2.4 What lessons can be learnt?
As the NHS was the organisation most affected by the WannaCry attack in the UK, the discussion here is focused on the experience of the NHS. Some of the lessons learnt might apply to other organisations too.
You might have expected a large and important organisation such as the NHS to have enough resources and support to protect itself against cyber-attacks. Furthermore, Microsoft announced the EternalBlue vulnerability and released a patch on 14 March 2017, which was almost two months before the attack. This should have given organisations enough time to patch the security hole and protect themselves against the WannaCry attack.
So why was the NHS still so badly affected by the WannaCry attack? What went wrong and what lessons can be learnt from this incident? According to Dan Taylor, Head of Security, NHS Digital, the following were the main reasons that the NHS was so affected (Evenstad, 2017).
- The NHS had a complicated organisational structure that allocated the responsibilities of policy making, service commissioning and data and information organisation to three different bodies, namely the Department of Health, NHS England and NHS Digital respectively. Although NHS Digital acted as the central data and information organisation, each NHS trust or GP surgery looked after its own data security. NHS Digital did not have direct control over the maintenance of computing assets in local hospitals and GP surgeries.
- The NHS’s main order of business is health and care. Technology and data security are not its main concerns, despite the fact that it has an obligation to protect the data it holds. With the NHS under severe financial constraints, keeping computing equipment up to date was not its priority. Although the patch for the EternalBlue vulnerability had been available for two months, most NHS trusts had not applied it to their computing equipment.
- To make matters worse, the NHS trusts had many different systems, including some old legacy systems. Applying patches to all these systems – especially the legacy systems – without affecting the critical clinical systems was not simple. Improperly applying a patch to a clinical system could render it unusable. These systems are critical for the NHS to operate its business. If the choice was between clinical risk and security risk, many NHS trusts would bear the security risk.
- Finally, communication was a problem too. The language and terminology used by NHS Digital were not always understandable to health professionals, and responses to queries were not always timely either.
Since the WannaCry attack, the NHS has identified areas for improvement, which include the need for clearer communications and accountability for cyber security in every NHS organisation at senior leadership and board level. Local organisations must ensure effective management of their technology infrastructure, systems and services (Smart, 2018).
Although these points are explicitly about the NHS’s failure to prepare itself for the WannaCry attack, similar reasons may also lie behind the failures of many other large organisations that do not manage to protect themselves.
Before moving on to the next case study, complete the three activities on WannaCry below.
Activity 5
Based on how WannaCry spreads, why is it described as a worm rather than a virus or Trojan? Explain your answer.
Answer
WannaCry is classified as a worm because it exploits the vulnerability of computing devices in a network and replicates itself by finding and infecting other vulnerable computing devices.
It is not a virus because it doesn’t insert a copy of itself into applications or crucial parts of the operating system in order to infect other computing devices or storage media that interact with the infected computer.
It is also not a Trojan because it is not disguised as something useful.
More coverage of malware can be found in the ‘Malware’ section of the Introduction to cyber security course on OpenLearn (open the link in a new tab or window by holding down Ctrl (or Cmd on a Mac) when you click on it).
Activity 6
Judging by how WannaCry works and spreads, explain what two main security measures the NHS trusts could have taken that would have prevented WannaCry from attacking their computing devices.
Answer
If their Windows-based computing devices had been patched with Microsoft’s update for the EternalBlue vulnerability in time, it would have prevented their computing devices from being infected.
Furthermore, any computing devices that do not need to use the Server Message Block (SMB) service should have their SMB protocol disabled through a proper firewall setting to prevent unnecessary exposure.
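As an added illustration (not part of the course text), the following PowerShell script audits a single Windows host for the two measures described in this answer and, when asked, applies them. It assumes it is run as Administrator on a Windows version that ships the SmbShare and NetSecurity modules; the patch identifier is a placeholder, because the security update that closes the EternalBlue hole has a different KB number for each Windows version, and the firewall rule name is one chosen here rather than a built-in rule.

```powershell
param(
    [switch]$Fix   # without -Fix the script only reports; with -Fix it remediates
)

# PLACEHOLDER: replace with the KB number of Microsoft's March 2017
# EternalBlue security update for this host's Windows version.
$PatchKb  = 'KBnnnnnnn'
$RuleName = 'Block inbound SMB (TCP 445)'   # assumed name, created by this script

# Measure 1: is the EternalBlue patch installed?
# (A later cumulative update may supersede it; check the KB for your build.)
$patched = [bool](Get-HotFix -Id $PatchKb -ErrorAction SilentlyContinue)

# Measure 2a: WannaCry exploited SMB version 1, so report whether the
# server-side SMBv1 protocol is still enabled on this host.
$smb1Enabled = (Get-SmbServerConfiguration).EnableSMB1Protocol

# Measure 2b: is inbound SMB traffic (TCP port 445) blocked by the firewall?
$rule    = Get-NetFirewallRule -DisplayName $RuleName -ErrorAction SilentlyContinue
$blocked = ($null -ne $rule) -and ($rule.Enabled -eq 'True') -and ($rule.Action -eq 'Block')

[pscustomobject]@{
    ComputerName            = $env:COMPUTERNAME
    EternalBluePatchPresent = $patched
    SMB1Enabled             = $smb1Enabled
    InboundSmbBlocked       = $blocked
} | Format-List

if ($Fix) {
    # Only appropriate on devices that do not need to serve SMB shares,
    # as the answer above states; a file server would lose its shares.
    if ($smb1Enabled) {
        Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force
    }
    if (-not $blocked) {
        New-NetFirewallRule -DisplayName $RuleName -Direction Inbound `
            -Protocol TCP -LocalPort 445 -Action Block -Profile Any | Out-Null
    }
    if (-not $patched) {
        Write-Warning "Patch $PatchKb is missing; install it through Windows Update or WSUS."
    }
}
```

Run it once without `-Fix` across a sample of hosts to see how many are still exposed, then with `-Fix` on those that do not need to offer file shares.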
Activity 7
The spread of WannaCry was significantly slowed down after its kill switch was found and activated. However, security experts – including Sean Dillon, a senior security analyst at RiskSense – expected that new malware based on WannaCry would surface in the future and that this malware would not have a kill switch (Mimoso, 2017).
Complete a quick web search to find out the latest development. You can use a search term such as ‘WannaCry variants’ for your search.
Feedback
Within a few days of the WannaCry attack, a number of variants were detected. Most of them were created by editing a small part of the original malware’s code. For example, one variant used a different domain name as its kill switch, while another removed the kill switch altogether. Some copycat attackers simply replaced the bitcoin addresses in the code with their own, so payments would be directed to them (Mimoso, 2017).
In October 2017, the computer network of Pinehurst-based FirstHealth of the Carolinas in the USA was reported to be infected by a variant of the malware. The organisation took the system offline for a day while attempting to remove the malware (Davis, 2017).
Following the attention given to the malware in May 2017, more computers and devices were subsequently patched. Variants of WannaCry, which also exploit the EternalBlue vulnerability, do not appear to be as infectious as the original malware. However, the situation may have changed by the time you are doing this activity.