CYBER SECURITY PRACTITIONER
A Cecile Park Media Publication | December 2017

BREACH RESPONSE

The NAO investigation into WannaCry

Dan Hyde, Partner
Dan.Hyde@penningtons.co.uk
Penningtons Manches LLP

The National Audit Office (‘NAO’) published a full report entitled ‘Investigation: WannaCry
cyber attack and the NHS’ (the ‘Report’) on 27 October 2017, which looked to investigate the
context, causes and result of the international ransomware attack WannaCry on the NHS.
Dan Hyde, Partner at Penningtons Manches, discusses the findings of the Report and the
lessons the NHS and the Department of Health (‘DoH’) have learned from WannaCry.

The Breach

Friday 12 May 2017 was a ‘Black Friday’
in the truest sense of the phrase;
not a day of panic in trying to grab a
bargain in discounted sales, but a day
that witnessed a global ransomware
attack now known as WannaCry. The
attack was random and whilst one of
the major victims was our NHS, it was
certainly not targeted. The cyber attack
affected some 100 countries and in
excess of 200,000 computers. The
exact numbers and full extent will never
be known. Perhaps more surprisingly,
the cost to the NHS will also not be
known, as despite investigation by the
DoH and the Report from the NAO,
we are informed that the cost is not
calculable; much of the data as to the
full impact of the attack is seemingly lost
or unavailable. If this is true, there are
shoddy systems in place at the NHS.
There were certainly shoddy systems
in terms of IT and cyber security. For
a start, the infection by the WannaCry
ransomware was entirely avoidable.
Every single NHS organisation that was
infected by WannaCry had unpatched
or unsupported Windows operating
systems that enabled virus infection.
Significantly, in March 2017 Microsoft
had issued updates that NHS Trusts
using Windows 7 could have adopted
to protect themselves. Further, on 17
March 2017, NHS Digital had issued a
CareCERT asking NHS Trusts to apply
the Microsoft update. If the DoH’s
figures are to be relied upon, more
than 90% of the devices in the NHS
are operating on Windows 7, so 90%
of those devices would have been
protected if they had been patched in
line with the NHS Digital request. Trusts
running older Windows XP operating
systems on devices had been expressly
notified that they were to migrate away
from their use, yet when the attack
came on 12 May 2017, approximately
5% of the NHS was still reliant on an
outdated Windows XP operating system.
Windows XP can, however, be patched,
and following the attack Microsoft
issued an XP update that would have
prevented the ransomware infection.
This non-targeted ransomware attack
was spread via the internet and caught
the NHS, which was exposed due to its
unpatched Windows systems. Even this
exposure would not have been fatal had
effective firewalls been in place to repel
the threat, but there was no such line of
defence because firewalls had not been
maintained so that even this basic shield
was missing. Prior to this ‘Black Friday,’
the NHS had no joined-up cyber security
and a culture of woeful non-compliance;
as at 12 May 2017 only 88 out of 236
NHS Trusts had been subject to a cyber
security inspection by NHS Digital. Of
the 88 inspected, not a single Trust
passed. The inspections were voluntary
and CareCERTs requesting updates and
other basic cyber security measures
were treated as being voluntary and
largely ignored. The NHS Trusts were
silos and the DoH had no knowledge as
to which had complied with the requests.
The DoH was itself unprepared; it was
warned a year before the attack that
it was at risk, yet did not provide any
written report in response until two
months after the attack in July 2017.

The Breach Response

So what happened after the initial breach?
Sadly the NHS had no proper breach
response plan or, if it did, it did not
have one worth having. History tells us
that one of the key features of a cyber
attack is the communication blackout
that follows. It was Maersk’s lack of
preparedness for this that caused
such bewilderment and the same
was true of the NHS. The very first
hurdle, the loss of key communication
systems, was not properly prepared
for and staff were left scrabbling for
personal mobiles in order to try and
send WhatsApp messages, subject to
the contact being within their personal
contact list. Roles, responsibilities and
reporting lines were not properly defined,
with the result that emergency calls
were made to various local and national
agencies and emergency services
in the uncoordinated, disorganised
panic that followed the attack.
It is arguably better not to have any
breach response plan than one that is
merely a box ticking exercise that leads,
as here, to complacency and increased
confusion when the attack hits. Incident
response plans should be tested in a
realistic way - there needs to be a drill
where systems are not available for use
and staff become familiar with whom they
contact and how, and with a step-by-step
means of limiting damage and
restoring and recovering systems.
In conclusion, they had a woefully
inadequate breach response plan,
which arguably wasn’t a plan at all, but
rather an unpractised and ineffective
hypothetical policy that none of the key
personnel were sufficiently familiar with.
The recovery was aided by a cyber
security researcher who activated a kill
switch; his action prevented WannaCry
locking out further systems and devices.
That was by luck or intuition rather than
design as it was not in pursuit of any
implemented national cyber security
policy; NHS England’s IT Department
did not even have on-call emergency
facilities in place so there was a reliance
on IT staff attending work voluntarily to
assist in firefighting. The National Cyber
Security Centre and National Crime
Agency also pitched in, assisting the NHS
and other affected organisations - it is
unclear just how much worse the lines of
communication and impact might have
been but for that external assistance.

Lessons learned?

The disjointed structure of the NHS
gives little cause for hope. The DoH has
overall responsibility for cyber security
but this is delegated down to a myriad
of NHS Trusts, GPs and social care
providers. History tells us that these
organisations do not all march in step and
have previously failed to heed warnings
or requests. The NHS has now declared
‘the need to improve the protection
from future cyber attacks’ - but how will
it actually implement such a statement
of intent when it comprises silos that
are seemingly ungovernable? It sets out
a number of key measures, namely:
• To develop a response plan.
• To ensure ‘critical’ CareCERT
alerts are implemented.
• To ensure essential communications
get through during an incident
when systems are down.
• To ensure organisations, staff and
boards take the threat of cyber
attack seriously, work proactively
to maximise resilience and reduce
the impact on patient care.
This all sounds rather trite. The NAO
Report found a cyber breach response
plan had already been developed on
12 May when the attack hit. It was not
the absence of a plan, but rather the
inability to put any plan into practice
that was at the heart of the failure.
That can only be taught through
cyber drills that replicate the loss of
communication and key system support.
There needs to be a scheme of
regulation and a compliance regime with
teeth to ensure that there are routine
checks and sanctions for those who
fail to adhere to CareCERTs. In terms
of practical steps, the DoH should be
setting a minimum number of drill targets,
rather like fire drills, backed by mandatory
inspections by NHS Digital or an
external inspector; if an organisation fails
inspection there should be immediate
action to remedy and a follow-up test.
I have no doubt that the NHS and its
constituent parts will take cyber attacks
more seriously going forward, but
deeds not words are required. I remain
unconvinced that this will happen.