What Happened?
This may seem relevant only if you were affected, but as you will see, this sort of attack is very common.
In 2016 the NSA lost a large quantity of information relating to tools that may or may not have been intended for espionage, or simply for spying on individuals.
A group called The Shadow Brokers managed to steal complete toolkits that they later released online. Embarrassing as this was for the NSA, they should have moved more quickly to educate the providers of systems that could have been attacked with this toolkit. Should they have provided solutions as well? From an ethical viewpoint I would say yes.
One of the tools stolen was linked to a Zero Day Vulnerability that would allow malicious code to be executed.
Microsoft usually releases updates on what has become known as Update Tuesday, but broke with tradition on Friday 5th April 2017 when it released an emergency update.
On Wednesday 10th April the National Health Service (NHS) in the UK was one of hundreds of organizations globally that suffered a Ransomware Attack. The attack affected Hospital Trusts in England resulting in cancelled appointments and cancelled operations due to the inability of staff to access patient records.
In fact, the NHS went into panic mode, turning off computers across the country to prevent the spread of the malware.
Let's be fair here: although the NHS was affected, so were millions of other computer systems, maybe even one of your computers.
So why did this happen? Let's focus on one very important piece of information that came to light quite quickly: the ransomware was particularly effective when combined with an attack vector targeting older operating systems such as Windows XP and Windows 7.
Unsupported Operating Systems
Microsoft has made it abundantly clear that it will support applications and operating systems for a specific amount of time and no longer. After the appropriate date there will be no more security patches and no more feature changes.
Many organizations are still using outdated operating systems because they have no burning need to change. In fact I have clients who are farmers, and they only care that they can get online and send/receive emails and animal documentation. However, staying safe online, for the sake of both data security and your privacy, means keeping your operating system, your software and the updates for that software current. Oh, and by the way, you should also remove old software you no longer use.
So why is the NHS using outdated Operating Systems?
The potential reasons are listed below:
- Untested or incompatible software
- Untested or incompatible hardware
- Staff Training Program Requirements
- License cost
- IT Staff work load
But can that list be justified? In our opinion the answer is no. Even a basic, slightly sub-entry-level desktop with sufficient RAM can run Windows 10 Pro, and that machine could run Windows 7 in a virtual machine. So we can't accept the incompatible-software option from a security standpoint.
Hardware issues? These may be overcome by speaking with the manufacturers of the connected machinery, who surely want your custom?
Staff training is a possibility: government departments are slow-moving leviathans and as a result are slow to adopt technology, but there are thousands of online training programs for basic Windows 10 operation, and I even know of several free options with excellent teaching sessions.
Licensing cost should never be a problem for a large organization, as Microsoft offers a variety of options that would fit the solution and cost model, especially for government organizations.
IT staff workload? Come on, give me a break: there is nothing more critical to the continued operation of IT systems than security. Operating system upgrades, updates and patches are the core basics of protecting your IT. So nothing is more important.
Some people will no doubt say that we have failed to mention budgetary restrictions, so let me just say now that it will have cost the NHS far more to rectify the damage done by this malware attack than it would have to prevent it. NHS budget managers should be running for the hills or resigning. Protecting patient data and patient confidentiality is as important as any heart bypass operation, because it will cost lives when you break the trinity: Confidentiality, Integrity, Availability.
This won't be the last attack of its type.
All of the reasons in the last section for the NHS not getting its systems up to date could be offered by any number of companies globally, but every single reason is just an excuse. You have business insurance, health insurance and life insurance, but you will only get cyber insurance if your systems are kept up to date! That makes sense, doesn't it? Insurance companies want to reduce the risk of paying out.
In a recent article I suggested that this attack won't be the last for the NHS, and certainly not for anyone else either. From the points raised above it seems obvious that unless something radical is done about the operating systems being used and the level of protection afforded by firewalls and anti-malware software, then the next attack will be countrywide.
Recently, cyber security experts have raised the point that although organizations may have cleaned machines, unknown files may remain on the system that will activate in the future, or that the attack, which was a financial disaster for the hackers, was a screen to allow them to plant code in other areas to enable a much bigger attack in the future.
But what about you? How are you affected by this?
If the NHS can get caught out then so can you: 80% of attacks come via outdated software, that is to say software with updates available that haven't been applied. These updates are nearly always security updates and seldom new features.
- Update your Operating System via your Vendor (Microsoft, Apple, Android, Google)
- Update Java
- Update Adobe applications (Adobe Reader, Flash Player etc.)
- Update Microsoft Office
- Update any third-party software
- Update hardware drivers
Remember, your computer may be attacked and turned into a "zombie" to help facilitate the next round of attacks by adding its processing power to a botnet. So it is just as important for you to keep your systems up to date, to reduce the tools available to the bad guys.
So, what should the NHS change and what can we learn from it?
We believe, from the age of equipment typically observed within NHS hospitals, that the firewalls in place are unlikely to be Unified Threat Management (UTM) firewalls, which are updated automatically with rules that are monitored and changed based on threat intelligence. As a result, NHS IT staff probably have to apply updates manually. This is not only time consuming but heavily reliant on expertise and specific skill sets.
If you have a business then you should ensure you have UTM firewalls; they provide a much higher grade of protection and require less maintenance.
It would also seem obvious that there are no Intrusion Detection Systems (IDS) running in Hospital Trusts, and that the departmental firewalls are either not in place or do not compartmentalize the network sufficiently.
What do we mean by that? Users in the affected hospitals were being asked to shut down their computers. Had an IDS been in place, a quick look at the logs should have identified the ports to block on the firewalls, preventing the ransomware from spreading between departments and allowing basic operations to continue.
An IDS doesn't need an all-singing, all-dancing computer to host it, just one with reasonable RAM and a reasonable amount of drive storage. There are open source systems such as Snort that are well documented and easy to implement.
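To show what "a quick look at the logs" means in practice, here is an added example (not code from the original article, and not Snort's own output format) that scans a constructed, simplified connection log for worm-like fan-out: one internal host contacting many internal peers on the same port within a short window, which is the pattern a self-spreading ransomware leaves. The log format (timestamp, source, destination, destination port) is an assumption for the example; the sample uses port 445 (SMB), the port WannaCry spread over.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: one host (10.20.1.15) fans out to 12 peers on 445 in
# 12 seconds, mixed with ordinary file-server and web traffic. Format assumed:
# "<ISO timestamp> <src> <dst> <dport>", one connection per line.
SAMPLE_LOG = "\n".join(
    [f"2017-05-12T11:02:{i:02d} 10.20.1.15 10.20.1.{100 + i} 445" for i in range(12)]
    + ["2017-05-12T11:02:05 10.20.1.30 10.20.1.5 445",      # normal file-server use
       "2017-05-12T11:02:09 10.20.1.31 10.20.1.5 445",
       "2017-05-12T11:02:11 10.20.1.30 203.0.113.10 443"])  # normal web traffic

WINDOW = timedelta(seconds=60)   # sliding window length
FANOUT_THRESHOLD = 10            # distinct destinations per (src, port) that trips the alert


def parse_line(line):
    ts, src, dst, port = line.split()
    return datetime.fromisoformat(ts), src, dst, int(port)


def find_spreaders(log_text, window=WINDOW, threshold=FANOUT_THRESHOLD):
    """Return {(src, port): peak distinct destinations} for every source/port pair
    that contacted at least `threshold` distinct hosts inside one `window`."""
    by_key = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst, port = parse_line(line)
            by_key[(src, port)].append((ts, dst))
    hits = {}
    for key, events in by_key.items():
        events.sort()                       # oldest first
        start = 0
        for end in range(len(events)):
            while events[end][0] - events[start][0] > window:
                start += 1                  # slide the window forward
            distinct = {dst for _, dst in events[start:end + 1]}
            if len(distinct) >= threshold:
                hits[key] = max(hits.get(key, 0), len(distinct))
    return hits


def ports_to_block(hits):
    """Ports worth blocking between departments while the infection is contained."""
    return sorted({port for _, port in hits})


if __name__ == "__main__":
    found = find_spreaders(SAMPLE_LOG)
    for (src, port), n in found.items():
        print(f"{src} reached {n} hosts on port {port} within {WINDOW.seconds}s")
    print("candidate ports to block between departments:", ports_to_block(found))
```

The threshold and window are deliberately simple; in a real deployment they would be tuned per network so that legitimate file servers and backup jobs do not trip the alert.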
Software Solutions
Over the last 12 months several companies have claimed to have produced solutions that provide protection against ransomware. We have investigated as many as we can, as thoroughly as we can, and one very cost-effective solution soon became the benchmark for our comparisons.
As a result, we found two solutions that were truly effective and also affordable, but we have a favorite.
Check out the video below for an operational explanation in layperson's terms.
Why Heimdal?
Second-generation malware no longer relies on you clicking on a link; these days, opening a web page that carries a legitimate advert connected to a malware server is all that is required. With ransomware variants appearing daily and anti-virus databases unable to keep up to date, you need something else.
And as if to further prove the point about how efficient the team at Heimdal is, The Register have just released a report about a new variant of the malware that took down the NHS; the new version has been modified to make it even harder to stop, of course!
Cyber Essentials
The UK Government has been trying to push Cyber Essentials since 1994. Cyber Essentials is guidance for organizations and businesses to help protect against Cyber Threats.
In the recent attack on the NHS, none of the NHS trusts that were infected had achieved Cyber Essentials; more impressively, of the trusts that had achieved Cyber Essentials, not one was infected.
Cyber Essentials provides guidance for businesses on how to protect IT systems from attack. Of course you can't guarantee 100% that you won't be attacked successfully, but much as a house alarm can reduce the chance that you will be attacked, Cyber Essentials increases the likelihood that a hacker will leave you alone in preference for an easier target.
Conclusion - Get educated!
The NHS cyber threat that resulted in this week's attack is not an isolated incident. These attacks happen daily and are widespread globally.
We regularly find people of the opinion "It won't happen to me"; in fact it would be prudent to think "When will it happen to me, if it hasn't already?". I'm not in the habit of scaremongering, but with security education, caution becomes your first line of defense.
In 2016, 43% of all security breaches were the result of employees either accidentally or in some cases maliciously interacting with cyber threats.
Training your staff is the simplest and cheapest option available to most businesses, and it is certainly one of the most effective tools available to you today.
Next apply all updates to your software and operating system.
Remember that in our opinion there are two types of computer user: those that have been hacked and those that don't know they have been hacked yet!
Stay safe online and keep your wits about you.