
Re: [LUG] nhs cyber attack

 

On Friday 12 May 2017 17:37:12 daniel Phillips wrote:
> https://www.theguardian.com/society/2017/may/12/hospitals-across-england-hit-by-large-scale-cyber-attack

Bringing it closer to home Derriford has been hit.

https://www.plymouthhospitals.nhs.uk/latest-news/computer-problems-2055

Been following it all afternoon (in between work of course - cough).

For clarity this is definitely not just the NHS. They just seem to have been 
particularly badly hit. I suspect being a large established organisation with 
legacy IT and established incident reporting procedure they are just getting 
it slightly worse, and confessing their sins more quickly.

Whilst I agree Linux distros are not immune to this type of thing, this 
specific one is Windows only.


What should have been done is "NOT HELPFUL". As is gloating "not Linux".

Nor is casting blame helpful, we can assign blame in a few weeks when this is 
fixed.


What can be done.

Upgrade Windows boxes - just needs to run the updater for supported OSes - for 
private boxes just make it the default to upgrade itself when it can.

Disable SMB v1 - very few organisations have a business need for the affected 
protocol. Windows admins tell me it can be disabled by group policy.

Segment networks further. Either physically, or logically. Again client to 
client SMB can be disabled by group policy according to those lovely Windows 
Admins, that is something you can likely do quicker than physical network 
changes - be careful not to cut off the client to server connectivity you need.

Have backups and test them.

Have AV software and have it be up to date, probably wouldn't have stopped the 
outbreak, but it'll be detecting it by now. Martijn can probably tell us who 
spotted it based on similarities to earlier versions of Wanna Crypto, and who 
had to rush out updated signatures.


Whilst I'm joining the chorus of "upgrade" as it is the easiest way to 
mitigate the SMB spread, anyone who says "they should have upgraded already" 
will be required to provide documentary proof they have upgraded all their 
operating systems, phones, routers, smart TV, tablets (I can't and I'm paid to 
be more paranoid than most - okay all my desktops, work phones, router, and 
tablets with supported Android are patched, but the rest of it is a mess).

I believe there is also some server to client stuff going on, so all those file 
servers need updating too, and all those clients, and missing one may be 
fatal. Which suggests upgrading alone will not be enough; upgrade, segment, 
backup, test.

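The "disable SMB v1" and "segment client-to-client SMB" steps from the post above, as an added PowerShell example that is not part of the original message or the list. It is an audit-first script for a single Windows host: run without switches it only reports whether SMBv1 is enabled and whether an inbound SMB block rule exists; with -Apply it disables SMBv1, and with -Apply -Workstation it also adds a local firewall rule blocking inbound TCP 445 (the rule name and the use of a local firewall rule in place of the group policy the post mentions are this example's own choices). It assumes Windows 8.1 / Server 2012 R2 or later with the SmbShare and NetSecurity modules, run from an elevated prompt; the same settings would normally be pushed by group policy rather than per host.

```powershell
# Added example, not from the mailing-list post: audit and optionally harden a
# Windows host against SMBv1-based worm spread. Assumptions: Windows 8.1 /
# Server 2012 R2 or newer, SmbShare + NetSecurity modules present, elevated shell.
[CmdletBinding()]
param(
    [switch]$Apply,        # without -Apply nothing is changed, only reported
    [switch]$Workstation   # this host is a client: also block inbound SMB (TCP 445)
)

# Name of the local firewall rule this example creates (hypothetical, chosen here).
$RuleName = 'Block inbound SMB (TCP 445) - worm containment'

function Get-Smb1Status {
    # Two independent places SMBv1 can be enabled: the server service setting
    # and the optional Windows feature that ships the SMBv1 driver.
    $server  = Get-SmbServerConfiguration
    $feature = Get-WindowsOptionalFeature -Online -FeatureName SMB1Protocol `
                   -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Smb1ServerEnabled = $server.EnableSMB1Protocol
        Smb1FeatureState  = if ($feature) { $feature.State.ToString() } else { 'NotPresent' }
    }
}

function Get-InboundSmbBlockRule {
    # Returns the containment rule if it already exists, otherwise $null.
    Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
}

function Disable-Smb1 {
    # Turn off SMBv1 at the server service and remove the driver feature.
    # A reboot is needed before the feature removal takes full effect.
    Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    Disable-WindowsOptionalFeature -Online -FeatureName SMB1Protocol -NoRestart | Out-Null
}

function Block-InboundSmb {
    # Blocking only INBOUND 445 stops this client serving SMB to other clients
    # (the client-to-client spread path) while leaving its outbound connections
    # to file servers untouched, which is the caveat the post raises.
    if (-not (Get-InboundSmbBlockRule)) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound -Protocol TCP `
            -LocalPort 445 -Action Block -Profile Domain,Private,Public | Out-Null
    }
}

# --- audit -------------------------------------------------------------------
$status = Get-Smb1Status
$rule   = Get-InboundSmbBlockRule
Write-Host ("SMB1 server setting enabled : {0}" -f $status.Smb1ServerEnabled)
Write-Host ("SMB1 feature state          : {0}" -f $status.Smb1FeatureState)
Write-Host ("Inbound SMB block rule      : {0}" -f ($(if ($rule) { 'present' } else { 'absent' })))

# --- remediate (only when asked) --------------------------------------------
if (-not $Apply) {
    Write-Host 'Audit only. Re-run with -Apply (and -Workstation on clients) to remediate.'
    return
}

if ($status.Smb1ServerEnabled -or $status.Smb1FeatureState -eq 'Enabled') {
    Disable-Smb1
    Write-Host 'SMBv1 disabled; reboot to complete removal of the feature.'
}

if ($Workstation) {
    Block-InboundSmb
    Write-Host "Inbound TCP 445 blocked by rule '$RuleName'."
}
```

Run it as an audit first across a sample of hosts before applying anything; servers that still have SMBv1-only clients (old printers, scanners, embedded devices) will show up as breakage once the server setting is turned off, which is exactly the "business need" check the post says most organisations can pass but should verify.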

-- 
The Mailing List for the Devon & Cornwall LUG
https://mailman.dclug.org.uk/listinfo/list
FAQ: http://www.dcglug.org.uk/listfaq