
UK's NHS Could Have Avoided WannaCry Hack With 'Basic IT Security', Says Report (theguardian.com)

An anonymous reader shares a report: The NHS could have avoided the crippling effects of the "relatively unsophisticated" WannaCry ransomware outbreak in May with "basic IT security," according to an independent investigation into the cyber-attack. The National Audit Office (NAO) said that 19,500 medical appointments were cancelled, computers at 600 GP surgeries were locked and five hospitals had to divert ambulances elsewhere. "The WannaCry cyber-attack had potentially serious implications for the NHS and its ability to provide care to patients," said Amyas Morse, the head of the NAO. "It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber-threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks."
  • by jellomizer ( 103300 ) on Friday October 27, 2017 @09:46AM (#55443963)

    The problem is there are a lot of things under basic IT security and it is nearly impossible to checklist them all.
    Health Care tends to be at least a decade behind in technology and implementing new technology is a big deal, because breaking a downstream system could cost someone's life. So there is nearly always a big queue of things that should be done that you just can't get business approval to do.

    • Doctors independent contractors / own offices have to do their own IT. Other times they are stuck on old apps that may need ADMIN rights and even only run in Windows XP.

      • > Doctors independent contractors / own offices have to do their own IT. Other times they are stuck on old apps that may need ADMIN rights and even only run in Windows XP.

        This wasn't the case though. The majority of infections were in unpatched Win7 machines. And for the specific issue one of the major reasons for NOT patching was the need to communicate with SMB1 servers. Most frequently these servers run Linux.

        • by dhaen ( 892570 )
          Well those same IT people should have patched the servers! Oh wait, they probably knew sweet FA about Unix.
          • by Gonoff ( 88518 )

            > Well those same IT people should have patched the servers! Oh wait, they probably knew sweet FA about Unix.

            Two comments...
            1. We do know Unix, thanks
            2. This knowledge is mostly irrelevant as the vast majority of our servers use Windows.

        • Samba 3.6 added basic support for SMB2.0. This support was essentially complete except for one big item:
          durable file handles (Added in Samba 4.0.0).

          Release Notes for Samba 3.6.0
          August 9, 2011

          So m

  • by amalcolm ( 1838434 ) on Friday October 27, 2017 @09:54AM (#55444037)
    I wonder who got paid ££££ to come to THAT conclusion
  • by Anonymous Coward

    From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via regedit.exe:

    Disable SMBv1 on the SERVER, configure the following registry key:

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Registry entry: SMB1

    REG_DWORD: 0 = Disabled
    REG_DWORD: 1 = Enabled

    Default: 1 = Enabled

    Enable SMBv2 on the SERVER, configure the following registry key:

    Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters
    Registry entry: SMB2

    REG_DWOR
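
An audit of the two registry entries named in the comment above, as an added example that is not part of the original post or of Microsoft's guidance. The function names are hypothetical; it assumes PowerShell 3.0 or later, and that the SMB2 entry follows the same 0/1 convention and enabled-by-default behaviour the post gives for SMB1 (the post is cut off before stating it).

```powershell
# Added example. Key path and entry names (SMB1, SMB2) are the ones quoted in the post;
# Get-SmbServerRegistryState and Disable-SmbV1Server are hypothetical helper names.
$ParamsKey = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-SmbServerRegistryState {
    param([string]$Path = $ParamsKey)

    $props = Get-ItemProperty -Path $Path -ErrorAction Stop
    foreach ($name in 'SMB1', 'SMB2') {
        # An absent entry is not "off": the default (1 = Enabled) applies.
        # For SMB2 this default is an assumption; the post is truncated there.
        $present = $props.PSObject.Properties.Name -contains $name
        $value   = if ($present) { [int]$props.$name } else { 1 }
        [pscustomobject]@{
            Entry     = $name
            Present   = $present
            Effective = if ($value -eq 0) { 'Disabled' } else { 'Enabled' }
        }
    }
}

function Disable-SmbV1Server {
    [CmdletBinding(SupportsShouldProcess)]
    param([string]$Path = $ParamsKey)

    # Writes SMB1 = 0 as a REG_DWORD; supports -WhatIf for a dry run.
    if ($PSCmdlet.ShouldProcess($Path, 'Set SMB1 = 0 (REG_DWORD)')) {
        Set-ItemProperty -Path $Path -Name 'SMB1' -Type DWord -Value 0
    }
}

$state = Get-SmbServerRegistryState
$state | Format-Table -AutoSize

$smb1 = $state | Where-Object { $_.Entry -eq 'SMB1' }
$smb2 = $state | Where-Object { $_.Entry -eq 'SMB2' }

if ($smb2.Effective -eq 'Disabled') {
    Write-Warning 'SMB2 is disabled; turning SMB1 off as well would leave no SMB server dialect.'
}
if ($smb1.Effective -eq 'Enabled') {
    Write-Warning 'SMBv1 server is enabled (explicitly or by default).'
    # Run elevated, then restart for the change to take effect:
    # Disable-SmbV1Server -WhatIf
}
```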

  • Can't say I'm particularly surprised as it seems like the only government-run places where you'll see even halfway decently managed IT is in agencies that handle state secrets relating to subjects like defense and diplomacy. Everywhere else IT tends to be thoroughly mismanaged due to incompetent management, interference from non-IT management, insufficient budget to do the job properly or a combination of these.

    Not that using XP, an OS known to be thoroughly insecure by design, after official support end
    • > it seems like the only government-run places where you'll see even halfway decently managed IT is in agencies that handle state secrets relating to subjects like defense and diplomacy.

      You might be surprised at the crap you see at those agencies too. "Defense and diplomacy" you say, so for example the State Department. Can you imagine if the top-level head of the State Department, the Secretary of State, was handling "subjects like defense and diplomacy" by using an out-of-date, unpatched mail server s

  • Keep critical systems off the internet. This way your only method of attack is an insider.

    Human laziness enabled this mess - and the UK and USA are fucking hotbeds of laziness and useless bloat.

    I say this as an American.

  • What basic IT security practices are they referring to? Everyone keeps saying that, but to me that sounds like a user that heard "someone from IT" use those words and then parrots them to everyone till it becomes fact.

    It would be nice, you know, on a technical site, to actually list somewhere what the referenced "basic IT security" steps to prevent this were IN THIS SPECIFIC INSTANCE.

    Not like generally, as some comments are doing. Was it everyone running as admin? Were they not running virus scanners? not seg
