Everything you need to know about cyber-attack on NHS England, and how it could have been avoided
The recent and highly public WannaCrypt cyber-attack had a huge impact on organisations around the world, in particular the NHS service Given the impact, particularly the human impact such as delayed appointments etc., how could this cyber-attack have been avoided?
What we Know
The attack was based on a known vulnerability found in Windows SMB. It was discovered first (that we know of ) by the NSA, but more recently published by a hacking group in April. Microsoft released a patch in March for all current operating systems, and then for older unsupported systems (Windows XP, 8 and 2003) after the attack.
We don’t know when or how the worm was originally spread, but it was activated on 12th May, 2 months after the original patch, and one month after the publication of the exploit.
The primary lesson is how important it is to keep security patches up to date. For desktop environments, patching should be automatic and mandatory. The enforced reboot is annoying, but this is the exact type of exploit that a regular and rapid patching regime is required for.
We don’t know exactly when WannaCrypt was first distributed, but there was a full month between the patch being released and the exploit code being leaked. Assuming the payload was already largely written, it would still take hackers a few days to write and test the new worm before the release.
In this case, anti-virus/malware didn’t help. It’s important to understand that anti-virus is designed primarily to defend against known malware. It is useful to Understand that malware is designed and tested against anti-malware products to ensure the heuristic detection mechanisms fail as well. Exploits written by both national security agencies and hackers alike are tested like any other piece of software against target devices and anti-malware suites. They are industrially and professionally produced because of the financial gains involved.
You should ensure that anti-malware is installed and up-to-date to detect and block the worm.
Security Awareness Training
We don’t know how the malware was first distributed, but it’s highly likely it was through phishing, either as an attachment to an email, or a link to a compromised website. Phising, or spear-phising attacks are getting more and more sophisticated, however this case doesn’t seem to be of a target. User security awareness training could probably have avoided the infection. The human element is often the weakest link in the security chain, so regular, effective and comprehensive coverage of training is important.
At a recent NHS client, security testing showed 80% of board members clicked on a link in a test email from an unknown source and proceeded to enter their login details into an unknown web page because it had the NHS logo on it.
Backups and Resilience
The key payload of this ransomware was the encryption of critical files, with the threat of deletion. At this point you will find out:
1) If you’ve correctly assessed which files and services are critical to your organisation
2) If your backup regime works
3) If you have the correct RPO (Recovery Point Objective) and RTO (Recovery Time Objective)
4) How effective is your BCP (Business Continuity Plans)
Setting and RPO determines how much data you’re prepared to lose. The answer can vary by a huge amount depending on the data. Sometimes you can lose all data because you can recreate it. Other times you may not be prepared to lose any (e.g. banking systems etc.) Typical systems can offer 5 minute RPO without significant cost, but this isn’t often applied to the shared files and folders affected by this malware. We recently worked with an NHS organisation where a spreadsheet was given an RPO of zero by the business because it had child protection data in it.
Setting the RTO determines how long you can be without the data/system. We know that systems and operations are still impacted 4 days after the WannaCrypt malware was activated, and it’s doubtful that any of the organisations impacted would have accepted a 4 day RTO.
On the impact WannaCrypt had to NHS, the press highlighted that clinicians resorted to using pen and paper to continue to offer services. This is absolutely the correct response in most circumstances. All NHS organisations should have BCP (Business Continuity Plans) in place to cope with system outages of any cause. The plan needs to be understood by all the staff, and well-coordinated. Often the BCP is out of date, poorly understood, and the implementation is badly coordinated. When an acute trust recently had performance issues on a critical system the BCP plan was so badly coordinated that half the hospital went to paper, while the rest stayed on the system. This was the worst possible outcome and meant departments werenot able to function.
Segmentation of services and devices is an important method of reducing the impact of an infection. Different departments, functions or devices within a business often have different risk profiles. Malware is most likely to be introduced through the human elements (phishing), so it makes sense to keep office based systems separate from critical operational systems. In NHS this is becoming more and more important as medical devices are becoming prevalent. Medical Imaging systems for example will normally have a dedicated PC system on a separate network (though they are also often neglected in terms of security updates from the 3rd party supplier). In the NHS it’s quite common to have no separation between user devices and key systems, and this presents a huge risk. More concerning though are the new generation of connected medical devices on wards such as insulin pumps that, if broken or hacked could kill a patient. Imagine a Stuxnet style attack that impacted drug pumps instead of nuclear centrifuge SCADA systems.
For the NHS the sad reality is the lack of security patching was the result of the continued use of Windows XP, and poor management. It’s very easy to blame IT for the failure, and in some cases there will be fault, but often IT, and security especially is poorly understood at board level, and is therefore ignored and underfunded. If there is any positive out of this attack, I hope it is that the boards of all NHS Trusts, even those unaffected this time, take IT security more seriously and give it the time, attention and funding it requires.
I highly recommend checking out the Trend Micro threat reports to fully understand the threat landscape, and the industrialisation of malware and hacking.