
Ransomware & HSE


Comments

  • Posts: 5,917 ✭✭✭ [Deleted User]


    ineedeuro wrote: »
    As I said, you might accept it but some people won't.
    I can tell you what will happen if you wait, nothing. It will be swept away and we will get told a review will be done and then it will never arrive. Standard practice in Ireland and loads of people just accept that. It's crazy. But people are changing and this can only be good.

    We cannot continue to accept incompetence and give people a round of applause for doing it.

    Can you provide any public or private organisation that published their security report in full for the public?


  • Registered Users Posts: 9,557 ✭✭✭DublinWriter


    swampgas wrote: »
    The HSE is huge, there is not one homogenous "staff", or a single "IT system", or a single HSE "IT Team".
    Is it true that they're still operating on a pre-HSE basis in terms of IT Management and still running the old 6+ Health Board IT Teams?


  • Registered Users Posts: 3,566 ✭✭✭swampgas


    Is it true that they're still operating on a pre-HSE basis in terms of IT Management and still running the old 6+ Health Board IT Teams?

    I've no idea, but in a large organisation you will have multiple teams with different roles and responsibilities, that's what I was getting at really. An Oracle database admin and a Microsoft Active Directory admin have very different jobs. Figuring out what each team needs to change (if anything) isn't a one-size-fits-all job.


  • Registered Users Posts: 29,114 ✭✭✭✭AndrewJRenko


    Is it true that they're still operating on a pre-HSE basis in terms of IT Management and still running the old 6+ Health Board IT Teams?

    Doesn't look like it.

    https://www.hse.ie/eng/about/who/oocio/


  • Registered Users Posts: 9,557 ✭✭✭DublinWriter


    swampgas wrote: »
    I've no idea, but in a large organisation you will have multiple teams with different roles and responsibilities, that's what I was getting at really. An Oracle database admin and a Microsoft Active Directory admin have very different jobs. Figuring out what each team needs to change (if anything) isn't a one-size-fits-all job.
    True, but most organisations don't have 6+ independent DBA Teams and 6+ independent Security/AD User Provisioning Teams over multiple and unconnected OUs.


  • Registered Users Posts: 23,246 ✭✭✭✭Dyr


    kathleen37 wrote: »
    All of this.

    The most basic role of any IT department is to keep its systems and data safe. And to have a contingency plan.

    The reality is that most IT depts in Irish businesses are not run that way, management see no value add in it and assign little or no resources to it. That's all below deck stuff so they just ignore and assume it gets done by IT fairies that live in the server room.

    They'll panic for a bit now and invest in some measures which will be gathering dust in a corner 12 months down the line.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Bambi wrote: »
    The reality is that most IT depts in Irish businesses are not run that way, management see no value add in it and assign little or no resources to it. That's all below deck stuff so they just ignore and assume it gets done by IT fairies that live in the server room.

    They'll panic for a bit now and invest in some measures which will be gathering dust in a corner 12 months down the line.

    Not true, plenty of companies have invested in security and IT over the years, plenty of course haven’t, but just saying every customer in Ireland is the same is incorrect.

    Just look at this breach, only the HSE got hit, no other company in Ireland. Doesn’t that tell you a lot?


  • Registered Users Posts: 1,574 ✭✭✭Hibernicis


    Is it true that they're still operating on a pre-HSE basis in terms of IT Management and still running the old 6+ Health Board IT Teams?

    Based on two things that Anne O'Connor said last week I have a strong suspicion that this may be the case at infrastructure level and if so it could be a very significant factor.


  • Registered Users Posts: 13,995 ✭✭✭✭Cuddlesworth


    ineedeuro wrote: »
    The "lack of investment" line is coming from who/where? has anything been provided to back that up?

    Yes, the IT director said the budget had doubled in the last 2 years from 100 million to 200 million. That's a clear example of a long term lack of investment.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Yes, the IT director said the budget had doubled in the last 2 years from 100 million to 200 million. That's a clear example of a long term lack of investment.

    So the IT director in the middle of a huge failure says they didn’t have enough investment? Well that’s a surprise

    What did they do with the extra 100m?

    Did he/she include any information to back that up? Like they are a 1 on the security assessment and should be a 3?


  • Registered Users Posts: 813 ✭✭✭kathleen37


    swampgas wrote: »
    There may well be incompetence and negligence, but that's not a given, and jumping to condemn the IT teams before the facts emerge is unfair to those involved.

    I never mentioned incompetence or negligence and I am absolutely not blaming the IT teams for this. As I said, I really feel for the people on the ground. I've been there.

    I mentioned head of departments for a reason. I've worked in this industry for years and I can guarantee that the main issue here is funding. But again, that's the role of the head of dept to flag and make sure the correct people are aware of the issues/risks and to get the funding in place.

    Would love to see their risk register.


