
Nhs network security


Comments

  • Jivesinger
    Jivesinger Posts: 1,221 Forumite
    Ninth Anniversary Combo Breaker
    Pound wrote: »
    Some companies turn off automatic updates because people would come into work one morning and find that Internet Explorer 6, which is the only browser that works with a business-critical legacy system, has been upgraded to the latest version, causing the entire company to grind to a halt until IT can work out how to revert. Instead, updates are done in a controlled and tested way so they know everything will still work.
    I think Microsoft's current upgrade strategy for Windows 10 seems to be:
    1. Major Windows upgrades (eg. the so-called Creator's Update) once or twice a year, which businesses (assuming they run Windows 10 Pro or Enterprise or Education) can defer.
    2. Security updates and patches (but no new 'features') on an ongoing basis, which you can't defer.
    3. Application updates through the Windows Store as and when things change. I think these updates can be switched off at the moment (?).
    Parts 1 and 2 look sensible to me - companies can test out the major upgrades in their own time, but meanwhile the security patches keep coming for the previous Windows 10 version (and perhaps the one before). So it doesn't have to be a binary On/Off for updates - security updates can come through while those which are more likely to be disruptive don't.

    I'm not sure part 3 is so mature though - and this might become an issue if, for instance, the 'Edge' browser started to get updates via the Store. In that case I'd expect there to be 2 branches of the Edge browser, in the same way as for example Firefox has an 'ESR' version designed for businesses (but is the one I use personally).
  • onomatopoeia99
    onomatopoeia99 Posts: 7,190 Forumite
    Part of the Furniture 1,000 Posts Name Dropper
    Jivesinger wrote: »
    I think Microsoft's current upgrade strategy for Windows 10 seems to be:
    1. Major Windows upgrades (eg. the so-called Creator's Update) once or twice a year, which businesses (assuming they run Windows 10 Pro or Enterprise or Education) can defer.
    2. Security updates and patches (but no new 'features') on an ongoing basis, which you can't defer.
    3. Application updates through the Windows Store as and when things change. I think these updates can be switched off at the moment (?).

    The scenario you outline applies to home users and SMEs. Large organisations will run WSUS (I can do random acronyms that almost no-one will understand just as well as DavidP24) and so the IT department will be able to block ALL updates to client computers on an AD domain, until they approve them.
    Proud member of the wokerati, though I don't eat tofu. Home is where my books are. Solar PV 5.2kWp system, SE facing, >1% shading, installed March 2019. Mortgage free July 2023
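    The two posts above describe the split between deferrable feature upgrades, ongoing security patches and WSUS-controlled rollouts. The script below is an added example, not code from the thread or from Microsoft, that reads a Windows 10 client's documented Windows Update for Business and WSUS policy values (Windows 10 1607 or later; absent values mean "not configured") and reports which of those three cases the machine is in.

```powershell
# Added example: report a Windows 10 client's update deferral posture.
# Policy values are the documented Windows Update for Business / WSUS
# settings under HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate.
$wuPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate'
$auPolicy = Join-Path $wuPolicy 'AU'

function Get-PolicyValue {
    param([string]$Path, [string]$Name)
    # Return $null when the value (or the whole key) is not configured
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name }
    catch { $null }
}

function Get-UpdatePosture {
    $featureDeferred = Get-PolicyValue $wuPolicy 'DeferFeatureUpdates'
    $featureDays     = Get-PolicyValue $wuPolicy 'DeferFeatureUpdatesPeriodInDays'
    $qualityDeferred = Get-PolicyValue $wuPolicy 'DeferQualityUpdates'
    $qualityDays     = Get-PolicyValue $wuPolicy 'DeferQualityUpdatesPeriodInDays'
    $useWsus         = Get-PolicyValue $auPolicy 'UseWUServer'
    $wsusServer      = Get-PolicyValue $wuPolicy 'WUServer'

    [pscustomobject]@{
        # Feature (twice-yearly) upgrades: deferring these is the "test in
        # your own time" case and is not a security concern by itself.
        FeatureUpdatesDeferredDays = if ($featureDeferred -eq 1) { [int]$featureDays } else { 0 }
        # Quality (monthly security) updates: any deferral widens the window
        # in which a known, patched vulnerability is still present.
        QualityUpdatesDeferredDays = if ($qualityDeferred -eq 1) { [int]$qualityDays } else { 0 }
        # WSUS: updates arrive only once an administrator approves them, so
        # the approval backlog on that server is what actually matters.
        WsusServer                 = if ($useWsus -eq 1) { $wsusServer } else { $null }
    }
}

$posture = Get-UpdatePosture
$posture | Format-List

if ($posture.QualityUpdatesDeferredDays -gt 0) {
    Write-Warning "Security updates are deferred $($posture.QualityUpdatesDeferredDays) day(s) on this client"
}
if ($posture.WsusServer) {
    Write-Output "Updates are served by WSUS at $($posture.WsusServer); check which patches are approved there"
}
```

    Run it in an elevated PowerShell session on the client; a machine with no policy configured shows zero deferral and no WSUS server, meaning it takes updates straight from Microsoft as they ship.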
  • DavidP24
    DavidP24 Posts: 957 Forumite
    chunter wrote: »
    Many thanks to DavidP for his insights on this.
    What we have on the tv is lots of stupid politicians (and others) trying to blame someone else, without any particular knowledge of how and why it happened.
    I suspect the one thing they'll not talk about is the amount of money that needs to be spent to prevent such obvious vulnerabilities being exploited.

    To be honest I think all Governments since the 90's could have done more for the NHS; however, what people need to understand is RISK. If your IT system fails for a few hours, in some companies it can be a major inconvenience; in a hospital people can DIE. I am not kidding: a patient comes in, bloods are taken along with all the usual tests, it gets sucked up a chute to pathology, rushed into a machine and appears on the computer a short time later. The doctor makes a decision based on those results. Not just the numbers: often the software has worked out the patient risk and may even propose a diagnosis.

    I remember being brought in to do a data audit for a 3-week data sample for one system in one department; it was 12 million records!

    The one thing I have noticed with the Government since 2010, is their appetite for risk is much higher, the politicians are told about the risks but they come back with the same old quips and the NHS Execs are told to manage it from existing resources.

    So when I hear motor mouths like Diane (can't let anyone speak) Abbott on Any Questions saying

    "We do have to do more"
    "More Investment"
    "considered investment"
    "We have to do something about this"

    But without a clue what to do or even where to start.
    Thanks, don't you just hate people with sigs !
  • DavidP24
    DavidP24 Posts: 957 Forumite
    Jivesinger wrote: »
    All those machines with forced updates were safe from this particular malware though.
    Is that really such a terrible thing?

    Generally no, but I have seen a whole hospital shut down by a Windows update, so you are damned if you do and damned if you don't. That is why they created a service where organisations could store and forward MS update rollouts after they had tested them.

    I think if they are going to get into this model they need to make it more granular.

    How many times have you been told to reboot to fix something? Yet I very rarely reboot; I will suspend and hibernate for 60 days plus. If my wifi card has a problem I will end the tasks, stop and start the services, which solves the problem; same for audio if the volume crashes.

    Win Updates need to work like this, to update a service they need to suspend it, update it, restart it, all with permission and with care.
    Thanks, don't you just hate people with sigs !
  • Johnmcl7
    Johnmcl7 Posts: 2,842 Forumite
    Part of the Furniture 1,000 Posts Name Dropper Combo Breaker
    edited 14 May 2017 at 1:58PM
    esuhl wrote: »
    To be honest, I'm wondering if the NHS would be better off using GNU/Linux in a lot of situations, and restricting Windows to medical devices with custom software that would be too costly to upgrade.

    I'm no expert in corporate networks, and I don't know how the NHS networks are set up, so I wonder how the support costs and scalability of Linux would compare to Windows. I'd guess it would be relatively(!) easy to move the patient records system to Linux... and leave Windows on systems that absolutely need it...?

    Although, with the NHS being killed off due to underfunding, I can't see any money being spent on the IT system for a while.

    In short, no, for the simple reason that if the NHS is lacking the time, money and expertise to properly configure Windows systems then there's no chance that a more difficult Linux system would be even remotely viable. It appears the reason the NHS has been hit so badly is because they have systems exposed to the internet that shouldn't have been, and are running legacy, unsupported systems. It doesn't matter if it's Linux or Windows: systems should be properly secured at the network level and they should be automatically updated. Linux is absolutely not a crutch for insecure networks and out-of-date patching; without the right expertise it can be vulnerable as well when it's not securely set up... good old chmod 777, hey it works, let's leave it at that :(

    I don't work for the NHS and have no direct insight but while it's easy to blame the IT departments, even aside from getting the time and money to make sure systems are up to date and secure it's difficult to convince businesses to accept restrictions in turn for better security. It's also difficult to convince people to install patches, upgrade software and upgrade operating systems when from their point of view everything is working fine so they could do without the hassle of having to change it. When it comes to regulated systems which need time consuming validation to make changes, it's even more difficult to convince people they need to do the work.

    Vendors can also be terrible with regards to security by only supporting old unsupported operating systems and when the software doesn't work, want you to disable all anti-virus, firewalls, UAC, give the user account full admin rights and turn off patches because patches break things. The obvious answer would be to choose a different vendor but the market can be very small for specialist systems and often it will be someone else that chooses it without any agreement with the IT department.

    One small plus of all this though is that when there are arguments about installing patches, locking down firewalls, restricting system access etc., this is a really good example of why we need to do it. On the other hand it's been nearly 20 years since the I Love You virus spread rapidly through e-mail and still, malware easily spreads through mails as plenty of people aren't cautious when checking their e-mail.

    John
  • novirus
    novirus Posts: 2 Newbie
    Don't welcome me, as I am a long-time member of over 10 years here. You can probably guess for whom I work.

    Often you have an app written by company X (often a small company). If you are lucky that company still exists, often to claim 'maintenance' money (usually for a corrupt database). If you are really, really lucky the developer has not retired or left. The developers often know very little about the o/s, especially Linux implementations; some can't even upgrade a hard disk. I pick on Linux as it is free (top choice for devs at the mo) and it currently works for the time the developer uses it, but the same goes for Windows too.

    Now often the software containing the data belongs to a medical department, and is running on an IT department server, its own metal box or a virtual machine. Say a service pack is released to fix security: do you patch the server?

    Short answer: 99% of the time, don't patch it. Long answer: the medical department just wants it to work. The IT department does not know after patching if it will still work, or will integrate the same way; they can't test it 100%. At best, which rarely happens, suppliers want to sell you a new version, which in a small and limited market does not exist, or at best costs tens of thousands, but could be well over 5 digits too. In most cases the devs can't be bothered to check their software, the original developers have left or retired and the existing ones do not want to get involved.

    If that server gets any unsanctioned modifications, then the supplier will wash their hands of it, and obviously the ones doing the update are accountable for the failure no matter what. Out of many, many servers, I can count on one hand the number of systems we have patched that are not hospital owned.

    We do regularly patch our own servers, and there is a structured process to get this done, including patch name applied and what each patch does.

    It is easy when looking at your own PC and environment to form a conclusion. Try that with 8000 PCs, of which a good few are set up differently and run a mixture of over 500 different pieces of software.
  • LittleJo
    LittleJo Posts: 482 Forumite
    Part of the Furniture 100 Posts
    Hi
    Does anybody remember MsBlast?
    Jo
  • forgotmyname
    forgotmyname Posts: 32,952 Forumite
    Part of the Furniture 10,000 Posts Name Dropper
    Is that Blaster that infected fresh XP installs when users connected to the net to do the updates with no firewall and AV in place?

    A few people told me they got infected and reinstalled XP and as soon as they connected to the net to download a FW and AV and get updates they got hit again.

    I always install an AV or FW before connecting to the home network.
    Censorship Reigns Supreme in Troll City...

  • Strider590
    Strider590 Posts: 11,874 Forumite
    This NHS ransomware thing........ I'm really sick of it now........

    It was NOT AN "ATTACK", it was merely some idiot academics with no common sense, opening and passing on emails/links that contained or led to this malware!

    What is wrong with admitting you fell for something that you have absolutely no knowledge about??????
    “I may not agree with you, but I will defend to the death your right to make an a** of yourself.”

    <><><><><><><><><<><><><><><><><><><><><><> Don't forget to like and subscribe \/ \/ \/
  • DavidP24
    DavidP24 Posts: 957 Forumite
    Makes great news to scare people and now you will have updates from this thread!
    Thanks, don't you just hate people with sigs !
This discussion has been closed.