
Ransomware & HSE


Comments

  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    All you have said to add to the constructive debate is "paying up in no way guarantees you will get your data back" and "disgruntled employees are going to press dodgy links anyway". Very constructive. No solutions offered.
    Bet you didn't know that there is software to stop ransomware being triggered even if disgruntled employees press the dodgy email links.
    Cost for install and maintenance across 20,000 odd devices?


  • Registered Users Posts: 4,194 ✭✭✭Corruptedmorals


    Thought the staff did an amazing job today when I was there considering what they have to cope with over the last few days.

    That's great! It really is nice while going through this that almost every patient is so understanding. We ring all patients coming in to advise there will be delays.

    There are a few patients who can't quite get it and keep demanding their child's position on the waiting list/last time they were seen/etc. Or 'I want to change my address'. 'I want to know what consultant I normally see'. 'I have an appointment in July and I want to change the time'. Although in fairness it is hard to comprehend how utterly in the dark we are. It took me 2 hours today and a phone call to the patient for clues to track down their chart for tomorrow.

    And we are genuinely lucky that we have a workaround through a closed system that allows us to see clinic lists with chart numbers and phone numbers. There was utter joy on Monday when we realised the fax machine is working. Bleak..


  • Registered Users Posts: 4,920 ✭✭✭10000maniacs


    kippy wrote: »
    Cost for install and maintenance across 20,000 odd devices?

    Well I would use €20 million to make a start on upgrading the system instead of coughing up that money to the hackers. They are going to have to do it anyway.


  • Registered Users Posts: 5,112 ✭✭✭Blowfish


    Blowfish wrote: »
    How do you know that the CISO/Head of Security is to blame? What if they've been jumping up and down yelling about the risk of ransomware all this time, but have been ignored or not given the budget to defend against it?

    This is the issue on this thread, there's an incredible amount of jumping to conclusions on what caused the breach, who is to blame and what the (overly simplistic) solutions are, despite us having next to no information about what actually happened or why.
    And just to show that I'm not blindly defending the HSE, here's a criticism that absolutely can be levied at them. Their IT policies are published here: https://www.hse.ie/eng/services/publications/pp/ict/

    The last update to most of them (including the InfoSec Policy) was 2014. Because of how quickly IT changes, these should all be reviewed at least annually. I'm hoping that they are actually being reviewed and published internally and it's just a lapse that they weren't put on the public portal. If not, it's inexcusable.


  • Registered Users Posts: 19,856 ✭✭✭✭Donald Trump


    On-thread IT experts hold your horses for a second. News just in.


    I just asked an international IT expert contact of mine for his opinion and advice and he asked whether they had tried turning it off and back on again yet?


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    Well I would use €20 million to make a start on upgrading the system instead of coughing up that money to the hackers. They are going to have to do it anyway.

    So what next? 20 mill is the starting point. How much do you think it costs to bin all machines not running an in support operating system?
    What about the software itself? How secure is it btw?


  • Registered Users Posts: 19,856 ✭✭✭✭Donald Trump


    kippy wrote: »
    So what next? 20 mill is the starting point. How much do you think it costs to bin all machines not running an in support operating system?




    They are going to need to do it anyway. Even if it costs a lot more to roll it out fast, they should prefer that over paying up. Assuming they can get back to a relatively recent restore point and rebuild the missing data.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    So you're suggesting to sack the head of IT Security without knowing if they are in any way responsible. Given that kind of knee jerk sacking, how many applicants will want to fill the role, do you think?

    As for a security assessment, how do you know one has not been done and all the measures possible within the finite budget available have been implemented?

    I don't know if they have one, which is why a few times I have mentioned on this thread I would hope they have one. If anyone has any questions they can point back to that, what it would cost to bring up to code and why it was blocked.

    They are Head of Security, responsible for Security. This is the biggest security breach in the history of Ireland.
    What would you do if HSE had a doctor that just kept killing people?


  • Registered Users Posts: 727 ✭✭✭C.O.Y.B.I.B


    Just looking through some old jobs I'd looked at in this area and I found this from 8th April 2020.
    "Information Security Manager Framework and Controls General Manager Office of the Chief Information Officer HSE"
    Means the person was likely only in the job less than a year. Also starting salary for the role was 71k


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    kippy wrote: »
    So what next? 20 mill is the starting point. How much do you think it costs to bin all machines not running an in support operating system?
    What about the software itself? How secure is it btw?

    They don't need to bin all those machines. They can limit those machines using segmentation, virtual patching etc. Plenty of options available and loads of companies who have solutions.
    You will find some of those systems cannot be replaced


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    They are going to need to do it anyway. Even if it costs a lot more to roll it out fast, they should prefer that over paying up. Assuming they can get back to a relatively recent restore point and rebuild the missing data.

    Will they need to do it anyway?

    Some would say that adding additional software to an endpoint isn't always the best thing to do from a security standpoint.


