
Ransomware & HSE


Comments

  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    ineedeuro wrote: »
    Doesn’t matter what version of Windows they have if they don’t patch

    If only life were as simple.
    You are obsessed with this angle.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    kippy wrote: »
    If only life were as simple.
    You are obsessed with this angle.

    Do you think I’m wrong?


  • Registered Users Posts: 3,337 ✭✭✭Wombatman


    ineedeuro wrote: »
    Do you think I’m wrong?

    Yes. Even if the systems were up to date with the latest patches, that wouldn't stop a skilled intruder with phished credentials wreaking havoc.


  • Registered Users Posts: 1,664 ✭✭✭notAMember


    It’s layered like any security.
    Have intact Walls, lock the doors, install an alarm, don’t share the code, security cameras, monitor them.

    For IT
    Lifecycle maintenance (Recent versions and Patching up to date )
    Segregation of networks
    Permissions locked down
    Intrusion detection
    Etc

    It’s not one thing.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Wombatman wrote: »
    Yes. Even if the systems were up to date with the latest patches, that wouldn't stop a skilled intruder with phished credentials wreaking havoc.

    I responded to a poster who said that with an open cheque book the HSE should do a Win10 upgrade. As I posted, even if they upgrade to Win10, if they don’t patch it’s pointless. The very basics of security are to patch your environment.

    If you have your environment up to date with patches for vulnerabilities and a decent setup (EDR, SOC, etc.), yes, you can stop them, and if not stop them, limit exposure.

    Saying you can't stop a hacker is rubbish; companies do it every day of the week.


  • Registered Users Posts: 81,220 ✭✭✭✭biko


    Not strictly on topic but this is the physical security at a datacentre



  • Banned (with Prison Access) Posts: 13 alrightjack89


    ineedeuro wrote: »
    Do you think I’m wrong?

    With zero-day exploits no system is safe.

    Many hacking groups, and I'm guessing many countries' intelligence teams, will have exploits that are not known and might never be known to Microsoft to access the OS.

    Cyber security is like drug testing in sports: a farce and always behind.

    By the time Microsoft fix the exploit through an update (notice we have updates way more regularly now than before), a new exploit will have been uncovered, as thousands of intelligence teams work through the latest update as it comes out to find holes in it.

    It's going to get worse, not better.


  • Registered Users Posts: 2,042 ✭✭✭Carfacemandog


    Van.Bosch wrote: »
    Where are we at now in terms of HSE systems back up and running? Is it 50%? Do we just work through it but by bit or is there some issues which can’t be resolved?

    HSE emails back up and running in the last 24hrs, apparently.


  • Registered Users Posts: 12,262 ✭✭✭✭Flinty997


    alrightjack89 wrote: »
    With zero-day exploits no system is safe.

    Many hacking groups, and I'm guessing many countries' intelligence teams, will have exploits that are not known and might never be known to Microsoft to access the OS.

    Cyber security is like drug testing in sports: a farce and always behind.

    By the time Microsoft fix the exploit through an update (notice we have updates way more regularly now than before), a new exploit will have been uncovered, as thousands of intelligence teams work through the latest update as it comes out to find holes in it.

    It's going to get worse, not better.

    I'm not sure people get this.

    I wonder how many people here have their own personal files backed up and air gapped.


  • Registered Users Posts: 81,220 ✭✭✭✭biko


    Flinty997 wrote: »
    I'm not sure people get this.

    I wonder how many people here have their own personal files backed up and air gapped.
    Almost no one.
    Most people don't even understand what airgapped really means. Even for techy people it's losing its original meaning.


  • Registered Users Posts: 2,426 ✭✭✭ressem


    Flinty997 wrote: »
    Not been my experience.
    Even after migrating to the cloud.

    An increasing pattern I see is IT being left out of the loop and then the business goes outsourcing. They run into problems with the outsourced solution, then come back to IT looking for help, who can't because they aren't involved.

    I've actually walked into meetings and been asked why a project is months behind schedule, only to then realise they never involved anyone in IT.

    Yep, and data being placed on different clouds by different departments, with no secure method to keep the data and permissions managed and synchronised.
    So junior IT staff are expected to hand-craft synchronisation between cloud platforms that seem designed to dissuade data compatibility, with rapid alterations. These organisations might not have someone at a level that can tell the other leaders that it's guaranteed to fail.

    Facilities is especially a problem. Stuff like Hikvision CCTV and Panasonic phone systems; only lip service is given to security when contrasted to other platforms (despite all the phone phreaking books written since the 80s).
    Anything with IE6, Java or Flash dependencies should go in the bin. Paid install companies that will not install patches unless yelled at, using common superadmin passwords between companies (a slightly altered version of their company name).
    But many of the replacement cloudy services are barely less indifferent or unaware. DPD's "cloud" delivery label printing solution, which requires a local app opening port 5001, needs a locked-down PC of its own.

    And as for all the other cloud services that employees put on their private phones, alongside their work email and contacts.
    Such as locations of NATO nuclear weapons being placed on publicly shared flash card cloud apps by trainees reportedly.
    https://www.voanews.com/usa/nuclear-flash-cards-us-secrets-exposed-learning-apps


  • Registered Users Posts: 2,819 ✭✭✭Silent Running


    biko wrote: »
    Almost no one.
    Most people don't even understand what airgapped really means. Even for techy people it's losing its original meaning.

    I'm not involved in info security in any way. I have my laptop as secure as I can get it. I have all of my important files off the laptop and only plug in the external SSD when I need access to the files. I have two drives with the same files on both, and I back up to both of them regularly. If the files are really sensitive, I disconnect from the internet before I access them.

    Storage is cheap as chips now, so anyone not doing this is leaving themselves wide open. Even a crash of their onboard storage could/would lose a lot of their important stuff.

    All that said, I've been on the internet since the early nineties (worked in the industry) and I'm completely paranoid about cyber security. I've passed this on to my kids too. All adults now, and passing it on to their kids.
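The offline-backup routine Silent Running and Flinty997 describe above (two external drives, plugged in only when needed), as an added example in Python that is not from the thread: it copies a folder onto each drive as a dated snapshot, records a SHA-256 manifest at copy time, and later verifies a copy against that manifest, so a drive that has been silently encrypted or tampered with is noticed before it is relied on for a restore. The paths, sample files and the "tampered second drive" scenario in `demo()` are constructed placeholders.

```python
"""Added example (not from the thread): dated snapshot to two offline drives
plus SHA-256 manifest verification. All paths and sample files are constructed."""
from __future__ import annotations

import hashlib
import json
import shutil
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream the file through SHA-256 so large files need not fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: Path) -> dict[str, str]:
    """Map every file below root (POSIX-style relative path) to its digest."""
    return {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }


def snapshot(src: Path, drive: Path, label: str) -> dict[str, str]:
    """Copy src to drive/label and write drive/label.manifest.json.

    copytree refuses to overwrite, so an older snapshot on the drive is never
    clobbered by a run made after the source itself has been encrypted.
    The manifest is also returned: keep a copy off this drive (e.g. on the
    other drive), since a manifest living next to the data can be rewritten
    together with it.
    """
    manifest = build_manifest(src)
    shutil.copytree(src, drive / label)
    (drive / f"{label}.manifest.json").write_text(json.dumps(manifest, indent=1, sort_keys=True))
    return manifest


def verify(copy: Path, manifest: dict[str, str]) -> list[str]:
    """Return a sorted list of problems; an empty list means the copy matches."""
    actual = build_manifest(copy)
    problems = [f"missing: {rel}" for rel in manifest if rel not in actual]
    problems += [f"modified: {rel}" for rel, digest in manifest.items()
                 if rel in actual and actual[rel] != digest]
    problems += [f"unexpected: {rel}" for rel in actual if rel not in manifest]
    return sorted(problems)


def demo() -> tuple[list[str], list[str]]:
    """Constructed scenario: snapshot to two drives, then simulate ransomware on drive2."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        src = base / "documents"
        (src / "photos").mkdir(parents=True)
        (src / "notes.txt").write_text("tax return 2020\n")
        (src / "photos" / "holiday.jpg").write_bytes(b"\xff\xd8\xff" + b"\x00" * 64)

        drive1, drive2 = base / "drive1", base / "drive2"
        drive1.mkdir()
        drive2.mkdir()
        label = "2021-05-20"
        manifest = snapshot(src, drive1, label)
        snapshot(src, drive2, label)

        # Simulated ransomware on the second drive: one file overwritten, one ransom note dropped.
        (drive2 / label / "notes.txt").write_bytes(b"\x00encrypted\x00")
        (drive2 / label / "README_DECRYPT.txt").write_text("pay up\n")

        return verify(drive1 / label, manifest), verify(drive2 / label, manifest)


if __name__ == "__main__":
    good, bad = demo()
    print("drive1:", good or "OK")
    print("drive2:", bad or "OK")
```

Run `verify` against a manifest held on the other drive, not the one being checked: if both the data and its manifest sit on the drive that was plugged in during an infection, an attacker who rewrites both leaves nothing to compare against.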


  • Registered Users Posts: 2,426 ✭✭✭ressem


    deandean wrote: »
    With the press reporting that this could cost the HSE up to €100m to rectify, I wonder if they taking the opportunity, and the blank cheque they no doubt have, to upgrade to Windows 10?

    Hmm. That's missing a lot.
    This May 2021 is the last month of free support for Windows 10 1909 Pro (Nov 2019),
    after which it is in a similar situation to Windows 7 for new security flaws, unless paying extra for Enterprise or a different LTSC version.

    So... Windows 10 2004 and higher is a minimum if you don't want to fall into the same situation.

    The version that Microsoft said was finally safe for enterprise deployment in February 2021. And the enterprise 1909 goes out of service in May 2022. A whole 15 months of enterprise stability. December 2022 for Enterprise 2004.

    (And if you have an inconvenient sound device on your motherboard, then a lock may have been placed upon installing the feature update. Only took a year to remove the lock.
    https://docs.microsoft.com/en-us/windows/release-health/status-windows-10-2004)
    Errors or issues during or after updating devices with certain Conexant audio drivers. Windows 10 devices with affected Conexant or Synaptics audio drivers might receive a stop error with a blue screen during or after updating to Windows 10, version 2004.
    Resolved: 2021-05-07, 13:29 PT Opened: 2020-05-27, 00:20 PT


  • Banned (with Prison Access) Posts: 13 alrightjack89


    ressem wrote: »
    Hmm. That's missing a lot.
    This May 2021 is the last month of free support for Windows 10 1909 Pro (Nov 2019),
    after which it is in a similar situation to Windows 7 for new security flaws, unless paying extra for Enterprise or a different LTSC version.

    So... Windows 10 2004 and higher is a minimum if you don't want to fall into the same situation.

    The version that Microsoft said was finally safe for enterprise deployment in February 2021. And the enterprise 1909 goes out of service in May 2022. A whole 15 months of enterprise stability. December 2022 for Enterprise 2004.

    (And if you have an inconvenient sound device on your motherboard, then a lock may have been placed upon installing the feature update. Only took a year to remove the lock.

    Errors or issues during or after updating devices with certain Conexant audio drivers. Windows 10 devices with affected Conexant or Synaptics audio drivers might receive a stop error with a blue screen during or after updating to Windows 10, version 2004.
    Resolved: 2021-05-07, 13:29 PT Opened: 2020-05-27, 00:20 PT

    What a horrible job it would be to get the public sector machines all imaged to Windows 10 20H2 and continually patched from there on in. Even the logistics alone of getting it done would be a nightmare, never mind that every Windows update breaks many things; the testing that would have to go into that project would be insane. Even something simple like printing is a nightmare: how many different printer models would the HSE/PS have, lol.

    Wouldn't take on that project management role for all the money in the world; they are too far gone and far too big now. Nightmare situation.


  • Banned (with Prison Access) Posts: 13 alrightjack89


    Flinty997 wrote: »
    I'm not sure people get this.

    I wonder how many people here have their own personal files backed up and air gaped.

    I would say very few; it's hard to get users to use OneDrive lol, and the only thing that gets air gapped now is crypto coins onto a USB :). External off-network storage just isn't a thing anymore; everything is connected all the time. At least hacking intelligence teams before had to put the work in to get your data and access your network; now it seems ridiculously easy.

    The multinational I work for recently got hacked and had to pay a few million to get access back, and had everyone in the company change AD passwords and MFA-authenticate within 24hrs. It seems incredibly common now and it's not open knowledge; it's never confirmed and talked about. If we knew how common it was, it would scare the bejesus out of us. Before, a password would be enough; now it's MFA with hard and soft tokens you store somewhere safe; next it will be a blood or urine sample lol, as even retinal with hard tokens is being broken. Honestly it's scary where it's going.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    alrightjack89 wrote: »
    What a horrible job it would be to get the public sector machines all imaged to Windows 10 20H2 and continually patched from there on in. Even the logistics alone of getting it done would be a nightmare, never mind that every Windows update breaks many things; the testing that would have to go into that project would be insane. Even something simple like printing is a nightmare: how many different printer models would the HSE/PS have, lol.

    Wouldn't take on that project management role for all the money in the world; they are too far gone and far too big now. Nightmare situation.

    You move to risk-based patching: patch what the hackers are using to gain entry.

    If you google the 10 security projects Gartner recommends for 2020/2021.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    alrightjack89 wrote: »
    What a horrible job it would be to get the public sector machines all imaged to Windows 10 20H2 and continually patched from there on in. Even the logistics alone of getting it done would be a nightmare, never mind that every Windows update breaks many things; the testing that would have to go into that project would be insane. Even something simple like printing is a nightmare: how many different printer models would the HSE/PS have, lol.

    Wouldn't take on that project management role for all the money in the world; they are too far gone and far too big now. Nightmare situation.
    Many people don't understand the very complexities you have outlined there and never will, which is fine; there are lots of things outside of tech (and plenty in tech) that I don't understand.
    The HSE is not a straightforward organisation from many angles. The vast changes that happen every few years when it comes to mergers, new hospitals, old systems, new systems, and the vastness of the software and staffing make it an absolute nightmare to manage.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    ineedeuro wrote: »
    You move to risk-based patching: patch what the hackers are using to gain entry.

    If you google the 10 security projects Gartner recommends for 2020/2021.

    You do understand 'risk' is analysed from more than just one angle.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    kippy wrote: »
    You do understand 'risk' is analysed from more than just one angle.

    No, Please tell me more!


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    ineedeuro wrote: »
    No, Please tell me more!
    No point tbh
    Do a bit of reading up on analysing risk. It'll help.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    kippy wrote: »
    No point tbh
    Do a bit of reading up on analysing risk. It'll help.

    I already did the reading; I mentioned it in a post.

    https://www.gartner.com/smarterwithgartner/gartner-top-security-projects-for-2020-2021/

    No. 2: Risk-based vulnerability management
    Don’t try to patch everything; focus on vulnerabilities that are actually exploitable. Go beyond a bulk assessment of threats and use threat intelligence, attacker activity and internal asset criticality to provide a better view of real organizational risk.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    ineedeuro wrote: »
    I already did the reading; I mentioned it in a post.

    https://www.gartner.com/smarterwithgartner/gartner-top-security-projects-for-2020-2021/

    No. 2: Risk-based vulnerability management
    Don’t try to patch everything; focus on vulnerabilities that are actually exploitable. Go beyond a bulk assessment of threats and use threat intelligence, attacker activity and internal asset criticality to provide a better view of real organizational risk.
    Gartner are great - but as with a lot of theory - putting it into practice is not as easily done.

    Lets break this out a bit.
    What is the acceptable lag between Microsoft releasing a security-related patch for Windows 10 and the verified installation of that patch on ALL devices running Windows 10 in an organisation?
    Say Microsoft release a patch tomorrow: when should that be on all devices?


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    kippy wrote: »
    Lets break this out a bit.
    What is the acceptable lag between Microsoft releasing a security-related patch for Windows 10 and the verified installation of that patch on ALL devices running Windows 10 in an organisation?

    Do a bit of reading up on risk based vulnerability management ....
    kippy wrote: »
    Gartner are great - but as with a lot of theory - putting it into practice is not as easily done.

    So you know more than Gartner now?


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    ineedeuro wrote: »
    Do a bit of reading up on risk based vulnerability patching....

    Let's say there is a piece of malware already available on the darknet that can install a back door on machines without this patch installed, in certain situations.
    So it's a fairly high risk not to install this, from that perspective.
    What's the timeline...

    Did I say I know more than Gartner?


  • Registered Users Posts: 827 ✭✭✭HalfAndHalf


    kippy wrote: »
    Let's say there is a piece of malware already available on the darknet that can install a back door on machines without this patch installed, in certain situations.
    So it's a fairly high risk not to install this, from that perspective.
    What's the timeline...

    Did I say I know more than Gartner?

    It’s all a bit irrelevant discussing patch speed when Microsoft give themselves 90 days from exploit notification to patch release. That’s 3 months of free rein while you’re waiting on a fix.


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    HalfAndHalf wrote: »
    It’s all a bit irrelevant discussing patch speed when Microsoft give themselves 90 days from exploit notification to patch release. That’s 3 months of free rein while you’re waiting on a fix.

    I know this, some people don't.
    But it's nice to tease these things out.

    I would like to get to the point though where the poster might give their timeline around how long it should take from Microsoft releasing a "critical" to having it verifiably installed on all impacted devices in an organisation.
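The Gartner "risk-based vulnerability management" item ineedeuro quotes above and kippy's question about the acceptable lag between a Microsoft release and verified installation are two halves of one workflow, so here is a single added example in Python that joins them. It is not from the thread, not Gartner's, and not the HSE's process: each finding is scored from CVSS, exploitation evidence, exposure and asset criticality; the score maps to a tier; the tier sets a remediation deadline counted from the fix release date; hosts still unpatched past that deadline are flagged. The weights, tier thresholds and SLA days are assumptions for illustration, as are the vulnerability and asset records in `demo()`; the IDs are placeholders, not real CVEs.

```python
"""Added example (not from the thread): risk-based vulnerability prioritisation
with per-tier remediation deadlines. Weights, thresholds, SLAs and all records
are constructed assumptions for illustration."""
from __future__ import annotations

from dataclasses import dataclass
from datetime import date, timedelta


@dataclass(frozen=True)
class Vuln:
    vuln_id: str              # placeholder identifier, not a real CVE
    cvss: float               # base score, 0-10
    exploited_in_wild: bool   # threat intel reports active use in attacks
    exploit_public: bool      # a working exploit or PoC is publicly available
    released: date            # date the vendor fix became available


@dataclass(frozen=True)
class Asset:
    name: str
    criticality: int          # 1 (lobby kiosk) .. 5 (domain controller, clinical system)
    internet_facing: bool


# Assumed SLA: days from fix release to verified installation, by tier.
SLA_DAYS = {"P1": 2, "P2": 7, "P3": 30, "P4": 90}


def risk_score(v: Vuln, a: Asset) -> float:
    """Additive model: CVSS plus evidence of exploitation, exposure and asset value."""
    score = v.cvss
    if v.exploited_in_wild:
        score += 3.0              # active exploitation outweighs everything else
    elif v.exploit_public:
        score += 1.5
    if a.internet_facing:
        score += 1.0
    score += a.criticality - 3    # -2 .. +2 around a mid-criticality asset
    return round(score, 2)


def tier(score: float) -> str:
    if score >= 12:
        return "P1"
    if score >= 9:
        return "P2"
    if score >= 6:
        return "P3"
    return "P4"


def plan(findings: list[tuple[Vuln, Asset, bool]], today: date) -> list[dict]:
    """Rank findings and flag those past their deadline and still unpatched."""
    rows = []
    for v, a, patched in findings:
        s = risk_score(v, a)
        t = tier(s)
        due = v.released + timedelta(days=SLA_DAYS[t])
        rows.append({"vuln": v.vuln_id, "asset": a.name, "score": s, "tier": t,
                     "due": due, "patched": patched,
                     "overdue": (not patched) and today > due})
    return sorted(rows, key=lambda r: (-r["score"], r["due"], r["asset"]))


def demo() -> list[dict]:
    """Constructed findings, evaluated ten days after a fix release."""
    fix_day = date(2021, 5, 11)
    rce = Vuln("VULN-A", 9.8, exploited_in_wild=True, exploit_public=True, released=fix_day)
    smb = Vuln("VULN-B", 7.5, exploited_in_wild=False, exploit_public=True, released=fix_day)
    info = Vuln("VULN-C", 5.3, exploited_in_wild=False, exploit_public=False, released=fix_day)

    dc = Asset("dc01", criticality=5, internet_facing=False)
    vpn = Asset("vpn-gw", criticality=4, internet_facing=True)
    files = Asset("fs02", criticality=3, internet_facing=False)
    kiosk = Asset("lobby-kiosk", criticality=1, internet_facing=False)

    findings = [(rce, dc, False), (rce, vpn, True), (smb, files, True), (info, kiosk, False)]
    return plan(findings, today=fix_day + timedelta(days=10))


if __name__ == "__main__":
    for r in demo():
        state = "OVERDUE" if r["overdue"] else ("patched" if r["patched"] else "in SLA")
        print(f"{r['tier']} {r['score']:>5} {r['vuln']} on {r['asset']:<12} due {r['due']} {state}")
```

The answer to "when should it be on all devices" then comes out of the data rather than as one number: the actively exploited bug on the domain controller is two days, the same bug on a patched VPN gateway is closed, and the low-severity finding on a kiosk can wait ninety days. In practice the "patched" flag must come from a verified inventory (the patch reported installed and the vulnerable component gone), not from the deployment tool having scheduled the job.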


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    kippy wrote: »
    Let's say there is a piece of malware already available on the darknet that can install a back door on machines without this patch installed, in certain situations.
    So it's a fairly high risk not to install this, from that perspective.
    What's the timeline...

    Did I say I know more than Gartner?

    Give gartner and all the other analyst a shout and tell them they are wrong

    I’m sure they will listen


  • Registered Users Posts: 283 ✭✭timeToLive


    appealing to Gartner is a new low


  • Registered Users Posts: 18,602 ✭✭✭✭kippy


    ineedeuro wrote: »
    You are making stuff up now. Really no need. Give gartner and all the other analyst a shout and tell them they are wrong

    I’m sure they will listen
    I've not said they are wrong.
    You have no clue what is involved in patching software of any description - NONE, let alone in complex organisations.
    Your obsession with it is comical at this stage.


  • Posts: 5,917 ✭✭✭ [Deleted User]


    ineedeuro wrote: »
    Give gartner and all the other analyst a shout and tell them they are wrong

    I’m sure they will listen

    WW91IGRvbid0IGtub3cgd2hhdCB5b3UncmUgdGFsa2luZyBhYm91dA