  • Registered Users Posts: 29,114 ✭✭✭✭AndrewJRenko


    ineedeuro wrote: »
    So the IT director in the middle of a huge failure says they didn’t have enough investment? Well that’s a surprise

    What did they do with the extra 100m?
    They did the strategic programmes detailed at https://www.hse.ie/eng/about/who/oocio/

    Which of these would you have canned or cut back to invest more on security?


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    They did the strategic programmes detailed at https://www.hse.ie/eng/about/who/oocio/

    Which of these would you have canned or cut back to invest more on security?

    Did I say to invest more in security? It would be nice to see what they are currently spending and on what?

    Also with whom? An organisation the size of HSE with its complexity should have specialist, worldwide specialist companies involved


  • Registered Users Posts: 29,114 ✭✭✭✭AndrewJRenko


    ineedeuro wrote: »
    Did I say to invest more in security?

    Yes, pretty much. Remember when you said:
    ineedeuro wrote: »
    This gives management the information on which decisions they should/shouldn't make and also the information to figure out what risk they have if they don't invest.
    ineedeuro wrote: »
    It would be nice to see what they are currently spending and on what?

    Also with whom? An organisation the size of HSE with its complexity should have specialist, worldwide specialist companies involved

    Why don't you ask them? Or FOI them? Or get a job there and see what's going on?

    Loads of options to you instead of moaning incessantly here.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Yes, pretty much. Remember when you said:

    Why don't you ask them? Or FOI them? Or get a job there and see what's going on?

    Loads of options to you instead of moaning incessantly here.

    Selective quoting. It's a pity some people have to resort to that.


  • Registered Users Posts: 6,317 ✭✭✭gameoverdude


    ineedeuro wrote:
    Selective quoting. It's a pity some people have to resort to that.


    Indeed


  • Registered Users Posts: 9,557 ✭✭✭DublinWriter


    Yes, the IT director said the budget had doubled in the last 2 years from 100 million to 200 million. That's a clear example of a long term lack of investment.
    That's not a lot for an organisation of that size and significance.


  • Registered Users Posts: 9,557 ✭✭✭DublinWriter



    You're looking at the most senior of senior IT management in the HSE there.

    The question is, like the rest of the HSE, was an additional upper-level of management just 'plonked' on top of the original 8-board structure?


  • Registered Users Posts: 3,337 ✭✭✭Wombatman


    They did the strategic programmes detailed at https://www.hse.ie/eng/about/who/oocio/

    Which of these would you have canned or cut back to invest more on security?

    Probably none of them. Your question is a classic example of how not to approach cybersecurity. It's not optional. It's not 'a project' you can choose over another. It's a culture, an essential foundation. If you are not approaching all of these projects from a security first perspective you are only making a stick to beat yourself with later.


  • Registered Users Posts: 145 ✭✭Maxface


    So they got the money back they sent, so not a Bitcoin thing......https://www.breakingnews.ie/world/us-recovers-ransom-payment-made-after-pipeline-hack-1138473.html

    Might get flamed for the above but whatever.


  • Moderators, Entertainment Moderators Posts: 17,993 Mod ✭✭✭✭ixoy


    Maxface wrote: »
    So they got the money back they sent, so not a Bitcoin thing......https://www.breakingnews.ie/world/us-recovers-ransom-payment-made-after-pipeline-hack-1138473.html

    They got most, not all, and it was certainly a Bitcoin thing until they pissed off the wrong people.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Maxface wrote: »
    So they got the money back they sent, so not a Bitcoin thing......https://www.breakingnews.ie/world/us-recovers-ransom-payment-made-after-pipeline-hack-1138473.html

    Might get flamed for the above but whatever.

    Yes it was a bitcoin thing.....just because the US spent millions to get it back so as not to lose face doesn't change anything


  • Posts: 5,917 ✭✭✭ [Deleted User]


    ineedeuro wrote: »
    Yes it was a bitcoin thing.....just because the US spent millions to get it back so as not to lose face doesn't change anything

    Link to where you seen that the U.S. spent millions to get it back?


  • Registered Users Posts: 3,870 ✭✭✭ozmo


    DubInMeath wrote: »
    Link to where you seen that the U.S. spent millions to get it back?

    "75 bitcoin — then valued at roughly $4.4 million"

    "The Bitcoin amount seized — 63.7, currently valued at $2.3 million after the price of Bitcoin tumbled— amounted to 85% of the total ransom paid, which is the exact amount that the cryptocurrency-tracking firm Elliptic says it believes was the take of the affiliate who carried out the attack. The ransomware software provider, DarkSide, would have gotten the other 15%."

    So most of the losses appear due to the devaluation of bitcoin.

    “Roll it back”



  • Registered Users Posts: 29,114 ✭✭✭✭AndrewJRenko


    ineedeuro wrote: »
    Selective quoting. It's a pity some people have to resort to that.
    Feel free to add in any more context you like, but you've been repeatedly banging on here about the need for them to do more, do better, hire more external consultants. That costs money, which needs to come from some budget.

    You're looking at the most senior of senior IT management in the HSE there.

