
Ransomware & HSE


Comments

  • Moderators, Politics Moderators Posts: 39,893 Mod ✭✭✭✭Seth Brundle


    Gael23 wrote: »
    Is it though? The HSE have a duty of care to protect confidential patient information and left that vulnerable due to using obsolete IT systems
    Do you know that the attack was through obsolete IT systems?


  • Registered Users Posts: 1,575 ✭✭✭Hibernicis


    You would get in the company who originally carried out the installation to certify that the conversions were done correctly. Simples.

    OK I think I follow but I’d just like to make sure I fully understand. You’ve already told us:
    Personally I would write a kernel to emulate the drivers of the particular target whether it is XP, Vista or whatever.
    A friend of mine is a dentist and he ran his x-ray/photo/scanning software on XP up to 2020. He wanted my help to move to Windows 10. It took a bit of effort and coding but I helped him do it over two weekends.
    I am a software developer, and one of the most important aspects of the system software is to make it forward platform compatible. Win32 or Win64 does not lose functionality with newer versions. It just gains functionality. Make your software compatible with the lowest common denominator. But don't create any dependencies on third party drivers. Write all of the interfaces yourself and stick to Win32 compatibility for these interfaces. If you have to sacrifice graphics/speed in doing so, so be it.
    And then I would suggest
    1: Buy in new Windows 10 PCs.
    2: Analyse which drivers the old systems were using.
    3: Enumerate which drivers are still compatible with Windows 10 and which are not.
    4: Figure what the non compatible drivers were doing and emulate this functionality by either tweaking their config/registry settings or a driver rewrite (the hard part).

    So after you’ve finished writing kernels and emulators, “tweaking” config files and registry settings, writing all the interfaces yourself as well as rewriting drivers and generally putting in a bit of effort and coding, you pick up the phone and call the company who originally carried out the installation to certify that the conversions were done correctly? And they would happily do this. It’s really that simple, is it?

    No matter how well intentioned your suggestions are, and I don’t doubt that they are well intentioned, in any industry where validation, certification or regulation need to be taken seriously (e.g. scada in Pharma plants, LIMS and software controlling medical devices in hospitals, ATMs in the banking sector etc.) the last thing that anybody with any IT Governance knowledge would consider is any of the actions you set out above. Any one of these would raise immediate red flags as these are precisely the sort of well intentioned home grown solutions which create vulnerable weak spots, result in unpredictable outcomes, are utterly unmaintainable and can ultimately destabilise entire environments.

    The more you post the more you demonstrate that you really have no idea what you are talking about.


  • Registered Users Posts: 4,920 ✭✭✭10000maniacs


    Hibernicis wrote: »
    What on earth does a statement like that even mean? The receptionists, the cleaners, the janitor all trained on every aspect of enterprise cyber security ????

    Your response does nothing to directly answer the question you were asked - "what area of enterprise cyber security are you involved in ?". Indirectly your response answers the question very very clearly.

    Yes, anybody who uses a computer is trained on every aspect of cyber security. They do the course and are tested afterwards and need 80% to pass. They have to be certified on this every year or they don't use a computer.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    Going forward, it has to be done in the HSE. Simple as. They will be forced to do it if there is no initiative to do it off their own bat.

    So everyone in the HSE needs to be educated up to masters level in Security?


  • Registered Users Posts: 1,575 ✭✭✭Hibernicis


    If he wasn't out talking to the media then the numpties would be complaining that he is off hiding. He can't win :rolleyes:

    You beat me to it. I had exactly the same thought..... "nowhere to be seen....." "hiding behind the PR people's skirts....." "afraid to be held accountable...." etc etc.


  • Registered Users Posts: 4,920 ✭✭✭10000maniacs


    Hibernicis wrote: »
    OK I think I follow but I’d just like to make sure I fully understand. You’ve already told us:









    So after you’ve finished writing kernels and emulators, “tweaking” config files and registry settings, writing all the interfaces yourself as well as rewriting drivers and generally putting in a bit of effort and coding, you pick up the phone and call the company who originally carried out the installation to certify that the conversions were done correctly? And they would happily do this. It’s really that simple, is it?

    No matter how well intentioned your suggestions are, and I don’t doubt that they are well intentioned, in any industry where validation, certification or regulation need to be taken seriously (e.g. scada in Pharma plants, LIMS and software controlling medical devices in hospitals, ATMs in the banking sector etc.) the last thing that anybody with any IT Governance knowledge would consider is any of the actions you set out above. Any one of these would raise immediate red flags as these are precisely the sort of well intentioned home grown solutions which create vulnerable weak spots, result in unpredictable outcomes, are utterly unmaintainable and can ultimately destabilise entire environments.

