A detailed report of the 2021 ransomware attack against Ireland’s Health Services Executive lists some really bad security practices:
The report notes that:
The HSE did not have a Chief Information Security Officer (CISO) or a “single responsible owner for cybersecurity at either senior executive or management level to provide leadership and direction.
It had no documented cyber incident response runbooks or IT recovery plans (apart from documented AD recovery plans) for recovering from a wide-scale ransomware event.
Under-resourced Information Security Managers were not performing their business as usual role (including a NIST-based cybersecurity review of systems) but were working on evaluating security controls for the COVID-19 vaccination system. Antivirus software triggered numerous alerts after detecting Cobalt Strike activity but these were not escalated. (The antivirus server was later encrypted in the attack).
There was no security monitoring capability that was able to effectively detect, investigate and respond to security alerts across HSE’s IT environment or the wider National Healthcare Network (NHN).
There was a lack of effective patching (updates, bug fixes etc.) across the IT estate and reliance was placed on a single antivirus product that was not monitored or effectively maintained with updates across the estate. (The initial workstation attacked had not had antivirus signatures updated for over a year.)
Over 30,000 machines were running Windows 7 (out of support since January 2020).
The initial breach came after a HSE staff member interacted with a malicious Microsoft Office Excel file attached to a phishing email; numerous subsequent alerts were not effectively investigated.
PwC’s crisp list of recommendations in the wake of the incident as well as detail on the business impact of the HSE ransomware attack may prove highly useful guidance on best practice for IT professionals looking to set up a security programme and get it funded.
More Stories
Scam ‘Funeral Streaming’ Groups Thrive on Facebook
Scammers are flooding Facebook with groups that purport to offer video streaming of funeral services for the recently deceased. Friends...
Europol Taskforce Disrupts Global Criminal Network Through Supply Chain Attack
The suspected creator of Ghost, an encrypted communication platform allegedly used by organized crime groups worldwide, has been arrested Read...
Introducing LevelBlue’s 24/7 Managed Threat Detection and Response Service for Government
As new threat vectors emerge and cybercriminals leverage sophisticated technologies to orchestrate more targeted attacks, staying ahead of threats is...
AT&T Agrees $13m FCC Settlement Over Cloud Data Breach
Telco giant AT&T will pay the FCC $13m to resolve a cloud breach investigation Read More
CISA Issues Advice to Help Eliminate XSS Bugs
The US Cybersecurity and Infrastructure Security Agency is trying to eradicate cross-site scripting vulnerabilities Read More
The AI Fix #16: GPT-4o1, AI time travelers, and where’s my driverless car?
In episode 16 of The AI Fix, Mark and Graham meet GPT-4o1 and ask if it knows how many cousins...