* Posts by DMSlicer

9 publicly visible posts • joined 2 Dec 2010

WhatsApp chaps rapped for crap app group chat zap: Infosec bods find a way to nuke messages, fix issued

DMSlicer

Dammit El Reg.

You owe me a new Keyboard.

(And Nick Cage owes me several (dozen) hours of my life back...)

Patch blues-day: Microsoft yanks code after some PCs are rendered super secure (and unbootable) following update

DMSlicer

Honestly? That's pretty much spot on these days for corporate PCs...

1. Patch Tuesday happens, making a bunch of new updates available on the MS Website.

2. Our WSUS server syncs with the new list of updates sometime early Wednesday morning (4am-ish).

3. Client PCs sync with WSUS sometime on Wednesday, and tell it what they need from the new list of updates. WSUS then goes off and actually downloads all the needed updates in the background over the course of the day from the MS Website onto one of its local disk drives.

4. Client PCs sync to WSUS again every ~6 hours. At some point whenever WSUS has their requested updates available, the clients will start to download them. Group Policy determines whether the local user of the machine is actually permitted to install them or not (which kicks in at midday - so realistically this will be 12pm Thursday or Friday depending on the number of updates needing to be downloaded), otherwise they wait for them to be manually installed by IT staff during an agreed downtime window.

If at any time there's any argy-bargy noticed on the interwebs relating to botched updates, those updates get declined on WSUS before Thursday midday; so they never actually hit the client PCs.

It's literally a built-in time-delayed "stop those updates!" killswitch.

This week we actually got told about the AV Crashing Issue on Thursday at ~11am, and I had a Decline in place on WSUS by 11:15. And a lucky escape it was too, since we're one of the poor fools whose higher-ups have mandated the use of Sophos Enterprise...
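The decline-before-install workflow described above, scripted against WSUS as an added example (this is not code from the original post). It assumes the UpdateServices PowerShell module that ships with the WSUS role on Windows Server 2012 or later, that it runs on the WSUS server itself, and that the KB list, target group name and quarantine period are placeholders to be replaced.

```powershell
# Added example, not code from the original post: a time-delayed approval plus
# a "decline" kill switch for WSUS. Assumes the UpdateServices module (WSUS role,
# Windows Server 2012+) and that this runs on the WSUS server. $BadKBs,
# $TargetGroup and $MinAgeHours are placeholder values.
#Requires -Modules UpdateServices
param(
    [string[]] $BadKBs      = @('KB0000000'),   # KBs reported as broken (placeholder)
    [string]   $TargetGroup = 'Workstations',   # WSUS computer group name (placeholder)
    [int]      $MinAgeHours = 48                # quarantine period after an update arrives
)

$wsus = Get-WsusServer    # local server on the default port

# 1. Kill switch: decline anything matching the bad-KB list, approved or not.
#    Clients that have downloaded but not yet installed it will drop it at
#    their next detection cycle, so the midday install never happens.
$declined = foreach ($u in (Get-WsusUpdate -UpdateServer $wsus -Approval AnyExceptDeclined -Status Any)) {
    $kbs = @($u.Update.KnowledgebaseArticles | ForEach-Object { "KB$_" })
    if (@($kbs | Where-Object { $BadKBs -contains $_ }).Count -gt 0) {
        $u | Deny-WsusUpdate
        $u.Update.Title
    }
}
if ($declined) { Write-Output "Declined: $($declined -join '; ')" }

# 2. Delayed approval: only approve security/critical updates that have sat on
#    the server for at least $MinAgeHours and are not superseded, so there is
#    always a window in which step 1 can pull a bad one before it ships.
$cutoff = (Get-Date).AddHours(-$MinAgeHours)
Get-WsusUpdate -UpdateServer $wsus -Classification All -Approval Unapproved -Status FailedOrNeeded |
    Where-Object {
        $_.Update.UpdateClassificationTitle -in 'Security Updates', 'Critical Updates' -and
        $_.Update.ArrivalDate -lt $cutoff -and
        -not $_.Update.IsSuperseded
    } |
    Approve-WsusUpdate -Action Install -TargetGroupName $TargetGroup -Verbose
```

Run it from a scheduled task each morning, after the WSUS sync, with the bad-KB list maintained by hand. The client-side half of the comment's setup is Group Policy under Computer Configuration > Administrative Templates > Windows Components > Windows Update: "Configure Automatic Updates" set to option 4 (auto download and schedule the install) with the scheduled install time at 12:00, plus "Specify intranet Microsoft update service location" pointing at the WSUS server; those land in HKLM\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU as AUOptions=4 and ScheduledInstallTime=12.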

Ex-MI5 boss: People ask, why didn't you follow all these people ... on your radar?

DMSlicer

> Suppose that must have been the experience for in Belfast...

It's interesting how much Belfast has been portrayed as a "War Zone" in international news over the years, but I can say that growing up here has been a vastly different experience.

I was born in the very early 80s in East Belfast. I remember hearing bombs going off and there being a security fence around the pedestrian precinct in the City Center.

Occasionally I heard bangs in the background (one or two a year perhaps?) and later on I might see the front of a building lying in rubble and/or being rebuilt. But generally any violence I saw was more just young thugs chucking bricks at each other - which happens in most cities but at least in Belfast you could tell what side they were on by which football top they were wearing.

There were security mesh/bars on the windows of most public buildings to stop them getting a brick or petrol bomb thrown through them. My Mum used to get her handbag searched going into shops in the City Center until they took down the security fencing, and during parade season every July there were a slew of buses + cars being stolen and burnt out to block a road and we had to go home via a different route.

Apart from that, life pretty much just went on - aside from developing a rather black and sarcastic sense of humour, myself and most of my friends that grew up all over Belfast weren't too badly affected by the "Troubles". I had two school classmates die, but neither was related to the violence - one was due to a congenital illness and the other was a teen suicide.

Once you got further outside the City Center into the suburbs, it was very rare for there to be any trouble. At least in East/Southeast Belfast which was predominantly Loyalist (and I assume also Northwest Belfast which was predominantly Republican...) where the only trouble you heard of tended to be infighting between different Paramilitary groups. If you went further out into towns/villages it was rare to find a "mixed" town - you could tell what the town's political stance was by the flags and the colour of paint on the kerbstones, and things were generally quiet as long as nobody stirred up any trouble.

The various paramilitary groups had pretty much cornered the market on crime, so much so that you never really heard about anyone selling drugs in the schoolyard or pedophiles pulling kids into cars because the Paramilitary groups put the fear of God into anyone that looked remotely shifty. During the late 80s and early 90s I walked home from primary school and got the bus to/from town regularly and never had any trouble - the place was probably safer for a civilian than it is today.

Most of the province was even fairly receptive to outsiders (unless you had an Irish/English accent and were in the "wrong" part of the city). Although understandably there were very few foreigners that actually wanted to come to Belfast... I think I only saw a single person with black skin my entire childhood - he was the much-loved owner of a local Corner Newsagents/Sweet shop.

Over the years as the peace process developed, most of the hatred just seems to have been redirected. Young thugs are now more likely to target a local Asian or Polish family than their traditional "other side"... and heaven help you if you're non-white and Islamic with a foreign accent.

WannaCrypt: Pwnage is a fact of life but cleanup could and should be way easier

DMSlicer

> Take it further - NHS owned DR DCs, with a ("secure") warm copy of a hospitals data, copied over fat pipes, fast enough for staff to use the DR systems remotely when their local system is down? When disaster strikes a hospital, just connect the data disks to a suitably powerful system and boot it. I don't know if it's practical, original, or even useful in this scenario, but I'll risk the derision and downvotes because it might just spark a better idea in someone.

In this case it would have been largely pointless, because if the main system got infected then there's nothing to stop your DR system getting infected as soon as you spin it up, unless you spun it up on an isolation network (e.g. on an entirely different VLAN to anything in your live systems) and manually joined cleansed clients to it one by one.

One possible solution might be a DC on a different operating system entirely (there are several Linux solutions that can act as a secondary Windows DC and at least one that can be a PDC) that wouldn't have been susceptible to WCry - to allow more vital software processes or any uncompromised clients such as firmware-based hospital equipment to still have *something* to talk back to and authenticate against.

Windows XP crashed too much to spread WannaCrypt

DMSlicer

Re: Funny

> And we know that NHS Mail/NHS.net was not used to spread the infection.

Actually so far there has been no evidence that any emails were used to spread this particular infection, although I'll certainly agree that email is a very common method of entry for other attacks in general. WCry actually got inside the NHS network due to certain Trusts having SMB shares on unpatched* servers lying open to the wider internet... these servers were remotely infected by external attackers using the leaked NSA exploits. Once inside, the nastyware replicated itself across the internal networks between trusts quite handily, infecting unpatched* Windows 7 boxes as it went. (*At least two months behind the regular MS Windows patch cycle, given that the WCry SMB exploit was patched back in March)

There's no doubt that IT competency and redundancy levels vary wildly between the different NHS trusts, but in this case having a lot of loosely-connected trust networks instead of one big one was both a curse (the infection got in) and a benefit (the infection could only spread so far). Firewalls between trusts blocked a LOT of infections: one such example being the Northern Ireland *.hscni.net network - itself a collection of smaller trusts - which didn't get infected at all.

Having dozens of different interconnected IT networks therefore makes the NHS more difficult to secure, but more difficult to bring down: In an emergency situation you can completely close off the WAN pipe between your trust and the others and run off your own dedicated internet links. Any authentication etc. can take place on cached copies of user credentials such as a secondary DNS zone and backup AD - so it's only the centrally-held internal databases (like Staff Overtime and Travel claims) that will be temporarily unreachable.

Objectively there's very little reason for hospital machinery control systems to need to be on the same section of a network as a standard Windows client attached to a projector in a meeting room. Or for the 999 Room's Computers to be able to talk across to someone's BYOD smartphone.
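The exposure this comment describes (SMBv1 still on, MS17-010 not applied, TCP 445 reachable from anywhere) checked on one host, as an added example that is not from the original post. It assumes Windows 7 SP1 / Server 2008 R2 with PowerShell 2 or later; the KB numbers are that OS's MS17-010 packages (other versions use different ones, and later monthly rollups supersede them, so "KB not found" means investigate, not necessarily unpatched), and the allowed subnet is a placeholder.

```powershell
# Added example, not code from the original post: check a Windows 7 / 2008 R2
# host for the WannaCry preconditions and, with -Fix, apply the usual remediation.
# $Ms17010KBs are the Win7 SP1 / 2008 R2 MS17-010 packages (security-only and
# monthly rollup); later rollups supersede them. $AllowedSmbSources is a placeholder.
param(
    [string[]] $Ms17010KBs        = @('KB4012212', 'KB4012215'),
    [string[]] $AllowedSmbSources = @('10.0.0.0/8'),   # placeholder: subnets that may reach SMB
    [switch]   $Fix
)
$findings = @()

# 1. SMBv1 server. On Vista/7/2008 it is controlled by LanmanServer\Parameters\SMB1
#    (value absent = enabled). Disabling it removes the EternalBlue attack surface
#    regardless of patch state; a reboot is needed for the change to take effect.
$lanman = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
$smb1 = (Get-ItemProperty -Path $lanman -Name SMB1 -ErrorAction SilentlyContinue).SMB1
if ($smb1 -ne 0) {
    $findings += 'SMBv1 server enabled'
    if ($Fix) { Set-ItemProperty -Path $lanman -Name SMB1 -Value 0 -Type DWord }
}

# 2. MS17-010 itself (or a rollup carrying it).
$hotfixes = Get-HotFix | Select-Object -ExpandProperty HotFixID
$present  = $Ms17010KBs | Where-Object { $hotfixes -contains $_ }
if (-not $present) { $findings += "None of $($Ms17010KBs -join ', ') installed; check later rollups" }

# 3. Exposure: 445 listening with nothing restricting who may reach it.
if (netstat -an | Select-String ':445\s+\S+\s+LISTENING') {
    $findings += 'TCP 445 listening'
    if ($Fix) {
        # Windows Firewall blocks inbound by default and evaluates block rules
        # before allow rules, so: keep the default block, switch off the broad
        # built-in SMB allow rules, and allow 445 only from approved subnets.
        $scope = $AllowedSmbSources -join ','
        netsh advfirewall set allprofiles firewallpolicy blockinbound,allowoutbound | Out-Null
        netsh advfirewall firewall set rule group="File and Printer Sharing" new enable=No | Out-Null
        netsh advfirewall firewall add rule name="SMB-In (approved subnets only)" dir=in action=allow protocol=TCP localport=445 "remoteip=$scope" | Out-Null
    }
}

if ($findings) { $findings | ForEach-Object { "[FINDING] $_" } } else { 'No findings' }
```

The firewall step is the host-level version of the "firewall between trusts" point: a server has no business accepting SMB from anything outside the subnets that legitimately use its shares, and certainly not from the internet. The rule group name is the English one; on localised builds it differs.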

NHS Digital stopped short of advising against paying off WannaCrypt

DMSlicer

Re: Virtualisation Of OS

> I have not been in the support environment for many years, but will virtualisation of the target OS be of benefit here ?

Actually it might, for a reason that might not be readily apparent:

A lot of modern nastyware will try and detect if it's running in a Virtual Environment and either alter its behaviour or terminate itself entirely. The idea behind this is to stop itself from being detected by sacrificial "honeypot" VMs used by Security Researchers. As a byproduct to this, production virtual servers can actually be slightly safer than non-virtual: they can still get infected, but often the payload actually refuses to run.

As an aside: I actually work in the NHS in an IT Support capacity, albeit not on Mainland Britain. Our trust didn't get infected by WCry for several reasons, but the attack has provoked a bit of a shakeup upstairs and a fresh round of "Potential Scenario Planning", so there may be some good that comes out of all this. (Most of the machinery out in the Hospitals works off relatively-uninfectable firmware, so one ideal would be to have a redundant network backbone using both Windows and Linux-based OSs so that any Malicious infection could only ever take out one set of servers... but (at least for now) that still remains a pipe dream...) :/
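The VM-detection behaviour described above, seen from the defender's side: an added example (not from the original post) that enumerates the artifacts VM-aware malware commonly checks before deciding whether to run. It needs Windows PowerShell 3 or later for Get-CimInstance; the vendor strings, service names, MAC prefixes and registry keys are the usual published indicators rather than a complete list, and Win32_ComputerSystem.HypervisorPresent only exists on Windows 8 / Server 2012 and later.

```powershell
# Added example, not code from the original post: list the artifacts that
# VM-aware malware commonly checks. Windows PowerShell 3+. Indicator lists are
# illustrative, not exhaustive; HypervisorPresent is Windows 8 / 2012+ only.
function Get-VmArtifacts {
    $hits = New-Object System.Collections.Generic.List[string]

    # 1. SMBIOS strings: manufacturer, model, BIOS version, serial.
    $cs   = Get-CimInstance Win32_ComputerSystem
    $bios = Get-CimInstance Win32_BIOS
    $vendorPattern = 'VMware|VirtualBox|innotek|QEMU|Xen|KVM|Parallels|Virtual Machine|Bochs'
    foreach ($s in @($cs.Manufacturer, $cs.Model, $bios.Manufacturer, $bios.SMBIOSBIOSVersion, $bios.SerialNumber)) {
        if ($s -and $s -match $vendorPattern) { $hits.Add("SMBIOS string '$s' matches '$($Matches[0])'") }
    }

    # 2. The hypervisor-present bit as reported by the OS (CPUID leaf 1, ECX bit 31).
    if ($cs.HypervisorPresent) { $hits.Add('Win32_ComputerSystem.HypervisorPresent = True') }

    # 3. Guest tools / integration services.
    $svcPattern = '^(VMTools|VGAuthService|VBoxService|vmicheartbeat|vmicvss|QEMU-GA)$'
    Get-CimInstance Win32_Service | Where-Object { $_.Name -match $svcPattern } |
        ForEach-Object { $hits.Add("service $($_.Name) ($($_.State))") }

    # 4. MAC address OUIs registered to hypervisor vendors.
    $ouis = @{
        '00:05:69' = 'VMware'; '00:0C:29' = 'VMware'; '00:1C:14' = 'VMware'; '00:50:56' = 'VMware'
        '08:00:27' = 'VirtualBox'; '00:15:5D' = 'Hyper-V'; '00:16:3E' = 'Xen'
    }
    Get-CimInstance Win32_NetworkAdapterConfiguration | Where-Object { $_.MACAddress } |
        ForEach-Object {
            $oui = $_.MACAddress.Substring(0, 8).ToUpper()
            if ($ouis.ContainsKey($oui)) { $hits.Add("MAC $($_.MACAddress) has $($ouis[$oui]) OUI") }
        }

    # 5. Registry keys left behind by guest additions.
    foreach ($k in 'HKLM:\SOFTWARE\VMware, Inc.\VMware Tools', 'HKLM:\SOFTWARE\Oracle\VirtualBox Guest Additions') {
        if (Test-Path $k) { $hits.Add("registry key $k") }
    }
    return $hits
}

$artifacts = Get-VmArtifacts
if ($artifacts.Count) { $artifacts | ForEach-Object { "[VM artifact] $_" } } else { 'No common VM artifacts found' }
```

Two practical uses: on a detonation sandbox, every line this prints is something the sample may use to decide not to detonate; on a physical production box, the same artifacts can be deliberately planted (a dummy VMware Tools key, a VMware-OUI MAC on a dormant adapter) to trip evasive malware that would otherwise run.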

BOFH: Power corrupts, uninterrupted power corrupts absolutely

DMSlicer

Re: @redundancy

Switch# configure terminal

Switch(config)# power redundancy-mode redundant

Switch(config)# end

In theory though switches should ship in redundancy-mode "redundant" by default (instead of "combined")...

More Brits desert high streets to spend £50bn online

DMSlicer

Ridiculous Price Differences

At the start of January, Currys were selling a certain model of Panasonic TV I was looking to buy for £499, Dixons had the same TV for £449 and Amazon for £399.

I went into town to what was, until recently, a Dixons.

It was now rebranded Currys.

The staff member I spoke to stated that they would only sell me the TV for the standard price of £499, they would not price match any "web based companies" which apparently now includes Dixons (technically there are brick + mortar Dixons stores still in Airports, but apparently Currys don't count those even though Currys, Dixons and PC World are all owned by the same company) and although they have big signs up throughout the store proclaiming that "WE WILL NOT BE BEATEN ON PRICE!" this only applies to brick and mortar high street stores within a 30 mile radius of the particular branch of Currys you happen to be standing in. They wouldn't even entertain the notion of giving me anything extra like a warranty or mounting bracket to entice me to buy from them rather than online.

Needless to say, I went home and ordered from Amazon, got free 2-day delivery, and used the extra £100 to pick up a new BluRay player to go with the TV.

Brick and mortar high street shops need to provide some kind of perk if they expect us to buy from them over cheaper online stores... and that's not even taking into account the extra hassle of spending extra time + money on petrol and parking to actually visit them in the first place.

Horror AVG update ballsup bricks Windows 7

DMSlicer

I can get behind the round-up idea.

I've personally used AVG on a few PCs, as well as Avira and Avast. Some are more effective than others at certain things, but on average they're all pretty much the same level of protection. OKish, but not a "catch all". AVG does seem to guzzle slightly more resources than the rest, but it's not a huge amount.

All of them have created problems though when I've recommended them to other users - they keep getting plagued by the ads along the lines of "your computer would be more protected if you paid us money and moved to this option", or couldn't work out the subscription renewal process. So in past years I've been recommending MS Security Essentials instead of the other offerings. Although it's a MS product it's roughly as effective as the rest, not particularly resource hungry and doesn't show unsolicited ads or nag you for subscription stuff. (And as a bonus, it updates itself using the Windows Update process, so it means the users are forced to keep their PCs properly patched!)

Since version 8/9 AVG has become quite bloated and prolific with Ads. And it's not the first time they've had bug trouble either. I remember a version 9 iteration that used to switch your PC's focus to the AVG application approximately every 30 mins regardless of whatever you were working on at the time (like, Full Screen games, which tended to crash every 30mins like clockwork). Fixing that one required scrubbing the AVG installation combined with multiple registry hacks...