Re: Easy to mitigate
How simple it is, I dont know why it has not been done.
Apart form you have a piece of software that has not been updated for years because it is vitally important yet nobody has the money to upgrade it.
You cannot put the latest patches for other software/OS on because it will break this very important piece of software. You tell the relevant people you need to update the software and OS to stop a potential security breach but this will break the software. The answer you always get back is 'if it stops working a child might die'.
And that is where the argument ends, a potential security breach VS a child dying. Yes we all know that the potential security breach could in turn mean all systems are down and more risk to people but it never works.
Testing in a sandbox is so easy. Ohh wait we support 700+ applications, who is going to test them all, with all possible iterations. It is not possible.
Add to this that a lot of the software used is very niche and only ever made by one company and you are caught by the short and curlys. You know it is not 'secure' yet it is the only thing that can do what you need.
Why not make your own software then? Ok we will just hire some more staff to do it (with the imaginary money tree) and then find out that it cannot integrate with what everyone else is using so it is no use.
I don't work for the NHS (or in the security team) but local government and we get it all the time. People working for either small companies or those that use a very limited amount of applications and need little integration with anyone else have no idea. Try working for the government or NHS where ICT has very little power or budget and has to support hundreds of critical applications that are made by a plethora of suppliers.
Biting the hand that feeds IT
