, just to name a few, where this sort of breach could be catastrophic.

    The technology involved here is totally beyond me, I'll leave others to discuss the details of this issue, but just how vulnerable are we as a society?


    I dare say the ability to protect will always lag behind the ability to attack.

    The cost involved in keeping up is probably a real issue.


    Realistically, hearing a guy who deals with this on the news talking about an office of these hacker lads in Russia who even observe religious holidays (time off from work), it's pretty clear that the real way to stop this is shocking punishment.

    Say the US sent the Special forces in and took care of the oil line hackers like they did Binny boy, would others be so quick?


  • Registered Users Posts: 5,112 ✭✭✭Blowfish


    cnocbui wrote: »
    Machines that run XP or Windows 7 for dedicated hardware purposes should not be connected to any network. Air gap all machines that have to be run insecure.
    So how do you get scan results run from air-gapped machines back to the patient records? Do you want doctors/nurses/medical techs wandering around with USBs full of patient data all day?
    joe40 wrote: »
    Are we getting to the stage where the use of technology and software has advanced at a faster speed than the ability of organisations/companies to maintain proper security.
    The issue is with defining what 'proper' security is. Making something 100% 'unhackable' is easy, it's just not terribly useful. You just throw all computing devices into a shredder and burn whatever comes out. Secure, but useless.

    This is why InfoSec should be thought of as a subset of Risk Management. Just as there is no functioning business with zero business risk, there is no functioning business with zero InfoSec risk. Risk is a requirement of doing business and thus every business/organization can be breached. The question then becomes what is the appropriate/acceptable level of risk that allows the organization to function as it needs to without it being overly exposed. This is not a straightforward question in a standard business, it's even more complex in healthcare.


  • Registered Users Posts: 8,211 ✭✭✭realdanbreen


    I dare say the ability to protect will always lag behind the ability to attack.

    The cost involved in keeping up is probably a real issue.


    Realistically, hearing a guy who deals with this on the news talking about an office of these hacker lads in Russia who even observe religious holidays (time off from work), it's pretty clear that the real way to stop this is shocking punishment.

    Say the US sent the Special forces in and took care of the oil line hackers like they did Binny boy, would others be so quick?

    We could always invade Russia, or at least threaten to.


  • Registered Users Posts: 19,856 ✭✭✭✭Donald Trump


    I dare say the ability to protect will always lag behind the ability to attack.

    The cost involved in keeping up is probably a real issue.


    Realistically, hearing a guy who deals with this on the news talking about an office of these hacker lads in Russia who even observe religious holidays (time off from work), it's pretty clear that the real way to stop this is shocking punishment.

    Say the US sent the Special forces in and took care of the oil line hackers like they did Binny boy, would others be so quick?




    They can do that in Pakistan. I don't think they'd get away with it with other states. Especially some where the bad actors might be being controlled by the state or with the tacit approval of it. I couldn't imagine their special forces going into Russia, China or even North Korea for fear of what it might precipitate.

    A counter cyber attack is probably more realistic and feasible.


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    Blowfish wrote: »
    This is why InfoSec should be thought of as a subset of Risk Management. Just as there is no functioning business with zero business risk, there is no functioning business with zero InfoSec risk. Risk is a requirement of doing business and thus every business/organization can be breached. The question then becomes what is the appropriate/acceptable level of risk that allows the organization to function as it needs to without it being overly exposed. This is not a straightforward question in a standard business, it's even more complex in healthcare.

    This 100%

    Forget all the techno babble - it's all down to effective risk management.


  • Moderators, Politics Moderators, Social & Fun Moderators Posts: 15,619 Mod ✭✭✭✭Quin_Dub


    Am I right in thinking that the security of a network system could come down to being dependent on an employee not clicking on an email link, or an employee even being offered a sweetener to do so?

    In some cases yes.

    In my company they regularly send out test emails to all staff and if you click any links in the mail you are automatically sent to a mandatory online "How to avoid phishing etc." training.

    Do that 3 times in a year and the company reserve the right to take disciplinary action against you.

    I've yet to hear of that happening to someone, but the threat is there.

    It's a huge deal and potentially a massive massive cost.


  • Registered Users Posts: 9,557 ✭✭✭DublinWriter


    I saw this up close and personal in a public body of similar size with the "Wannacry" virus in 2017.

    A user had opened up and run an attachment from an email that looked like an Eircom bill.

    The virus proceeded to encrypt any file it could on network shares that the user had open and left a text file ransom note in each subdirectory.

    Thankfully, the organisation were running nightly enterprise backups, so only a day's work was lost at worst.

    Weren't the HSE running any daily backups?


  • Registered Users Posts: 2,004 ✭✭✭FileNotFound


    They can do that in Pakistan. I don't think they'd get away with it with other states. Especially some where the bad actors might be being controlled by the state or with the tacit approval of it. I couldn't imagine their special forces going into Russia, China or even North Korea for fear of what it might precipitate.

    A counter cyber attack is probably more realistic and feasible.


    Very true, but surely a state protected/supported group launching attacks on a national health service is not far off an act of war.

    Not saying Ireland is going to war, but if this is the case it's time for the entire rest of the world to really put the squeeze on a nation.

    Just seems that Russia is the location of most of these ones and the Russians clearly don't care.


  • Registered Users Posts: 7,882 ✭✭✭frozenfrozen


    I saw this up close and personal in a public body of similar size with the "Wannacry" virus in 2017.

    A user had opened up and run an attachment from an email that looked like an Eircom bill.

    The virus proceeded to encrypt any file it could on network shares that the user had open and left a text file ransom note in each subdirectory.

    Thankfully, the organisation were running nightly enterprise backups, so only a day's work was lost at worst.

    Weren't the HSE running any daily backups?

    how do you know how far back the malware has been present?


  • Registered Users Posts: 20,088 ✭✭✭✭cnocbui


    Blowfish wrote: »
    So how do you get scan results run from air-gapped machines back to the patient records? Do you want doctors/nurses/medical techs wandering around with USBs full of patient data all day?
    The issue is with defining what 'proper' security is. Making something 100% 'unhackable' is easy, it's just not terribly useful. You just throw all computing devices into a shredder and burn whatever comes out. Secure, but useless.

    They would have to be one-use USBs that are treated like hazardous waste, with them collected and an IT person cleaning them for reuse. Cumbersome but doable. Or burn the scans to a CD-ROM. You can make up stuff about inconvenience all day long, but the current imbroglio shows that convenience and money saving can have costs far in excess of the alternative.

    NORAD in the US famously has some incredibly outdated systems for transferring nuclear launch codes based on 8" floppy discs manually transported from A to B. Although unintentional, the security of this system is unparalleled. Thousands of Russian, Chinese, Iranian and North Korean hackers can wear their fingers to the bone and they will never be able to compromise this archaic, inefficient and inconvenient system.


  • Registered Users Posts: 8,211 ✭✭✭realdanbreen


    Quin_Dub wrote: »
    In some cases yes.

    In my company they regularly send out test emails to all staff and if you click any links in the mail you are automatically sent to a mandatory online "How to avoid phishing etc." training.

    Do that 3 times in a year and the company reserve the right to take disciplinary action against you.

    I've yet to hear of that happening to someone , but the threat is there.

    It's a huge deal and potentially a massive massive cost.

    But if an employee is offered a sweetener to leave their laptop unattended in a coffee shop for 20 minutes then it's virtually impossible to secure a network.


  • Registered Users Posts: 9,557 ✭✭✭DublinWriter


    how do you know how far back the malware has been present?

    Even so, most IT shops would be running a grandfather-father-son generational backup system.
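An added example (not code from the poster or the thread) of what a grandfather-father-son scheme actually keeps, and of how it bears on frozenfrozen's question about how far back the malware has been present: once you know the earliest date the infection could have been on the network, the newest retained snapshot taken before that date is your restore candidate. The retention counts (7 daily, 4 weekly, 12 monthly), the choice of Sunday and first-of-month generations, and the 400-night sample are constructed for the illustration.

```python
"""Grandfather-father-son retention and picking a pre-compromise restore point (added example)."""
from datetime import date, timedelta


def gfs_retained(snapshots, today, daily=7, weekly=4, monthly=12):
    """Return the sorted list of snapshot dates a GFS policy keeps as of `today`.

    sons:          the most recent `daily` snapshots
    fathers:       the most recent `weekly` Sunday snapshots
    grandfathers:  the first snapshot of each month, for the last `monthly` months
    (Counts and the Sunday/first-of-month choice are assumptions for this example.)
    """
    snaps = sorted(s for s in snapshots if s <= today)
    keep = set(snaps[-daily:])
    sundays = [s for s in snaps if s.weekday() == 6]
    keep.update(sundays[-weekly:])
    first_in_month = {}
    for s in snaps:
        first_in_month.setdefault((s.year, s.month), s)
    keep.update(sorted(first_in_month.values())[-monthly:])
    return sorted(keep)


def latest_clean_restore_point(retained, earliest_compromise):
    """Newest retained snapshot taken strictly before the earliest date the malware
    could have been present. None means retention does not reach back far enough."""
    candidates = [s for s in retained if s < earliest_compromise]
    return candidates[-1] if candidates else None


# Constructed sample: one snapshot per night for 400 nights up to 31 May 2021.
TODAY = date(2021, 5, 31)
NIGHTLY = [TODAY - timedelta(days=i) for i in range(400)]
RETAINED = gfs_retained(NIGHTLY, TODAY)

if __name__ == "__main__":
    print(len(NIGHTLY), "nightly snapshots ->", len(RETAINED), "retained")
    for suspected in (date(2021, 5, 10), date(2021, 5, 1), date(2020, 1, 1)):
        print("earliest compromise", suspected, "-> restore from",
              latest_clean_restore_point(RETAINED, suspected))
```

With these parameters 400 nightly snapshots collapse to 22 retained ones, and a compromise believed to date from early May can still be recovered from 1 April; the trade-off is that a restore point older than the dailies may be weeks of lost work, and the chosen snapshot still has to be checked for the infected files before it is trusted.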


  • Registered Users Posts: 4,920 ✭✭✭10000maniacs


    I saw this up close and personal in a public body of similar size with the "Wannacry" virus in 2017.

    A user had opened up and run an attachment from an email that looked like an Eircom bill.

    The virus proceeded to encrypt any file it could on network shares that the user had open and left a text file ransom note in each subdirectory.

    Thankfully, the organisation were running nightly enterprise backups, so only a day's work was lost at worst.

    Weren't the HSE running any daily backups?

    Going back to Keyzer's point.
    So you can't tell them to hire a decent IT team because that would imply the C-suite are incompetent (even if they are) - you'd be fired on the spot.

    If they had any sense, they would sack their IT team on the spot if they weren't doing nightly backups.
    Or if nightly backups weren't even on the radar, although I am not sure if this is the case or not, the Government should sack the board.


  • Registered Users Posts: 3,231 ✭✭✭TomSweeney


    Keyzer wrote: »
    It's a very valid point.

    Sadly, like a lot of things in human nature, we leave things to the last minute, don't do something until there is impending danger or react when something bad happens. Many organisations I have seen in my time operate this way. IT and, more specifically, IT Security are seen as a cost. Costs are, generally speaking, minimised. Until something really bad happens.

    A great example of this is Maersk - they almost went out of business a couple of years ago because of NotPetya. It's a fascinating story. They had to rebuild over 4000 servers. Their entire Active Directory system (simply put, a critical system which allows you access to your Windows machine when you logon in the morning) was significantly affected. In Maersk's case, because this system was down, they couldn't open the gates of their shipping ports because it was all managed through Active Directory.

    They eventually found one Active Directory server (a domain controller; you have multiple domain controllers in a large organisation which replicate with each other) somewhere in Africa which was offline due to an electrical storm. The guy in Africa was ordered not to turn it back on under any circumstances, to take out the hard drives, put them in a stainless steel briefcase, handcuff the briefcase to his wrist and fly to Maersk offices in London immediately. He couldn't because he didn't have a visa, so Maersk flew one of their guys to Kenya, met the guy, got the briefcase and prayed the hard drives were operational.

    Thankfully for Maersk, they were. They rebuilt their entire Active Directory system using this one hard drive. If that drive failed, the company was gone.

    But consider that for a moment, a company of the size of Maersk, a company the global economy is dependent on, almost going out of business. And they almost did.

    After this fiasco, Maersk's entire approach to Information Security changed. Sometimes you have to go the edge of oblivion before you decide to make a change.


    Wow, that's a great story!!


  • Registered Users Posts: 5,112 ✭✭✭Blowfish


    cnocbui wrote: »
    They would have to be one-use USBs that are treated like hazardous waste, with them collected and an IT person cleaning them for reuse. Cumbersome but doable. Or burn the scans to a CD-ROM. You can make up stuff about inconvenience all day long, but the current imbroglio shows that convenience and money saving can have costs far in excess of the alternative.
    How do you know the inconvenience is in excess of the alternative? In A&E, seconds/minutes count in terms of lives. This is why standard InfoSec controls like PCs that automatically lock after a few minutes and require a password to unlock may not actually be appropriate to have there. The last thing you want is for critical care for a patient to be delayed because a doctor in the stress of the moment fat-fingers their password and locks themselves out. Again, it all comes down to risk.


  • Registered Users Posts: 2,004 ✭✭✭FileNotFound


    how do you know how far back the malware has been present?

    In the limited instances I have seen it happen where I worked, it was pretty fast acting once opened.

    Sounds like DublinWriter had a similar experience.


    Two experiences of fast acting vs. never having heard of a slow-acting scenario. Have you?


  • Registered Users Posts: 1,665 ✭✭✭notAMember


    Blowfish wrote: »
    So how do you get scan results run from air-gapped machines back to the patient records? Do you want doctors/nurses/medical techs wandering around with USBs full of patient data all day?

    Validated interfaces between segregated networks.

    This is the standard across industry with legacy systems they need to protect.

    The data can move in a very tightly controlled way, as an XML file or JSON payload on a specific port, encrypted. All other ports and access methods are closed.
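A minimal version of the validation half of such an interface, added here as an illustration and not code from anyone in the thread: the receiving side on the clinical network accepts exactly one JSON record shape from the scanner side and refuses everything else, so an attacker who reaches the open port still has to produce a well-formed scan result. The field names, patterns, enumerations and 4 KiB ceiling are assumptions chosen for the example; the network half (one open port, TLS on the wire, everything else closed) sits outside the block.

```python
"""Schema-validating receiver for a one-way scan-result feed (added example)."""
import json
import re
from datetime import datetime

# Assumptions for the example: a 4 KiB ceiling and a four-field record.
MAX_PAYLOAD_BYTES = 4096
PATIENT_ID = re.compile(r"[A-Z]{2}[0-9]{6}")
REPORT_TEXT = re.compile(r"[\x20-\x7E\n]{1,2000}")   # printable ASCII only, bounded length
MODALITIES = {"CT", "MRI", "XR", "US"}


def _is_iso8601(value: str) -> bool:
    try:
        datetime.fromisoformat(value)
        return True
    except ValueError:
        return False


# Every accepted field is listed here with its check; nothing else gets through.
FIELD_CHECKS = {
    "patient_id": lambda v: PATIENT_ID.fullmatch(v) is not None,
    "modality": lambda v: v in MODALITIES,
    "study_time": _is_iso8601,
    "report": lambda v: REPORT_TEXT.fullmatch(v) is not None,
}


def validate_scan_result(raw: bytes) -> tuple[bool, str]:
    """Return (accepted, reason). Rejects oversized input before parsing it,
    then rejects unknown or missing fields, non-string values and bad values."""
    if len(raw) > MAX_PAYLOAD_BYTES:
        return False, "payload exceeds size limit"
    try:
        record = json.loads(raw.decode("utf-8"))
    except (UnicodeDecodeError, ValueError):      # JSONDecodeError is a ValueError
        return False, "malformed JSON"
    if not isinstance(record, dict):
        return False, "top level must be an object"
    unexpected = sorted(set(record) - set(FIELD_CHECKS))
    if unexpected:
        return False, f"unexpected field(s): {unexpected}"
    missing = sorted(set(FIELD_CHECKS) - set(record))
    if missing:
        return False, f"missing field(s): {missing}"
    for field, check in FIELD_CHECKS.items():
        value = record[field]
        if not isinstance(value, str):
            return False, f"{field} must be a string"
        if not check(value):
            return False, f"{field} failed validation"
    return True, "accepted"


# Constructed sample messages.
GOOD = json.dumps({
    "patient_id": "IE000123", "modality": "CT",
    "study_time": "2021-03-02T09:30:00", "report": "No acute findings.",
}).encode()
EXTRA_FIELD = json.dumps({
    "patient_id": "IE000123", "modality": "CT",
    "study_time": "2021-03-02T09:30:00", "report": "No acute findings.",
    "attachment": "<binary blob>",          # not in the schema, so the whole record is refused
}).encode()
OVERSIZED = b'{"report": "' + b"A" * 5000 + b'"}'

if __name__ == "__main__":
    for name, msg in (("GOOD", GOOD), ("EXTRA_FIELD", EXTRA_FIELD), ("OVERSIZED", OVERSIZED)):
        print(name, validate_scan_result(msg))
```

The point of the allowlist shape is that the receiver never has to recognise anything hostile: a field it was not told about, a control character in free text, or a value outside the enumeration is simply not a scan result, and the reason string gives the clinical side something to log when the feed starts rejecting traffic.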


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    But if an employee is offered a sweetener to leave their laptop unattended in a coffee shop for 20 minutes then it's virtually impossible to secure a network.

    Generally speaking, it's virtually impossible to prevent collusion. If someone decides they are going to do something like this and is truly motivated to proceed, you can't really protect against it.

    That said, with strong and effective security controls (segregation of duties, privileged accounts secured, logging and monitoring for anomalous activity) in place and a defense in depth strategy, you can significantly limit the damage.


  • Registered Users Posts: 4,920 ✭✭✭10000maniacs


    TomSweeney wrote: »
    Wow, that's a great story!!

    If a multinational like Maersk weren't doing nightly backups, that would be very surprising.


  • Registered Users Posts: 20,088 ✭✭✭✭cnocbui


    They can do that in Pakistan. I don't think they'd get away with it with other states. Especially some where the bad actors might be being controlled by the state or with the tacit approval of it. I couldn't imagine their special forces going into Russia, China or even North Korea for fear of what it might precipitate.

    A counter cyber attack is probably more realistic and feasible.

    I think it is past time western nations started telling host states to close their embassies and to rack off and not come back until they drop the pretence of innocence. In the case of Russia, these groups operate with official knowledge and approval and most are little more than offshoots of the intelligence services, who both work for the state and make money from crime. Handily reduces the GRU's salary bill.

    My son was telling me there are some notorious hackers in Russia whose names and addresses are known. The possibility of certain old-style responses springs to mind. We effectively have a one-sided cold war going on; time to make it two-sided again.


  • Registered Users Posts: 4,331 ✭✭✭Keyzer


    TomSweeney wrote: »
    Wow, that's a great story!!

    It would make a great documentary but I doubt Maersk would ever allow it to happen.


  • Registered Users Posts: 13,995 ✭✭✭✭Cuddlesworth


    I saw this up close and personal in a public body of similar size with the "Wannacry" virus in 2017.

    A user had opened up and run an attachment from an email that looked like an Eircom bill.

    The virus proceeded to encrypt any file it could on network shares that the user had open and left a text file ransom note in each subdirectory.

    Thankfully, the organisation were running nightly enterprise backups, so only a day's work was lost at worst.

    Weren't the HSE running any daily backups?

    It's new, so there isn't exactly a lot of info on it, and what's in the HSE is described as a variant. From what is available, Conti will first infect and spread. It does so via infecting files and maybe using a known SMBv1 vulnerability.

    Then it encrypts the files (fast) and transfers data outbound if it can.

    The issue with this is you can't restore backups unless you know those backups don't contain infected files. Which means you have to be sure that you can spot those files. Otherwise it will just start again.

    They are in the position where they can trust nothing and a single slip-up puts them back at step 1 again.

    Don't know anything about how the HSE network runs or how they manage shares, but from comments on this thread it seems to be organisation/location dependent with a managing body, so basically exactly how they operate medically. So a hospital in Thurles might have nothing happen to them because they had a well-run IT setup, but a hospital in Drogheda might have been hit hard because they were wide open to it.
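An added example of the "can you spot those files" problem raised above, not code from the thread or from any vendor: before trusting a backup snapshot as a restore point, compare it with the previous one and flag two things a normal working day does not produce, files whose content changed to near-random bytes with no compressed file type to explain it, and new files with identical content dropped into many directories at once (the per-directory note DublinWriter described earlier in the thread). The entropy and change-ratio thresholds, the paths and the file contents are constructed for the illustration; a real check would run over the backup catalogue rather than an in-memory dict.

```python
"""Sanity-check a backup snapshot before restoring from it (added example)."""
import hashlib
import math
import os
from collections import Counter, defaultdict

# Thresholds are assumptions for the example, not recommended values.
HIGH_ENTROPY_BITS = 7.5        # ciphertext sits close to 8 bits per byte
CHANGE_RATIO_THRESHOLD = 0.3   # share of files changed since the previous snapshot
MIN_NOTE_DIRECTORIES = 3       # identical new file appearing in this many directories
# File types that are legitimately high-entropy because they are already compressed.
COMPRESSED_EXTENSIONS = {".zip", ".gz", ".7z", ".pdf", ".jpg", ".png", ".mp4"}


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte: 0.0 for empty input, 8.0 for uniformly distributed bytes."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def assess_snapshot(previous: dict, current: dict) -> dict:
    """Compare two snapshots ({path: content}) and decide whether `current` looks like
    it captured a mass-encryption event rather than an ordinary day's changes."""
    high_entropy_changes = []
    new_files_by_digest = defaultdict(set)
    changed = 0
    for path, data in current.items():
        old = previous.get(path)
        if old == data:
            continue
        changed += 1
        if old is None:
            new_files_by_digest[hashlib.sha256(data).hexdigest()].add(os.path.dirname(path))
        ext = os.path.splitext(path)[1].lower()
        if ext not in COMPRESSED_EXTENSIONS and shannon_entropy(data) >= HIGH_ENTROPY_BITS:
            high_entropy_changes.append(path)

    # New files whose identical content turned up in many directories in one go.
    note_candidates = sorted(
        path for path, data in current.items()
        if path not in previous
        and len(new_files_by_digest[hashlib.sha256(data).hexdigest()]) >= MIN_NOTE_DIRECTORIES
    )
    change_ratio = changed / len(current) if current else 0.0
    suspect = (bool(high_entropy_changes) and change_ratio >= CHANGE_RATIO_THRESHOLD) \
        or bool(note_candidates)
    return {
        "changed": changed,
        "change_ratio": round(change_ratio, 3),
        "high_entropy_changes": sorted(high_entropy_changes),
        "note_candidates": note_candidates,
        "verdict": "suspect" if suspect else "plausible",
    }


# Constructed sample snapshots: a clean night and the night after an incident.
def _text(line: str) -> bytes:
    return (line + "\n").encode() * 20


SNAPSHOT_CLEAN = {
    "shares/radiology/report_001.txt": _text("Chest CT: no acute findings."),
    "shares/radiology/report_002.txt": _text("MRI brain: unremarkable."),
    "shares/finance/ledger_2021.csv": _text("date,amount,2021-05-01,120.00"),
    "shares/finance/payroll.csv": _text("name,grade,A. Example,7"),
    "shares/hr/handbook.pdf": bytes(range(256)) * 2,   # compressed content, legitimately high entropy
}
ENCRYPTED_BLOB = bytes(range(256)) * 4                 # stands in for ciphertext: entropy exactly 8.0
NOTE = b"CONSTRUCTED SAMPLE NOTE - placeholder text\n"
SNAPSHOT_AFTER = {p: ENCRYPTED_BLOB for p in SNAPSHOT_CLEAN if not p.endswith(".pdf")}
SNAPSHOT_AFTER["shares/hr/handbook.pdf"] = SNAPSHOT_CLEAN["shares/hr/handbook.pdf"]
for directory in ("shares/radiology", "shares/finance", "shares/hr"):
    SNAPSHOT_AFTER[f"{directory}/README.txt"] = NOTE

if __name__ == "__main__":
    for label, snap in (("clean", SNAPSHOT_CLEAN), ("after", SNAPSHOT_AFTER)):
        print(label, assess_snapshot(SNAPSHOT_CLEAN, snap))
```

Neither signal is proof on its own, which is why the verdict needs the entropy jump together with a large share of the share's files changing in one night, or the fan-out of identical new files; a snapshot that trips either is one you walk back from, which is exactly where a generational retention scheme earns its keep.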


  • Registered Users Posts: 2,004 ✭✭✭FileNotFound


    TomSweeney wrote: »
    Wow, that's a great story!!

    That's insane, maybe we should all learn from these.

    In fairness HSE should have looked at the 2017 NHS problem.


    That said, it's easy to blame, but when money is tight, I'm sure the choice between upgrading life-saving equipment or improved IT goes the life-saving route.

