UK's NHS Could Have Avoided WannaCry Hack With 'Basic IT Security', Says Report (theguardian.com)
An anonymous reader shares a report: The NHS could have avoided the crippling effects of the "relatively unsophisticated" WannaCry ransomware outbreak in May with "basic IT security," according to an independent investigation into the cyber-attack. The National Audit Office (NAO) said that 19,500 medical appointments were cancelled, computers at 600 GP surgeries were locked and five hospitals had to divert ambulances elsewhere. "The WannaCry cyber-attack had potentially serious implications for the NHS and its ability to provide care to patients," said Amyas Morse, the head of the NAO. "It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber-threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks."
Re: (Score:2)
The very first three posts illustrate the dangers of having an agenda. One comment blames Microsoft. The next one blames nationalized healthcare. Neither comment gives any evidence for linking the reported problems with their favourite culprits.
The way I see it, your most valuable data and services are more or less equally insecure in the hands of government, Microsoft, or other corporations. Namely, not very.
People keep making the same old mistakes, and one of the commonest mistakes is "either/or". If not
Re: (Score:2)
Except health outcomes are better in the UK than the USA.
Re: (Score:2, Funny)
Dental outcomes, however, do not bear this out.
Re: (Score:1)
https://arstechnica.com/information-technology/2017/10/hackers-stole-bugs-from-microsoft-database-but-company-never-disclosed-it/
Re: Basic IT security (Score:1)
OpSec is the most important factor, but the Windows ecosystem is the worst of all worlds.
Linux is fully open source and highly customizable, with default permissions hardened (the user is not in an admin state without using the sudo command) and most software also open source and coming from trusted repositories.
OSX is a tightly-controlled ecosystem. This means the user has to rely almost entirely on Apple, but their strict walled garden is pretty good at keeping out threats.
Windows, on the other hand, is c
Re: (Score:2)
> Linux is fully open source and highly customizable, with default permissions hardened (the user is not in an admin state without using the sudo command) and most software also open source and coming from trusted repositories.
Equifax blames open-source software for its record-breaking security breach [zdnet.com].
It doesn't matter what software you use, you need to actually have both the ability and the incentive to use it correctly. Otherwise, you're going to end up with crap whether it's Windows, Linux, OS X, or AmigaDOS.
Re: Basic IT security (Score:2)
You already have the same issues in your non nationalised healthcare, there was a whole track at DEF CON this year on security in the healthcare sector, there was one by a US penetration tester who found many of these same issues. "We thought the vendor was responsible for supporting that out of date machine", but it is on your network, and you have also not maintained any oversight of the vendor.
Re: (Score:3)
> Probably the larger problem is that this is indicative of the type of problem that we will start to see with nationalized health care
Way to politicize the issue. In the most unproductive manner possible.
American hospitals were affected by ransomware outbreaks too. We didn't hear much about it because they are private organizations that don't need to report to the public. If you think IT in American health care is much better than NHS, I have some very bad news for you. Health care IT security was a joke until the government stepped in.
There was some improvement in the wake of HIPAA, but even now it is hit-and-miss. As it stands, governm
Re: (Score:1)
From the article:
Before the attack, NHS Digital carried out an “on-site cybersecurity assessment” at 88 out of the 236 health trusts in England. None passed, but the agency had no powers to make them “take remedial action even if it has concerns about the vulnerability of an organisation”, the report says.
The trusts are not part of the government, and the government had no authority to force them to use better security.
England and US are in the same boat: Not enough protections for their citizens.
Make laws with big fines. Make businesses pay when this happens. They will cry about the cost, but they will fix the problem. Their tears mean nothing. They were willing to expose your information to save a few bucks, so they deserve no sympathy.
Re:Basic IT security (Score:5, Insightful)
I know it is fashionable to bust on MS -- always has been here. I will say that from a security standpoint (if not a privacy standpoint, which is related but not the same), they have gotten better. That aside, the fact remains that if you don't do the first 5 of the CIS critical security controls, doing the remaining 15 doesn't really matter.
https://www.cisecurity.org/con... [cisecurity.org]
Of course throwing blinkin-light boxes, doing pen tests, etc. is all the "sexy" parts of security, but here's the deal -- MS patched the vuln over a month before WannaCry hit and the crisis could have been averted by asset control and patch management before any signatures were released either for the vulnerability itself, or for specific threats such as WannaCry.
Within a day of ShadowBrokers dumping the haul which contained EternalBlue, nearly everyone in the security field that was paying attention understood that a patch already existed, MS had released it without fanfare as they usually do for this sort of thing, and that due to lack of attribution in the release notes that it was almost certainly NSA working on it with MS once they had reason to believe that EternalBlue was taken and would be burned by SB.
So, yeah "Don't use Microsoft" -- but if you go around not patching RedHat, you're not actually going to be that much better off. Unpatched software is still unpatched software, email has the quality of turning local exploits into remote exploits, and office workers whom you stick on an Ubuntu or RedHat box are still going to click whatever they're going to click. DAC and the Unix permissions model only goes so far, and most sites I've worked at have a tendency to have a "disable SELinux because it's hard and we're lazy" item in their deployment guide.
No one thing is the end-all/be-all of security. Layered defense and understanding that it is a constant arms race wherein blue team isn't likely to prevent a dedicated adversary from gaining a foothold but needs to do what is possible to increase the cost of success and extend operational time for the attacker to increase the likelihood of detection before exfiltration or destruction of data is it.
Most things can be fixed with basic IT security. (Score:5, Interesting)
The problem is there are a lot of things under basic IT security and it is nearly impossible to checklist them all.
Health Care tends to be at least a decade behind in technology and implementing new technology is a big deal, because breaking a downstream system could cost someone's life. So there is nearly always a big queue of things that should be done that you just can't get business approval to do.
doctors independent contractors / own offices (Score:2)
doctors independent contractors / own offices have to do their own IT. Other times they are stuck on old apps that may need ADMIN rights and even only run in windows XP.
Re: (Score:3)
> doctors independent contractors / own offices have to do their own IT. Other times they are stuck on old apps that may need ADMIN rights and even only run in windows XP.
This wasn't the case though. The majority of infections were in unpatched Win7 machines. And for the specific issue one of the major reasons for NOT patching was the need to communicate with SMB1 servers. Most frequently these servers run Linux.
Re: (Score:2)
Re: (Score:2)
Well those same IT people should have patched the servers! Oh wait, they probably knew sweet FA about Unix.
Two comments...
1. We do know Unix thanks
2. This knowledge is mostly irrelevant as the vast majority of our servers use Windows.
Re: (Score:3)
Samba 3.6 added basic support for SMB2.0. This support was essentially complete except for one big item:
durable file handles (Added in Samba 4.0.0).
Release Notes for Samba 3.6.0
August 9, 2011
So m
Re:Most things can be fixed with basic IT security (Score:4)
Which leads ultimately to outsourcing and service based view on the IT. If the business experts don't understand accounting, physical security, cleaning or legal services, they buy those from the providers as well. Then they can fulfill any compliance requirements to the monitoring authorities or courts, whatever they might be.
It doesn't solve the fundamental problem, which is that a lot of medical software is sold with some very specific system requirements and they're not certified to work on anything else. Part of it is that the liability is huge, part of it is that the vendors know they got the clients over a barrel. So you got a hodgepodge of outdated and obsolete configurations and it's not like a hospital will shut down a million dollar MRI machine or operating theater equipment simply because the OS is out of support or only supports SMBv1. You can red-flag it in a compliance report but unless there's actually money in the budget for a replacement system it's just CYA documentation. Worse yet if the product is EOL or the vendor has quit or if the new system is such a big change it's not really an upgrade anymore.
Microsoft actually used to be best in class here with their 5+5 support on client desktops. With their new "life of device" who knows, as vendors tend to not give a shit when the warranty has expired. But I think there will be a demand for like really long term support, I mean XP lived for well over 10 years and Win7 is still king of the hill, if only you got security patches I think many could run the same OS for decades. Particularly in a business context where you might only run a few vertically integrated applications and the OS is almost invisible.
Re: (Score:2)
It isn't that people are now more stupid, it is that more stupid people have access to technology.
No shit Sherlock (Score:3)
Re:No shit Sherlock (Score:4, Insightful)
But security costs money!
Re: (Score:2)
Especially the paying out of all those golden parachutes to CTO's...
Re: (Score:2)
Then toss the fuckers with lead parachutes and out of your 17th floor. Read your Sun Tzu, as soon as 2 have hit the concrete, the rest will suddenly be MUCH more compliant.
Re: (Score:2)
Trouble is, it's also their 17th floor. So unless they feel like throwing themselves out, this isn't really a thing that can be done short of revolution essentially.
Re: (Score:2)
I know my CTO. Trust me, I can toss that wet noodle.
Re: (Score:2)
Right so a link to a USA commerce website urging British people to buy a book! Let's try that again with a link to the UK Amazon web site.
https://www.amazon.co.uk/Basic... [amazon.co.uk]
Protect vs. WannaCry easily... apk (Score:1)
From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via regedit.exe:
Disable SMBv1 on the SERVER, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
Enable SMBv2 on the SERVER, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
Registry entry: SMB2
REG_DWOR
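An audit of the server-side SMB1 registry value described in the comment above, as an added example that is not part of the original comment or of Microsoft's guidance. It reads `.reg` export text collected from hosts and lists those where the SMBv1 server is still on, treating an absent value as enabled per the comment's "Default: 1 = Enabled"; the function names, host names and sample exports are constructed for illustration.

```python
import re

# Key path and value name are the ones quoted in the comment above.
KEY = r"HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters"
DWORD_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<hex>[0-9a-fA-F]{8})$')


def parse_reg_export(text):
    """Map each key path (lower-cased) to its DWORD values in .reg export text."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            # Registry key and value names are case-insensitive, so normalise.
            current = keys.setdefault(line[1:-1].lower(), {})
        elif current is not None:
            match = DWORD_RE.match(line)
            if match:
                current[match.group("name").lower()] = int(match.group("hex"), 16)
    return keys


def smb1_enabled(text):
    """True unless the export proves SMB1 = 0.

    A missing value counts as enabled, following the comment's
    "Default: 1 = Enabled".
    """
    params = parse_reg_export(text).get(KEY.lower(), {})
    return params.get("smb1", 1) != 0


def hosts_with_smb1(exports):
    """Return the sorted host names whose export leaves the SMBv1 server on."""
    return sorted(host for host, text in exports.items() if smb1_enabled(text))


# Constructed sample exports (hypothetical host names), not real data.
HEADER = "Windows Registry Editor Version 5.00\n\n[" + KEY + "]\n"
SAMPLE_EXPORTS = {
    "host-a": HEADER + '"SMB1"=dword:00000000\n"SMB2"=dword:00000001\n',
    "host-b": HEADER + '"SMB2"=dword:00000001\n',  # SMB1 absent: default applies
    "host-c": HEADER + '"SMB1"=dword:00000001\n',
}

if __name__ == "__main__":
    print(hosts_with_smb1(SAMPLE_EXPORTS))
```

Real `reg export` files are UTF-16 encoded, so decode them before passing the text in.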
Surprised? No... (Score:2)
Not that using XP, an OS known to be thoroughly insecure by design, after official support end
Don't assume the secret stuff is that good either (Score:3)
> it seems like the only government-run places where you'll see even halfway decently managed IT is in agencies that handle state secrets relating to subjects like defense and diplomacy.
You might be surprised at the crap you see at those agencies too. "Defense and diplomacy" you say, so for example the State Department. Can you imagine if the top-level head of the State Department, the Secretary of State, was handling "subjects like defense and diplomacy" by using an out-of-date, unpatched mail server s
Basic IT Practice (Score:2)
Keep critical systems off the internet. This way your only method of attack is an insider.
Human laziness enabled this mess - and the UK and USA are fucking hotbeds of laziness and useless bloat.
I say this as an American.
Sorry what? (Score:2)
What basic IT security practices are they referring to? Everyone keeps saying that, but to me that sounds like a user that heard "someone from IT" use those words and then parrots them to everyone till it becomes fact.
It would be nice, you know, on a technical site, to actually list somewhere what the referenced "basic IT security" steps to prevent this were IN THIS SPECIFIC INSTANCE.
Not like generally, as some comments are doing. Was it everyone running as admin? were they not running virus scanners? not seg