Ransomware & HSE

TheValeyard

TheValeyard wrote: »

I'd like to think the Israelis are not that petty and wouldnt go after hospitals.

Tell that to the Paestinians:

https://www.aa.com.tr/en/middle-east/indonesian-hospital-in-gaza-suffers-damage-by-israeli-attack/2238936

https://www.nbcnews.com/storyline/middle-east-unrest/another-gaza-hospital-hit-israeli-strike-four-dead-40-hurt-n161086

AndrewJRenko

fael wrote: »

Still, those attacks in the past should have been a warning for any company and should have been mitigated against.

How do you mitigate against a zero day exploit?

AndrewJRenko

AndrewJRenko wrote: »

How do you mitigate against a zero day exploit?

According to Fael its well known and well documented.

Adelman of Beamfleot

AndrewJRenko wrote: »

How do you mitigate against a zero day exploit?

Shouldn't the HSE be finding the zero day exploits first rather than malicious actors?

Corruptedmorals

It's hard not to get the impression that some of the people previously criticising that the HSE is overly reliant on paper charts are now criticising that appointments are being cancelled because the patient's notes have switched to electronic databases which can't be accessed. They are damned either way.

magicbastarder

Adelman of Beamfleot wrote: »

Shouldn't the HSE be finding the zero day exploits first rather than malicious actors?

thanks, i needed the laugh.

Hurrache

Adelman of Beamfleot wrote: »

Shouldn't the HSE be finding the zero day exploits first rather than malicious actors?

Ha, they're not an IT sercurity company.

Adelman of Beamfleot

Adelman of Beamfleot wrote: »

Shouldn't the HSE be finding the zero day exploits first rather than malicious actors?

Definitely post of the week.

Adelman of Beamfleot

magicbastarder wrote: »

thanks, i needed the laugh.

It's IT security 101

Hurrache

You're guaranteed to find Twitter threads full of people asking for the head of the minister for heath and the head of the HSE for not finding these exploits.

Hurrache

Hurrache wrote: »

You're guaranteed to find Twitter threads full of people asking for the head of the minister for heath and the head of the HSE for not finding these exploits.

Im actively avoiding twitter today for that very reason.

AndrewJRenko

Adelman of Beamfleot wrote: »

It's IT security 101

So just to be clear, you expect the HSE to spend tens or hundreds of millions of euros on building a team of white hat hackers attempting to find exploits in the tech of the hundreds or probably thousands of vendors of equipment and services that they use?

Well,that beats Banagher.

Adelman of Beamfleot

AndrewJRenko wrote: »

So just to be clear, you expect the HSE to spend tens or hundreds of millions of euros on building a team of white hat hackers attempting to find exploits in the tech of the hundreds or probably thousands of vendors of equipment and services that they use?

Well,that beats Banagher.

I had thought that the question was so preposterous that no one would take it seriously

Adelman of Beamfleot

Adelman of Beamfleot wrote: »

I had thought that the question was so preposterous that no one would take it seriously

Unfortunately this thread is littered with preposterous statements. So you being serious was perfectly plausible.

frozenfrozen

wonder if there's a measurable difference on the demographic using boards today while all the IT related people are in meetings being asked if this could happen to their company

Hurrache

Hurrache wrote: »

You're guaranteed to find Twitter threads full of people asking for the head of the minister for heath and the head of the HSE for not finding these exploits.

LOL, as night follows day, magpies to shiny things and all that, look at the dumb responses this attracted.
https://twitter.com/HSELive/status/1393199835591892996
https://twitter.com/RoibeardD/status/1393203848777506818

whippet

frozenfrozen wrote: »

wonder if there's a measurable difference on the demographic using boards today while all the IT related people are in meetings being asked if this could happen to their company

i've been on meeting all day and it's the first topic of conversation. We have been banging the drum for the last couple of years and it's scary how diverse the reaction has been from some of our clients and partners.

The ones who dismissed it as not something to worry about previously are now the ones in full on panic mode !!

zom

whippet wrote: »

The ones who dismissed it as not something to worry about previously are now the ones in full on panic mode !!

And funny thing is the same people will be first to forget about it. It is like everywhere - specific type of people, dynamically acting, dynamically thinking, dynamically panicking and dynamically forgetting...

schrodinger

Adelman of Beamfleot wrote: »

Shouldn't the HSE be finding the zero day exploits first rather than malicious actors?

Wow. This post has broken my Boards silence. Made my Friday. Thanks!

frozenfrozen

and the people who push back against any change and really hold up rollouts are the same people in panic mode...

schrodinger

schrodinger wrote: »

Wow. This post has broken my Boards silence. Made my Friday. Thanks!

That poster now says he was joking.

schrodinger

Hurrache wrote: »

You're guaranteed to find Twitter threads full of people asking for the head of the minister for heath and the head of the HSE for not finding these exploits.

Wanna hear something disgusting? I saw some call for HSE staff to be jailed for negligence rather than jailing the criminals.... It's infosec "experts" like this that worry me daily because some decision maker some where is going to listen to him.

schrodinger

Deleted User wrote: »

That poster now says he was joking.

