Hackers accessed HSE system eight weeks before attack

10 comments
  1. > It found that the Health Service Executive was operating on a frail IT system and did not have proper cyber expertise or resources.

    Do we know if that has changed at all?
    I saw them advertising for a head of security there a while ago but the salary was about half of what it should have been.

  2. Why do civil service organisations refuse to modernise with even the most basic IT systems?
    I'm sure lots of it comes down to poor investment and training.

  3. I think this is the report the media are quoting:

    https://www.hse.ie/eng/services/publications/conti-cyber-attack-on-the-hse-full-report.pdf

    Some fascinating reading on how a competent response protected one hospital:

    > Timeline prior to the Incident and the response at Hospital A, Hospital C and the DoH
    >
    > Two voluntary hospitals, Hospital A and Hospital C, identified suspicious activity prior to the Incident. In addition, the DoH, a third party to the HSE’s environment, successfully acted on a detection of the Attacker which prevented the execution of the Conti ransomware across the vast majority of the DoH. [53]
    >
    > The following timeline describes the key activities at Hospital A, Hospital C and the DoH prior to the Incident.
    >
    > On 10 May 2021, Hospital C asked Hospital C’s cybersecurity solutions provider whether they should be concerned about Cobalt Strike alerts. They were advised by Hospital C’s cybersecurity solutions provider that since the threat had been remediated by their antivirus software, their risk was low. [54] Hospital C did not initiate a cyber incident response investigation.
    >
    > On 12 May 2021, Hospital A engaged Hospital A’s Incident Response provider to investigate alerts of malicious activity. They reset passwords for 4,500 accounts [55] and made firewall configuration changes [56] to contain the activity, and made contact with the HSE to request information on two IP addresses. [57] To further contain the activity, Hospital A utilised their existing security tooling across their environment.
    >
    > On 13 May 2021, the HSE identified the IP addresses reported by Hospital A related to two servers within the HSE’s domain. The HSE conducted an investigation into the activity identified by Hospital A and incorrectly concluded in an email between the HSE teams [58] that the suspicious activity originated from Hospital A, rather than the other way round.
    >
    > On 13 May 2021, DoH’s cybersecurity solutions provider [59] alerted the DoH to a potential attack on their network. DoH contacted the NCSC and engaged DoH’s IR Provider [60] who installed endpoint detection and response (“EDR”) security tooling on the majority of their systems. These actions blocked the execution of the Conti ransomware across the vast majority of the DoH’s infrastructure, including critical and data servers.

  4. Real Headline should be “HSE only have eight weeks of log”.

    They have been in the system for a lot longer.

  5. Remember when they said they’d open the position for the Director of the National Cybersecurity Center?
