frankv
5680 posts

Uber Geek

Lifetime subscriber

  #2713208 26-May-2021 14:13

alasta:

 

It really scares me that IT departments seem to be running around telling people that there is no way that this dangerous single point of failure can be mitigated. 

 

 

They're not saying that. They work very hard to prevent/mitigate those attacks. They spend large amounts of money on malware scanners.

 

But it's always an artillery vs armour battle, and artillery always wins that in the end. Armour will defend you against the known, and perhaps expected, artillery. But it won't protect you against the novel, unexpected attack. After someone finds their armour is inadequate, everyone upgrades their armour. But there will always be someone in armour who loses. Malware scanners can only find *known* malware.

 

Yes, you can put on more and more armor, but that limits your own ability to do useful work. So you could probably prevent malware attacks entirely if you didn't allow people to open email attachments or plug in USB sticks, and disconnected your network from the Internet (except maybe email). And even then, people will try to find ways around the rules. But locking everything down reduces your capability enormously, so a calculated? risk has to be taken. Use a firewall to exclude as much of the Internet as possible, whilst allowing necessary services to get through. Run malware scanners and keep them up to date so that you're not vulnerable to any known malware.

 

 




networkn
Networkn
32349 posts

Uber Geek

ID Verified
Trusted
Lifetime subscriber

  #2713212 26-May-2021 14:31

A few years ago, all the focus was on prevention. Now those in the higher tiers of the IT security industry are saying prevention is important, but move to having a plan for *when* you are attacked.

 

It's a very hard conversation to have with a client or potential client. "we need to talk about what we do *when* you are attacked."

 

There is simply no reasonable way to protect *every* surface 100% in a business that needs to operate with internet access.

 

When I first started in IT, we had 2-3 surfaces to protect and usually, attacks were simple, crude and infrequent. Now people can attack mobile devices, email, gateways, photocopiers, IoT devices, and everything in between. Consider these attackers are extremely well resourced thanks to money from traditional criminal enterprises being moved to digital, plus all the money paid out in ransom.

 

I'd be interested to know how they escalated from a workstation presumably with limited admin rights, to the servers though (though this has not been specifically disclosed).

 

 


kiwifidget
"Cookie"
3413 posts

Uber Geek

Lifetime subscriber

  #2713214 26-May-2021 14:31

@frankv  you forgot - have a backup plan for when the steamy brown stuff hits the oscillating blades to return to business as usual as fast as possible. 





Delete cookies?! Are you insane?!




bagheera
539 posts

Ultimate Geek


  #2713224 26-May-2021 14:51

networkn:

 

A few years ago, all the focus was on prevention. Now those in the higher tiers of the IT security industry are saying prevention is important, but move to having a plan for *when* you are attacked.

 

It's a very hard conversation to have with a client or potential client. "we need to talk about what we do *when* you are attacked."

 

There is simply no reasonable way to protect *every* surface 100% in a business that needs to operate with internet access.

 

When I first started in IT, we had 2-3 surfaces to protect and usually, attacks were simple, crude and infrequent. Now people can attack mobile devices, email, gateways, photocopiers, IoT devices, and everything in between. Consider these attackers are extremely well resourced thanks to money from traditional criminal enterprises being moved to digital, plus all the money paid out in ransom.

 

I'd be interested to know how they escalated from a workstation presumably with limited admin rights, to the servers though (though this has not been specifically disclosed).

 

 

 

 

100% agree, and IoT devices are very scary things to have on your network - as a casino found out the hard way with a fish tank monitor.


frankv
5680 posts

Uber Geek

Lifetime subscriber

  #2713225 26-May-2021 14:51

kiwifidget:

 

@frankv  you forgot - have a backup plan for when the steamy brown stuff hits the oscillating blades to return to business as usual as fast as possible. 

 

 

Actually, have a *tested* recovery plan. I've known of several places where they found that, for whatever reason, they couldn't restore from the backups they took so assiduously. And of course they only discovered that at the worst possible moment. So, for example, a 1-hour job to replace a failed hard drive became several days of restore from last month's backup and scrape together whatever we can remember and figure out.
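
The restore test described in the post above can be automated. The following is an added example, not part of the original thread: it records a SHA-256 manifest at backup time, restores the archive into a scratch directory and reports every file that is missing or altered. The file names, sample data and the `make_backup`/`demo` helpers are constructed for illustration.

```python
import hashlib
import tarfile
import tempfile
from pathlib import Path

def build_manifest(root):
    """Map each file's relative path to its SHA-256, recorded at backup time."""
    root = Path(root)
    return {p.relative_to(root).as_posix(): hashlib.sha256(p.read_bytes()).hexdigest()
            for p in sorted(root.rglob("*")) if p.is_file()}

def verify_restore(archive, manifest):
    """Restore the archive into a scratch directory and list every discrepancy."""
    # Reject path-traversal members where the interpreter supports extraction filters.
    extra = {"filter": "data"} if hasattr(tarfile, "data_filter") else {}
    with tempfile.TemporaryDirectory() as scratch:
        try:
            with tarfile.open(archive) as tar:
                tar.extractall(scratch, **extra)
        except (tarfile.TarError, OSError, EOFError) as exc:
            return [f"archive unreadable: {exc}"]
        restored = build_manifest(scratch)
    problems = []
    for name, digest in manifest.items():
        if name not in restored:
            problems.append(f"missing: {name}")
        elif restored[name] != digest:
            problems.append(f"corrupt: {name}")
    return problems

def make_backup(files, archive):
    """Constructed sample data: write `files` to a temp tree, tar it, return its manifest."""
    with tempfile.TemporaryDirectory() as src:
        for name, data in files.items():
            path = Path(src, name)
            path.parent.mkdir(parents=True, exist_ok=True)
            path.write_bytes(data)
        with tarfile.open(archive, "w:gz") as tar:
            tar.add(src, arcname=".")
        return build_manifest(src)

def demo():
    """Results for a good backup, a damaged one and an unreadable one."""
    live = {"config/app.ini": b"mode=prod\n", "db/patients.csv": b"id,name\n1,A\n"}
    with tempfile.TemporaryDirectory() as work:
        good, bad, junk = (str(Path(work, n)) for n in ("good.tgz", "bad.tgz", "junk.tgz"))
        manifest = make_backup(live, good)
        make_backup({"db/patients.csv": b"id,name\n1,?\n"}, bad)  # one file lost, one altered
        Path(junk).write_bytes(b"this is not a tar archive")
        return (verify_restore(good, manifest), verify_restore(bad, manifest),
                verify_restore(junk, manifest))
```

Keeping the manifest somewhere the backup system cannot write to means a tampered archive cannot also rewrite the hashes it is checked against.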

 

 


BlinkyBill
1443 posts

Uber Geek
Inactive user


  #2713227 26-May-2021 14:57

Batman: This is very concerning. What will happen when we have one national everything.....

 

Why did this happen? Inadequate focus on prevention and restoration, due to low levels of investment by each of the 20 DHBs, and low levels of expertise in each of the 20 DHBs.

 

When there is a single everything, there will be a single and much better-qualified resource base to address the problem, and the investment will be able to be much better focused.

 

A national everything for New Zealand’s public health system is, in global terms, a small IT system, with a few hundred thousand connection points - peanuts in the wide scheme of things.


alasta
6701 posts

Uber Geek

Trusted
Subscriber

  #2713299 26-May-2021 15:17

frankv:

 

They're not saying that. They work very hard to prevent/mitigate those attacks. They spend large amounts of money on malware scanners.

 

But it's always an artillery vs armour battle, and artillery always wins that in the end. Armour will defend you against the known, and perhaps expected, artillery. But it won't protect you against the novel, unexpected attack. After someone finds their armour is inadequate, everyone upgrades their armour. But there will always be someone in armour who loses. Malware scanners can only find *known* malware.

 

Yes, you can put on more and more armor, but that limits your own ability to do useful work. So you could probably prevent malware attacks entirely if you didn't allow people to open email attachments or plug in USB sticks, and disconnected your network from the Internet (except maybe email). And even then, people will try to find ways around the rules. But locking everything down reduces your capability enormously, so a calculated? risk has to be taken. Use a firewall to exclude as much of the Internet as possible, whilst allowing necessary services to get through. Run malware scanners and keep them up to date so that you're not vulnerable to any known malware.

 

 

Thanks - that's a good plain English explanation.

 

I just have one dumb question; why can't corporate workstations be set up to limit the file types that can be opened on email attachments? i.e. allow the user to open an Excel file or PDF, but not a file with executable code? I'm pretty sure my laptop at home prompts for the administrator password before it will run any software that's not already installed.

 

Does the executable code somehow masquerade as something benign?


 
 
 

Beccara
1469 posts

Uber Geek

ID Verified

  #2713306 26-May-2021 15:37

Excel files, PDFs etc. all have code flaws that have been used to breach before. A rendering glitch in a PDF viewer, a macro in Excel that runs, etc. Pretty much every attachment type I can think of has had some sort of code execution flaw.





Most problems are the result of previous solutions...

All comments I make are my own personal opinion and do not in any way, shape or form reflect the views of current or former employers unless specifically stated 
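
The question and reply above concern attachments whose name says one thing and whose content says another, and documents that carry code of their own. The following is an added example, not part of the original thread: a mail-gateway style check that ignores the file name, identifies content by its leading bytes, and flags macro-enabled Office files and PDFs with active-content keys. The sample attachments are constructed, and the PDF key search is a simple heuristic.

```python
import io
import zipfile
from pathlib import PurePosixPath

MAGIC = [(b"MZ", "pe-executable"), (b"\x7fELF", "elf-executable"),
         (b"%PDF-", "pdf"), (b"PK\x03\x04", "zip-container"),
         (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2-legacy-office")]
EXPECTED = {".pdf": "pdf", ".xlsx": "zip-container", ".docx": "zip-container",
            ".xlsm": "zip-container", ".xls": "ole2-legacy-office"}

def sniff(data):
    """Identify content from its first bytes, never from the file name."""
    for magic, kind in MAGIC:
        if data.startswith(magic):
            return kind
    return "unknown"

def triage(filename, data):
    """Return a list of findings; an empty list means no check fired."""
    findings = []
    kind = sniff(data)
    ext = PurePosixPath(filename.lower()).suffix
    if kind.endswith("executable"):
        findings.append(f"content is {kind}")
    if ext in EXPECTED and EXPECTED[ext] != kind:
        findings.append(f"extension {ext} does not match content ({kind})")
    if kind == "zip-container":
        try:
            names = zipfile.ZipFile(io.BytesIO(data)).namelist()
        except zipfile.BadZipFile:
            names = []
            findings.append("zip container is malformed")
        if any(n.lower().endswith("vbaproject.bin") for n in names):
            findings.append("OOXML document carries a VBA macro project")
    if kind == "pdf" and any(k in data for k in (b"/JavaScript", b"/OpenAction", b"/Launch")):
        findings.append("PDF contains active-content keys")
    return findings

def sample_attachments():
    """Constructed samples: a mislabelled binary, a macro workbook, a plain PDF."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("xl/workbook.xml", "<workbook/>")
        z.writestr("xl/vbaProject.bin", b"\x00" * 16)  # placeholder, not a real macro
    return {"invoice.pdf": b"MZ\x90\x00" + b"\x00" * 60,
            "report.xlsx": buf.getvalue(),
            "notes.pdf": b"%PDF-1.7\n1 0 obj\n<< /Type /Catalog >>\nendobj\n"}
```

An empty result only means none of these checks fired; as the reply above points out, a well-formed document can still trigger a flaw in the viewer that opens it.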

  #2713322 26-May-2021 16:35

And if you do manage to make everything fool-proof, you will find that your organisation has managed to recruit a special type of fool who brings your endeavours to naught. And/or you have a highly-entitled senior manager who is both technically clueless and convinced of their own brilliance (an 'obliviot'), and who deliberately breaks the rules because they don't apply to them.

 

The only thing that works is multiple generations of backups on tape, with at least one generation off-site at all times, and with data restores from the backup tapes tested rigorously.
Backups to disk can be encrypted by ransomware - this is what I understand the Waikato DHB hackers are saying they have done, they may be truthful or lying - and are IMO to be considered useless for Business Continuity / Disaster Recovery.

 

The trouble is, tapes are expensive: they require people to load and unload them - even if only to toggle the write-enable tabs before they go back in the robotic tape library; the tape cartridges and tape drives are mechanical devices that wear out; you need a human-assisted or entirely-human tape inventory management system; if you have a lot of data, large robotic tape silos & their software are waaaay expensive.

 

But, you pays your money and you takes your choice: cheap, lucky & happy; cheap, unlucky and in a world of hurt; or expensive and safe but no way of ever satisfying the beanies that the money isn't wasted
😬


ezbee
2405 posts

Uber Geek


  #2713327 26-May-2021 17:16


Two French hospitals got hit in January.
A third narrowly avoided disaster when a vendor reported a crypto-virus RYUK and they found two of their own systems in the course of infection and took backups offline before it got to those, so they were able to restore.
https://www.france24.com/en/europe/20210216-cyber-attacks-hit-two-french-hospitals-in-one-week

 

Maybe as a loyal five eyes partner we can ask CIA nicely to see if they can decrypt our data, being friends it does not matter if they keep a copy.

 

It was said on RNZ that Waikato DHB had not been doing its yearly tests on its backup and restore systems.


Batman
Mad Scientist
29760 posts

Uber Geek

Trusted
Lifetime subscriber

  #2713330 26-May-2021 17:43

Is it possible to encrypt data such that if hacked it cannot be read?

  #2713337 26-May-2021 18:10

So they have no current backups of all data, or were the backups encrypted as well?

They are saying it could be months down the track before things have been sorted.

If anybody dies because the DHB did not follow security advice, could somebody be held criminally liable?





Ding Ding Ding Ding Ding : Ice cream man , Ice cream man


frankv
5680 posts

Uber Geek

Lifetime subscriber

  #2713346 26-May-2021 18:22

ezbee:

 

Maybe as a loyal five eyes partner we can ask CIA nicely to see if they can decrypt our data, being friends it does not matter if they keep a copy.

 

 

 

Surely you jest???

 

The CIA is an arm of the US government and friends only to them. And maybe not even them, if the Iran/contra deal is considered.

 

And the Privacy Commissioner would frown on the idea of giving our citizens' private info to a foreign government in exchange for any services.

 

Not to mention that the CIA might not want to disclose its (in)ability to decrypt to the world at large. And maybe they'd take the data, decrypt it, save it, then say "Sorry bro, couldn't read it".

 

 


Batman
Mad Scientist
29760 posts

Uber Geek

Trusted
Lifetime subscriber

  #2713365 26-May-2021 18:53

Would make a good PhD exercise though. Unlock our data, we give you a PhD ...


Oswold
1 post

Wannabe Geek
Inactive user


  #2713453 26-May-2021 23:57

Batman: Is it possible to encrypt data such that if hacked it cannot be read?


I too would like to know this?
If the data is encrypted at rest then if they did get the data all the private info would be encrypted and unreadable, technically speaking?
