Over 100 countries and tens of thousands of computers have been affected by the WannaCry ransomware attack over the weekend. The attack has shocked the media and politicians but is less of a shock to those of us working in the IT sector. The big surprise is that we don’t see more of these outbreaks, something which can only be attributed to luck rather than design.
Not just an NHS hack
The media, at least in the UK, have painted this as an attack on the NHS. It isn’t. The NHS is collateral damage of an indiscriminate criminal extortion job which has impacted many organisations within Europe and the UK. Hospitals, GP surgeries and other health services just happened to be the most visibly impacted large organisations which, by their nature, had to publicise the incident to try and mitigate the impact to their patients.
Thus a global incident which actually targeted more Russian systems than anyone else becomes the “NHS hack”, a double misnomer as it wasn’t just an attack on the NHS and it probably didn’t involve any hacking in the strict sense of the word.
Phishing with worms
At the moment it’s not exactly clear how the ransomware gets into a network in the first instance, but the most likely method is a phishing email sent to some unsuspecting user, who is then tricked into installing the software. Once on one PC in a network the software behaves as a worm: it scans for any other machines it can find and replicates itself to them quickly.
By this point the user is unaware anything is amiss, but the software is busy encrypting all the files on the system. Once that job is complete it will then lock the system and present the ransom demand along with a payment deadline and link to a bitcoin account.
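The worm-style spread just described, one machine contacting many of its neighbours in quick succession, is something a defender can look for in network connection logs. The following is an added Python example, not code from the original post; the log format, the addresses and the thresholds are all constructed for illustration.

```python
"""Flag hosts that contact many distinct internal peers in a short window."""
from collections import defaultdict
from datetime import datetime, timedelta


def build_sample():
    """Constructed connection log: '<ISO timestamp> <src> -> <dst>' per line."""
    base = datetime(2017, 5, 12, 10, 0, 0)
    lines = []
    # Normal workstation: a couple of servers over the course of an hour.
    for i, dst in enumerate(["10.1.0.5", "10.1.0.6", "10.1.0.5"]):
        ts = (base + timedelta(minutes=20 * i)).isoformat()
        lines.append(f"{ts} 10.1.2.7 -> {dst}")
    # Infected workstation: sweeps its neighbours within a few seconds.
    for i in range(15):
        ts = (base + timedelta(seconds=i)).isoformat()
        lines.append(f"{ts} 10.1.2.15 -> 10.1.2.{20 + i}")
    return "\n".join(lines)


def parse_line(line):
    ts, src, _arrow, dst = line.split()
    return datetime.fromisoformat(ts), src, dst


def find_scanners(log_text, window=timedelta(seconds=60), min_targets=10):
    """Return {src: distinct destinations} for every source that reached at
    least `min_targets` different hosts inside some `window`-long span."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        if line.strip():
            ts, src, dst = parse_line(line)
            events[src].append((ts, dst))
    flagged = {}
    for src, seen in events.items():
        seen.sort()                      # order by timestamp
        start = 0
        for end in range(len(seen)):
            # Shrink the window from the left until it fits.
            while seen[end][0] - seen[start][0] > window:
                start += 1
            targets = {dst for _, dst in seen[start:end + 1]}
            if len(targets) >= min_targets:
                flagged[src] = max(flagged.get(src, 0), len(targets))
    return flagged


if __name__ == "__main__":
    for host, n in find_scanners(build_sample()).items():
        print(f"possible lateral scan: {host} reached {n} hosts")
```

The thresholds are deliberately loose; a real deployment would tune the window and target count to the normal fan-out of the servers and monitoring hosts on that network.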
There are three hurdles that the attack needs to overcome before it can get to the point of encrypting a computer’s files and demanding payment. First, a user has to fall for the initial phishing email and follow its instructions to click a link, download and install software, or whatever variation the attack is using.
Second, the user must have the authority to install the software on the PC.
Lastly, the PC being infected must be missing essential security updates released for the operating system.
The first hurdle is an education and training issue. The only way to get users to stop falling for phishing attacks is to educate them about the existence of phishing emails and how to spot them. It might seem obvious to those of us of a technical persuasion, but if no-one fell for them then no-one would send them. You could try to prevent users from accessing personal email on work PCs, but I think in today’s world that is unlikely to be a fight that an IT department will win.
The other two hurdles are firmly in the hands of IT administrators. It is their responsibility to manage user permissions across a network, to ensure patches are rolled out, and that operating systems are current and still supported.
Not that easy
Knowing how to prevent the attack is only half the battle. If it were that easy then we’d never see a global incident like the one on Friday. So what stops us from doing these seemingly basic tasks to mitigate the risks?
Sadly, as ever, the answer is money. Upgrading an IT estate (desktops, laptops and servers) so that its operating systems remain under vendor support is an expensive exercise. It often also means engaging with third-party suppliers to make sure that applications and hardware still operate correctly with the new systems, and if they don’t, then they may need to be upgraded or replaced as well. It’s a task whose knock-on costs can escalate rapidly.
Then there’s paying for the resources to perform the work. Large enterprises performing a refresh often need to hire in additional staff or contractors to assist with the project.
Training staff in the tools needed to properly lock down and manage systems costs money, as does the education campaign needed to make users aware of why they can’t now install whatever they want on “their” PC and how they can spot and avoid phishing emails.
Lastly, the simple fact is that everything takes time. Patches and updates need to be tested and rolled out in a managed way. It’s often unrealistic for an IT department to receive a patch from Microsoft and roll it out across an organisation before some malevolent hacker has pushed out a tool to exploit the vulnerability. That’s when they must ensure that other techniques are in place to mitigate the impact of any outbreak: a solid backup strategy, a disaster management plan, system monitoring, network storage for working files so that users don’t store data locally, and so on. It all adds up to more resources, money and time required.
So what now?
Last week’s attack is going to have repercussions, and not just for the NHS. This is a serious wake-up call for anyone working in enterprise IT and for all businesses. Many IT departments, often reporting directly to the finance director, are seen as an overhead, a cost to be tightly controlled, and it’s too easy for IT to be one of the first victims of cost cutting in any downturn. This attack should be a warning to business about why they should think twice about pushing lower spending as the big goal for IT departments.
Along with that, many organisations focus on big capital projects like new ERP systems or the NHS patient records system. While these can have significant benefits (if successfully implemented), it’s important that they’re not taking resources and money away from business-as-usual IT operations. That is a difficult juggling act, though, for an IT manager trying to justify their existence: shiny and innovative new systems are often an easier sell.
At the end of the day I think that most IT departments know what they should do but are weakened by pressure to be flexible, to allow “special cases” to install their own software and keep their legacy operating systems. It’s these outlier cases that weaken the overall security of a network and allow viruses and malware to get a bridgehead into an organisation.
After this global incident, I expect many organisations to give their IT departments a lot more power to manage security the way it should be managed. It will be painful, end users and management will have to be educated to understand why they can’t install their own software and businesses will need to increase their IT spend accordingly.
For some organisations that will be difficult, not least in politically sensitive public-sector groups like the NHS. A desktop refresh is one thing; finding the publicly funded budget to replace or update the MRI machines, operating theatres and associated software needed to run the health service, which rely on Windows XP and other out-of-support systems, is going to be a big topic in the coming weeks, not least with a general election campaign under way.
The long game
In the long term will anything change? Possibly. Hopefully. I think IT departments need to become better at selling their business-as-usual activities as a benefit to the wider business. Without them that business can’t function, and we’ve now seen the huge risk of not educating users, not controlling your network environment, and not updating your software estate. The challenge is to make sure that everyone, managers and users alike, is aware of the risks to their business if they allow things to slip again. They have to let IT professionals manage their security and make sure best-practice processes are in place and followed, without putting undue cost pressure on the heads of those responsible.
They also need to watch for the snake-oil salesmen creeping out of the woodwork in the wake of this attack. There will be a huge push to find solutions to combat this specific type of malware. Leave that to the security researchers. Enterprises should concentrate on getting the basics right: get your user policies tightened up, your networks locked down, and your software up to date.