Irish health service hit by cyber attack (opens in new tab)

It looks that the majority of recent ransomware is stealing and publishing private data, instead of blocking access to data. So DLP like solutions are required in addition to posture management.

I would like to also add: A system to lower privileges based on last use.

Companies often have IAM/ssh/keys all over the place. If you centralize things to IAM you can lower permissions based on their last use. EG. A frontend dev needs access to GCP to configure things in firebase. This frontend developer hasn't used these IAM permissions in 3 months. This persons IAM permissions should automatically have these permissions removed.

Probably one of the easiest yet most powerful thing to implement in cloud sec ops AND probably never done.

https://cloud.google.com/iam/docs/recommender-managing

Example script to automate it: https://github.com/james-ransom/auto-apply-gcp-iam-recommend...

It's easy to be healthy, just eat right, exercise more, sleep enough and lower your stress levels. Tadaa! The secret to being healthy!

You are both correct and incorrect. By following simple procedures you can likely stop the majority of ransomware attacks that have occurred recently, but that is because most of the ransomware attacks were likely done with a budget on the order of $1k-$10k since that is all you need to get a $1M payout from these organizations. No point in running a mission impossible style attack when walking in the front door works just as well.

The problem is that they are getting $1M payouts on a $10k budget. That is a staggering ROI of 100! If you could magically improve the security of every system on the market by 1000% you would wipe out the current forms of attack, but it would still be insanely profitable to run $100k attacks to get $1M payouts. To actually stop attacks from continuing to escalate exponentially at their recent pace of >100% per year that any VC darling would be proud to achieve, you need to make it cost more on average to attack than they can get.

We are literally orders of magnitude away from that in the average case at current returns. And even worse returns per attack keep escalating. Just 4 years ago during WannaCry the ask was $300 per computer which can be a painful chunk of change for an individual which is who most ransomware attacks were targeting before, but nothing for any company. They were attacking companies for ~$10k payout and still making enough money to expand their operations doing it.

As the focus has moved to industry the payouts have increased exponentially since there are many companies whose operations are so valuable that they are willing to pay millions or tens of millions or even hundreds of millions per day. At those payouts there are 0 commercial IT systems that can make attacks unprofitable. So, when those attacks become the ones with the best risk-adjusted ROI you better believe they will occur. And when the attackers have a $10M budget simple defenses and techniques that worked on $10k attacks will not work because the attackers will have literally 100,000% more resources at their disposal in much the same way that defenses that work against a rock thrown at 10 m/s do not work against a ICBM traveling 1000x faster at mach 30.

So yes, simple mitigations would stop the simple successful attacks now, but do not solve the actual problem that it would still be profitable to attack even if they were all implemented everywhere since payouts are so much higher than cost.

To be honest, it seems like a lot of part-time hobby projects created by single engineers have better security practices than whole government agencies.

The Critical Security Controls [1] are a good place to start. Alas, it's neither free or necessarily straightforward to implement them - which is why breaches persist.

[1] https://www.cisecurity.org/controls/cis-controls-list/

I would like to add a couple of ideas to the list.

* Also ensure your Production and DR do not use the same automation, or that there is full segmentation in your automation so that if automation goes sideways, or is compromised, your Production and DR are not simultaneously blown away or encrypted.

* If you can't keep backups offline, at least write them to a write-only destination and/or have an enforced vaulting policy that keeps {n} copies in multiple locations and can't even be deleted by super-users. Deletion must require multiple VP's using MFA to log into a thing and "turn a key" so to speak.

I typically work in situations where the entire data to be backed up (file storage, database) is on the order of 10-100Gb. The projects I’m working on don’t fit the high profile of a Colonial but I’d rather err on the side of safety.

Is there a service that could regularly fetch data from s3 or even connect to postgres, and regularly send a physical copy of the data by mail?

Does it make sense to offer airgapped backups as a service to smaller companies? Over mail?

> dial back on the automation and invest manual effort in airgapping the backups

Can we please call it The Department of Redundancy Department?

Jokes aside it seems that the DR, backups, and system images (i.e. installation including patches) that you mention are all related and it could make sense to dedicate a role or team to it. We split out things like networking and security into their own teams when we want them to be taken seriously.

Complete, tested tape backups would cure many, many ills. They're out of fashion, but..

So I don't have details on this specific case, but I did work in cybersecurity and can comment on the vast majority of similar cases I saw, including some which made the front page. Every single one I remember came from unpatched OS vulnerabilities for which the patch was already available.

Regular patching is necessary hygiene for corporate IT, but often the department is understaffed, or frankly told by management to prioritize shiny things instead.

We don't usually get those details published in the case of events, but as someone who's seen more ransomware than I want to admit to, nearly every case comes down to either a word macro, or a .js file inside a zip file. Both of which are easily blocked with a GPO.

These guys do a lot of honeypot writeups that are pretty consistent with my experience: https://thedfirreport.com/

My guess is that it's not mentioned because they don't know (yet).

A lot of places that get crippled by ransomware have outdated or underfunded IT departments (health care is particularly bad at this), so that kind of insight is barely on the table at the best of times.

