Ransomware keeping cops, NHS and local UK gov bods awake at night

Cybersecurity bods at the Met Police, NHS and the Local Government Association in the UK believe ransomware will be one of the biggest threats facing the British public sector next year. Speaking at the Cyber Security in Healthcare event at the UK Health Show in London, the public sector heads discussed the predicted …

  1. HmmmYes

    OK, this is simple.

    How many computers does your organisation have?

    What OS does each run?

    What computers are connected to the internet?

    Find the answers to those simple 3 questions or, better, have an automatic tool that's tracking all of the above, and you'll be in a position to start managing and securing your infrastructure.

    If you cannot answer those then sack your C suite and pull the internet connection.

    1. rmason

      They know the answers to all those questions. They just don't have the time or cash to sort it.

      I was involved with our local NHS trust doing the windows seven rollout.

      All such projects end the same way. A total windows seven rollout turns into a windows 7 rollout in 80% of cases, with 20% being frantically rolled back because applications X,Y and Z don't work any more, critical web based services 1 and 2 don't work properly etc etc.

      It's all well intentioned, and it seems simple to those who have done such things in the past. Dealing with a couple of decades of reliance on certain things, decades of bodges and corner cutting and decades of things becoming just bespoke enough to never work again if moved from XP/Vista/Whatever. A few years of "well we stopped paying for support on that" or "Bob got fired and only he knows where that is/how that works."

      It turns an OS rollout into a nearly impossible task. AFAIK north notts NHS trust is still not fully windows seven, and my contract with them doing the rollout was now over three years ago.

      It's alright saying "bin it if it doesn't work" but these are hospitals and GPs (or the rozzers). Doing so means things like X-rays, surgeries and emergency treatments grind to a halt. The reality is you roll back in those cases and then the *new* generation of bodges, work-arounds and corner cutting begins.

      All of which means the next lucky few who get to do the next upgrade will face exactly the same issues all over again, only now another 5-10 years has passed.

      Hurrah.

      1. goldcd

        I do understand the complexities

        But cannot believe it's as hard as it's made out (i.e. impossible).

        Does the machine need to be connected to the internet? What does it actually need to connect to? What are the programs blocking? Can they be replaced, run server-side etc.

        e.g. That computer running bespoke MRI software that refuses to leave Windows 95. It needs to connect to the MRI, it needs to be able to get software updates installed (but just locally and only with admin access) and it needs a one-way path to get images out onto something that can be secured.

        Backups. Assuming machines can't be upgraded/secured and important stuff really is stored locally - why isn't this stuff backed up? You hit a problem, you roll back.

        Then looking forward, what rules can be put in place to prevent future debt building?

      2. Lysenko

        re: Bob got fired and only he knows where that is/how that works...

        That's a common one. Livestock Control (a.k.a. HR) like to serenely pontificate that "No-one is irreplaceable" but as a practical matter in the real world that platitude is worth about as much as their CIPD coffee mugs. People are frequently irreplaceable[1]. So much so that making them redundant and then being forced to hire them back as consultants on double salary doesn't even raise eyebrows. Just because "overhead" staff (like the C suite and LC) can be freely swapped around with minimal detrimental side effects it does not follow that the same applies to specialists with domain specific knowledge.

        [1] Yes, that's "fall under a bus" risky and ideally it shouldn't happen. In other news: smoking is bad for you, always wear a condom and don't run with scissors. Back in the real world.....

      3. HmmmYes

        I don't think they do, not 100%.

        OK, now we've IDed all the boxes.

        Now we need to audit the software.

        What software do we use?

        What version have we deployed?

        Is it in support?

        You got to iterate to find this stuff out.

        It would help if orgs kept a register of software that is being put on machines. But, hey!, let's live with the world and all its failings.

        Then you need to start:

        Do we need this software?

        Is it in support?

        Can it be moved/ditched/?

        As far as time and money goes. NHS is a big org with lots of money. The idea with software is you can use the computers to manage the software. If it needs warm bodies to maintain you've just entered into the world of 'make work IT'.

        A lot of UK public sector spend time and money and throw lots of medium paid, high pension people at problems rather than throw a single high paid person. You don't save money in the end.
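        As an added illustration, not code from the thread or from any NHS or police system: the three box questions and the software audit above amount to keeping a register and querying it. The script below holds one as a CSV (every hostname, OS, date and product name in it is constructed for the demo) and answers the audit questions with awk: how many machines, which OS each runs, which are out of support, which out-of-support boxes are also internet-exposed (the ones needing compensating controls first), and which software products are past support. "Today" is passed in as a parameter so the checks are repeatable.

```shell
#!/bin/sh
# Added example, not from the thread: a minimal asset/software register as a
# CSV file and the thread's audit questions answered over it with awk.
# Every host, OS, date and product name below is constructed for the demo.
set -eu

# build_demo_register FILE: write the constructed register.
# Columns: host,os,os_support_ends,internet_exposed,software,sw_support_ends
build_demo_register() {
    cat > "$1" <<'EOF'
host,os,os_support_ends,internet_exposed,software,sw_support_ends
ward3-pc01,Windows 7,2020-01-14,n,ClinicalApp 4.2,2018-06-30
mri-console,Windows 95,2001-12-31,n,MRIControl 1.0,2003-01-01
recept-01,Windows XP,2014-04-08,y,WebBrowser 9,2016-01-12
admin-05,Windows 10,2025-10-14,y,OfficeSuite 2016,2025-10-14
EOF
}

# count_hosts FILE: how many computers the organisation has on the register.
count_hosts() { awk -F',' 'NR>1 && NF {n++} END {print n+0}' "$1"; }

# os_summary FILE: how many hosts run each OS, as "os,count" lines.
os_summary() {
    awk -F',' 'NR>1 {c[$2]++} END {for (o in c) print o "," c[o]}' "$1" | LC_ALL=C sort
}

# unsupported_os FILE TODAY: hosts whose OS left support before TODAY.
# Dates are YYYY-MM-DD, so plain string comparison orders them correctly.
unsupported_os() {
    awk -F',' -v today="$2" 'NR>1 && $3 < today {print $1}' "$1" | LC_ALL=C sort
}

# unsupported_exposed FILE TODAY: the subset of the above that is also
# internet-exposed. These need compensating controls (segmentation,
# allow-listing, monitoring) first, or should come off the network.
unsupported_exposed() {
    awk -F',' -v today="$2" 'NR>1 && $3 < today && $4 == "y" {print $1}' "$1" | LC_ALL=C sort
}

# unsupported_software FILE TODAY: "host,software" for products out of support.
unsupported_software() {
    awk -F',' -v today="$2" 'NR>1 && $6 < today {print $1 "," $5}' "$1" | LC_ALL=C sort
}

# --- demo run over the constructed register ---
REG="${TMPDIR:-/tmp}/register_demo.$$.csv"
build_demo_register "$REG"
echo "hosts: $(count_hosts "$REG")"
echo "per OS:"; os_summary "$REG"
echo "OS out of support on 2017-11-01:"; unsupported_os "$REG" 2017-11-01
echo "...and internet-exposed:"; unsupported_exposed "$REG" 2017-11-01
echo "software out of support on 2017-11-01:"; unsupported_software "$REG" 2017-11-01
rm -f "$REG"
```

        The register is deliberately a flat file that any asset tool can export to; the point is that once the columns exist, "is it in support?" and "is it exposed?" become queries rather than a trawl.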

        1. rmason

          "the NHS is a big org, with lots of money"

          Some trusts in the NHS spunk their entire yearly budget for certain things, within the first quarter of the year.

          There's loads of cash sloshing around, but that doesn't mean it's available to internal I.T for things like planning, testing and security etc.

        2. JohnMurray

          The NHS is a lot of small organisations.

          Operating alongside a lot of private providers.

          The private providers have new equipment, some of them, some have inherited ex-NHS equipment and staff.

          The departments running maintenance and upgrades are under-staffed, under-funded and over-stressed.

          That is, if that particular healthcare organisation has any in-house staff. Most are moving to external contracts and TUPE-ing their existing staff... those that want to stay, that is!

          Locally, the hospital is joining in a partnership with another area hospital. None of their IT is compatible. You'd be surprised exactly how much is networked via people talking to each other over landlines!

          Then of course there is the ever-thorny problem of external contracts ending, and new ones starting, during which the new contractor fully realises the extent of the problem they're facing........

          Oh yes. This is fun. NHS style.

          Decades of non-joined-up non-thinking and under-funding....

      4. Anonymous Coward

        Un-patchable systems need compensating controls; hardened, locked-down, white-listed from a behaviour perspective, increased segmentation and monitoring and if you can't do that then I'd suggest they are a bigger risk to the org than not having them in the first place.

    2. Anonymous Coward

      Would be nice to have the staff to do this, but NHS-wide IT is viewed as an add-on expense until something stops working, and departments are stick thin (ratios of 100-150 staff to IT).

      We are struggling to keep up with the day to day, let alone the new initiatives coming from on high, which require complete changes of working.

      Meantime the deskside support queue gets longer, the devices get more out of date, and did someone say it was Patch Tuesday again?

      AC as a man has to work in the NHS

  2. rmason

    Next year..

    Next year is a massive risk point, because it's at that point they expect the chewing gum, masking tape and spit they have "fixed" their security with, will start falling off.

  3. Anonymous Coward

    'The Digital World has gone at a steep curve'

    * Sure, but what hurts more is that Police, Government, Bureaucrats have gone backwards and are 100% blind to it. Watch Secrets-of-Silicon-Valley or ask anyone who's suffered online fraud and reported it to the police....

    * Result? Politicians, Police, Legislators are still debating it. They were asleep at the wheel over Ransomware, and are now just playing 'ass covering' games or catch-up for elected official's 'elite friends' that got burnt!

    1. Anonymous Coward

      Re: 'The Digital World has gone at a steep curve'

      The interesting thing here is that the Cyberrozzer-in-chief confidently tells us "every year the key cyber threat has changed significantly. But next year, I confidently predict that the threat will be the same as this year's".

      How convincing does that sound?

      1. Anonymous Coward

        Re: 'The Digital World has gone at a steep curve'

        The interesting thing here is that the Cyberrozzer-in-chief confidently tells us "every year the key cyber threat has changed significantly. But next year, I confidently predict that the threat will be the same as this year's".

        How convincing does that sound?

        I must confess, that comment from plod raised a snort of derision in our office too. However, at my most generous, I think that he simply didn't express himself clearly. It's possible that "more of the same" from the original quote meant "will keep changing", especially considering that later on in the article he is quoted as saying that what worries him most is not knowing what the next big threat will be.

        However his choice of wording is poor at best. The quote "Don't write so that you can be understood, write so that you can't be misunderstood." is especially applicable here.

  4. Anonymous Coward

    HR

    HR are the biggest threat to security. Ransomware just finishes the job they prepared the company/organization to do badly at with all their cuts!

  5. John Smith 19 Gold badge

    Ransomware --> f**ked without known good working backups.

    So, maybe make sure you really can restore all that data?

    And test it on a regular basis, so you know you can keep on doing it?

    Remember, a fully working backup means if it all goes pear-shaped you always have another shot at fixing s**t.

    And never having to grab ankles and grease cheeks for malware scum.

    1. rmason

      Re: Ransomware --> f**ked without known good working backups.

      In your ideal world that's fine.

      Have you any idea what testing backups would involve for, say, greater Manchester police? Or any NHS trust?

      If you think these folks have the cash for things like resiliency, backup and failover servers, spare servers etc then think again. They largely don't.

      In my experience of the NHS there's zero chance of testing backups, zip. The live systems are the only place they can be tested, and for pretty obvious reasons they don't like to lose them for the required time. If you want to test backups for "department A" then there isn't access to machines/servers/networking stuff on which to restore any data, apart from the ones they are sat using.

      Then you have the mish-mash of systems, some are entirely internal, some are centralised, and cannot be touched by the grunts at trust level. Good luck testing all that stuff properly, or having any control over it at all.

      We all know how to do it, and how it should be done, but I'm telling you with these massive public sector things that things are so badly done, and have been for so long, you've got no chance.

      I used the word "impossible" in an earlier post, and stand by it.

      1. Anonymous Coward

        Re: Ransomware --> f**ked without known good working backups.

        I work in the NHS, we test our restoration process every 6 months. For every server? No, but on a rolling schedule, and the process is identical for them with the products we use. We also do full bare metal restores on a 6 months basis so the staff are confident and practised at doing it.

        It used to be every quarter but frankly that was overdoing it.

        Is this unusual? Possibly but I won't tar all of the NHS IT departments as useless based on your own sole experience, just as I won't claim they're all doing a competent job like mine.

  6. Anonymous Coward

    Sod off

    Load of tripe. We're local government and ransomware is just another thing. The police and NHS worry because they have to run vulnerable systems quite extensively. The press like to FOI us and make a big deal of ransomware (90% of authorities hit etc) but really they're little worse than any other bit of malware.

    3 incidents in the last 3 years might sound bad but in reality those three incidents caused no disruption, no loss of data and the affected machines were back in service in hours.

    We've defence in depth, user awareness training, a good set of tested backups and incident plans that have been developed and tested as well.

    We're bloody tired of getting tarred with the same brush as the NHS.

    1. Anonymous Coward

      Re: Sod off

      "We're bloody tired of getting tarred with the same brush as the NHS."

      Ah, don't worry, before long you'll be Crapita'd off to India like the rest of local government.

  7. John H Woods Silver badge

    Quick and dirty interim solution

    1. Add a server with its own private storage to the network share and regularly copy changed files in the network share to the private storage.

    Something like rsync --backup --suffix `date +%Y%m%dT%H%M%S` network_share private_storage

    2. Image disks of client machines whose function is important

    Once you have these in place, you start a strategic review of ransomware strategy.

    1. Anonymous Coward

      Re: Quick and dirty interim solution

      Not a bad idea in some ways, until you hit "strategic review".

      Every time I see the words "strategic review" in the NHS (hence AC) I die a little inside.

      1. Anonymous Coward

        Re: Quick and dirty interim solution

        "Not a bad idea"

        It's a terrible idea because you're naively copying around clinical data containing the most sensitive personal information with no heed paid to audit, retention or access control.

        1. John H Woods Silver badge

          Re: Quick and dirty interim solution

          "It's a terrible idea because you're naively copying around clinical data containing the most sensitive personal information ..."

          With respect, data that is already on a simple network share of the type that is most vulnerable to a ransomware infected client encrypting the lot is already stored "... with no heed paid to audit, retention or access control."

          Nothing to stop you using an encrypted FS for the private storage. But even if you don't you're hardly increasing your exposure any more than having a secondary backup system.

  8. Anonymous Coward

    and...

    ...there's your problem

    "Speaking at the Cyber Security in Healthcare event in London, the public sector heads"

    They probably didn't take anyone technical with them. Only the "Heads" and/or "Directors" get to go to talk buzzword bullshit. Then come back and say to IT "We're out sourcing you to the cheapest bidder".

  9. c1ue

    Ransomware isn't just spray and pray

    There are actually at least 2 different types of ransomware attacks:

    1) The email phishing/fishing hole web site type

    This is what most people think ransomware is

    2) The manual hack then encrypt

    This is what happens with a lot of SMBs

    3) The 3rd party vendor attack

    Wannacry, notPetya, and more are examples of this

    Backups help, but manual hackers will poison the backups first, then encrypt the primary targeted systems. Orgs then have to play the game of: how complex a backup/failover scheme has to be.

    Again, don't mistake the mass, low hanging fruit type attacks (Wannacry) with what is to come as the Eldorado of cyber crime will continue to yield treasure (ransomware).

  10. Winkypop Silver badge

    "We need to make sure [good security practice] is everyone's responsibility,"

    Best be careful who you get in to advise your staff:

    https://www.theregister.co.uk/2017/09/26/deloitte_leak_github_and_google/
