We all remember the disastrous effect of the WannaCry ransomware attack, which spread across the world infecting more than 230,000 computers in over 150 countries. It is the biggest cyber-attack to have hit NHS IT systems in the UK so far. However, a recent report released by the National Audit Office claimed that the affected NHS trusts could easily have prevented the attack if cyber security recommendations had been followed.
This news sparked a lot of discussion among industry experts. Here are some of their views:
Lee Munson – Security Researcher at Comparitech.com:
“While it is a well-known fact that no organisation can ever be completely safe against all forms of cyberattack, it is also true that low hanging fruit tends to get picked off first.
That’s why larger companies and entities invest so heavily in technological security defences and training and awareness sessions for their employees. All of those things have little value, however, if they are not managed through standards, policies and procedures.
To that end, the NHS trusts affected by WannaCry are certainly culpable for not following the recommendations given to them. Whether those recommendations would have mitigated the chance of the ransomware taking hold to zero is up for debate, but it was a starting point that was completely”
Mark James, Security Specialist at ESET:
“To be honest, for most cyber-security professionals this report tells us nothing that we don’t already know. The WannaCry infection would only target systems that were not patched; it’s no different to what the NHS actually do – they patch us humans to be safe from virus attacks. If you don’t keep your immune system up-to-date, then you will be susceptible to old virus attacks.
The worrying bit in the report is the statement that reads “NHS trusts had not acted on critical alerts from NHS Digital and a warning from the Department of Health and the Cabinet Office in 2014 to patch or migrate away from vulnerable older software.” If you have someone of perceived authority giving you instructions on how to protect your systems, then why was it not acted on? We are not talking about mass upgrades or huge costly system changes here; these are patches that are not overly hard to instigate and ensure they are in place. We all know how much it will cost the NHS to replace all their computers and devices with the latest operating systems and, to be frank, it would cause a massive strain on an already underfunded authority – but I would assume the recommendations would take into account the costs involved and would meet current budget levels.
It does seem like a huge breakdown in communications and would highlight an urgent need to get things right for the time when a sophisticated attack gets hold – unlike WannaCry, which technically was not sophisticated at all! Hopefully not just the NHS, but many companies around the world, suddenly jumped into action to avoid further outbreaks and have put plans in place to stop the next unnecessary cyber disaster from happening…”
Andrew Clarke, EMEA Director at One Identity:
“Often, we see cases where the organisation gets impacted by an attack – ransomware being the most reported – and afterwards we hear that the issue has been ignored, advice has been misunderstood or there has been a lack of visibility into whether or not the advice has been implemented comprehensively. This is not just about the NHS, as for example in the recent case of Equifax we heard afterwards that a security notification regarding Adobe Struts application had not been applied thoroughly.
In many cases the organisation does not have an inventory of all operating systems and applications that need to be patched – which makes the challenging task of patching even harder – a robust patch management system would aid that. In the case of the NHS, we do know that Windows XP systems were still in place and that Microsoft is no longer maintaining that operating system. So by continuing to use it, the door was always open for an attack to be successful, given that vulnerabilities are emerging all the time.
However, one of the factors at the NHS that we must consider is that some of the specific medical equipment being used was only ever designed to run Windows XP – so in that case the options are limited. What could have been done better was the compartmentalisation of environments that were known to be running older software, so that if they did get impacted, the damage could be limited. This would have required internal firewalls and mirroring best practices that have been adopted by more sensitive IT installations.
Authentication measures that step beyond passwords and embrace multi-factor authentication are a positive step in the right direction in controlling access. Beyond the basic IT security measures that can be adopted, some of the more recent innovations around identity and access management need to be in place in the NHS.
We know that the security basics are important and the NHS cyber security strategy has focused on securing the wider enterprise having implemented core infrastructure security components such as Firewalls; Intrusion Detection and Malware prevention, but it is now about ensuring their security coverage really stops this new wave of malware while also enabling them to operate effectively.”
Javvad Malik, security advocate at AlienVault:
“For many organisations, it’s not a matter of if, but when. Fundamental security controls and hygiene could have prevented, or at least minimised the impact of WannaCry on the attack. But perhaps even more telling is that while the Department of Health had an incident response plan, it was neither communicated nor tested. Without a clearly communicated and tested incident response plan, trying to make one up in the midst of an incident is a recipe for disaster.
It becomes increasingly important for all organisations of all sizes to invest in cyber security. It doesn’t necessarily need to be huge investments, but care should be taken that the fundamental security controls are put in place and validated, as well as testing an incident response plan.”
Anton Grashion, managing director-security practice at Cylance:
“While it’s true that organizations could have prevented at least one recent ransomware outbreak through ‘basic IT security,’ such as regular patching, the fact remains that a treasure trove of weapons-grade malware has recently been made available to every variety of threat actor on the Dark Web. It’s easy to say that if recommendations were acted upon the effect would have been less, but there would still have been an effect because the initial malware infection had to be stopped as well – not something the recommendations covered.
“Regular patching is necessary, but not sufficient for preventing highly damaging cyber-attacks on networks. It’s still imperative for security teams to evaluate next-generation anti-malware technologies inside their own organizations to see what works best for their purposes against these increasingly sophisticated new malware types, which are regularly failing to be stopped by traditional security products. Indeed, there is still a large estate of aging operating systems in daily use in both public and private organizations and while it is advisable to migrate to more up to date versions it’s sometimes a decision on what else will be cut to upgrade. Better yet is to protect these platforms in the first place and buy some breathing space in which an orderly upgrade program can be executed when budgets allow.”
Stephanie Weagle, VP at Corero Network Security:
“For organisations to operate un-patched legacy systems with no formal mechanism to effectively protect against the evolving landscape of cyber security threats is irresponsible. Over a third of national critical infrastructure organisations in the UK (39%) have not completed basic cyber security standards issued by the UK government, according to data revealed under the Freedom of Information Act. In order for the UK to become the safest place to do business, Critical Infrastructure must engage in cyber resiliency best practices and proper security defences. To keep up with the growing sophistication and organisation of well-equipped and well-funded threat actors, it’s essential that organisations maintain comprehensive visibility across their networks, to instantly and automatically detect and block any cyber threat, including DDoS attacks.”
Edgard Capdevielle, CEO of Nozomi Networks:
“The National Audit Office’s report reminds us that cyber security is not optional, it needs to be part of regular operations. Clearly there is a high cost when regular IT system updates aren’t implemented and cyber security recommendations aren’t followed.
“Attackers continue to look for new and inventive ways to infiltrate organisations and infrastructure, meaning global outages such as the one WannaCry was able to realise could become increasingly frequent if left unchecked.
“Under the EU’s NIS Directive, due to be implemented into UK law next May, those who fail to adequately protect infrastructure will be penalised financially.
“With ransomware such as WannaCry, especially given its ability to reinfect connected devices, prevention has to be first and foremost. By applying artificial intelligence and machine learning for real-time detection and response, organizations can monitor for known malware infections and detect anomalous behaviour that might indicate new malware variants, enabling organizations to rapidly discover and act to remove malicious code before harm is done.”
Gavin Millard, technical director at Tenable:
“In theory, WannaCry could have been easily prevented by deploying a freely available patch and restricting or removing a ubiquitous service called SMB from Windows systems that couldn’t be updated. In reality though, due to the complex networks in place, overlapping ownership of devices, and systems that can’t be updated due to contractual issues with the suppliers, this was far from trivial to accomplish.
“To be resilient to further attacks of this nature, each of the NHS trusts has to ensure foundational security controls are in place and identify where improvements are needed. The UK government has already defined controls every critical infrastructure should follow with schemes such as Cyber Essentials and NIS. But to implement these guidelines effectively, investment is required into a public sector that is already severely lacking funds.
“As we become more reliant on IT systems for every aspect of our critical infrastructure, including healthcare, the impact of a major vulnerability affecting those systems shouldn’t be underestimated or the risks ignored. Putting in place a robust process for identifying all systems on the network, and how vulnerable they are, is a foundational security control for a reason. Without this ability, networks will continue to be easily infected by ransomware like WannaCry.”
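Millard’s point about restricting SMB on Windows systems that cannot be patched, together with Clarke’s point above about keeping an inventory of the operating systems that need patching, both come down to knowing which hosts are exposed. The following PowerShell script is an added example, not code from the article or from any of the quoted vendors. It reports, for the local host, the OS build, whether SMBv1 is enabled, whether SMB (TCP/445) is listening on a network address and allowed inbound by Windows Firewall, and when the last update was installed, then assigns a simple risk rating. It assumes Windows 8.1 / Server 2012 R2 or later (the SmbShare, NetSecurity and NetTCPIP modules) and an elevated session; the rating thresholds and the `-DisableSmb1` switch are my own choices.

```powershell
# Added example (not from the article or the quoted vendors): audit a Windows
# host's SMBv1 exposure and patch recency as one input to the asset and
# vulnerability inventory the quoted experts call for.
# Assumes Windows 8.1 / Server 2012 R2 or later; run elevated.

function Get-SmbExposureReport {
    [CmdletBinding()]
    param(
        # Audit only by default; pass -DisableSmb1 to turn SMBv1 off server-side.
        [switch]$DisableSmb1
    )

    $os  = Get-CimInstance -ClassName Win32_OperatingSystem
    $smb = Get-SmbServerConfiguration

    # SMB listening on a non-loopback address means it is reachable from the network.
    $listening = Get-NetTCPConnection -LocalPort 445 -State Listen -ErrorAction SilentlyContinue |
        Where-Object { $_.LocalAddress -notin @('127.0.0.1', '::1') }

    # Any enabled inbound allow rule covering TCP/445 (e.g. File and Printer Sharing).
    $allowRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow -ErrorAction SilentlyContinue |
        Where-Object {
            $filter = $_ | Get-NetFirewallPortFilter
            $filter.Protocol -eq 'TCP' -and ($filter.LocalPort -contains '445' -or $filter.LocalPort -eq 'Any')
        }

    # Most recent update installation recorded on the host.
    $hotfixes   = Get-HotFix | Where-Object { $_.InstalledOn } | Sort-Object InstalledOn -Descending
    $lastUpdate = if ($hotfixes) { $hotfixes[0].InstalledOn } else { $null }

    if ($DisableSmb1 -and $smb.EnableSMB1Protocol) {
        # Server side only; the client component is the SMB1Protocol optional feature.
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
        $smb = Get-SmbServerConfiguration
    }

    $report = [PSCustomObject]@{
        ComputerName      = $env:COMPUTERNAME
        OS                = $os.Caption
        Build             = $os.BuildNumber
        Smb1Enabled       = $smb.EnableSMB1Protocol
        SmbListening      = [bool]$listening
        InboundSmbAllowed = [bool]$allowRules
        LastUpdateDate    = $lastUpdate
        DaysSinceUpdate   = if ($lastUpdate) { (New-TimeSpan -Start $lastUpdate -End (Get-Date)).Days } else { $null }
    }
    $report | Add-Member -MemberType NoteProperty -Name Risk -Value (Get-SmbRiskRating $report)
    return $report
}

function Get-SmbRiskRating {
    param([Parameter(Mandatory)]$Report)
    # Thresholds are assumptions for illustration: SMBv1 reachable from the network is
    # the WannaCry exposure; SMBv1 on at all, or no update in 60 days, still needs attention.
    if ($Report.Smb1Enabled -and $Report.SmbListening -and $Report.InboundSmbAllowed) { return 'High' }
    if ($Report.Smb1Enabled -or ($null -eq $Report.DaysSinceUpdate) -or $Report.DaysSinceUpdate -gt 60) { return 'Medium' }
    return 'Low'
}

# Usage: audit this host; collect across an estate with Invoke-Command -ComputerName.
Get-SmbExposureReport | Format-List
```

The script only covers hosts that can run it, so the Windows XP devices the experts mention will never appear in its output; those have to be found from the network side (switch, DHCP and scan data) and placed behind the internal firewalls Clarke describes, with the `InboundSmbAllowed` result here showing which supported hosts still accept SMB from them.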
Eyal Benishti, CEO and Founder of Ironscales, said:
“WannaCry started because someone unwittingly opened an attachment sent via an email and unleashed the malware – it could, and does, happen to anyone. What was different in this ransomware attack from previous examples is that the attackers had laden it with what we now know as EternalBlue. This previously unknown malicious software checked for file-sharing arrangements the computer had and began exploiting them, and so it was able to spread from Patient Zero to 200,000 computers across the globe.
“WannaCry and EternalBlue remind us that current email security solutions that live on the ISP and/or gateways, and employee education and awareness training on its own, are simply not working. Attackers are too smart, too patient and too determined to defeat the cybersecurity status quo. We must do better as an industry to quickly detect, mitigate and remediate email phishing attacks if we are to have any hope of getting the ransomware epidemic under control, especially given that approximately eight in 10 ransomware attacks begin with phishing. We must neutralise the messenger [phishing emails].”