Reasons to avoid a proprietary monoculture #4 - Waikato DHB Ransomware attack.
I'm sure you have all heard of it by now and there are pundits galore out there opining on this and that with a focus on keeping systems up to date and user education as being the major ways to stop it happening again... But there is nothing I've seen so far that addresses the root cause of the problem which is the overwhelming use of a single vendors proprietary OS and applications despite said vendor being the largest malware attack surface the IT industry has ever seen.
Yes, I'm talking about Microsoft. Again. Yes, I know 'everyone' uses it (because you still *cannot* by a PC without an associated MS license) and yes, they have made some fantastic efforts to move away from their past 'cancerous' attitudes and provide some very good open source tooling and capabilities but their entire history of coding effort and development philosophies has lead to some very shonky software being released into production that is riddled with bugs and rife with exploits. Even their main selling point of seamless integration across their entire product suite that just 'makes life easier' for the end users opens up a massive attack vector... a recent exploit in Teams allowed arbitrary commands to be issued on *any* platform Teams ran on. A failure in a MS service (e.g. Azure AD) takes out multiple NZ Government agencies on a regular seemingly monthly basis according to the headlines.
So what can be done?
If we go back to some of the issues we've seen around the world with ransomware there are common threads. I don't know which of these will apply specifically to Waikato DHB but lets assume some will.
Keeping software current - This is a hospital so their primary focus is on healthcare (actually more of a break/fix operation) so every dollar that is *not* spent on directly making people healthy (Doctors, Nurses, medication, surgery) is viewed with suspicion, and rightly so when IT people can rip off the SDHB to the tune of NZ$17 million.
The outcome of this view is that IT things tend to be left operational past their 'use by' date (The day that the proprietary vendor arbitrarily decides they are no longer going to try and fix anything and require you to by something new). So they are now exposed to malware or have to repurchase their software suite... there is significant cost in either scenario so basically it is a rort. As an industry we have accepted that behaviour but you can see why people hate IT.
Even when the base software is upgraded we know that in some cases the applications running on it need to be rewritten to either bypass features that no longer exist or to take advantages of new features that may only be available on that particular platform thus perpetuating the lock in cycle on the hamster wheel.
Users - Newsflash! A significant portion of the human beings on this planet don't care about how IT works. They buy a car, they expect it to work. They buy a smartphone/computer/iSomething, they expect it to work. As noted previously, due to some monopolistic anti-competitive behaviours in the past Microsoft have achieved significant market penetration around the world and especially here in New Zealand. As also noted previously, these Microsoft products represent a significant attack surface that drives a large part of the current IT security sector that thinks that *educating* users on how to use these security compromised products is 'best practice'... well the users don't care and even if they did there will always be someone, somewhere that takes their finger off the button for just enough time for the wheels to come off.
So how about we look at things differently. How about we treat Microsoft as the root cause and the users as the symptom. For sure, keep updating the systems as bugs are found and fixed but lets go one step further and break the chain. Yes, I know that all the MS products are joined together but remember, that is exactly what makes everything so vulnerable.
So, DHB specific. We can see from the MoH websites that the various DHBs have spent the last few years migrating their applications to browser based web front ends in line with the rest of the industry. This goes for a lot of the Microsoft product suite as well... O365/M365 etc. There is now no need to have a fat client on the desktop and to be honest there isn't even a need for a Citrix type approach back to a virtual desktop environment... if the apps are purely browser based and aren't tied to the underlying OS then you can literally slap a Raspberry Pi on the back of a monitor and sling everything over the appropriate encrypted protocol. This means that any malware that gets to the desktop has nowhere to execute.
Stop using MS Exchange. Quite apart from all the license and access issues there are a number of browser based alternatives to MS Exchange that are not susceptible to the attacks that some ransomware uses. Removing these attack vectors from the equation increases your overall resilience. Also, each service being removed reduces the number of insecure protocols operating over the network.
Stop using windows based NAS/CIFS servers. Use a SAMBA/BTRFS combination instead. Why? Again the malware has nowhere to execute and just as importantly BTRFS is a Copy on Write filesystem which lets you do some interesting things... one of which is being able to retain almost realtime copies of data such that IF ransomware does manage to execute somewhere the original file is still available to recover from in a very timely fashion. If designed and implemented properly you could detect ransomware activity (massive rewrites of every file in the system should be a hint) and take appropriate action before things get completely out of hand.
Now that we've moved to browser based solutions we can then start looking at the need for O365. If your word processor is no longer tied to the OS and you are using an ISO standard document format such as ODF or DOCX then you have a choice of word processors as well. LibreOffice if you are running a desktop, OnlyOffice or Collabora if you are looking for a cloud solution. Big Blue Button instead of Teams (or Zoom). If you are looking for integration of all of these things then NextCloud could be an option.
And speaking of clouds, rather than just throw everything at Azure/O365/D365 which, as we have learned, is pretty much the same massive Microsoft attack surface but with added cloud, how about using something local, like the Catalyst cloud. How about taking a leaf out of the Reserve Banks books and require the DHB's to be able to operate in country if there is a failure of overseas capability? If it can't be isolated from any international issues then it's not really a solution.
And no, the proposed Microsoft Azure Datacentre will *not* fix that particular problem because while it will be based in New Zealand it will still be part of an international configuration, managed from offshore and 'owned' by Microsoft Ireland where they don't pay any taxes.