    The more you post the more you demonstrate that you really have no idea what you are talking about.

    Retrospective fixing of stuff like this is difficult. That is how I would suggest people tackle it. But I am not in that position. So who knows.


  • Registered Users Posts: 1,575 ✭✭✭Hibernicis


    Yes, anybody who uses a computer is trained on every aspect of cyber security. They do the course and are tested afterwards and need 80% to pass. They have to be certified on this every year or they don't use a computer.

    One more time before we let it go:

    "what area of enterprise cyber security are you involved in ?"


  • Moderators, Politics Moderators Posts: 39,893 Mod ✭✭✭✭Seth Brundle


    ineedeuro wrote: »
    The HSE from day 1 has lied to the public, they have used RTE to run a PR campaign for them & the government.
    The finger is already pointing at everyone else. Even today going on about people suing so to change the topic of conversation.

    We will never be told the truth based on what has happened already. People need to stop making excuses and demand answers. Otherwise it will be swept under the carpet.
    What lies have been told?
    Who lied?
    Any sources to back up your allegations?


  • Registered Users Posts: 1,575 ✭✭✭Hibernicis


    Retrospective fixing of stuff like this is difficult. That is how I would suggest people tackle it. But I am not in that position. So who knows.

    After dozens of posts in this thread I think we are finally getting clarity on your competence in this area.


  • Moderators, Politics Moderators Posts: 39,893 Mod ✭✭✭✭Seth Brundle


    No it's actually true.
    GDPR rules insist that systems must uphold customers data based on the three core principles, Integrity, Confidentiality and Availability.
    They need to go back to the drawing board and get the most up to date hardware and OS software they can. Then bullet-proof it. Then pay off all the inevitable law suits and fines for what has happened.
    You have no idea.
    For someone who claims to work for an IT company, I can't help thinking that you're the transition year student doing some work experience for a few weeks. I also doubt that I'm the only one who thinks that given what you've posted here recently.
    :rolleyes:


  • Registered Users Posts: 43,028 ✭✭✭✭SEPT 23 1989


    Monday is deadline day


  • Registered Users Posts: 4,920 ✭✭✭10000maniacs


    kippy wrote: »
    So everyone in the HSE needs to be educated up to masters level in Security?
    :confused:
    No, the course is to enable them to do the right things with applications on their computer.
    You don't need to know how Excel was written to be able to use it safely. ;)


  • Registered Users Posts: 7,689 ✭✭✭whippet


    :confused:
    No, the course is to enable them to do the right things with applications on their computer.
    You don't need to know how Excel was written to be able to use it safely. ;)

    And only need 80% to pass - so leaving 20% is alright then?

    The more you post the more it is obvious that you have some knowledge but nothing equating to any level of understanding to get your head around the issues in the HSE and the appropriate responses


  • Registered Users Posts: 4,920 ✭✭✭10000maniacs


    You have no idea.
    For someone who claims to work for an IT company, I can't help thinking that you're the transition year student doing some work experience for a few weeks. I also doubt that I'm the only one who thinks that given what you've posted here recently.
    :rolleyes:
    You quoted my GDPR post, so, in Tuesday's Examiner it even mentions the issues they could be facing.
    https://www.irishexaminer.com/news/arid-40292597.html


  • Registered Users Posts: 21,055 ✭✭✭✭Ash.J.Williams


    The fundamental rule number one in my organization is every employee who uses a computer is involved in enterprise cyber security and is trained to do the right thing.
    Everybody is trained on every aspect of enterprise cyber security.
    = First failsafe.
    Second failsafe is every executable or script that is run on our servers is gridlocked using specialized security software and is not run if it is not recognised. You cannot run or install ANYTHING from the web or disc.
    Discs, floppies and USBs are disabled.
    The software that we use is obtained solely from the organization's software repository.
    The entire drive on every computer is encrypted. etc...etc.

    Is your network segregated? Have you isolated your file storage from the internet? Have you disabled protocols such as smb1 where possible? Have you got rid of the administrator account in favour of temp accounts that stop after a few hours?


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    :confused:
    No, the course is to enable them to do the right things with applications on their computer.
    You don't need to know how Excel was written to be able to use it safely. ;)

    This is what you said:
    "Everybody is trained on every aspect of enterprise cyber security."
    Your definition of "Every aspect of enterprise cyber security" differs a lot from my own if that is the case.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    What lies have been told?
    Who lied?
    Any sources to back up your allegations?

