Troubleshooters are still trying to flush a virus out of hundreds of hospital computers more than three weeks after it first hit.
The Downadup virus, also known as Conficker B, infected 800 out of the 7,000 PCs at five hospitals in Sheffield, leading to a "small number" of patient appointments being cancelled, according to a spokeswoman for the Sheffield Teaching Hospitals NHS Foundation Trust.
Engineers at the hospitals run by the trust are still clearing up the "last remnants" of the virus, which was first detected on 29 December, she said.
The virus was uncovered at the same time that Microsoft Windows automatic security updates were disabled on PCs supporting operating theatres.
Microsoft released a patch that blocked the vulnerability used by the Downadup virus back in October last year.
David Whitham, informatics director at Sheffield Teaching Hospitals NHS Foundation Trust, said in a statement: "There has been limited impact on patient care."
"The virus has now been contained and our IT team have been working very closely with external antivirus specialists to update PCs and remove the last remnants of the virus from the network to limit the chances of a repeat infection.
"The automatic Microsoft update process had been temporarily disabled following problems with some PCs providing supporting information in theatres.
"This decision was taken by the IT Change Advisory Board to prevent further disruption in theatres."
The latest variation of the Downadup virus has reportedly infected some nine million machines worldwide in recent weeks.
The incident echoes an earlier infection at the Barts and The London NHS Trust, where hospital PCs were struck down by the Mytob worm.
Talkback
Price Waterhouse Cooper and Carnegie-Mellon’s CyLab have recent surveys that show the senior executive class to be, basically, clueless regarding IT risk and its tie to overall enterprise (business) risk. I like to pass along things that work, in hopes that good ideas make their way back to me. Data breaches and thefts are due to a lagging business culture – and people aren’t getting the training they need. As CIO, I look for ways to help my business and IT teams further their education. Check your local library: A book that is required reading is "I.T. WARS: Managing the Business-Technology Weave in the New Millennium." It also helps outside agencies understand your values and practices.
The author, David Scott, has an interview that is a great exposure: http://businessforum.com/DScott_02.html
The book came to us as a tip from an intern who attended a course at University of Wisconsin, where the book is an MBA text. It has helped us to understand that, while various systems of security are important, no system can overcome laxity, ignorance, or deliberate intent to harm. Necessary is a sustained culture and awareness; an efficient prism through which every activity is viewed from a security perspective prior to action.
In the realm of risk, unmanaged possibilities become probabilities – read the book BEFORE you suffer a bad outcome - or propagate one.
While reading books and more intensive training may help, the underlying problem still exists: using an inherently insecure OS. Redmond has only recently become concerned about security. They have always been about integration, ease of use, and lack of user knowledge and information. This gives the end user a sense of false security, and usually comes back to bite them. Give me a secure system, even if I am forced to read a book and actually learn how to work with the code, and how to make sure the system is secure. In other words, I will stick to Linux, which I am still learning after using it for 7 years.
What stops a virus in its tracks? - Application Control
The principle of Application Control is to only allow applications that are required to execute, i.e. unknown applications such as a virus or malware will NOT run - so we can stop this havoc from occurring.
The technique is also referred to as "whitelisting" - this straightforward control mechanism allows the IT manager to eliminate unknown or unwanted applications in their network, improving overall manageability but, most importantly, reducing the risk of malware, viruses and spyware.
Therefore, using application control in your environment would quite simply not allow a virus to run.
Check out: http://tinyurl.com/cmpp3y for more specifics.
"The automatic Microsoft update process had been temporarily disabled following problems with some PCs providing supporting information in theatres."
It seems logical to me that if it became necessary to disable security updates for this reason, the preferred solution would have been to isolate the part of the network needed to support the operating theatres while solving the problems. This would have permitted procedures to carry on as normal until it was possible to rejoin the network. Similar principle to my re-installing an OS in a PC, install the security software before rejoining my LAN/WAN.
Their IT management should really consider modularising their system to enable critical and other elements to operate, if necessary, as small LANs independently from the WAN.
That only works in Vista (and Win7 beta). You're assuming the systems at issue are Vista boxes. XP Pro is more likely the OS in use.
You're assuming that somebody is actually operating at a desktop and has group policy rights to manage that setting.
You're assuming that they have a clue what they are doing.
The I(dio)T department at the hospital should have locked those systems in their own little domain and installed and updated the malware software on the boxes and managed them more closely. The Downadup is easily avoided.
Once you HAVE the virus, you can no longer download updates from Microsoft and most antivirus software vendors. One thing the virus does is block requests from your computer to these web sites. Following the steps from a site I found - downadup.com (http://www.downadup.com) - downloading a free removal tool, disabling AutoPlay, and repairing the registry - you can remove this virus and protect from infection.
Whitelisting is the best way to prevent direct harm to computers from viruses and malware, but comprehensive application whitelisting – like Lumension Security Endpoint Protection Solution that does run on XP systems – offers many more benefits to organisations and the IT environment:
* Increased performance and stability. When only authorised applications can run on a computer, there is far less chance that inappropriately installed programs or hardware drivers will corrupt an operating system. Combined with Lumension Security Vulnerability Management Solution, patches and updates are rolled out in a uniform and approved manner, ensuring that all computers operate on the same release level.
* Control of computer and network utilisation. Computers have an unfortunate tendency to become cluttered with junkware, games, and web software that consume computing resources and network bandwidth. Whitelisting offers a way to keep such programs from interfering with business operations.
* Decreased IT support costs. With no viral attacks to thwart, malware to hunt down, or incompatible applications to invoke the blue screen of death, IT can spend more time and resources on improving operations instead of constantly fixing computers.
* Increased data security and compliance with privacy laws. Preventing programs not on the whitelist from running on any computer obviates the chance for spyware, keyloggers, and sniffers to steal passwords, address books, customer files, or other sensitive data from otherwise physically secure computers. Combined with Lumension Security Data Protection Solution, which prevents sensitive information from leaking out through lost or stolen storage devices, a whitelist creates a strong infrastructure that makes it possible to comply with privacy regulations.
A further benefit to application whitelisting is the ability – and the opportunity – to better understand your IT environment. What applications are your people really running? Which are necessary to your operations? Are you buying more bandwidth than you really need to conduct business? Getting an accurate view of IT usage is the first step in controlling your information and your business.
If a CIO were to dream up a perfect IT environment, it would no doubt be very different from what most organisations have today. It would be a controlled environment with consistent change-control systems. Updates and operating system patches would be rolled out uniformly across a homogenous network. Every computer would have a specific set of applications preinstalled. Users would have no local authority to install, update, or delete applications, drivers, or web plug-ins. Only approved storage devices and media could be used to copy and transport data. In such a tightly regulated computing environment, anti-virus and whitelisting programs might not be needed.
BUT this scenario represents an environment seldom found in the real world – albeit perhaps one that is not as desirable as it may first seem.
A totally locked down computing environment is not only rare – it is unlikely to best meet business needs. A system with complete top-down control loses the flexibility to quickly add and upgrade applications and business systems. In organisations where communication and creativity fly fast and furious, locked-down systems can frustrate and stifle the flow of business. And while such a setup may at first seem convenient for the CIO’s department, it ultimately adds labour-intensive work for system administrators and help-desk operators.
So, what do you live with today? Organisations that start out small, with even smaller IT teams, often by default give users local administrative control of individual PCs. Though such a choice lessens the initial burden on IT, as a company grows those few savvy users are joined by well-meaning users installing rogue applications – sometimes incorrectly – corrupting files and registries in the process.
Or maybe your organisation has inherited an infrastructure with a history of uneven change control, resulting in a mishmash of service packs and application versions, sometimes running on the same computer. Unauthorised applications and preloaded junkware clog hard drives and networks. Malware and viruses continuously creep in through downloads and website visits. The anti-virus software you installed can’t keep up, and you are constantly rebuilding corrupted PCs. Sudden spikes in unauthorised application-generated traffic overload the network at critical times, forcing you to contract for more bandwidth than you really need.
Is this a snapshot of your world? Though your scenario may be slightly better, or worse, the general situation remains the same. You need a way to categorise all the applications on all the computers on your network, and then decide which should be allowed to run.
Whitelisting simply means defining what is “good,” then allowing only good programs and processes to load and execute in memory. Everything not on the whitelist – the virtual blacklist – cannot run. To increase flexibility, especially in the beginning, you can extend the concept of trusted change by implementing a graylist. This permits safe but potentially undesirable programs to run until you decide whether they are really needed.
Whitelisted applications run. Graylisted applications can launch with logging that notifies you when and where they are running. Anything else cannot run at all. Even corrupted or hacked applications on the whitelist are recognised as altered, and prevented from running. Zero-day attacks through malware, worms, and Trojans are automatically prevented from running because they are not on the whitelist, and therefore never get the chance to launch and corrupt.
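The whitelist / graylist / deny-everything-else model described in the comments above (both the "Application Control" post and the longer whitelisting post) can be shown in a few dozen lines. The following is an added illustration written for this page; it is not Lumension's product, not code from the commenters, and not a real enforcement agent. It is a hypothetical policy engine that identifies each program by the SHA-256 of its bytes rather than by its file name, so a whitelisted path whose contents have changed is treated as altered and refused, graylisted programs run but leave an audit record, and anything unknown is denied. The host name, paths and "binaries" are constructed sample values.

```python
import hashlib
import logging
from enum import Enum

log = logging.getLogger("appcontrol")
logging.basicConfig(level=logging.INFO, format="%(levelname)s %(message)s")


class Verdict(Enum):
    ALLOW = "allow"             # whitelisted and unchanged: runs silently
    ALLOW_LOGGED = "allow+log"  # graylisted: runs, but every launch is recorded
    DENY = "deny"               # unknown or altered: never launches


def fingerprint(contents: bytes) -> str:
    """Identify a program by the SHA-256 of its bytes, not by its file name."""
    return hashlib.sha256(contents).hexdigest()


class ApplicationControl:
    """Hypothetical allow-list enforcer (constructed for this example, not a vendor product)."""

    def __init__(self, whitelist: dict, graylist: dict):
        # Both lists map an installed path to the hash the binary had when it was approved.
        self.whitelist = dict(whitelist)
        self.graylist = dict(graylist)
        self.events = []  # audit trail: (host, path, verdict, reason)

    def _record(self, host: str, path: str, verdict: Verdict, reason: str) -> None:
        self.events.append((host, path, verdict, reason))
        log.info("%s %s %s (%s)", host, verdict.value, path, reason)

    def decide(self, host: str, path: str, contents: bytes) -> Verdict:
        digest = fingerprint(contents)
        if path in self.whitelist:
            if self.whitelist[path] == digest:
                return Verdict.ALLOW
            # Same path, different bytes: this is no longer the approved program.
            self._record(host, path, Verdict.DENY, "whitelisted binary altered")
            return Verdict.DENY
        if self.graylist.get(path) == digest:
            self._record(host, path, Verdict.ALLOW_LOGGED, "graylisted")
            return Verdict.ALLOW_LOGGED
        # Default deny: anything not explicitly trusted never gets to launch.
        self._record(host, path, Verdict.DENY, "not on whitelist")
        return Verdict.DENY


# Constructed sample "binaries": short byte strings standing in for real executables.
APPROVED_VIEWER = b"theatre-imaging-viewer v1.2"
TAMPERED_VIEWER = APPROVED_VIEWER + b"\x90" * 8   # same path on disk, contents changed
SCREENSAVER = b"holiday-screensaver"
UNKNOWN_PROGRAM = b"something-nobody-approved"


def build_policy() -> ApplicationControl:
    """Constructed policy: one approved clinical app, one tolerated-but-logged app."""
    return ApplicationControl(
        whitelist={r"C:\Apps\viewer.exe": fingerprint(APPROVED_VIEWER)},
        graylist={r"C:\Users\nurse\screensaver.exe": fingerprint(SCREENSAVER)},
    )


def run_demo() -> dict:
    """Return the verdict for each launch attempt on a constructed endpoint."""
    ac = build_policy()
    host = "THEATRE-PC-01"  # constructed host name
    return {
        "approved": ac.decide(host, r"C:\Apps\viewer.exe", APPROVED_VIEWER),
        "tampered": ac.decide(host, r"C:\Apps\viewer.exe", TAMPERED_VIEWER),
        "graylisted": ac.decide(host, r"C:\Users\nurse\screensaver.exe", SCREENSAVER),
        "unknown": ac.decide(host, r"C:\Temp\x.exe", UNKNOWN_PROGRAM),
        "events": len(ac.events),  # only non-silent decisions are recorded
    }


if __name__ == "__main__":
    for name, result in run_demo().items():
        print(name, result)
```

The point the comment makes about "corrupted or hacked applications on the whitelist" is visible in the `tampered` case: the path is trusted, but the hash no longer matches, so the launch is refused. Keying trust on content rather than name is what makes that possible; a policy keyed on file names alone could not tell the two apart. In a real deployment the hashes would be collected from a known-good build and the decision would be enforced by a kernel-level hook rather than a Python call, but the three-way policy is the same.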