I'm always loath to raise my head above the parapets when there is a security breach - there but for the grace ... and all that!
But I thought on this occasion, I'd make a few (I hope helpful) observations.
- First of all, MS Windows in all of its forms is a honeypot for nastily-motivated bees. So it needs assiduous care to keep it anywhere near safe.
- Second, having machines that are data-free is a measure against "ransomware"; after all, for $300 a new device can be acquired. After all, it's the data that has the value to be ransomed, not the tin.
- It's 20+ years now that the second wave of "thin clients" (data-less computing end point devices) was heralded by Larry Ellison at a conference in London over which I was presiding. 10 years before that Dave Jackson, the founder of Altos (now Acer) was building "diskless PCs" and having no great success in them being adopted. What have we done since then? Become more attached to Windows data hovels, that's what. Data in clouds with diskless terminal devices is much, much safer.
- Some basic things that I try to practice are: Keep as much data-rich stuff in cloud environments as I can (a stolen laptop is a far higher security risk than having your key data tucked up in "the cloud" however flaky you think that might sound); Never bringing a revived PC (or a new one) into the local network without having first brought the op sys up to date on a single dedicated line; Passwords - that's a blog in itself and sharing my approach to this would be a security breach in its own right; Windows Update - always stay on top of critical updates (even though my machines are set to manually authorise updates) - I just hate it when a machine self-updates and reboots in the middle of some mission-critical work.
- The NHS breach at this stage appears to be non-targeted at any specific organisation - just about any outfit with weak system management is vulnerable. This gives rise to a criticism from me on public sector procurement and similarly for Microsoft. The public sector hardly ever buys IT stuff based on quality - it's almost always on price. Bad practice! ... So far as Microsoft is concerned, my view is that peddling Windows software to the world and then discontinuing maintenance and update support for earlier versions (like XP) shows lack of care towards the world at large. I sympathise with the economic imperatives in funding that support that they must deal with - but making a globally-adopted operating system redundant and then profiting from mass upgrades leaves me wondering where the moral line needs to override the cost consideration.
- We don't know how this ransomware came into being, though it has been suggested that it was built in U.S. security circles and then stolen. If that were the case, I'd be asking about their own security methodologies. It's like making chemicals for warfare and then not locking the contents in the deepest vaults imaginable.
I'm certain I haven't covered the matter in any depth at all here - though I felt like I should commit my initial thoughts to a little blog :-)