    Zero day attack. Yet the Department of Health was able to stop it. Funny zero day attack? It never was and never will be a Zero Day attack.
    HSE Chief Operations Officer Anne O'Connor said the HSE was alerted to the attack at 4am and she described it as a "zero-day threat with a brand new variant of the Conti ransomware".


    If this was true you would have companies all over the World with the same issue. Strange it is just the HSE and even an organisation in the same country can stop it.

    Also RTE and HSE ran a campaign saying they done everything right in turning off everything. This is not true. Once you shut everything down how do you know what is infected and what isn't?

    “In shutting everything down, it would appear HSE were unable to confidently isolate the problem by switching off just part of the network or even just quarantining the problematic IT assets out of the network,” suggested Amit Serper, associate vice-president of security research at Guardicore Labs.

    That's just a start.


  • Registered Users Posts: 3,319 ✭✭✭davo2001


    Yes, anybody who uses a computer is trained on every aspect of cyber security.

    That's one overly qualified janitor so. Do they get a CompTIA Security+ / CISSP / CISM / CCSP for completing every aspect of cyber security?


  • Registered Users Posts: 4,920 ✭✭✭10000maniacs


    Is your network segregated? Have you isolated your file storage from the internet? Have you disabled protocols such as smb1 where possible? Have you got rid of the administrator account in favour of temp accounts that stop after a few hours?
    Yes, Yes yes and yes.


  • Moderators, Politics Moderators Posts: 39,893 Mod ✭✭✭✭Seth Brundle


    Yes, anybody who uses a computer is trained on every aspect of cyber security. They do the course and are tested afterwards and need 80% to pass. They have to be certified on this every year or they don't use a computer.
    ok so how long will it take to implement this training programme across the board?

    As an IT consultant in a former life, I worked with many HSE staff who had next to no computer skills.
    Maybe 10 or 12 years ago I was trying to remote onto a users PC via Webex to get her to zip and email some files but as she was still on dial up it wouldn't connect. In the end I tried talking her through the process (right click on the folder, choose send to and so on).
    Anyhow after about 10 minutes of it not working and me getting more and more exasperated, I asked her to explain what steps exactly she was doing and she told me that she was typing it. I said "typing what?"
    She said "I'm typing what you told me - I'm writing click" :rolleyes:
    This user apparently still works in the HSE and I've been led to believe is still clueless about using computers.

    Now, I'm sure everyone has an anecdote from within the HSE but the reality is that she should not have been near a PC. However, nobody had trained her either. This is a long standing culture in many state run organisations due to budget constraints. What you are proposing needs to be done right across the board, in all departments and state bodies so that people meet a minimum standard.
    However, that minimum standard will need to be defined and agreed. Unions (like it or not) will need to be on board and you can assume there will be some opposition. Budgets will need to be made available. Trainers will need to be recruited. In order to ensure that people meet a minimum standard, some form of exam or test will be required. This will be a long drawn out process to rollout.

    However (and I'm not in IT Security) I would imagine it would have little impact on ensuring whether or not the systems going forwards are vulnerable or not to an orchestrated attack.


  • Registered Users Posts: 935 ✭✭✭giles lynchwood


    Gael23 wrote: »
    Is it though? The HSE have a duty of care to protect confidential patient information and left that vulnerable due to using obsolete IT systems


    100% agree with you it's about time civil servants are held accountable for their shortcomings. Successive governments have buried their heads in the sand for way too long.


  • Registered Users Posts: 4,920 ✭✭✭10000maniacs


    davo2001 wrote: »
    That's one overly qualified janitor so. Do they get a CompTIA Security+ / CISSP / CISM / CCSP for completing every aspect of cyber security?

    None of the janitors or cleaners we employ use a company computer. They are contracted people who manage their own affairs with their own companies.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    None of the janitors or cleaners we employ use a company computer. They are contracted people who manage their own affairs with their own companies.

    Surely they need to be aware of aspects of physical security, identity theft and your company's physical access policies.


  • Registered Users Posts: 4,920 ✭✭✭10000maniacs


    kippy wrote: »
    Surely they need to be aware of aspects of physical security, identity theft and your company's physical access policies.

    That's HR's department, and I am not in HR. I don't know how janitors are dealt with, although I am aware of their presence. They come in to clean after most people have left the office.