Still made my Friday! hahahahaha. More hot takes jokes like this please.

seamus

Tbh, I'd be skeptical of the "zero day" claim. I've seen companies roll it out before in order to keep the heat off and stop any speculation that they left the door wide open.

There are bigger targets available if you have a good 0-day and you want a big cash payment.

Alun wrote: »

Very true. As I mentioned earlier, these aren't always your typical Nigerian prince type emails. They're targeted, using information gleaned from various sources .. corporate websites, press releases, LinkedIn and Facebook profiles etc. and can look very believable.

This is known as Spear Phishing and it's insanely effective. All it takes really is one distracted employee and a decently crafted mail and you're in.

magicbastarder

conti is a devious beast too;
https://news.sophos.com/en-us/2021/02/16/conti-ransomware-evasive-by-nature/

fael

Deleted User wrote: »

According to Fael its well known and well documented.

Really? What you got from my post is that I believe you can protect yourself from every 0day?

I think you are misreading my posts and think I'm saying the HSE is doing a bad job. I can't know because I don't know what is going on in the HSE. I can't form an opinion, because I don't have knowledge about the HSE IT infrastructure.

The point I was trying to make was that ransomware is common and you should have a plan in place. I did not say that the HSE does not have that.

Like someone above said, pulling the plug on the network in the middle of the night can indicate seems like they have a detection mechanism in place.

schrodinger

And let's be clear here. This was not a zero day exploit. Every time someone says a zero day was used, I loose a year from my life expectancy. Is it the HSE's fault? Absolutely not. I've literally seen and investigated organisations with a much stronger security posture than the HSE get hit with ransomware. So, all the "expert" and idiot criticism of HSE I.T. staff needs to be taken some where else. All of those people can go some where and bang their knuckles off a rock and see who's the leader.

I.T. staff in these kinds of places are not security engineers, security analysts, forensic investigators, incident responders, malware analysts, etc.. They are system engineers, system administrators, network engineers, developers, technical support staff, applications supports staff, multiple hats staff - and people want to throw shade? Shame on those who do.

Not many comments about the private for-profit companies are who likely (literally) responsible for the security practices through all of the parts that make up the HSE. No, much easier to throw those ill-informed opinions at the HSE and blame them.

Credit to the people in this thread who actually have a clue and are providing valid comments on what's happened, how it's happened and how it needs to be treated moving forward.

fael

AndrewJRenko wrote: »

Are you suggesting that the HSE hasn't already taken all of these steps?

No, someone asked what steps you could take to prevent it and I just pointed him to a list of basic measures.

I don't work in HSE IT so I can't comment on what steps they have taken.

fael

AndrewJRenko wrote: »

How do you mitigate against a zero day exploit?

You can't mitigate against the 0day itself. Just against what happens after. Basic stuff like segmenting your network, a proper backup system (including regularly restoring backups to make sure it's working), etc, etc... to make sure you can clean up and get going again.

Can't imagine what kind of mind**** backups in the HSE must be though, so many different sections that are interlinked. Glad that's not my job.

jmayo

touts wrote: »

If one person dies as a result of the health systems being down it should be treated as murder and an act of terrorism.

After the attack on the oil pipeline in the US I suspect those bastards will be getting a visit from Seal Team 6 anyway. Don't know if it is the same terrorist group who attacked the US but clearly this has stepped up and we need to step up our response accordingly.

So they are going to attack someone sitting in Russia, or possibly North Korea or China then ?

Deleted User wrote: »

That's like where I worked in local authority, Windows 7. Public services always go for the cheapest available anything, not the most cost-effective in the long run.

Yes you will still find Windows 7 and maybe even older in the likes of HSE, hospitals, etc.
Medical systems lag consumer systems because they have to go through years of certification and a medical system could have shelf life of 7 odd years.
So you may have computers running medical grade software applications that are still running Win 7.
A lot of these systems may be isolated to their own subnets and VLANS, or even their own physical network but some may be connected to proprietary network and the general hospital LAN.

Win10 was only released in the middle of 2015.

Also people need to get their heads round fact that large organisations, be they public or private, don't run out every other year updating their hardware and indeed their OSes.
It takes years of planning to roll out the new OS version and most especially in somewhere like HSE with all their departments, all their hospitals, all their sites, all the clinics, the health centres, etc.

It is not fooking like an individual or a small entity going down to Currys and buying a PC or a few PCs that only runs Office and surfs the net.

leahyl wrote: »

I work in a University and have communcations with the HSE and some of them have extreme difficulty in even accessing microsoft Teams for meetings. Their IT infrastructure sounds very bad.

Teams is a bag of shyte that half the time doesn't work because of new Windows 10 updates, doesn't like headsets, microphones and the Microsoft sites often have global outages.

jams100 wrote: »

In fairness, the HSE employs over 100k people. This seems to be down to years and years of mismanagement.
Sure didn't I read a few years ago that they had to pay Microsoft to keep supporting Windows xp or 7?
You'd hope that after the previous incident a couple of years ago that they now work with external partners in terms of their IT.
I imagine it's a mammoth job trying to overhaul any IT infrastructure in the HSE both from a technical and political (money) point of view.

See my answer above.
You have no idea how complex their whole system is and now you have huge specialist systems running all over the place.