    The question is, like the rest of the HSE, was an additional upper-level of management just 'plonked' on top of the original 8-board structure?

    This is one of those urban myths that has gained traction. It's a while since I directly worked with them, but their structure had nothing to do with health boards. They had a regional model for some services and some structures, which isn't surprising for any national organisation.


    Wombatman wrote: »
    Probably none of them. Your question is a classic example of how not to approach cybersecurity. It's not optional. It's not 'a project' you can choose over another. It's a culture, an essential foundation. If you are not approaching all of these projects from a security first perspective you are only making a stick to beat yourself with later.
    You're broadly correct, but if you're going to 'do security' in a way that you haven't done it before, it is going to take extra resources - extra staff, extra training, extra consultants, extra tools and infrastructure. These won't come out of thin air, and so will take budget that would otherwise be used for other projects or services.


  • Posts: 5,917 ✭✭✭ [Deleted User]


    ozmo wrote: »
    "75 bitcoin — then valued at roughly $4.4 million"

    "The Bitcoin amount seized — 63.7, currently valued at $2.3 million after the price of Bitcoin tumbled— amounted to 85% of the total ransom paid, which is the exact amount that the cryptocurrency-tracking firm Elliptic says it believes was the take of the affiliate who carried out the attack. The ransomware software provider, DarkSide, would have gotten the other 15%."

    So most of the losses appear due to the devaluation of bitcoin.

    Yeah seen reports of the value falling after they recovered some of the ransom, not sure how that equates to the U.S. spending millions to get it back.


  • Banned (with Prison Access) Posts: 989 ✭✭✭ineedeuro


    Feel free to add in any more context you like, but you've been repeatedly banging on here about the need for them to do more, do better, hire more external consultants. That costs money, which needs to come from some budget.

    This is one of those urban myths that has gained traction. It's a while since I directly worked with them, but their structure had nothing to do with health boards. They had a regional model for some services and some structures, which isn't surprising for any national organisation.

    You're broadly correct, but if you're going to 'do security' in a way that you haven't done it before, it is going to take extra resources - extra staff, extra training, extra consultants, extra tools and infrastructure. These won't come out of thin air, and so will take budget that would otherwise be used for other projects or services.

    No you don’t, to provide extra security while not increasing budget is done every day of the week in every organisation. Companies drive efficiencies from existing process. Move workload offshore to more competitive rates. Outsource to providers to reduce costs etc etc etc

    Having 20 low skilled security workers in Ireland could be replaced by 1-2 offshore high skilled. I say low skilled because earlier on the thread it was mentioned HSE couldn’t hire anyone and more or less just hired what they could into positions. Maybe this is untrue?


  • Registered Users Posts: 8,184 ✭✭✭riclad


    So you think we can improve security by employing people in Poland or some other low pay country in the EU.
    Personal medical data is of value to hackers, and fraudsters.
    I don't think there's 1000s of security professionals in Poland waiting to work for the HSE.
    What the HSE needs to do is get an outside company to audit their security systems and practices.
    Are they using old passwords, do all users have admin level access on PCs they do not need to use?
    Are there user logs kept on all activity on the network?
    Are user backups being made every day in order to recover from future hacks?
    Are there multiple backups in different locations that are secure from potential hacks?
    So you think that 2 security experts could provide 24/7 cover and control to a network of 80,0000 PCs that are in use every day, that contain sensitive personal medical data.
    Systems have to be backed up, maintained and updated and medical info entered, e.g. x-ray scans.
    I don't think the HSE could employ 2 people to work more than 10 hours a day under existing EU working hours legislation.
    Each hospital and HSE building has its own network of PCs in different locations all over the country.


  • Registered Users Posts: 29,114 ✭✭✭✭AndrewJRenko


    ineedeuro wrote: »
    No you don’t, to provide extra security while not increasing budget is done every day of the week in every organisation. Companies drive efficiencies from existing process. Move workload offshore to more competitive rates. Outsource to providers to reduce costs etc etc etc

    Having 20 low skilled security workers in Ireland could be replaced by 1-2 offshore high skilled. I say low skilled because earlier on the thread it was mentioned HSE couldn’t hire anyone and more or less just hired what they could into positions. Maybe this is untrue?

    They're already outsourced heavily - if an offshore provider submits the most economically advantageous tender, they get the job. You're about 20 years late with your advice.

    So we're back to having to change existing processes to meet additional requirements within a fixed budget. Something's got to give.


  • Registered Users Posts: 2,744 ✭✭✭marieholmfan


    ineedeuro wrote: »
    No you don’t, to provide extra security while not increasing budget is done every day of the week in every organisation. Companies drive efficiencies from existing process. Move workload offshore to more competitive rates. Outsource to providers to reduce costs etc etc etc

    Having 20 low skilled security workers in Ireland could be replaced by 1-2 offshore high skilled. I say low skilled because earlier on the thread it was mentioned HSE couldn’t hire anyone and more or less just hired what they could into positions. Maybe this is untrue?
    No it isn't and no they don't.