    The level of naivety on this thread is astounding. Although I doubt very much those that are displaying it have ever been involved in the types of decision making in IT infrastructure, budgets and policy that we are talking about here.
    Not absolving blame, just saying that things are never as straightforward as some would have you believe.


  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    ineedeuro wrote: »
    They are Head of Security, responsible for Security. This is the biggest security breach in the history of Ireland.
    What would you do if HSE had a doctor that just kept killing people?
    The Board are responsible for Security in every company. They don't get to outsource this responsibility to some other employee. There are very few companies out there who provide their Head of Security with everything that person might like.

    And 20 million - I'd say more like starting at 200 million, and heading towards a billion to make an impact.

    As for paying a ransom - you will need to rebuild everything. Are you really going to allow compromised systems go back onto a health network after paying millions to a bunch of what are clearly ruthless criminals? Of course not. And we're here talking about firing security people while discussing this completely stupid idea.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    ineedeuro wrote: »
    They don't need to bin all those machines. They can limit those machines using segmentation, virtual patching etc. Plenty of options available and loads of companies who have solutions.
    You will find some of those systems cannot be replaced
    I know this but the poster I am responding to has stated their opinion on out of support operating systems and I'd like them to continue with their budget building.


  • Registered Users Posts: 5,112 ✭✭✭Blowfish


    ineedeuro wrote: »
    I don't know if they have one, which is why a few times I have mentioned on this thread I would hope they have one. If anyone has any questions they can point back to that, what it would cost to bring up to code and why it was blocked.

    They are Head of Security, responsible for Security. This is the biggest security breach in the history of Ireland.
    What would you do if HSE had a doctor that just kept killing people?
    So, say the CFO of a company repeatedly warns the CEO and the board that the financial decisions they are making will make the company go bust. The company then goes bust. Is it the CFO's fault? Have they not done their job?


  • Posts: 5,917 ✭✭✭ [Deleted User]


    salonfire wrote: »
    I do actually.

    And I'm in a position to ask some very awkward questions if I wanted to to show me if code copied from stack overflow does not contravene copyright and licensing policies.

    Then you realise that the security issue faced by the HSE most likely doesn't have anything to do with anything on SO as nothing has indicated that the breach was caused by an in-house application.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Blowfish wrote: »
    So, say the CFO of a company repeatedly warns the CEO and the board that the financial decisions they are making will make the company go bust. The company then goes bust. Is it the CFO's fault? Have they not done their job?

    Yes it is the CFO's fault.
    Plus it is the CEO's and the board's fault.
    Any more crazy "what if's?" to make excuses for the incompetence of the HSE?


  • Registered Users Posts: 5,112 ✭✭✭Blowfish


    ineedeuro wrote: »
    They are Head of Security, responsible for Security. This is the biggest security breach in the history of Ireland.
    What would you do if HSE had a doctor that just kept killing people?
    It's interesting that you've accidentally used the correct word here. Let's go to our good old RACI tables:

    The Head of Security is responsible for security.

    The board are accountable for security.

    Both have roles, but we don't know where the failure here was.


  • Registered Users Posts: 1,575 ✭✭✭Hibernicis


    Blowfish wrote: »
    This is the issue on this thread, there's an incredible amount of jumping to conclusions on what caused the breach, who is to blame and what the (overly simplistic) solutions are, despite us having next to no information about what actually happened or why.

    This is so true. Very well said.


  • Registered Users Posts: 19,856 ✭✭✭✭Donald Trump


    kippy wrote: »
    Will they need to do it anyway?

    Some would say that adding additional software to an endpoint isn't always the best thing to do from a security standpoint.


    The level of naivety on this thread is astounding. Although I doubt very much those that are displaying it have ever been involved in the types of decision making in IT infrastructure, budgets and policy that we are talking about here.
    Not absolving blame, just saying that things are never as straightforward as some would have you believe.




    Well we might not have all the same extensive experience of these things as whatever is imagined in others' own heads, but it would be a fairly safe bet that such a large organisation would likely have systems still up and running that were out of support. They might not have been affected by this attack, but that doesn't mean that 20m wouldn't be useful to putting towards fixing that.



    I would not consider myself "IT" but I would have technical roles. I worked in a place where the OS had passed EOL support 4 years before it crashed and an entire day of data was lost. The main system running on top of it was years technically out of support, as was the DB for the back end, although the company had paid big to purchase extended service contracts. When it went down, in order to get it back up and running, emergency changes had to be made to production systems without any migrations through lower environments. The reason that it had gone so long is that from decision to actual deployment of an upgrade for that system for any sort of major upgrade was about 2 years. And a few had started but never been implemented.



    I don't get the point of coming on here to sneer at other posters in order to give self validation. It's an internet message board. Not even a technical one. It is likely that posters on here don't know as much as they think they know. They will know more than the average person on the street about their area. But that's really it.