Even when a postmortem is eventually done, companies don't want to have to admit the attack could have been prevented, or at least minimized, with better investment in security.

The media are keen to cover the story ASAP. It can take some time to do an investigation.

I had a hospital appointment this morning, physio said that the attack happened in one hospital and all IT systems were shutdown to prevent it spreading. They were back to paper to manage all appointments. She said the big issue was bed allocation, live count of available beds no longer available and people running between different departments to see if people can be admitted and/or ringing other hospitals to find available beds. Luckily ambulance and COVID vaccination systems not impacted.

Ransomware: another great feature of cryptography.

The crypto-revolution and its consequences were a disaster for the human race...

I have always understood that all payments were traceable with digital currencies. Am I wrong?

apparently the traceability of digital currencies is proving effective in tracking down criminals that might otherwise operate in just cash.

Ransomware: Another great "feature" of computers.

Said the medieval King:

Ransom: Another great "feature" of difficult-to-trace personal gold coinage

What you're actually saying is:

Bad thing: Another great "feature" of any kind of positive development in personal sovereignty

Or

Bad thing: Another great "feature" of any kind of progress

---

Progress comes with pitfalls. Sharp knives prepare food and also kill people.

You argument effectively reduces to: never innovate.

This was done before crypto currencies.

Ransomware: Another great "feature" of non-backdoored encryption.

See how silly you sound?

I believe that if all health records leaked tomorrow, the world would end up a better place.

Sure, someone might get more expensive insurance quotes or made fun of for having ADHD, HIV or acne treatment...

But I think that would be outweighed by health benefits by combing the data for correlations and causations that have been unidentified in the past. Being able to shut down things that are poisoning millions of people, but to such a minor extent it isn't immediately obvious, would have a big benefit for society.

it's actually an argument in favour of well-protected centralized collection. It's more probable that smaller entities arre less protected than bigger ones even if the data they can disclose is more limited.

Large institutions aren't solving their security problems by hiring a small clutch of FreeBSD elves.

They're hiring consultants to confirm that they've met the requirements of some checklist, which requirements may include "have a plan to fix this obvious problem.... someday. You do? OK, then you're fine". That's much cheaper and is 100% management-class controlled.

Snapshots, RAID, etc are not substitutes for backups

I tried to imagine, but my mind told me that a couple of millions would not prevent these issues. Did I imagine it wrong?

You would likely end up with better security. Would it be good enough to prevent breaches? Doubt it.

The difference is it is not the attacked company that is paying the ransom, typically. It an insurance agency. So the company that was compromised still only pays $X a month, which is probably less than any million-dollar investment.

I hope this train of thought becomes more mainstream.

Disclaimer: I dont really beleive this, however...

The information surrounding the current pandemic within Ireland is heavily scewed in one direction, there is no room for any questions, without being labled as something. What if, someone decided to check the information for themselves. Just a thought, [removes crazy hat made from tinfoil]

Well, it was either this or human trafficking.

And with ransomware you don't have to hear the crying of your victims.

Plus if you show mercy on someone people can identify with, like a single mom barely getting by, you can go on draining pensioner's bank accounts like your fucking Robinhood.

To be honest, at this point I'm in favour of attacks on all health services all the time, to drive home the point that acceptable long-term data protection in this kind of infrastructure doesn't exist and that all data will be stolen at some point, before everything is collected everywhere.

The less data is actually leaked and sold the better, of course, but societies and especially politicians don't seem to learn that easily.

(Usually) - Those cloud providers know what they're doing though and de-couple things as much as possible, reducing and entire system compromise. It's their bread and butter, I would much prefer them managing the systems than the HSE.

What if software development isn't the most technically challenging aspect of their operation? Say spaceX or a nuclear physics lab?

The first response will be to make laws to punish the perpetrators and to pass knee-jerk cybersecurity laws that create the illusion that something is being done.

The entire technology industry is built on a foundation of limited liability and has a tradition of being ok with defects (eh, it's a small bug). When do we get hardware that is guaranteed to perform and be safe, operating systems, languages and compliers that are safe? It's going to be very difficult to deal with liability in a strict sense. Who's at fault? The OS that had a bug, the library that made the syscall, the code that called the library, the script that ran the program, the network router that allowed the egress, or the user that pushed the button? (edit: fixed typo)

I have limited faith in our legislators to fix computer security.

It's the HSE no one's going to be held accountable; in fact someone will probably get a nice bonus this year for 'managing' the situation

OT: In my recollection that comic ends with the 'That's terrifying' panel. Does XKCD ever update comics or is that a new iteration?

1. It can only be an act of war if it was done by a nation state. Even though the US likes to declare war on abstract concepts like "drugs" and "crime", that is not how it works in international law.

2. Terrorism has similarly precise definitions, usually along the lines of "the act has to be in pursuit of political aims". Just because its a big and important target does not make it political, ransomware is an economic crime.

You’d think these attacks would be worth some tit for tat. If people and companies were physically raided by groups, the govt would likely take action. I’m not sure what the difference is. (And to those saying it’s not international law, that’s just made up anyways so I’m not sure why that’d matter now).