Why wasn’t more done to protect NHS organisations from the WannaCry ransomware attack?
Ransomware infects computers around the world every day. In the last 18 months, instances of it have surged so prolifically that today it is the most common type of malware. However, the WannaCry strain hit the headlines because it brought large parts of the NHS to a crunching halt.
This is the problem with malware: it can have devastating effects. We don’t know what the real-world physical consequences of WannaCry have been, on patient treatment for instance. Perhaps we will never know.
At first glance, it appears almost criminal to be running operating systems that are no longer supported, in the case of the NHS, Windows XP. This was in no way helped by the government pulling the plug on an XP support contract to save money.
The ransomware infection was so serious that the government chaired a Cobra meeting, code for official panic. While patching an operating system is a fundamental security step, there can be a number of issues that complicate the process.
For instance, an organisation with a desktop fleet consisting of thousands of PCs might simply have not set up its configurations correctly, leaving holes in its patching process through which malware can insinuate itself.
Some organisations might be reluctant to automatically apply operating system patches because they could cause conflicts with business critical applications. In short, they might be unable to patch for fear of slowing down, or even halting other parts of the business.
In both these cases there should be at least an awareness of the potential risks. It could be that an IT team is stretched thinly and is juggling other issues such as networking or storage, and consequently security slides down the list of priorities. This isn’t uncommon.
In these cases IT should be creating a risk register: essentially a list of system vulnerabilities, why they exist, how they can be remediated and why they haven’t yet been addressed. The reason could be budget limitations or something else.
The C-level executive team should sign off on the risk register to show that they are aware of the issues and have accepted responsibility. This protects IT from any fallout should a serious breach occur, and also shows that IT is doing its job.
The WannaCry breach led to a lot of finger pointing and within hours had also become a political hot potato. Many people in the industry were quoted saying that defences are only as strong as the weakest link.
This is a self-evident truth, but in this case a very large condemning finger was pointed at end users. The implication was that a naïve employee or cluster of employees had clicked on an email link which unwittingly unleashed the worm-like WannaCry ransomware.
Phishing emails are increasingly sophisticated and even the most alert and astute end user can be fooled if the mail is targeted and well-crafted. The only problem with blaming end users is that it smacks of scapegoating and is essentially an abnegation of responsibility. However, there has been no evidence to suggest that WannaCry was initiated by an email or spread by user interaction.
First lines of defence
End user education and training are important and should certainly be more than an annual box-ticking exercise. But, as with patching operating systems, they should be treated as a last line of defence and certainly not the first.
Any organisation that is serious about IT security will have a range of defences in place to safeguard against these types of attacks. For instance, an email security gateway with sandboxing will filter out ransomware even if a user clicks on a malicious link. A web security filter with sandboxing will protect against drive-by downloads, in which someone need only visit a website to inadvertently download malware.
Web filtering tools in conjunction with a good firewall can detect dubious websites, as well as flag traffic that is leaving an organisation for a questionable destination. Of course there is also heuristic and signature detection, so if malware does penetrate the network it is immediately detected and stopped.
Added to this is a raft of endpoint tools that can protect devices, and we’re not just talking about patching operating systems but also patching browsers, plug-ins and third-party software for vulnerabilities. On top of this, admin rights should be removed from endpoints so that software doesn’t automatically run by default.
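The patching gaps, risk register and endpoint hygiene points above (an unsupported OS, a misconfigured patching process, local admin rights, and executive sign-off on what hasn’t been fixed) can be turned into a small, repeatable audit. The script below is an added example, not code from this article or from the NHS: the host inventory is constructed, the set of operating systems treated as unsupported and the severity scale are assumptions, and the sign-off field simply records which executive accepted each risk.

```python
"""
Fleet hygiene audit that feeds a risk register.

Added example, not code from the original article or any NHS system.
Every host record is constructed; the unsupported-OS list, the staleness
threshold and the severity scale are assumptions used for illustration.
"""
from __future__ import annotations

from dataclasses import dataclass

# Assumption: operating systems treated as out of vendor support.
UNSUPPORTED_OS = {"Windows XP", "Windows Server 2003"}

# Constructed inventory, shaped like a patch-management export.
INVENTORY = [
    {"host": "ward-pc-01", "os": "Windows XP", "days_since_patch": 400,
     "local_admin": True, "owner": "Radiology"},
    {"host": "ward-pc-02", "os": "Windows 7", "days_since_patch": 95,
     "local_admin": False, "owner": "Radiology"},
    {"host": "admin-pc-07", "os": "Windows 10", "days_since_patch": 12,
     "local_admin": True, "owner": "Finance"},
    {"host": "lab-pc-03", "os": "Windows 10", "days_since_patch": 5,
     "local_admin": False, "owner": "Pathology"},
]


@dataclass
class RiskEntry:
    host: str
    issue: str
    severity: str            # "high" or "medium" (assumed two-level scale)
    remediation: str
    reason_unaddressed: str  # why it is still open: budget, app conflict, ...
    signed_off_by: str = ""  # executive who accepted the risk; empty = nobody

    @property
    def accepted(self) -> bool:
        return bool(self.signed_off_by)


def audit_host(rec: dict, stale_days: int = 60) -> list[RiskEntry]:
    """Apply the hygiene rules to one inventory record and return findings."""
    findings: list[RiskEntry] = []
    if rec["os"] in UNSUPPORTED_OS:
        findings.append(RiskEntry(
            rec["host"], f"unsupported OS ({rec['os']})", "high",
            "migrate to a supported OS or isolate the host from the network",
            "not yet recorded"))
    if rec["days_since_patch"] > stale_days:
        findings.append(RiskEntry(
            rec["host"], f"no patches applied for {rec['days_since_patch']} days",
            "high",
            "fix patch-management configuration or schedule a maintenance window",
            "not yet recorded"))
    if rec["local_admin"]:
        findings.append(RiskEntry(
            rec["host"], "user holds local admin rights", "medium",
            "remove local admin; use a separate account for installs",
            "not yet recorded"))
    return findings


def build_register(inventory: list[dict]) -> list[RiskEntry]:
    """Run the audit over the whole fleet and collect the risk register."""
    register: list[RiskEntry] = []
    for rec in inventory:
        register.extend(audit_host(rec))
    return register


def sign_off(register: list[RiskEntry], host: str, executive: str,
             reason: str) -> int:
    """Record executive acceptance of every open risk on a host.

    Returns the number of entries that were signed off.
    """
    count = 0
    for entry in register:
        if entry.host == host and not entry.accepted:
            entry.signed_off_by = executive
            entry.reason_unaddressed = reason
            count += 1
    return count


def unsigned_high_risks(register: list[RiskEntry]) -> list[RiskEntry]:
    """High-severity items nobody has accepted: the list to escalate."""
    return [e for e in register if e.severity == "high" and not e.accepted]


if __name__ == "__main__":
    reg = build_register(INVENTORY)
    for e in reg:
        print(f"{e.host:12} {e.severity:6} {e.issue} -> {e.remediation}")
    print("unaccepted high risks:", len(unsigned_high_risks(reg)))
```

Run as a script it prints every finding, then the count of high-severity items that no executive has signed off, which is the figure an IT team would take to the C-level. Entries that have been accepted stay in the register with the stated reason, so the record of who accepted what survives a later incident review.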
Lack of willingness
In short, the tools are available to protect organisations from ransomware and other types of malware, and they don’t have to be the latest and greatest either. The real question is whether the willingness to take security seriously is there. Given the large number of attacks that happen regularly, you’d have to say it’s not. For instance, where there is commitment, budget is always made available to help overstretched IT teams.
Clearly in the case of the NHS the funding was missing, and if the government doesn’t yet fully understand the importance of comprehensive cyber security then who will? Will it take loss of life before someone sits up and takes security seriously?