  • Registered Users Posts: 7,256 ✭✭✭plodder


    ineedeuro wrote: »
    Zero day attack. Yet the Department of Health was able to stop it. Funny zero day attack? It never was and never will be a Zero Day attack.
    HSE Chief Operations Officer Anne O'Connor said the HSE was alerted to the attack at 4am and she described it as a "zero-day threat with a brand new variant of the Conti ransomware".
    I thought that was a strange thing to say as well. It implies that they were protected against previous variants of Conti ransomware because the whole deal with zero-day attacks is that nobody has ever seen them before.


  • Registered Users Posts: 4,935 ✭✭✭fly_agaric


    kippy wrote: »
    This is what you said:
    "Everybody is trained on every aspect of enterprise cyber security."
    Your definition of "Every aspect of enterprise cyber security" differs a lot from my own if that is the case.

    Or it's a small IT company where it is possible that everyone on the staff can be fairly "expert" (compared to man in the street) as regards such issues.

    In other words, it is not a public health service with 10s of ks of employees of varying IT skills, many of whom have a lot of other more important shít to be learning/keeping up to date with & or worrying about apart from becoming "expert" on cybersecurity.

    Great for that poster (and wherever he works etc.), but it is not really transferable/applicable to HSE.


  • Registered Users Posts: 8,211 ✭✭✭realdanbreen


    Rezident wrote: »
    Has the Irish Government approached the Russian Embassy yet?

    Russian Embassy
    184 - 186 Orwell Road
    Rathgar
    Dublin 14

    Anyone on for a peaceful protest?

    So, I'm here, where's everybody?:mad:


  • Registered Users Posts: 1,575 ✭✭✭Hibernicis


    None of the janitors or cleaners we employ use a company computer. They are contracted people who manage their own affairs with their own companies.

    Maybe you should consider it. A peer of mine dealt with a major incident in an American Multinational a few years ago. The extensive root cause analysis led them all the way back to a contract cleaner who was making unauthorised late night use of a computer to contact home (a continent or two away) using misappropriated credentials and who innocently downloaded some photos and videos, one of which contained a payload. The consequences were very significant and the cost of remediation and hushing it up to prevent extensive reputational damage was enormous. It shouldn't have happened, but it did - human error/fallibility is one of those intervening variables that brings the best of plans tumbling down. So it might be no harm to extend your training to include contractors etc.

    Anyway, for the record I note that you have failed to answer the question you were asked on numerous occasions as to your expertise in cyber security.


  • Registered Users Posts: 4,920 ✭✭✭10000maniacs


    Hibernicis wrote: »
    Maybe you should consider it. A peer of mine dealt with a major incident in an American Multinational a few years ago. The extensive root cause analysis led them all the way back to a contract cleaner who was making unauthorised late night use of a computer to contact home (a continent or two away) using misappropriated credentials and who innocently downloaded some photos and videos, one of which contained a payload. The consequences were very significant and the cost of remediation and hushing it up to prevent extensive reputational damage was enormous. It shouldn't have happened, but it did - human error/fallibility is one of those intervening variables that brings the best of plans tumbling down. So it might be no harm to extend your training to include contractors etc.

    Anyway, for the record I note that you have failed to answer the question you were asked on numerous occasions as to your expertise in cyber security.

    I have no problem with that. But good point before that.


  • Posts: 11,614 ✭✭✭✭ [Deleted User]


    ineedeuro wrote: »
    Zero day attack. Yet the Department of Health was able to stop it. Funny zero day attack? It never was and never will be a Zero Day attack.
    HSE Chief Operations Officer Anne O'Connor said the HSE was alerted to the attack at 4am and she described it as a "zero-day threat with a brand new variant of the Conti ransomware".


    If this was true you would have companies all over the World with the same issue. Strange it is just the HSE and even an organisation in the same country can stop it.

    Also RTE and HSE ran a campaign saying they done everything right in turning off everything. This is not true. Once you shut everything down how do you know what is infected and what isn't?

    “In shutting everything down, it would appear HSE were unable to confidently isolate the problem by switching off just part of the network or even just quarantining the problematic IT assets out of the network,” suggested Amit Serper, associate vice-president of security research at Guardicore Labs.

    That's just a start.

    Speaking as someone who has written Incident Response plans, turning everything off was the correct decision. The HSE's response has been excellent so far. Having a process in place when you can shut down 80,000 computers at 4am in the morning is exemplary.

    The HSE consulted with FireEye whose primary job is focusing on zero days and they confirmed it was a zero day.
    If this was true you would have companies all over the World with the same issue. Strange it is just the HSE and even an organisation in the same country can stop it.

    Not if it was a targeted attack. This isn't a worm, this is a human-triggered attack.

