At the tail end of last week, the National Health Service (NHS) was among those organisations hit by IT failures resulting from the significant WannaCry cyber attack, with NHS Trusts and hospitals in London, Blackburn, Nottingham, Cumbria and Hertfordshire all affected. Some GP surgeries were forced to shut down their phone and IT systems while A&E Departments informed patients not to attend unless it was for a real emergency.
In a statement, NHS Digital said that “a number of NHS organisations” were affected by the ransomware attack, but that the WannaCry ransomware isn’t specifically targeted at the NHS. In fact, reports suggest that it has affected organisations from across a range of sectors and around the globe.
There’s no evidence to suggest that patient data was accessed. NHS Digital is working closely with the National Cyber Security Centre, the Department of Health and NHS England to support affected organisations and ensure patient safety is protected. The focus is on supporting organisations to manage this incident both swiftly and decisively.
Ransomware attacks such as this are becoming more and more commonplace with public sector organisations arguably receiving an unfair proportion of them due to a perceived – or perhaps even an actual – weakness in their cyber defences. With healthcare providers across the country having to cancel services, it’s clear that this current episode has been an alarming situation for the NHS.
“It doesn’t matter where the threat comes from,” said David Thorp, executive director of the Business Continuity Institute (BCI). “Organisations must have plans in place to deal with the consequences of such disruptive events. By putting plans in place to deal with such events, it means that organisations are better prepared to manage through them, lessen the potential impact and still provide an appropriate level of service for their customers.”
Following the news that the NHS had been hit by this large-scale cyber attack, Joe Hancock (cyber security expert at law firm Mishcon de Reya) said: “This episode seems to be a criminally-motivated ransomware attack. The attack seems to have spread between interconnected systems, affecting multiple NHS Trusts and providers and impacting their operations. While there’s currently little evidence of ransoms having been paid, it’s possible that some smaller organisations will do so, although they may then deny it.”
Hancock continued: “High-profile cyber attacks are often closely linked to geopolitics. This is likely to become a national issue over the coming weeks, and especially so for a sector that’s key to our Critical National Infrastructure. There have been recent examples of attacks affecting healthcare globally, such as huge leaks of US medical records, for example. It was almost inevitable that this type of activity would cross the Atlantic at some point. That said, it’s surprising to see it happen at this scale.”
Windows XP: an old operating system
Much of the blame for the WannaCry episode has been laid on organisations using Windows XP, an operating system that’s now 16 years old and hasn’t been supported by Microsoft for three years. While end users are strongly advised to move away from the platform, Windows XP is here to stay. It’s embedded within many devices, from MRI machines in the NHS through to EPoS systems in large retailers, neither of which may be easily or cheaply upgraded.
Ilia Kolochenko, CEO of web security firm High-Tech Bridge, told Risk UK: “So far it’s not yet clear when exactly the infected machines were compromised, but quite probably it’s a very recent large-scale phishing attack targeting hospitals with ransomware. We cannot exclude a well-thought out attack, planned and prepared for months, which continuously infected more and more NHS victims, preparing to demand ransoms at once and cause panic.”
Kolochenko went on to state: “Without further technical investigation, it’s impossible to say who’s behind the attack, but it can be virtually anyone from a small group of Black Hats seeking profit through to a State-sponsored hacking group. This attack should be thoroughly investigated on a national level. There may be an opportunity to trace the attackers if they made some technical mistakes during their attack preparation.”
In addition, Kolochenko outlined: “This incident exposes how a two-month old vulnerability can cause global panic and paralyse the largest companies and Government institutions on all continents. Worse still, cyber criminals could have easily released this worm just after the National Security Agency’s (NSA) 0day was leaked two months ago. That would have led to much more destructive consequences. It must also be said that there’s nothing new in this particular attack. The main cause of the epidemic is our failure to adhere to cyber security fundamentals.”
Many companies were infected because they failed to maintain a comprehensive inventory of their digital assets and simply forgot to patch some of their systems. Others either omitted or unreasonably delayed security patches. In addition, the malware’s ability to self-propagate exploited the lack of segregation and access control within corporate networks.
It would be unreasonable and inappropriate to blame the NSA for any significant contribution to this attack. Similar 0days are bought and sold almost every day. Virtually anyone can (un)intentionally leak an exploit and cause similar damage. According to Kolochenko, the real problem is that, in 2017, the largest companies and Governments still fail to patch publicly disclosed flaws for months.
“Companies and organisations that have fallen victim to this attack may consider contacting their legal departments to evaluate whether their IT contractors can be held liable for negligence and breach of duty,” concluded Kolochenko. “In many jurisdictions, failure to update production systems for over two months can certainly qualify as being carelessness at the very least.”
It’s likely that the NSA had previously identified this issue, but for intelligence purposes chose not to disclose it in the public domain. The damage caused by it being leaked into the wild is now, unfortunately, all too clear.
Paul Barber from managed service provider IT Specialists observed: “It’s appalling that our NHS would be targeted. Organisations must focus on employee education and insist on vigilance at all times. Of course, updating all software to the latest patched versions and having robust security solutions in place will help. The most important thing is to ensure daily off-site back-ups are actioned in order to protect business data. These steps will guard against other malware and non-malicious incidents.”
Nathan King, director at cyber security consultancy Cyberis, said: “It’s well-established that the health sector is an industry which has been specifically and repeatedly targeted by cyber attacks. The NHS should have clearly identified the threat as a priority for vulnerability management and predicted such incidents. Managing the threat and related vulnerabilities isn’t straightforward as it involves people, process and technology controls in order to be fully effective. Practically, there’s no defence strategy that’s 100% effective. For the NHS, the logistics of co-ordinating the deployment and management of the controls would not be easy, while the associated costs are likely to be high.”
Dr Alexeis Garcia-Perez, an expert on cyber security risk management from Coventry University’s Centre for Business in Society, said: “We’re seeing a massive chink in the UK’s preparedness for a cyber attack, but everyone is talking about IT infrastructure. That can be upgraded overnight with investment. People and skills are the problem. There is simply too little awareness of cyber security risk at management and senior level in the UK. Cyber literacy in the NHS, across the wider public sector and within UK plc in general is going to be every bit as important over the next decade as being able to read and write.”
E-mail continues to be the most common route by which organisations are infected with ransomware, which highlights the critical need for employee education. The lack of such education is manna from heaven for cyber criminals, who send mass e-mails to generate profit in the calculation that at least some of those e-mails will be opened.
While public sector bodies have a civil duty to share the devastating effects of a cyber attack, the BCI believes the news concerning the WannaCry attack is just the tip of the iceberg. Government offices will have IT teams and funding to restore information, even if data wasn’t adequately backed-up. However, the BCI believes that the greater threat lies with the small businesses that have installed an anti-virus and believe they have adequate protection.
Preparing for a ransomware attack
So how should organisations prepare for a possible ransomware attack? First and foremost, they must make sure that their data is backed up. If data is backed up and the organisation experiences a ransomware attack, it can isolate the ransomware, clean the network of it and then restore the data from the back-up. It’s not necessarily an easy process, but it means that companies don’t lose all their data and that they don’t pay a ransom.
Make sure the operating system and installed software are up-to-date with the latest security patches, and that anti-virus and anti-malware tools are conducting regular scans of the network so that they can pick up anything malicious before damage is done. Configure access controls on file directories so that users can only reach the files they need. The more restricted the flow of data across the network, the better the chance of stemming the spread of a ransomware attack.
Prevention is better than cure, so one way to reduce the impact of ransomware is to stop it happening in the first place. The vast majority of the time, the user has to do something to install the ransomware – click on a link or open an e-mail attachment, for example – so if the user doesn’t do that, the malware cannot install itself. It may not be quite as simple as this, but it’s important to develop a culture whereby end users think twice about their actions.
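The readiness checks described above can be turned into a routine inventory review. The following is an added example, not code from the article or from any of the organisations quoted; it assumes a constructed asset inventory (hypothetical hostnames and dates) and applies the article’s own thresholds: an unsupported operating system such as Windows XP, patches left for more than two months, and back-ups that are not daily or not off-site.

```python
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Thresholds taken from the article's criteria: more than two months unpatched
# is "carelessness at the very least"; Windows XP receives no vendor patches;
# back-ups should be taken daily and held off-site.
MAX_PATCH_AGE_DAYS = 60
MAX_BACKUP_AGE_DAYS = 1
UNSUPPORTED_OS = {"Windows XP"}


@dataclass
class Asset:
    hostname: str
    os: str
    last_patched: date
    last_backup: Optional[date]   # None means no back-up has ever been recorded
    backup_offsite: bool


def assess(asset: Asset, today: date) -> List[str]:
    """Return the readiness findings for one asset; an empty list means ready."""
    findings: List[str] = []
    if asset.os in UNSUPPORTED_OS:
        findings.append("unsupported OS: no vendor patches, isolate or compensate")
    elif (today - asset.last_patched).days > MAX_PATCH_AGE_DAYS:
        findings.append(f"patches older than {MAX_PATCH_AGE_DAYS} days")
    if asset.last_backup is None:
        findings.append("no back-up recorded: cannot restore without paying")
    else:
        if (today - asset.last_backup).days > MAX_BACKUP_AGE_DAYS:
            findings.append("back-up older than one day")
        if not asset.backup_offsite:
            findings.append("back-up is on-site only: reachable by the same ransomware")
    return findings


def readiness_report(inventory: List[Asset], today: date) -> Dict[str, List[str]]:
    """Map every hostname in the inventory to its list of findings."""
    return {a.hostname: assess(a, today) for a in inventory}


# Constructed sample inventory (hypothetical hosts, not taken from the article).
TODAY = date(2017, 5, 15)
SAMPLE_INVENTORY = [
    Asset("mri-suite-01", "Windows XP", date(2014, 4, 8), date(2017, 5, 14), True),
    Asset("gp-reception-07", "Windows 7", date(2017, 2, 20), date(2017, 5, 14), False),
    Asset("file-srv-02", "Windows Server 2012", date(2017, 4, 20), date(2017, 5, 14), True),
]

if __name__ == "__main__":
    for host, findings in readiness_report(SAMPLE_INVENTORY, TODAY).items():
        print(host, "OK" if not findings else "; ".join(findings))
```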
With Business Continuity Awareness Week 2017 taking place from 15-19 May, the BCI is calling on all organisations to make sure they have adequate plans in place to deal with such events so that disruptions don’t turn into disasters.