Sophos Plc reports that a 20-year Californian kid has been collared for releasing a bug that has managed to infect a hospital full of computers - and caused massive downtime (and probably risking patients lives). However, reading through the article they put all the blame on the kid - who at the end of the day, could be just a script kiddie - nothing more. I'd be more concerned with the Hospital.
- They were running Windows machines, exposed (poor AV, poor spam filters, missing Critical Security Patches, etc)
- They didn't have their critical systems internally segregated - usually a split subnet, with a filtering firewall in between works wonders
- Where's their IT Policy? In all probability, someone opened the first email ...