Ransomware & HSE

Hospital A seem to have come out of it very well, not just in their reaction, but it seems their overall posture is better than the wider HSE's:

The HSE should prioritise the remediation of critical legacy systems. Immediate efforts should focus on prioritising the upgrade of the NIMIS system, as this is currently inhibiting the upgrade of a significant proportion of 30,000 Windows workstations from Windows 7 to Windows 10.

In considering the acceleration of the NIMIS upgrade, HSE should review if the configuration changes made in one hospital (Hospital A) to enable the application to run on Windows 10 can be more widely implemented, and supported by the vendor, to expedite the central Windows 10 rollout plans (see key recommendation FA1.KR11 g in section 5.1).

So, it turns out upgrading to Win 10 was possible all along, it just needed a bit of effort that 'Hospital A' put in, but the rest of the HSE didn't.

From an InfoSec perspective, there are a lot of pretty failings from the HSE in the report, even stuff as basic as not having an asset register. It seems that the IT end overall has been underfunded and understaffed for a long time and this is the result.

You can't train people perfectly either though. And these attacks are getting better all the time. It's no longer the Nigerian prince stuff, it's better crafted emails that appear to come from legit contacts.

At the end of the day your system needs to account for the fact that your people are vulnerable - and sometimes malicious. To assume that someone has clicked on something dodgy means the problem is that they're stupid and have ignored their training, is a hole in one's process. Because you're also assuming that nobody else in the company will make the same mistake.

Yes, you absolutely need to train and refresh your staff on security vigilance, but you also need to understand that for 99% of your staff, security is the last thing on their minds. The ICU nurse who uses the computers as a tool to treat their patients is not thinking about Russian hackers, and they shouldn't have to. There should be security systems in the background so that when they are inevitably exhausted, counting down the minutes to the end of their shift and mindlessly click on a link in an email, it doesn't bring down an entire country's health infrastructure.

It's the swiss cheese model of protection. You have many layers of security, each of which assumes the one above it is not perfect. Training staff is just one layer, the one at the top with the most holes. If the layer below fails to catch what falls through, then it's a systems failure, not a people failure.

If every company fired everyone who ever made a mistake and clicked on the wrong thing, most people would have lost their jobs at some point.

Page 7 of the PWC report, right hand column, bullet point 4.

Reliance was placed on a single antivirus

product that was not monitored or effectively

maintained with updates across the estate.

For example, the workstation on which the

Attacker gained their initial foothold did not

have antivirus signatures updated for over a

year.

I've never seen a HSE admin staff break sweat. It's a bit of a basket case and still unionised?