Slashdot Mirror

← Back to Stories (view on slashdot.org)

UK's NHS Could Have Avoided WannaCry Hack With 'Basic IT Security', Says Report (theguardian.com)

Posted by msmash on from the calling-out dept.

An anonymous reader shares a report: The NHS could have avoided the crippling effects of the "relatively unsophisticated" WannaCry ransomware outbreak in May with "basic IT security," according to an independent investigation into the cyber-attack. The National Audit Office (NAO) said that 19,500 medical appointments were cancelled, computers at 600 GP surgeries were locked and five hospitals had to divert ambulances elsewhere. "The WannaCry cyber-attack had potentially serious implications for the NHS and its ability to provide care to patients," said Amyas Morse, the head of the NAO. "It was a relatively unsophisticated attack and could have been prevented by the NHS following basic IT security best practice. There are more sophisticated cyber-threats out there than WannaCry so the Department and the NHS need to get their act together to ensure the NHS is better protected against future attacks."

2 of 59 comments (clear)

  1. Re:No shit Sherlock by DivineKnight · · Score: 3, Insightful

    But security costs money!

  2. Re:Basic IT security by bsDaemon · · Score: 4, Insightful

    I know it is fashionable to bust on MS -- always has been here. I will say that from a security standpoint (if not a privacy standpoint, which is related but not the same), they have gotten better. That aside, the fact remains that if you don't do the first 5 of the CIS critical security controls, doing the remaining 15 doesn't really matter.
    https://www.cisecurity.org/con...

    Of course throwing blinkin-light boxes, doing pen tests, etc. is all the "sexy" parts of security, but here's the deal -- MS patched the vuln over a month before WannaCry hit and the crisis could have been averted by asset control and patch management before any signatures were released either for the vulnerability itself, or for specific threats such as WannaCry.

    Within a day of ShadowBrokers dumping the haul which contained EternalBlue, nearly everyone in the security field that was paying attention understood that a patch already existed, MS had released it without fanfare as they usually do for this sort of thing, and that due to lack of attribution in the release notes that it was almost certainly NSA working on it with MS once they had reason to believe that EternalBlue was taken and would be burned by SB.

    So, yeah "Don't use Microsoft" -- but if you go around not patching RedHat, you're not actually going to be that much better off. Unpatched software is still unpatched software, email has the quality of turning local exploits into remote exploits, and office workers whom you stick on an Ubuntu or RedHat box are still going to click whatever they're going to click. DAC and the Unix permissions model only goes so far, and most sites I've worked at have a tendency to have a "disable SELinux because it's hard and we're lazy" item in their deployment guide.

    No one thing is the end-all/be-all of security. Layered defense and understanding that it is a constant arms race wherein blue team isn't likely to prevent a dedicated adversary from gaining a foothold but needs to do what is possible to increase the cost of success and extend operational time for the attacker to increase the likelihood of detection before exfiltration or destruction of data is it.