NHS Cyber Attack
Yesterday, the 12th of May 2017, there was what the media are calling a ‘massive cyber attack’ against the NHS. I’m in agreement with a former leading figure at GCHQ, Brian Lord, who was interviewed on BBC Breakfast News this morning. He stated that calling this a ‘cyber attack’ is somewhat misleading and sensational in the press.
Ultimately, as I’ve argued before about the term cyber security – it brings up pictures in the public mind of films like Hackers where there’s someone sat at the other end of a remote connection stealing data or doing things with malicious intent.
One of the many antivirus firms we work with VIPRE Security have posted out a note today saying that they believe the ‘attack vector’ has been via phishing emails with a zip file that once opened initiates the WannaCry malware, which is then capable of spreading around unpatched machines via the SMB (port 445) vulnerability that unpatched Windows machines have.
For me, as an IT Professional, this is a different variant of a cryptolocker style virus than what I’ve seen and much messier to clean up!
It could be argued if the email had been specifically targeted at NHS email addresses with particular tailored social engineering messages, then the term ‘cyber attack’ would certainly be appropriate. As there would have been intent to get the malware into that particular organisation. In general, these types of attack are a scattergun approach, sent everywhere and the fact that this is effecting multiple organisations would lead me to believe that it is less likely a targeted operation against the NHS. However, that all said, these are early days and information scarce.
In our opinion any unpatched machines are vulnerable and there’s a few steps that IT Managers should be looking at taking now, at this precise moment and we’re also doing the same for our managed service customers.
What can you do to protect your network?
According to another supplier, Cisco and their Talos Intelligence business this issue should have been addressed as part of Microsoft Security Bulletin MS17-010. They actually disagree with VIPRE Security as to whether the EternalBlue issue is being used. Personally, I’d let the security nerds argue that one out and not worry about it.
There are five best practice steps you can to reduce your risk to a similar security event to the NHS Cyber Attack in your organisation:
- Block SMB traffic from coming through the firewall – ports 139 and 445. It shouldn’t be externally accessible anyway, so you should probably check!
- Ensure all Windows systems are patched, make sure WSUS, other patch management solutions or your Automatic Updates are running
- Make sure your backups are appropriately regular, and restorable
- Anti-spam and anti-phishing products are also another step in the layered security model
- Obviously up-to-date and good antivirus, check that signatures are being pushed out
If you have a decent firewall, I’d also add another check you should do – IDS services should be up-to-date, switched on and if your antivirus can do that on the endpoints, again up-to-date and switched on!
The Windows XP Question
We all know Windows XP should have been phased out – we talked about it some time ago. However, budget, practicalities and other issues really come into play. Even application compatibility. In the NHS, I’d like to think it’s less likely to be the cost of the endpoint upgrade that’s the issue and more the sheer volume of other applications that they use – proprietary stuff for patient record management, x-ray viewing, dictation etc. The cost to upgrade would have been huge if they had to upgrade and test all these other applications. Given the pressures the NHS is under, then one would hope that the IT Management in the various trusts has put the risk to the various boards and they chose to accept this.
If they didn’t, then ultimately that is the IT functions problem. However, I think given the programmes of awareness of end-of-life for Windows XP would make this unlikely.
We have customers still using Windows XP for similar reasons, even older in some cases – older applications make an upgrade impossible, we’ve developed systems to isolate and sandbox these machines and even simple steps such as removing the network card can be done! However, I will always repeat this to any IT Manager friend of mine – you must document and pass the risk back to senior management if they choose not to take the route of upgrading the system for business and budget reasons.
The NHS Cyber Attack has become political. Sadly in the UK our health service is largely a political plaything and really if constant change and reorganisation along political lines would stop, it would probably function brilliantly.
IT often plays second place to many other priorities, whether this is in a business or in a complicated organisation such as the NHS. Unfortunately, part of the politics and public procurement usually means they can’t buy from affordable more agile IT Businesses like us! Which ultimately gives another headache in terms of affording upgrades, the cheapest suppliers are usually excluded from even tendering.
However, I do it’s ironic that the Health Secretary, Jeremy Hunt is missing in action and made no statements on the matter at the time of writing, starting the hash-tag #wheresjeremy on Twitter. For readers in the UK, they’ll remember he had a large campaign about getting doctors to work on weekends and at present doesn’t seem to be around himself, let’s hope he’s not ill.
My organisation, Unleashed works on cyber security issues like this and offers not only consultancy to risk management and documentation services but the actual practical controls that you may need in your IT Department. We’ll help you develop your IT Security Operations, train the department or wider staff-base and hand it back to you with full knowledge of how to continue tasks like the above. Unfortunately the last few days have shown that cyber security is not sometime that can be ignored. We here for a non obligatory, friendly chat on 0333 240 0565.