Just over a week ago, the headlines were screaming about a Cyber attack against the NHS, the nightmare scenario of Denial of (public) Service was upon us. WannaCry ransomware was tearing through the world, encrypting everything in its wake and wreaking havoc.
Getting to the root of the problem
The issue was deemed to be a weakness affecting all systems from Windows XP to Windows 10, exploited using malware created by the NSA that was stolen and released by hackers onto the dark web.
As this weakness affected Windows XP, the issue then had to be the use of Windows XP and people clicking on links, since the UK's patch regime has been bolstered by £1.9 billion of investment in Cyber defences and a patch was made available almost two months prior to the attack (well within the timescales required by both Cyber Essentials and PCI DSS).
The reality, however, is very different – according to an analysis on Friday (https://www.theregister.co.uk/2017/05/20/wannacry_windows_xp/), the hacking tools used were unreliable on Windows XP and Windows 10, but were effective on Windows 7 and Server 2008. It now looks increasingly likely that:
- The ransomware entered companies because a port used only for file sharing (SMBv1) was reachable from the internet
- The first hacking tool exploited the weakness on the system accessible from the internet
- The ransomware then spread as the second hacking tool took control of the computer and continued scanning inside the network
Have we been here before?
This type of attack may sound very familiar – it was used against Sony in 2014 and, 14 years ago, in Blaster. In short, this is an attack that has been prevalent for over a decade now and is supposed to be prevented by firewalls and patching. It is also something that should easily be fixed by complying with Cyber Essentials or PCI DSS – the fact that the theft of the NSA tools made the tabloid press, the weakness was easy to exploit and a patch had been available for over a month should make us question why this happened on such a scale.
A question of scope
The issue with both of these schemes (Cyber Essentials and PCI DSS) is that you can leave devices and entire networks out of scope; indeed, Cyber Essentials doesn't include applications or connected Cloud services in the assessment.
It's perfectly acceptable to state that you would need to include your boundary in the scope of the assessment, but where does the boundary end in a large organisation? Parliamentary reports have stated that over 90% of the data circulating on the internet has been created in the last few years, and recent studies have shown that the amount of unknown/dark data is over 50% within most organisations.
Are we learning from the past?
The real issue is that we have reached a tipping point with regards to how far scoped compliance for Cyber initiatives can take us on its own. We need to ensure that the organisation knows how, where and why to use the plethora of security tools, devices and advice. The tipping point needs to be addressed, for the following reasons:
Ignoring acquisitions
Looking at TalkTalk in 2015, a very easy attack was possible because nobody had looked at a web server that had been untouched since Tiscali was taken into the company. That cost TalkTalk over £400,000 in fines and far more in the cost of credit checks for its customers.
Not understanding information
Looking at Dr Deer vs Oxford University, the cost of not being able to respond to a Subject Access Request under the Data Protection Act 1998 rose to £116,000 because electronic storage had to be searched. This was not a fine, but it would easily have made the top ten for personal data.
Not understanding systems
Look at WannaCry: the likely reason for the outage of NHS services was that computers were switched off, simply because nobody knew what was happening and steps were being taken to protect data. We created an effective Denial of Service condition whose costs have not yet been tallied.
The need for governance
The need for information governance to augment Cyber initiatives is very real: within the UK, a basic public sector organisation has over 40 separate laws to comply with when managing information (for private sector organisations this rises to over 50), which amount to the following activities for assessment:
- the location of the data (how do you know where it is being stored, or if it has been deleted?)
- the format of the information (what is the asset?)
- the usage requirements (what were the purposes the information was acquired for?)
- the disclosure requirements (can you share it, and what are the requirements?)
- the retrieval requirements (the retention period and can you access the information throughout that period?)
- the handling requirements (does it need encryption, where can it be accessed from, what right of audit is there?)
My overview of the current Cyber approaches (http://central-government.governmentcomputing.com/features/is-cyber-resilient-5778773) concludes that the lack of a standardised approach, and of a focus on information, is hampering evolution. This is supported by Rob Wainwright, director of Europol, who believes that the recent failings in cyber defences were more to do with a lack of leadership in large organisations than a lack of IT investment.
The issue, therefore, is not addressed merely by buying more technology, but by looking at how, why and where the technology is used.
Lessons to be learned
I wrote an article about how to address ransomware last year (https://www.publictechnology.net/articles/opinion/ransomware-–-what-can-public-bodies-do-about-it), and this is still valid – however, we need to learn from WannaCry:
- Work out how, why and where you are undertaking Cyber activities – revisit those applications/systems you thought you didn’t need to patch or update because they weren’t in a compliance scope – hacking tools don’t respect scopes
- Review your firewalls to ensure that they are only allowing the access to the applications, networks and/or systems you intend
- Look at your information and understand how well you could answer the activities identified above – they will be crucial for the General Data Protection Regulation (in force from last year, but not law until next)
- Use this understanding of information to review all your applications/systems again
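The two checks below are an added example, not code from the original article. They turn the two technical points above into something a defender can run: the entry path described earlier (SMBv1 reachable from the internet, then lateral scanning inside the network) and the lessons about reviewing firewall rules and revisiting systems left out of compliance scope. The first check walks an exported firewall ruleset and flags rules that allow SMB (TCP 445) or NetBIOS session (TCP 139) traffic in from outside the internal address space; the second walks an asset inventory and flags hosts that still have SMBv1 enabled without the vendor patch, regardless of whether they were in scope. The ruleset format, the `FirewallRule` and `Host` records, and all the sample rules and hosts are constructed for the example and are assumptions, not data from the article.

```python
"""Two defender-side checks, built as an example for this article:
1. which firewall rules let SMB (TCP 445) or NetBIOS (TCP 139) in from outside;
2. which hosts still run SMBv1 without the patch, whether in compliance scope or not.
All records below are constructed sample data."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

# Ports an SMB worm of the WannaCry kind reaches for.
SMB_PORTS = {445, 139}

# Address space treated as "inside": RFC 1918 plus loopback and link-local.
INTERNAL_RANGES = [ipaddress.ip_network(c) for c in (
    "10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8", "169.254.0.0/16")]


@dataclass(frozen=True)
class FirewallRule:          # hypothetical export format, one record per rule
    rule_id: str
    action: str              # "allow" or "deny"
    proto: str               # "tcp" or "udp"
    src: str                 # source CIDR; "0.0.0.0/0" means any source
    dst_ports: Optional[frozenset]  # destination ports; None means any port


@dataclass(frozen=True)
class Host:                  # hypothetical inventory record
    name: str
    os: str
    smbv1_enabled: bool
    smb_patch_applied: bool  # the vendor fix for the SMBv1 flaw the article refers to
    in_compliance_scope: bool  # in the Cyber Essentials / PCI DSS scope or not


def reachable_from_outside(src_cidr: str) -> bool:
    """True unless the whole source range sits inside one internal range.
    Uses subnet_of rather than ipaddress.is_private, whose answer for wide
    ranges such as 0.0.0.0/0 has differed between Python versions."""
    net = ipaddress.ip_network(src_cidr, strict=False)
    return not any(net.version == r.version and net.subnet_of(r) for r in INTERNAL_RANGES)


def exposed_smb_rules(rules: List[FirewallRule]) -> List[str]:
    """Ids of allow rules that let TCP SMB/NetBIOS in from a non-internal source.
    A rule with no port restriction counts, because it opens SMB as well."""
    findings = []
    for rule in rules:
        if rule.action != "allow" or rule.proto != "tcp":
            continue
        opens_smb = rule.dst_ports is None or bool(rule.dst_ports & SMB_PORTS)
        if opens_smb and reachable_from_outside(rule.src):
            findings.append(rule.rule_id)
    return findings


def at_risk_hosts(hosts: List[Host]) -> List[str]:
    """Hosts an SMB worm could take: SMBv1 on and the patch missing. Scope is ignored
    on purpose, since hacking tools do not respect scopes."""
    return [h.name for h in hosts if h.smbv1_enabled and not h.smb_patch_applied]


def scope_blind_spots(hosts: List[Host]) -> List[str]:
    """The subset of at-risk hosts a scoped assessment would never have looked at."""
    return [h.name for h in hosts
            if h.smbv1_enabled and not h.smb_patch_applied and not h.in_compliance_scope]


# Constructed sample ruleset and inventory.
SAMPLE_RULES = [
    FirewallRule("fw-01", "allow", "tcp", "0.0.0.0/0", frozenset({443})),        # public web, fine
    FirewallRule("fw-02", "allow", "tcp", "0.0.0.0/0", frozenset({445})),        # SMB open to the world
    FirewallRule("fw-03", "allow", "tcp", "10.0.0.0/8", frozenset({445, 139})),  # internal file sharing
    FirewallRule("fw-04", "allow", "tcp", "203.0.113.0/24", None),               # "partner" range, any port
    FirewallRule("fw-05", "deny", "tcp", "0.0.0.0/0", frozenset({139})),         # a deny, not a finding
]
SAMPLE_HOSTS = [
    Host("fileserver01", "Windows Server 2008", True, False, True),
    Host("legacy-lab-07", "Windows 7", True, False, False),   # out of scope, never patched
    Host("wks-012", "Windows 10", False, True, True),
    Host("kiosk-03", "Windows XP", True, True, False),        # SMBv1 on, but patched
]

if __name__ == "__main__":
    print("SMB reachable from outside via rules:", exposed_smb_rules(SAMPLE_RULES))
    print("Hosts an SMB worm could take:", at_risk_hosts(SAMPLE_HOSTS))
    print("Of those, outside any compliance scope:", scope_blind_spots(SAMPLE_HOSTS))
```

On the sample data the ruleset check reports fw-02 and fw-04: the first is the obvious SMB-to-the-world rule, the second is the kind of "any port from a partner range" rule that a scoped review tends to wave through. The inventory check reports fileserver01 and legacy-lab-07, and only the latter as a scope blind spot. Both checks are deliberately independent of scope so that the question "is it in scope?" never short-circuits the question "can it be reached and is it patched?".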
The clock is ticking for action – the next wave of attacks is on the way (https://www.bleepingcomputer.com/news/security/new-smb-worm-uses-seven-nsa-hacking-tools-wannacry-used-just-two/) – using seven NSA tools this time and far more subtle. The fix, however, remains the same – ensure that you manage information and related applications/systems within your entire estate.