So if we are to believe what this story tells us, the cyber criminals behind the 'WannaCry' ransomware attack may have done us all a huge favour. Whilst a few unfortunate victims will have been conned out of $300, the world has received a massive wake-up call regarding the importance of cyber security awareness training.
The UK in particular will benefit, since if ever there was an organisation that would focus attention, it is the UK's National Health Service (NHS). An institution that is, if we are led to believe, the envy of the world and one that garnered its own chapter in the 2012 Summer Olympics opening ceremony!
So whilst politicians will forever battle over funding, interruption to the service it provides is sacrosanct.
For it to become the victim of a ransomware attack that would lead to operational disruption was always going to become the ‘perfect storm’ where cyber security awareness is concerned. As is usually the case in this sort of situation, there will be a lot of soul searching as to how things came about, with attempts to apportion blame as and where reasonably possible.
A range of circumstances clearly conspired to create a scenario that will have been predicted, however one that most will have secretly hoped wouldn’t happen, to them at least. So having had a few days to reflect on what has been going on I thought I’d highlight a few things that came to mind whilst I was sipping my coffee at breakfast this morning.
1. Cyber crime is an industry in its own right: We may never know how much the gang behind this attack netted in bitcoin ransom payments. That said, whether or not they hit the jackpot, it will have inspired others to give it a go. What it does however highlight is that all the tools and instructions to initiate cyber attacks are readily available to those who wish to pursue this 'career path'. A mirror image of everything that is legitimate in high tech innovation.
2. Updating software is critical, however is it always practical? The frequency with which updates are issued can become overwhelming. With every vendor of every piece of software used issuing updates on what often seems like a random basis, it can be really challenging to stay on top of things. What’s more, applying an update can have knock-on effects elsewhere. To many, there is likely to be a blur between security updates, functional bug fixes and new features, all of which makes prioritising things very difficult.
3. Has the cyber security industry been 'crying wolf'? Cyber security is somewhat binary. If you are in it, you get it. If you are not, the chances are you will see it as an industry that peddles a never-ending stream of fear, uncertainty and doubt. Perhaps there is just too much noise and too little interest in the messages that we relay. Or is it that without breach disclosure, too much goes unseen and as such we are largely oblivious of the impact cyber crime has on its victims?
4. Who can you trust to help you? There is no shortage of experts. The last few days have been a field day for vendors and consultants to pass comment on what has been happening. There will never have been so many ambulances pitching up outside our hospitals! With the odd exception, most are names that those outside of the industry will never have heard of. Could it be a case of there being too much choice or, conversely, a rather reassuring sign that if you are struggling, there are plenty of people and solutions out there to help?
5. Cyber security is a community health issue: The fact that the attack was propagated by code that was purported to have been stockpiled by the NSA and then stolen, only to end up in the public domain, should be a lesson to everyone as regards protecting data in their possession. Be it personally identifiable information or intellectual property, placed into the wrong hands it could cause untold damage. All too often one is serving to protect one’s own self interest, however if ever evidence were needed, this is a perfect example as to why organisations have an obligation to protect data for the benefit of others rather than just themselves.
6. Should security patches be issued for unsupported systems? It was surprising how quickly patches were issued for Windows XP to address the vulnerability that was at the heart of this weekend’s attack. We all understand the commercial need to call time on aging applications and operating systems, however for technologies as ubiquitous as Windows XP, getting everyone to upgrade will always be impossible. Whilst I am not familiar with all the facts behind why the NHS uses Windows XP to the extent that it does, my guess is that other aspects of health service delivery have had to be prioritised when it comes to funding. Despite the widely held belief that new is good, there is plenty of stuff out there that serves its purpose and for that reason if it ‘ain’t broke don’t fix it’!
7. Always be prepared for an incident: First thing on Friday morning, no one in the NHS will have predicted the storm that lay ahead. Ransomware is nothing new, however who would have anticipated that before the day was out operations and admissions would be impacted as a result of its presence. If ever it were needed, it was an example of why all organisations should be incident ready. My guess is that the NHS was reasonably well prepared, however it is worth considering who you would call if such a scenario was to hit your organisation out of the blue.
As thousands of organizations work to contain and clean up the mess from this week’s devastating Wana ransomware attack, the fraudsters responsible for releasing the digital contagion are no doubt counting their earnings and congratulating themselves on a job well done. But according to a review of the Bitcoin addresses hard-coded into Wana, it appears the perpetrators of what’s being called the worst ransomware outbreak ever have made little more than USD $26,000 so far from the scam.