NHS ransomware: if 60+ hospital trusts can be taken down by mass-market, untargeted malware, then what else has got through, and what else can?

Let’s start off with this quote from government officials: “And, we are not aware of any evidence that patient data has been compromised”. Derh! A malicious email (or, on newer evidence, malicious traffic over SMB) got through your defences, an exploit ran, malware was downloaded, and the malware then went out over the internet to get a public key before it started encrypting. Focus on “went out over the internet to get a public key”. If the malware could reach out over the internet to fetch a key, it could just as easily have planted a RAT (remote access trojan) or uploaded files back to its CnC (command and control) server. Not having looked for that evidence is not the same as it not being there.

Back in October last year I published “Help we are under attack! Let’s create a hundred-page defence plan not actually roll out the big guns” on my website, and with the major NHS ransomware incident in May 2017 I think I have proved myself right.

Let’s look at the words “cyber security”. Cyber means computer, virtual or computer-network related; security means what it always has. Let’s move into the physical world before computers, say 200 years ago. Security for a king or queen meant: build a castle with three-metre-thick walls, dig a moat (and fill it with water), install a drawbridge, set up a few cannons and employ tens of soldiers to guard it.

Securing a castle from attack is solely about physical defence, not about following a 50-item checklist and writing standards and policies that nobody ever reads or updates. Move forward 200 years: castles are no longer being built, and there is more chance of picking up a computer virus than of someone breaching your castle or mugging you.

With computers and networks everyone is under attack 24/7; it is not just the MoD/DoD but banks, the local pharmacy and the hairdresser that are targets. If physical security is about physical controls, shouldn’t cyber security be about putting in technical security controls? Think again! Antivirus, firewalls, web and email filters etc. are the cyber equivalent of the moat, cannons and soldiers, yet in most organisations the primary defence is a piece of paper or a high-level design, never a low- or medium-level one that says how the controls are actually configured.

The reason is partly two things: cyber security is a fairly new topic, whereas gunpowder has existed for over a thousand years, and companies and government still love compliance, which gives a false sense of security. In time technology and staff will mature, but as defences get better attackers will get better too. Most general endpoints owned by the public and private sector today still just have a bog-standard Symantec or McAfee agent installed.

Such agents are usually poorly configured, and on top of that there will be a web gateway scanning just HTTP (so anything encrypted goes uninspected), again not configured properly to do reputation lookups or file blocking. I could go on; it is people, not necessarily technology, that need to evolve. Some people say it is not about tin but about people and processes. You can buy cutting-edge hardware and software and then find it was installed with the default settings. Have a technical security expert review the settings with a fine-tooth comb and within hours your security will be stronger.
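One way to look for both gaps in the logs you already have: the point above that malware which can reach out for a key can just as easily upload files, and the point that a gateway with no reputation lookups or file blocking lets the download through in the first place. The following is an added example, not code from the original post or from any NHS system. It triages web-gateway (proxy) log lines and flags executable downloads that file blocking would have stopped, requests to domains outside a known-good list (a stand-in for a reputation lookup), large uploads to such domains that could be exfiltration, and contact at a near-constant interval that looks like beaconing. The log format, the sample lines, the known-good domain list and the thresholds are all assumptions constructed for illustration.

```python
"""Web-gateway log triage: executable downloads, unknown domains, large uploads
and beaconing. Added example; the log format, sample lines, domain list and
thresholds are constructed assumptions, not the original post's or any real
NHS data."""
import re
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime
from typing import List, Tuple
from urllib.parse import urlparse

# Constructed sample lines in an assumed space-separated format:
# timestamp client method url status bytes_out bytes_in content_type
# (bytes_out = client -> server, bytes_in = server -> client)
SAMPLE_LOG = """\
2017-05-12T09:58:01Z 10.20.1.15 GET http://intranet.example.org/home.aspx 200 380 15200 text/html
2017-05-12T10:01:05Z 10.20.1.15 GET http://files.example-cdn.net/invoice.exe 200 410 512000 application/x-msdownload
2017-05-12T10:01:20Z 10.20.1.15 GET http://key.example-badhost.biz/gen 200 290 1200 application/octet-stream
2017-05-12T10:02:20Z 10.20.1.15 POST http://key.example-badhost.biz/up 200 2400000 150 application/octet-stream
2017-05-12T10:03:20Z 10.20.1.15 GET http://key.example-badhost.biz/gen 200 290 60 text/plain
2017-05-12T10:04:20Z 10.20.1.15 GET http://key.example-badhost.biz/gen 200 290 60 text/plain
2017-05-12T10:05:00Z 10.20.1.22 GET http://updates.example-vendor.com/x.cab 200 300 90000 application/vnd.ms-cab-compressed
"""

# Assumed allow-list standing in for a reputation feed; anything else is "unknown".
KNOWN_GOOD = {"intranet.example.org", "updates.example-vendor.com"}
EXEC_TYPES = {"application/x-msdownload", "application/x-dosexec", "application/x-msdos-program"}
EXEC_EXT = re.compile(r"\.(exe|dll|scr|js|vbs|ps1|hta)$", re.I)
UPLOAD_THRESHOLD = 1_000_000  # bytes sent by the client in a single request (assumed)

Finding = Tuple[str, str, str]  # (client, domain, reason)


@dataclass
class Entry:
    ts: datetime
    client: str
    method: str
    url: str
    status: int
    bytes_out: int
    bytes_in: int
    ctype: str

    @property
    def domain(self) -> str:
        return urlparse(self.url).hostname or ""


def parse_log(text: str) -> List[Entry]:
    """Parse the assumed log format into Entry records, skipping blank lines."""
    entries = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, url, status, out_b, in_b, ctype = line.split()
        entries.append(Entry(datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, method,
                             url, int(status), int(out_b), int(in_b), ctype))
    return entries


def is_executable(e: Entry) -> bool:
    """Executable by declared content type or by file extension in the URL path."""
    return e.ctype.lower() in EXEC_TYPES or bool(EXEC_EXT.search(urlparse(e.url).path))


def triage(entries: List[Entry], known_good=KNOWN_GOOD,
           upload_threshold=UPLOAD_THRESHOLD) -> List[Finding]:
    """Return de-duplicated, sorted (client, domain, reason) findings."""
    findings = set()
    for e in entries:
        unknown = e.domain not in known_good
        if is_executable(e):
            findings.add((e.client, e.domain, "executable download"))
        if unknown:
            findings.add((e.client, e.domain, "unknown domain"))
        if unknown and e.method in ("POST", "PUT") and e.bytes_out >= upload_threshold:
            findings.add((e.client, e.domain, "large upload to unknown domain"))
    return sorted(findings)


def find_beacons(entries: List[Entry], min_hits: int = 3,
                 jitter: float = 0.2) -> List[Tuple[str, str, int]]:
    """Flag (client, domain, interval_seconds) pairs contacted at a near-constant
    interval: every gap within +/- jitter of the mean gap, over min_hits requests."""
    by_pair = defaultdict(list)
    for e in entries:
        by_pair[(e.client, e.domain)].append(e.ts)
    beacons = []
    for (client, domain), times in by_pair.items():
        if len(times) < min_hits:
            continue
        times.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(times, times[1:])]
        mean = sum(gaps) / len(gaps)
        if mean > 0 and all(abs(g - mean) <= jitter * mean for g in gaps):
            beacons.append((client, domain, round(mean)))
    return beacons


if __name__ == "__main__":
    log = parse_log(SAMPLE_LOG)
    for f in triage(log):
        print("FINDING", *f)
    for b in find_beacons(log):
        print("BEACON", *b)
```

On the constructed sample, the host 10.20.1.15 is flagged for pulling `invoice.exe` from an unknown domain, for a 2.4 MB POST to a second unknown domain, and for contacting that domain every 60 seconds; the vendor update host on the allow-list produces nothing. The allow-list is the crude part: in a real deployment it is the gateway's reputation or categorisation feed, and the value of the script is only that it asks the questions the gateway was never configured to ask.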

A conclusion... Ransomware is just like a banking trojan or any other type of malware: it is mass-market and untargeted, yet it has broken through many global public sector departments and giant global companies. If that is getting through, what else is? That is the question we need to be asking, and swiftly. Many people say nothing is 100% secure, but with real technical analysis of what is actually deployed and how it is configured you can do a lot better than the current state of cyber security.