Re: Experts all giving advice on how to stay secure
Some people do not have any choice. When the X-ray machines in the affected hospital trusts were bought using Windows XP (or even 2001) imaging software, that was state of the art. The issue is that the life of a piece of equipment like this vastly exceeds the lifespan of the OS that was used for the control system. On top of that, quite often these cannot be patched as the software is written so badly that it will work only with a specific patch-level of the core OS.
That CAN and SHOULD be mitigated by:
0. Considering each and every one of those a Typhoid Mary in potentia
1. Isolating each such Typhoid Mary in potentia on a separate subnet
2. Preventing any communication except essential management and authentication/authorization going out
3. Providing a single controlled channel to ship out results to a location which we CAN maintain and keep up to date.
Instead of that, criminally stupid idiots at NHS IT in the affected trusts, as well as at other enterprises which were hit:
1. Put these unpatchable and unmaintainable machines in the same flat broadcast domain with desktop equipment. There was no attempt at isolation and segmentation whatsoever.
2. In some cases allowed use of unrelated desktop applications (at ridiculously ancient patch-levels) such as Outlook or even Outlook Express.
3. Opened file sharing on the machines in question.
Each of these should be a sackable offense for the IT staff in question.
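The segmentation the post lays out in steps 0 to 3 (own subnet, egress limited to management and authentication, one controlled results channel) can be expressed as a single nftables forward ruleset on the router or firewall between that subnet and the rest of the site. The script below is an added example and not part of the original post; the subnet 10.66.0.0/24, the domain controller 10.10.0.10, the results gateway 10.10.0.20, the jump host 10.10.0.30, and the choice of RDP for management and DICOM on TCP 104 as the results channel are all assumptions for illustration. It also logs and drops any attempt from the rest of the LAN to reach SMB on the legacy machines, which is the failure mode described under point 3 of the complaints.

```shell
#!/bin/sh
# Added example (not from the original post). Emits, checks, or applies an
# nftables ruleset that fences a legacy imaging subnet off from the flat LAN.
# All addresses and ports below are assumed values for illustration.
set -eu

IMAGING_NET="${IMAGING_NET:-10.66.0.0/24}"   # assumed: legacy XP imaging workstations
DC_HOST="${DC_HOST:-10.10.0.10}"             # assumed: domain controller (Kerberos/LDAP/DNS/NTP)
RESULTS_GW="${RESULTS_GW:-10.10.0.20}"       # assumed: patched gateway that receives results
JUMP_HOST="${JUMP_HOST:-10.10.0.30}"         # assumed: the only host allowed to manage them

# Print the ruleset. Kept in a function so it can be inspected or syntax-checked
# without touching the running firewall.
imaging_ruleset() {
cat <<EOF
table inet imaging_fw {
  chain forward {
    type filter hook forward priority 0; policy drop;

    # Replies to flows we already allowed; nothing else gets a free pass
    ct state established,related accept
    ct state invalid drop

    # Nobody on the flat LAN gets to talk SMB to the legacy boxes, ever.
    # Log it: a hit here is a worm or a misconfigured desktop, both worth knowing about.
    ip daddr $IMAGING_NET tcp dport { 139, 445 } log prefix "imaging-smb-probe " drop

    # Management: only the jump host, only RDP (assumed management protocol)
    ip saddr $JUMP_HOST ip daddr $IMAGING_NET tcp dport 3389 accept

    # Authentication/authorisation and the plumbing it needs, to one DC only:
    # Kerberos, LDAP/LDAPS, DNS, NTP
    ip saddr $IMAGING_NET ip daddr $DC_HOST tcp dport { 53, 88, 389, 636 } accept
    ip saddr $IMAGING_NET ip daddr $DC_HOST udp dport { 53, 88, 123, 389 } accept

    # The single controlled results channel: DICOM C-STORE to a gateway we maintain
    ip saddr $IMAGING_NET ip daddr $RESULTS_GW tcp dport 104 accept

    # Any other egress from the imaging subnet is logged and dropped
    ip saddr $IMAGING_NET log prefix "imaging-egress-denied " drop
  }
}
EOF
}

# Count the explicit accept rules, so a reviewer can see exactly how many
# holes exist in the fence (four, in this ruleset, plus the ct state line).
accept_rule_count() {
  imaging_ruleset | grep -c ' accept$'
}

case "${1:-print}" in
  print) imaging_ruleset ;;                 # show the rules
  check) imaging_ruleset | nft -c -f - ;;   # syntax check only, no changes
  apply) imaging_ruleset | nft -f - ;;      # load into the kernel (root)
  *) echo "usage: $0 [print|check|apply]" >&2; exit 2 ;;
esac
```

Run it with `check` first on a host that has nftables installed; `apply` replaces nothing else on the box because everything lives in its own `imaging_fw` table. The default policy is drop in both directions, so a forgotten protocol shows up as a logged deny rather than as a silent hole, which is the behaviour you want when the endpoints cannot be patched.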