📢 This is not OK, and I'm tired of pretending it is. 📢
Putting aside the fact that yes, the cybercriminals conducting this attack ARE the very definition of "Not OK", there are bigger pictures to look at.
How can an organization as large as Ascension suffer a crippling attack like this? Their team is large, and so is their security budget.
Is it a lack of adherence to the Standards and Frameworks that exist? Maybe, maybe not. I recently polled cybersecurity practitioners here on LinkedIn and ONLY 10% thought that current standards were effective.
Was it a lack of training for employees? This is almost always a contributing factor to events like this.
Maybe it was a focus on COMPLIANCE and not a focus on SECURITY. We don't know yet, and likely never will.
Were executives leading security practices more focused on business KPIs vs security KPIs? This happens a lot, often with executives with no practical/pragmatic security experience making... security decisions.
If this was ransomware (early thoughts are that it is, considering how widespread the impact is), were there not filters in place to prevent phishing / ransomware emails from entering the environment?
Were there endpoint agents scanning for outbreaks and automatically quarantining infected devices?
Was there a sandbox solution to test the URLs / files the user was attempting to let into the network?
Was it a BYOD (Bring Your Own Device) infection?
Was there a rapid-response solution in place to immediately isolate the infection? If so, was it FOLLOWED?
Did the pentesting performed at <whatever location was the entry point> report on ransomware exposures? If it didn't, it clearly should have. If it was reported in the pentest, was it remediated? If it wasn't remediated, was the active exploit in the Ascension environment acknowledged in documentation and road mapped to be remediated later?
Again, we will likely never know.
The technology exists to prevent this exact type of widespread carnage. I can't qualify it as "digital" carnage, because there are REAL WORLD impacts from it.
It's a hard problem or a soft problem, or both. Either way, it's definitely a problem. And I'm tired of pretending it isn't.
- We as an industry have the tech to do better.
- We as an industry have the experience to do better.
- We as an industry have frameworks & education to do better.
Where did things go wrong in the Ascension case? I hope we get answers, but we likely won't.
Now we're looking at operational disruptions at over 140 hospitals, directly impacting patients... REAL PEOPLE. Someone (a lot of someones, actually) at Ascension (and their vendors/partners) were responsible for keeping these people safe from this exact type of disruption to their care.
And they failed.
Ascension has a long road ahead of them, for a lot of reasons, the least of which is the arduous process of dealing with investigators during the post mortem.
Our ethics demand better than this.