  • Registered Users Posts: 552 ✭✭✭whodafunk


    Could the government roll out the old e voting machine...


  • Registered Users Posts: 585 ✭✭✭SC024


    hmmm wrote: »
    The Government should get the Russian ambassador in and demand to know what they are doing to prevent these types of attack.

    Not all attackers are from Russia, but most are, and they are becoming impossible to stop. They only need to find one small weakness, and the defenders have a million things to try and secure. Anyone who claims ransomware is easy - "just backup", "install patches", "use a firewall" - hasn't a clue how difficult this is.

    How do you propose to cajole said ambassador into telling the truth?


  • Registered Users Posts: 7,256 ✭✭✭plodder


    On-thread IT experts hold your horses for a second. News just in.


    I just asked an international IT expert contact of mine for his opinion and advice and he asked whether they had tried turning it off and back on again yet?
    Was that the expert on RTE Drivetime this evening who seemed to be sniggering through the whole interview, and whose advice was just pay the ransom if they can't sort the whole thing out in a couple of weeks?


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Blowfish wrote: »
    It's interesting that you've accidentally used the correct word here. Let's go to our good old RACI tables:

    The Head of Security is responsible for security.

    The board are accountable for security.

    Both have roles, but we don't know where the failure here was.

    Not sure why you are trying to be condescending when you have admitted yourself you have no idea what went on.
    I am entitled to my opinion, same as you are entitled to yours.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    Well we might not have all the same extensive experience of these things as whatever is imagined in others' own heads, but it would be a fairly safe bet that such a large organisation would likely have systems still up and running that were out of support. They might not have been affected by this attack, but that doesn't mean that 20m wouldn't be useful to putting towards fixing that.



    I would not consider myself "IT" but I would have technical roles. I worked in a place where the OS had passed EOL support 4 years before it crashed and an entire day of data was lost. The main system running on top of it was years technically out of support, as was the DB for the back end, although the company had paid big to purchase extended service contracts. When it went down, in order to get it back up and running, emergency changes had to be made to production systems without any migrations through lower environments. The reason that it had gone so long is that from decision to actual deployment of an upgrade for that system for any sort of major upgrade was about 2 years. And a few had started but never been implemented.



    I don't get the point of coming on here to sneer at other posters in order to give self validation. It's an internet message board. Not even a technical one. It is likely that posters on here don't know as much as they think they know. They will know more than the average person on the street about their area. But that's really it.
    Apologies about the perception of sneering at other posters - maybe that's what I am doing, but it isn't the intention.

    These things are never as black and white as they may appear on the outside - is pretty much the message I am trying to put across.


  • Registered Users Posts: 11,205 ✭✭✭✭hmmm


    SC024 wrote: »
    How do you propose to cajole said ambassador into telling the truth?
    You're not. You're making it clear to the Russian government that it is not costless for them to ignore these attackers working from their soil. You can't hope to stop these attacks as long as they are free to operate within Russia.


  • Registered Users Posts: 1,757 ✭✭✭Deliverance XXV


    It really doesn't matter a whole lot if the environment is full of Win 7 or fully patched Win 10 if the attacker is already in the network. The odds are very much stacked in favour of the attacker either way. If an attacker gets in and has a whole lot of time, they will get admin creds and from there can compromise the majority of the network.


  • Registered Users Posts: 5,914 ✭✭✭JDxtra


    It really doesn't matter a whole lot if the environment is full of Win 7 or fully patched Win 10 if the attacker is already in the network. The odds are very much stacked in favour of the attacker either way. If an attacker gets in and has a whole lot of time, they will get admin creds and from there can compromise the majority of the network.

    Yes, they had compromised user credentials and used these to spread around the Windows machines.


  • Registered Users Posts: 19,856 ✭✭✭✭Donald Trump


    kippy wrote: »
    Apologies about the perception of sneering at other posters - maybe that's what I am doing, but it isn't the intention.

    These things are never as black and white as they may appear on the outside - is pretty much the message I am trying to put across.


    Sorry. No worries. I might have taken you up wrong. I shouldn't have been a prick with my response.



    I'm not an IT person as I said. But I worked close enough with them in the past. So I would know a tiny little bit about some issues but only very shallow. When I'm talking on here, I presume I'm talking to other laymen and am happy if the odd expert corrects me.


  • Registered Users Posts: 4,928 ✭✭✭skimpydoo


    All I have seen on here is coulda, woulda, shoulda. Right now we don't know exactly what happened. So there is no point in appointing blame just yet. Speculating will get us nowhere. We should be thinking about getting the system back up and running as soon as it is safely possible. We should also be looking at making sure we can greatly lessen the chances of this happening as nothing is 100% secure.


  • Registered Users Posts: 3,337 ✭✭✭Wombatman


    JDxtra wrote: »
    Yes, they had compromised user credentials and used these to spread around the Windows machines.

    Source?

