NHS Hacking - Comments from the experts

Hackers exploit weak links and don't care about the consequences. Severely interfering with any country's health system and creating situations that can cause fatalities through delayed operations, or ambulances failing to arrive in time in emergency situations.

Here the experts in Cyber Security matters discuss the recent high profile attack on the NHS system, part of a global hacking exercise, caused through a known weakness in Microsoft Windows XP, that had been found and a patch issued some time ago.

Andrew Henwood CEO at Foregenix [1], an information security consultancy said

"This extensive ransomware attack is non-targeted and global, so any computer system that's accessible and lacking recent Microsoft patches will be completely vulnerable and could be infected right now."The WanaCry ransomware infestation is a wake-up call for all entities connected to public networks,such as the Internet, to recognise cybersecurity is a necessity and not a nice-to-have. "Organisations only implement robust cyber security programs if mandated or legislated. Yet, maintaining a robust patch management and network segmentation policy would have almost completely mitigated the threat of this ransomware infection."

In order to reduce the risk of infection, Andrew Henwood recommends the following steps; he says businesses must:

Patch or update all Microsoft software, the lack of patching is the most common reason leading to being hacked (as we've see with the current WannaCry ransomware)
Use vendors' response recommendations. Microsoft and major anti-virus vendors have provided detailed mitigation steps.
Backup critical systems and ensure they're not connected and online; the rotation of backups is also highly recommended.
Ensure incident response plans and procedures are available, understood and encompass all aspects of the organisation such as legal and Public Relations considerations.
Disable and / or block all server message block services and traffic
Monitor computer systems for peculiar behavior such as network traffic spikes
Treat unusual incoming e-mails as suspicious
If a system is suspected of being infected, either remove it from the network (pull the network cable) or shut the system down

According to CTERA [2]'s CEO and co-founder Liran Eshel:

"The attack shows how sophisticated ransomware has become, forcing even unaffected organizations rethink strategies for countering ransomware. Organizations need to combat ransomware by minimizing attack exposures and enabling the rapid recovery attacked data and files. The onus is on organizations to stop the ransomware epidemic by building the right safeguards that eliminate enterprise vulnerabilities. Until that day comes, organizations need to be ready to catch and recover from some serious ransomware crypto-lock events. With the right file sync and backup procedures, even attacked organizations can minimize their recovery points to as little as five minutes while making a full recovery of encrypted data."

Phil Bridge, Managing Director, Western Europe, Data & Storage Technologies, Kroll Ontrack said:

The international ransomware attack that affected the NHS and other organisations on Friday and over the weekend highlighted the severe risks posed by the growing ransomware phenomenon.

Kroll Ontrack has identified over 225 different strains of ransomware, which is a type of malware that blocks access to data on a device or server by encrypting it and has issued the following guidance to reduce risk and mitigate the effects of an attack:

Seek help from a data recovery professional before paying the ransom. There are many cases of ransomware victims paying the ransom demanded and not receiving their data back in return. Rather than running this risk, companies should work with data recovery experts who may be able to regain access to data by reverse engineering the malware.
Create and follow a backup and recovery plan. Ensure that a plan includes storing the backups offsite.
Be prepared by testing backups regularly. Organisations and individuals must be familiar with what is stored in backup archives and ensure the most critical data is accessible should ransomware target backups.
Implement security policies. Use the latest anti-virus and anti-malware software and monitor consistently to prevent infection. Always keep your systems up-to-date and apply the latest security patches.
Develop IT policies that limit infections on other network resources. Companies should put safeguards in place, so if one device becomes infected with ransomware, it does not permeate throughout the network.
Conduct user training, so all employees can spot a potential attack. Make sure employees are aware of best practices to avoid accidentally downloading ransomware or opening up the network to outsiders.

Mishcon de Reya law firm : Joe Hancock, cyber security expert said

"The malicious software used in the attack infects systems and encrypts their contents - often known as ransomware. These types of attacks have been growing in recent years, but have not been seen at this scale before. The attack can move from system to system laterally, as well as being delivered via malicious e-mails.

"Much of the blame for this week's specific problem has been laid on organisations using Windows XP, an operating system that is 16 years old and has not been supported by Microsoft for three years. Whilst people are strongly advised to move away from the platform, Windows XP is here to stay - it is embedded within many devices, from MRI machines in the health service to Point of Sale systems in large retailers which cannot be easily or cheaply upgraded.

"There will be a large global investigation into these attacks, and it is probable that some of the perpetrators will be identified. It is unlikely however that all those responsible will be held to account.

"As well as an in-depth investigation, we are now likely to see a strong reaction from governments, speeding up the regulation of crypto currencies such as Bitcoin and anonymous payment mechanisms that allow criminals to profit from such attacks. Somewhat conversely, such mechanisms are often the very thing that also allows new digital businesses to thrive.

"More broadly, a debate is emerging between large tech vendors and the government, as to where responsibility lies for the disclosure of vulnerabilities. It is likely that the National Security Agency (NSA) had previously identified this issue, but for intelligence purposes, chose not to disclose publicly. The damage caused by it being leaked into the wild is now, unfortunately, all too clear."