Since the NHS was hit with a ransom based cyber-attack last Friday, the health organisation has suffered continued disruption since, but no further attacks.
47 trusts were hit and 11 are still facing issues, leading to further cancellations and delays in seeing patients.
Here below are responses to the attack from reputable sources who voiced their comments to Lawyer Monthly.
Colin Tankard, Managing Director, Data Security Company, Digital Pathways:
But the NHS was not alone, 74 countries were affected including not only hospitals but businesses and others too, including Fedex, Honda the German rail systems, universities and national telco, Telefonica. It would not surprise me if other organisations were affected too but have not publicly declared it.
The malware was delivered through spear-fishing emails which, when opened, triggered a cyber-contagion on the internal network. Being a hybrid design it had a worm element, allowing it to spread through internal systems for maximum reach and effect. What was interesting is that the infected system’s settings were scanned to work out the user’s language, then displayed the ransom demand in the correct language for the victim. It also changed the desktop backdrop in order to ‘grab’ the victim’s attention – no subtlety there!
From reports, it seems the fix was published back in March but, as with many patches, some organisations were slow to update. However, this malware also attacked older Windows operating systems which Microsoft had removed support of years ago, and are no longer supported. This is why the NHS was so affected.
There are many reasons organisations do not follow the latest software releases but what seems to constantly fail, is the thought process around protecting what you have.
Machines running old versions of Windows can be protected in other ways, such as locking the core of the machine down so no external program is allowed to launch or modify the settings. Creating secure ‘communities of interest’, where core resources are only accessible to selected user communities, and are hidden for all others, including both rogue and good programs. In this way any infection is contained within the community but, if an infection occurs outside of the community, the internal community remains safe. This process requires greater control of users and resources but, we often see organisations that are so poorly organised that users have access rights to data or services they really should not have. This is not only a privacy issue it also means that a breach can quickly compromise the entire network.
The main problem with the hack we saw over the weekend is it that it was brought in by users clicking on a link, or being duped into thinking the message was genuine. It falls on the organisation to protect and educate the user but far too often this does not happen. User education needs to be ongoing to enforce the companies’ policy on data handling or website visits. We have seen an 80% fall in user bad practice when monitoring software, which prompts the user if they are about to breach a company policy, is installed. This is because the majority of users do not mean to do ‘bad things’ but sometimes they simply forget, once reminded they quickly learn!
A second issue is that most malware can stay on the system for up to 200 days before it is triggered. This brings into question how long backups should be held for, as most organisations, at best, keep a backup for a month. What is needed is for monitoring of the core system attributes (its DNA) to look for anomalies, those subtle changes in the systems operating system which are changed by malware, viruses worms etc., and to alert the system managers of the threat. These checks can even automatically quarantine or ‘fight off’ the infection before it takes a grip. This means you don’t wait 200 days to know there is something afoot.
Those who have been infected by this malware will no doubt be rapidly downloading the patches and fixes, ‘shutting the door’ and locking everything down.
All businesses should ensure security patches are up to date and ‘kill off’ SMBv1 at the very least, block access to it from outside your network. It’s understandable that IT managers with annoying corporate policies and heavy workloads have been forced to hold back patches, or are unable to apply them.
Our advice, update your installations, drop everything and get patching and do something about your users and their random clicking on attachments or links!
Joe Hancock, cyber security expert at law firm Mishcon de Reya:
The malicious software used in the attack infects systems and encrypts their contents – often known as ransomware. These types of attacks have been growing in recent years, but have not been seen at this scale before. The attack can move from system to system laterally, as well as being delivered via malicious e-mails.
Much of the blame for this week’s specific problem has been laid on organisations using Windows XP, an operating system that is 16 years old and has not been supported by Microsoft for three years. Whilst people are strongly advised to move away from the platform, Windows XP is here to stay – it is embedded within many devices, from MRI machines in the health service to Point of Sale systems in large retailers which cannot be easily or cheaply upgraded.
There will be a large global investigation into these attacks, and it is probable that some of the perpetrators will be identified. It is unlikely however that all those responsible will be held to account.
As well as an in-depth investigation, we are now likely to see a strong reaction from governments, speeding up the regulation of crypto currencies such as Bitcoin and anonymous payment mechanisms that allow criminals to profit from such attacks. Somewhat conversely, such mechanisms are often the very thing that also allows new digital businesses to thrive.
More broadly, a debate is emerging between large tech vendors and the government, as to where responsibility lies for the disclosure of vulnerabilities. It is likely that the National Security Agency (NSA) had previously identified this issue, but for intelligence purposes, chose not to disclose publicly. The damage caused by it being leaked into the wild is now, unfortunately, all too clear.
Josh Saul, CEO, The Gold Company:
Investment firm The Pure Gold Company has seen a 52% increase in sales since Friday afternoon from NHS workers, Chinese clients and local and international purchasers concerned that a cyber-attack could somehow affect their wealth.
42% of first time buyers have come from people who work within the NHS, with the balance mainly comprising a mix of financial professionals, teachers, retirees and property investors. We’ve had a 32% increase in Chinese first time purchasers reacting to reports that local Chinese ATM’s have been hijacked, and fearing the possibility of a deeper attack on national and international banks. Other clients have cited concerns that Russian and Chinese Central banks could be targeted, and what this could mean in the forthcoming days or months for money held closer to home.
Many of our clients who purchase physical gold aren’t necessarily looking for considerable growth. Safety and security are their underlying motivations. Existing clients and new customers are already concerned that many of our UK banks are undergoing stringent stress tests, and the added fear of a cyber-attack on their wealth is another reason to put some of that wealth into physical gold assets.”
Unfortunately, we are at our weakest when we can’t see our enemies, and this latest attack has incited feelings of fear and unpredictability amongst many of our clients who would rather have a larger percentage of their wealth in something they can see and touch.