What Have We Learned

By Randy Rose, Director of Cybersecurity, Tasman Global

“Time flies like an arrow; fruit flies like a banana.” This stunning example of both antanaclasis1 and double entendre2 is a good scene setter. The first part will be obvious in the next sentence; the second is just a testament to how my own brain works: bananas are delicious, and they’re also good for health, and, naturally, “health” reminds me of healthcare. Thus, we arrive at the point of this post: it has been a year since the large-scale, multinational ransomware attack that crippled the UK’s National Health Service (NHS); what have we learned?

Let’s start with what we know of the attack:

  • The principal ransomware was dubbed WannaCry by the security community;

  • WannaCry is a worm: it spread rapidly and without user interaction across interconnected computer systems worldwide, and is estimated to have impacted over 200,000 systems in 150 countries;

  • Ransomware is a specific type of malicious software that encrypts files on a system and/or connected storage locations and holds them for ransom;

  • Ransomware ransom is typically paid in cryptocurrency;

  • WannaCry has been attributed to actors in North Korea (Lazarus Group), believed to be sponsored by the nation-state itself;3

  • WannaCry exploited a Windows vulnerability that is suspected to have been discovered by the United States National Security Agency;

  • The vulnerability that was exploited lies in the Windows implementation of version 1 of the Server Message Block (SMBv1) protocol, which Windows hosts use for file and printer sharing and other network communication on a Windows domain;

  • The NSA is believed to have discovered this vulnerability and to have developed an exploit called EternalBlue, which was in turn stolen and released to the public by the hacking group calling itself the Shadow Brokers;

  • Microsoft had also discovered this same vulnerability and released a patch for it nearly two months earlier, yet many systems remained unpatched at the time of the attack;

  • WannaCry is comprised of multiple components that include a dropper file, an encryptor/decryptor, files containing encryption/decryption keys, and a copy of the Onion Router;4

  • The program code was not obfuscated, thus it was easy for experts to analyze;

  • Analysis led to the discovery of a kill switch domain hard-coded into WannaCry: before spreading, the worm tries to reach that domain and stops if it gets a response. British researcher Marcus Hutchins registered the then-unregistered domain and pointed it at a sinkhole site, which halted new infections and ultimately thwarted the attack;

  • The four most affected countries were Russia, Ukraine, India, and Taiwan; and

  • One of the largest single victims was the UK NHS; more than one-third of health trusts in England were affected by the attack, with upwards of 70,000 devices, including computers, MRI scanners, and blood-storage refrigerators, impacted.

These bullets represent different observations, but to progress, we must turn those observations into lessons learned. In other words, we must turn data into knowledge into wisdom. So, what have we actually learned from all of this?

You may have noted that there was a bullet in the middle stating that Microsoft had discovered the vulnerability before the attack. Indeed, Microsoft released Security Bulletin MS17-010 on 14 March 2017, nearly two months before the attack crippled systems around the world. Microsoft had also rated the patch associated with MS17-010 as critical, yet administrators the world over failed to deploy it.

Of note, the initial patch released by Microsoft was only available for supported operating systems, which no longer included Windows XP. However, since many networks still ran XP devices, particularly within the UK’s NHS, Microsoft made an out-of-band SMB patch available for those systems shortly after the outbreak began.5
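The two conditions that let WannaCry in were a missing MS17-010 fix and an SMBv1 service still listening. The following PowerShell audit is an added example, not code from the original post or from Tasman Global; it assumes an elevated session on the host being checked, and the KB numbers it looks for are the ones Microsoft’s MS17-010 bulletin (and the May 2017 out-of-band release for unsupported systems) lists per OS, which you should confirm against the bulletin for your exact build before acting on a “missing” result.

```powershell
# Added example, not code from the original post. Audits a Windows host for the
# two conditions WannaCry needed: no MS17-010 fix installed and SMBv1 still on.
# Run from an elevated PowerShell session on the host itself.
# KB list: taken from Microsoft's MS17-010 bulletin (March 2017) plus the May
# 2017 out-of-band release for unsupported systems. Verify against the bulletin
# for your OS build before treating "not found" as "unpatched".

$Ms17010Kbs = @(
    'KB4012598'   # Windows XP, Vista, Server 2003, Server 2008, Windows 8 (May 2017 out-of-band)
    'KB4012212'   # Windows 7 / Server 2008 R2, security-only update
    'KB4012215'   # Windows 7 / Server 2008 R2, monthly rollup
    'KB4012214'   # Windows Server 2012, security-only update
    'KB4012217'   # Windows Server 2012, monthly rollup
    'KB4012213'   # Windows 8.1 / Server 2012 R2, security-only update
    'KB4012216'   # Windows 8.1 / Server 2012 R2, monthly rollup
    'KB4012606'   # Windows 10 version 1507
    'KB4013198'   # Windows 10 version 1511
    'KB4013429'   # Windows 10 version 1607 / Server 2016
)

function Test-Ms17010Installed {
    # True if any MS17-010 KB appears in the installed hotfix list.
    # Caveat: on Windows 10 / Server 2016, later cumulative updates supersede
    # these KBs and Get-HotFix no longer lists them, so $false there means
    # "check the cumulative update level", not "vulnerable".
    $installed = Get-HotFix | Select-Object -ExpandProperty HotFixID
    return [bool]($installed | Where-Object { $Ms17010Kbs -contains $_ })
}

function Get-Smb1Enabled {
    # SMBv1 is the protocol implementation the exploit targets; the durable fix
    # is to turn it off, independent of patch state.
    if (Get-Command Get-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        # Windows 8 / Server 2012 and later expose the setting via the SMB module.
        return (Get-SmbServerConfiguration).EnableSMB1Protocol
    }
    # Windows 7 / Server 2008 R2 and older: the SMB1 registry value controls it,
    # and an absent value means SMBv1 is enabled.
    $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
    $val = Get-ItemProperty -Path $key -Name SMB1 -ErrorAction SilentlyContinue
    if ($null -eq $val) { return $true }
    return ($val.SMB1 -ne 0)
}

function Disable-Smb1 {
    # Turns off the SMBv1 server. Older systems need a restart for it to apply.
    if (Get-Command Set-SmbServerConfiguration -ErrorAction SilentlyContinue) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    } else {
        $key = 'HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters'
        Set-ItemProperty -Path $key -Name SMB1 -Type DWORD -Value 0 -Force
    }
}

# Build a one-host report; pipe the object to Export-Csv when sweeping a fleet.
$report = [PSCustomObject]@{
    ComputerName     = $env:COMPUTERNAME
    OSVersion        = [System.Environment]::OSVersion.Version.ToString()
    MS17010Installed = Test-Ms17010Installed
    SMB1Enabled      = Get-Smb1Enabled
}
$report | Format-List

if ($report.SMB1Enabled) {
    Write-Warning 'SMBv1 is enabled; run Disable-Smb1 and restart to remove the attack surface.'
}
if (-not $report.MS17010Installed) {
    Write-Warning 'No MS17-010 KB found; confirm the cumulative update level before treating the host as unpatched.'
}
```

The point of checking SMBv1 separately from the hotfix is that a host can be patched for this one bug and still be running a legacy protocol that the next SMBv1 flaw will hit; disabling it is the lesson that outlasts any single bulletin.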

So, that’s it. We just need to keep systems patched and updated.

Not so fast. Yes, patching and updating is critical. But this is part of a bigger problem with the cybersecurity culture across the board. And nowhere is it more critical than in healthcare.

At this point, the UK has failed to solidify a real action plan. Think about that for a minute. It has been a year since a malware infection—one that did not impact other critical sectors, such as US DoD or UK Defence systems—and the UK still has no solid plan to fix the culture. Indeed, every single one of the 200 NHS trusts in England audited for cyber security purposes failed its on-site assessment6, yet not a single one has agreed to an action plan.

Yes, NHS has signed a £150M agreement with Microsoft to upgrade all systems to Windows 10 (which applies security updates automatically by default, so systems are not left unprotected). Yes, this new agreement is supposed to bring new threat intelligence capabilities to the NHS. But it still does not address the basic culture.

The UK’s National Audit Office reported that the attack, which they consider unsophisticated, could have been easily prevented if NHS followed basic security best practices.7

Ransomware is small apples. The looming threat of truly sophisticated, nation-state sponsored8, or advanced criminal attacks, or even unwitting internal mistakes9 requires a lot more than regular patches and backups. It requires a culture change.

We at Tasman Global are poised and ready to lead that change. Our mission is to enhance the cybersecurity landscape for all patients around the world through customized, risk-based, and strategic solutions. Regardless of where you are on your journey, we can help you navigate. Let Tasman Global be your compass for changing the cyber culture.

“Culture does not change because we desire to change it. Culture changes when the organization is transformed; the culture reflects the realities of people working together every day.”  ― Frances Hesselbein

1 - A rhetorical device in which a phrase or word is repeatedly used, though the meaning of the word changes in each case.

2 - A word or phrase open to two interpretations, one of which is usually risqué or indecent.

3 - Kaspersky Labs and Symantec both performed code analysis and have identified similarities with earlier identified Lazarus Group code; Microsoft, the UK National Cyber Security Centre, and the US Government (with concurrence from Canada, New Zealand, and Japan) all assess that the attack originated in North Korea.

4 - The Onion Router is a free software that enables anonymous communication through complex routing across a network of systems and relays using the service.

5 - Later analysis found that the great majority (~98%) of affected systems were running Windows 7, which is currently supported by Microsoft.

6 - https://www.theregister.co.uk/2018/02/06/200_hospitals_failed_cyber_security_assessment/

7 - https://www.independent.co.uk/news/uk/home-news/health-department-it-security-wannacry-nhs-hack-report-jeremy-hunt-funding-national-audit-office-nao-a8021881.html

8 - https://www.independent.co.uk/news/uk/home-news/russian-hackers-target-millions-devices-cyber-attacks-us-uk-intelligence-warn-a8307696.html

9 - https://www.theregister.co.uk/2018/05/02/computer_algorithm_blamed_for_450k_women_failing_to_receive_breast_screening_invite/