UK's NHS Could Have Avoided WannaCry Hack With 'Basic IT Security', Says Report (theguardian.com)
An anonymous reader shares a report: The NHS could have avoided the crippling effects of the "relatively unsophisticated" WannaCry ransomware outbreak in May with "basic IT security," according to an independent investigation into the cyber-attack. The National Audit Office (NAO) said that 19,500 medical appointments were cancelled, computers at 600 GP surgeries were locked and five hospitals had to divert ambulances elsewhere. "The WannaCry cyber-attack had potentially serious implications for the NHS and its ability to provide care to patients," said Amyas Morse, the head of the NAO. "It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber-threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks."
Basic IT security, i.e. don't use Microsoft.
#DeleteFacebook
The problem is there are a lot of things under basic IT security and it is nearly impossible to checklist them all.
Health Care tends to be at least a decade behind in technology and implementing new technology is a big deal, because breaking a downstream system could cost someone's life. So there is nearly always a big queue of things that should be done that you just can't get business approval to do.
If something is so important that you feel the need to post it on the internet... It probably isn't that important.
Doctors who are independent contractors / have their own offices have to do their own IT. Other times they are stuck on old apps that may need ADMIN rights and even only run on Windows XP.
I wonder who got paid ££££ to come to THAT conclusion
Time for bed, said Zebedee - boing
"The Basics of Information Security, Second Edition: Understanding the Fundamentals of InfoSec in Theory and Practice" by Jason Andress
Basic IT staff. Seems the majority of workers have been outsourced; all that's left is some low level workers (change your keyboard level) and a few overworked admins who don't have any power to get the required changes past the pen pushers.
IT is seen as a low end job but when staff and patients rely on IT working it really should be a priority especially considering their push towards digitising everything.
From MS - SMB Ports 445/139 (TCP) & 137/138 (UDP) protection via regedit.exe:
Disable SMBv1 on the SERVER, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB1
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
Enable SMBv2 on the SERVER, configure the following registry key:
Registry subkey: HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters Registry entry: SMB2
REG_DWORD: 0 = Disabled
REG_DWORD: 1 = Enabled
Default: 1 = Enabled
---
Disable SMBv1 on the CLIENT, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi
sc.exe config mrxsmb10 start= disabled
Enable SMBv2 & SMBv3 on the CLIENT, run the following commands:
sc.exe config lanmanworkstation depend= bowser/mrxsmb10/mrxsmb20/nsi
sc.exe config mrxsmb20 start= auto
---
* The above is per https://support.microsoft.com/en-us/help/2696547/how-to-enable-and-disable-smbv1,-smbv2,-and-smbv3-in-windows-vista,-windows-server-2008,-windows-7,-windows-server-2008-r2,-windows-8,-and-windows-server-2012/
(THIS HAS BEEN PATCHED but you can protect this way too & it works...)
Not sure if this works in a "mixed-mode" network though (check MS link) using older Windows (e.g. XP/2000 etc.).
APK
P.S.=> For a SINGLE 'standalone' non-networked PC (no home network/LAN but TCP/IP connected online) turn off Server & Workstation services.
That shuts off any "handles" (port 445) this thing propagates thru + turn off NetBIOS over TCP/IP in your internet connection & uncheck/disable Client for Microsoft Networks + File and Print Sharing. Port 139 & 445 always pop up issues over time. It also makes your packet trains smaller (no encapsulation of LanMan)
I covered all this 11++ yrs. ago in a security guide I wrote for users with a single system & apparently, its advice STILL STANDS THE "TEST OF TIME" https://www.google.com/search?hl=en&source=hp&biw=&bih=&q=%22HOW+TO+SECURE+Windows+2000%2FXP%22&btnG=Google+Search&gbv=1/ vs. even today's threats like this one.
* This effectively makes this threat a non-issue + saves you CPU cycles/RAM & other I/O wasted on services you don't NEED as a single PC user only... & you don't. They're just wastes with a single PC really. Many services are (covered in guide above based on CIS Tool guidance (who took fixes to their ware from "yours truly" too, no less)) & again, no more encapsulated packet bulk.
AND?
Don't be STUPID & click on attachments in bogus malicious emails this thing propagates thru also (Chrome/Opera/Webkit users - BEWARE of the ShellControlFile issue that just popped up (.scf file) noted here-> http://www.theregister.co.uk/2017/05/17/chrome_on_windows_has_credential_theft_bug/ ) ... apk
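The registry and sc.exe steps quoted from the Microsoft KB above, as a single PowerShell script that first audits the SMBv1 state, then applies the same server and client changes, plus an optional function for the standalone-PC case (stop Server/Workstation, disable NetBIOS over TCP/IP). This is an added example, not code from the post above or from Microsoft. It assumes an elevated prompt, PowerShell 5.0 or later (for the StartType property) and Windows 8 / Server 2012 or later for the Get-SmbServerConfiguration, Get-NetTCPConnection and Disable-WindowsOptionalFeature cmdlets; on older releases those calls are skipped and only the KB's registry and sc.exe changes are made. The client-side change and the registry value take effect after a reboot.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post): audit and disable SMBv1 the way the
# quoted KB does, then verify. Registry path and sc.exe syntax are the KB's own.
$LanmanParams = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'

function Get-Smb1State {
    # Returns a hashtable describing the server and client SMBv1 state.
    $state = [ordered]@{}

    # Server side: a missing SMB1 value means "enabled" (KB: default = 1).
    $v = Get-ItemProperty -Path $LanmanParams -Name SMB1 -ErrorAction SilentlyContinue
    $state.ServerRegistry = if ($null -eq $v) { 'enabled (default, value absent)' }
                            elseif ($v.SMB1 -eq 0) { 'disabled' } else { 'enabled' }
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        $state.ServerEnableSMB1Protocol = (Get-SmbServerConfiguration).EnableSMB1Protocol
    }

    # Client side: mrxsmb10 is the SMBv1 redirector driver; "Disabled" means the
    # workstation no longer speaks SMBv1 outbound (KB's sc.exe change).
    $drv = Get-Service -Name mrxsmb10 -ErrorAction SilentlyContinue
    $state.ClientMrxSmb10StartType = if ($drv) { [string]$drv.StartType } else { 'driver not present' }

    # Is anything listening on 445 at all? Relevant for the standalone-PC case.
    if (Get-Command Get-NetTCPConnection -ErrorAction SilentlyContinue) {
        $state.Port445Listening = [bool](Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue)
    }
    return $state
}

function Disable-Smb1 {
    # SERVER: the KB's registry value (LanmanServer\Parameters\SMB1 = 0).
    Set-ItemProperty -Path $LanmanParams -Name SMB1 -Type DWord -Value 0
    # Newer releases expose the same switch as a cmdlet; use it too when present.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }

    # CLIENT: identical to the KB's two sc.exe commands. sc.exe is used directly
    # because Set-Service cannot edit a service's dependency list.
    & sc.exe config lanmanworkstation depend= bowser/mrxsmb20/nsi | Out-Null
    & sc.exe config mrxsmb10 start= disabled | Out-Null

    # Windows 8.1 / Server 2012 R2 and later also ship SMBv1 as an optional
    # feature; removing it keeps a later "repair" from switching it back on.
    if (Get-Command Disable-WindowsOptionalFeature -ErrorAction SilentlyContinue) {
        Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart `
            -ErrorAction SilentlyContinue | Out-Null
    }
}

function Disable-FileSharingStack {
    # ONLY for a single, non-networked PC (the post's P.S.): no file/print
    # sharing, no domain logon, no mapped drives will work afterwards.
    foreach ($svc in 'LanmanServer', 'LanmanWorkstation') {
        Stop-Service -Name $svc -Force -ErrorAction SilentlyContinue
        Set-Service  -Name $svc -StartupType Disabled
    }
    # NetBIOS over TCP/IP off on every interface: NetbiosOptions 2 = disable
    # (0 = use DHCP setting, 1 = enable). Closes 137/138/139.
    Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Services\NetBT\Parameters\Interfaces' |
        ForEach-Object { Set-ItemProperty -Path $_.PSPath -Name NetbiosOptions -Type DWord -Value 2 }
}

Write-Host 'Before:'
Get-Smb1State | Format-Table -AutoSize
Disable-Smb1
Write-Host 'After (client-side change and registry value take effect on reboot):'
Get-Smb1State | Format-Table -AutoSize
# Disable-FileSharingStack   # uncomment on a standalone PC only
```

Disabling SMBv1 removes the protocol EternalBlue-style attacks need to reach the host, but it is a mitigation rather than a substitute for the MS17-010 update the post says has been released: a patched host with SMBv1 still on is still exposed to any future SMBv1 bug, and an unpatched host with SMBv1 off still has the vulnerable code on disk. Do both, and on a mixed network with XP/2000 machines expect those older clients to lose access to the shares once SMBv1 is off, as the post's caveat notes.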
It took the NHS a few days to recover, ask TNT how long it took them.
"basic IT security best practice." what? It's either basic practices or best practices, it can't be both.
Can't say I'm particularly surprised as it seems like the only government-run places where you'll see even halfway decently managed IT is in agencies that handle state secrets relating to subjects like defense and diplomacy. Everywhere else IT tends to be thoroughly mismanaged due to incompetent management, interference from non-IT management, insufficient budget to do the job properly or a combination of these.
Not that using XP, an OS known to be thoroughly insecure by design, after official support ended helped matters. You'd have hoped that they would have at least migrated to Windows 7, which is a massive step forwards in terms of security, but it seems like there was a massive organizational failure for the NHS to have found themselves with their pants down like this.
"Why should I want to make anything up? Life's bad enough as it is without wanting to invent any more of it."
> So there is nearly always a big queue of things that should be done that you just can't get business approval to do.
Which leads ultimately to outsourcing and service based view on the IT. If the business experts don't understand accounting, physical security, cleaning or legal services, they buy those from the providers as well. Then they can fulfill any compliance requirements to the monitoring authorities or courts, whatever they might be.
The spooks at GCHQ want to monitor everyone else. Meanwhile, Amber Rudd admits she doesn't understand encryption and the government cannot even protect its own data.
> it seems like the only government-run places where you'll see even halfway decently managed IT is in agencies that handle state secrets relating to subjects like defense and diplomacy.
You might be surprised at the crap you see at those agencies too. "Defense and diplomacy" you say, so for example the State Department. Can you imagine if the top-level head of the State Department, the Secretary of State, was handling "subjects like defense and diplomacy" by using an out-of-date, unpatched mail server set up in her house by some idiot whose education in the field consisted of asking basic questions on Reddit, a guy who apparently couldn't even be bothered to read the manual? Yeah, that's the IT security we get for " state secrets relating to subjects like defense and diplomacy".
LOL no all these 'ransomware' outbreaks can be prevented 100% with one simple trick: NOT BEING STUPID. Sadly people are stupid and they're getting more stupid as time passes, not smarter, so they're falling for stupider and stupider tricks, then crying and whining about how unfair it is that they've been taken advantage of. People working in the healthcare industry tend to be even more stupid because they're overworked and chronically sleep deprived.
Hands up those who have had patches cause no outage?
Unqualified individuals are just throwing medical equipment on the internet? Not only on the internet you say, but without being behind a router?
Of course hospitals are. Hospitals have been for decades. This is a hiring issue, not a security issue.
> Which leads ultimately to outsourcing and service based view on the IT. If the business experts don't understand accounting, physical security, cleaning or legal services, they buy those from the providers as well. Then they can fulfill any compliance requirements to the monitoring authorities or courts, whatever they might be.
It doesn't solve the fundamental problem, which is that a lot of medical software is sold with some very specific system requirements and they're not certified to work on anything else. Part of it is that the liability is huge, part of it is that the vendors know they got the clients over a barrel. So you got a hodgepodge of outdated and obsolete configurations and it's not like a hospital will shut down a million dollar MRI machine or operating theater equipment simply because the OS is out of support or only supports SMBv1. You can red-flag it in a compliance report but unless there's actually money in the budget for a replacement system it's just CYA documentation. Worse yet if the product is EOL or the vendor has quit or if the new system is such a big change it's not really an upgrade anymore.
Microsoft actually used to be best in class here with their 5+5 support on client desktops. With their new "life of device" who knows, as vendors tend to not give a shit when the warranty has expired. But I think there will be a demand for like really long term support, I mean XP lived for well over 10 years and Win7 is still king of the hill, if only you got security patches I think many could run the same OS for decades. Particularly in a business context where you might only run a few vertically integrated applications and the OS is almost invisible.
Live today, because you never know what tomorrow brings
Keep critical systems off the internet. This way your only method of attack is an insider.
Human laziness enabled this mess - and the UK and USA are fucking hotbeds of laziness and useless bloat.
I say this as an American.
Still waiting on Serviscope_minor to wake up to fucking reality and realize that Jessica Price isn't going to fuck him.
What basic IT security practices are they referring to? Everyone keeps saying that, but to me that sounds like a user that heard "someone from IT" use those words and then parrots them to everyone till it becomes fact.
It would be nice, you know, on a technical site, to actually list somewhere what the referenced "basic IT security" steps to prevent this were IN THIS SPECIFIC INSTANCE.
Not like generally, as some comments are doing. Was it everyone running as admin? Were they not running virus scanners? Not segmenting the network? Patching too slow (obviously!)? I mean if it's a report on this, can we get more specifics? That would be the interesting part! Not just people shit talking different departments. An actual technical discussion would be nice.
Maybe next article...
As a potential lottery winner, I totally support tax cuts for the wealthy
What they needed was clean closets for storing things. If they had only hired creimer - he works for pennies, too! - their IT closets would have been the envy of the industry.
And I think we all know that with clean IT closets, these hacks are next to impossible.
Just one more disaster that could have been prevented by an IT miracle worker.
It isn't that people are now more stupid, it is that more stupid people have access to technology.
But, "Basic IT Security" costs MONEY.
Can't have that now can we. It cuts into the CIO's bonus.
> So you got a hodgepodge of outdated and obsolete configurations and it's not like a hospital will shut down a million dollar MRI machine or operating theater equipment simply because the OS is out of support or only supports SMBv1.
It does sound like they could use some IT support, or take the liability hit when they lose patients over avoidable technical issues or sanctions over a review. They are out of business anyway if they can't pay their liability insurances. Doctors and nurses are trained to understand hygiene and dealing with immunodeficient patients, so maybe the jump to understanding data hygiene and how to interact with obsolete information systems wouldn't be such a large issue.
Wrong: Above, my P.S. allows LAN use (but not in "mixed mode" environs, as it notes (older Windows OS only SMB1 & no SMB2/3)).
APK
P.S.=> Funny thing here is you need to learn to read & how to network (hope this taught you part of it)... apk