A detailed report of the 2021 ransomware attack against Ireland’s Health Services Executive lists some really bad security practices:
The report notes that:
The HSE did not have a Chief Information Security Officer (CISO) or a “single responsible owner for cybersecurity at either senior executive or management level to provide leadership and direction.
It had no documented cyber incident response runbooks or IT recovery plans (apart from documented AD recovery plans) for recovering from a wide-scale ransomware event.
Under-resourced Information Security Managers were not performing their business as usual role (including a NIST-based cybersecurity review of systems) but were working on evaluating security controls for the COVID-19 vaccination system. Antivirus software triggered numerous alerts after detecting Cobalt Strike activity but these were not escalated. (The antivirus server was later encrypted in the attack).
There was no security monitoring capability that was able to effectively detect, investigate and respond to security alerts across HSE’s IT environment or the wider National Healthcare Network (NHN).
There was a lack of effective patching (updates, bug fixes etc.) across the IT estate and reliance was placed on a single antivirus product that was not monitored or effectively maintained with updates across the estate. (The initial workstation attacked had not had antivirus signatures updated for over a year.)
Over 30,000 machines were running Windows 7 (out of support since January 2020).
The initial breach came after a HSE staff member interacted with a malicious Microsoft Office Excel file attached to a phishing email; numerous subsequent alerts were not effectively investigated.
PwC’s crisp list of recommendations in the wake of the incident as well as detail on the business impact of the HSE ransomware attack may prove highly useful guidance on best practice for IT professionals looking to set up a security programme and get it funded.
More Stories
Quishing Attacks Jump Tenfold, Attachment Payloads Halve
The figures come from Egress’s latest report, which also suggests secure email gateways lag behind tech advancements Read More
Russia’s Sandworm Upgraded to APT44 by Google’s Mandiant
Mandiant has confirmed that Sandworm is responsible for many cyber-attacks against Ukraine has close ties with a Russian hacktivist group...
New Cyber-Threat MadMxShell Exploits Typosquatting and Google Ads
Zscaler also confirmed MadMxShell uses DLL sideloading and DNS tunneling for C2 communication Read More
Change Healthcare data for sale on dark web as fallout from ransomware attack spirals out of control
February's crippling ransomware attack against Change Healthcare, which saw prescription orders delayed across the United States, continues to have serious...
3.5 million Omni Hotel guest details held to ransom by Daixin Team
The international hotel chain Omni Hotels & Resorts has confirmed that a cyber attack last month saw it shut down...
Police smash LabHost international fraud network, 37 arrested
Police have successfully infiltrated and disrupted the fraud platform "LabHost", used by more than 2,000 criminals to defraud victims worldwide....