Plain English cybersecurity advice in 3 articles, 2 statistics and 1 action.

This week: In the aftermath of a cyber attack on Ireland’s Health Service, it will be no surprise that this week’s Cyber 3-2-1 focuses on this crime. Or perhaps, this week should be called Cyber 2-3-1 as the two statistics are the most important elements to consider.

This week’s action: Review and restrict access to data.

TWO STATISTICS

1 – ONE

According to the latest media report, the attack on the HSE started when one person was fooled into clicking a link.

If this is true, and in the unlikely event that this one person is reading this, they need to know the following:

This is not their fault.

They may think the attack would not have happened if they had not been fooled. But they are not the only one who could have been fooled. It was probably just a matter of time. Others may even have been fooled by a similar scam in the past, but because the outcome was insignificant in the past, no-one has been told. Them, you, me, everyone else – We are all vulnerable to this type of scam. All it takes is the right type of email, message or popup at the wrong time.

Even if they don’t believe me, they must not feel that they are to blame for the extent of the damage that this attack is alleged to have caused. There are many defences an organisation can put in place to reduce the likelihood and impact of an attack. The human is only one of these defences. No-one expects a human to successfully defend the organisation 100% of the time.

Yes, we should try to be mindful of how these attacks happen and be constantly watching out for malicious links and files. But, we are all human and we are all vulnerable.

Every organisation needs to take steps to help, support and protect people – Help them spot a malicious email or link, help them report their suspicions, help them alert us even after they have done something. But most importantly, every organisation needs to have measures in place to minimise the impact when the human defence fails.

For example, the first 10 things that come to mind (in no particular order) are:

  1. Restrict access to data (as discussed below)
  2. Ensure email systems are protected with email filters / threat protection
  3. Ensure devices are protected from accessing known / malicious websites
  4. Ensure devices have effective anti-virus and other endpoint protection systems in place
  5. Ensure a very limited number of people have administrator / privileged access
  6. Ensure IT systems are updated with the latest security patches
  7. Implement Two-Factor Authentication / Multi-Factor Authentication so a password is not enough to get in
  8. Segment networks so access to one device doesn’t immediately provide a pathway to all devices
  9. Make sure you have backups and that these backups are not accessible from your network (search for the term ‘air gapped’; Or dig out your old CD-ROM drive and use WORM media!)
  10. Monitor for large volumes of data changes (a sign of ransomware encryption) or large volumes of data transmission (a sign of data theft)

The list goes on and I am sure I missed plenty of obvious ones. This list is not specific to the HSE attack – It may well have succeeded even with all of these in place. After all, as described below, the HSE’s environment is far more complex than most of us in our ivory towers can comprehend.

My point is the following: The human is frequently our first line of defence. But they’re not the only line of defence.

(Reference: https://www.thejournal.ie/hse-cyber-attack-ransonware-started-5443370-May2021/)


2 – 2,000

The HSE has 2,000 patient-facing IT systems, each involving multiple servers, infrastructure and other devices. They all need to be assessed and put through a “rigorous process of assessment and recovery in a controlled and structured way” before they can be regarded as secure. They also have 80,000 other devices that need to be assessed. There are not many organisations with such a complex IT environment. We should not expect things to be back to normal in a matter of days.

(Reference: https://www.hse.ie/eng/services/news/media/pressrel/hse-cyber-security-incident.html)


THREE ARTICLES

1 – A cyber-attack on Ireland’s sick people

Last week’s ransomware attack on Ireland’s healthcare service is “having a catastrophic impact” on sick people. Appointments in outpatient clinics are down by 70 to 80%. Chemotherapy appointments are down 50%. There are concerns about some crisis mental health services.

A week after the ransomware attack was first identified, the HSE is still reporting that “All the HSE networks are down and all HSE applications are down”.

These cyber criminals have no moral boundaries. Even after they got into the HSE systems, they could have walked away when they realised where they were. But they didn’t. And they also attempted to attack the Department of Health at the same time.

Read more: https://www.independent.ie/irish-news/hse-and-gardai-investigate-scam-texts-and-emails-in-wake-of-health-service-cyber-attack-40450116.html on the impact to patients, https://healthservice.hse.ie/staff/news/general/staff-update-hse-it-cyber-attack.html (as at May 21st) for the impact on IT systems, and https://www.ncsc.gov.ie/pdfs/HSE_Conti_140521_UPDATE.pdf for information on the attempted attack on the DoH.


2 – Ransomware is not the problem. The problem is the horse that has bolted. It was loaded up with data.

On May 20th, six days after the attack, it was reported that the password necessary to decrypt the encrypted data was released by the cyber attackers.

While this may seem like an act of goodwill, it isn’t. The gang may have released it to prove to the HSE that they are who they say they are.

More importantly, it does not address the concern that the gang took a copy of hundreds of gigabytes of data and is threatening to release this online and/or use it in future attacks directed at patients themselves.

According to the HSE, and reported in an article headlined “All of our data is potentially compromised”, the HSE is particularly concerned about “the HSE database [which contains data such as] 1) Clinical, laboratories, diagnostics, oncology; 2) patient administration such as medical cards and administration systems and; 3) corporate (payroll, HR, finance).”

At this point, there is no point in paying a ransom – Even if it was paid, there is no way to prove that the gang will really delete all copies of the stolen data, and no way to prove that another gang has not taken a copy of it already anyway. The horse has bolted, and it sounds like the horse was loaded up with data.

Read more: https://www.independent.ie/irish-news/crime/cyber-criminals-hand-over-decryption-key-to-unlock-hse-systems-40450686.html about the release of the ransomware key and https://www.independent.ie/news/all-of-our-data-is-potentially-compromised-says-paul-reidas-hse-secures-high-court-super-injunctions-over-leakeddata-40450483.html about the extent of data that could have been stolen.


3 – The HSE is not the only organisation to be a victim. What can we do to reduce the risk of being the next victim?

This Prime Time report, including contributions from Brian Honan of BH Consulting, provides a detailed insight into the gang that hit the HSE and how the ecosystem works.

Professor Ciaran Martin of the University of Oxford points out that this attack was unlikely to be a sophisticated zero-day attack and may also be the first deliberate and targeted attack on a nation’s healthcare system, causing many cyber criminals to distance themselves from this particular attack (from 5:00 to 8:20 in the report).

Dr. Donna O’Shea of Munster Technological University points out that the ‘perimeter-based security model’, where the outside is hard but the inside is soft and wide-open, is no longer an appropriate approach to defend against cyber threats (8:20 in the report).

At the end of the segment, Dr O’Shea is asked how a firm can protect itself. She provides a very pragmatic list of things to think about before wrapping it all up with one key message: “Organisations need to implement defence-in-depth”.

(As an aside: As frequently happens when we talk about cybersecurity, I can imagine the interviewer’s eyes glazing over before they wrap up by saying “pretty complicated, by the sounds of it”. It is if you try to do it all in one go. But with a step-by-step prioritised plan, you can get there.)

See more: A video of the Prime Time report is accessible from https://www.rte.ie/news/primetime/2021/0518/1222466-hse-cyber-attack-irish-businesses/


ONE ACTION – If you do only one ‘cybersecurity’ thing this week, do this.

1 – Review and Restrict:

The latest media reports suggest that the cyber attackers have copied large volumes of data from HSE systems. While the HSE attackers may have gained access to all of this data through a sophisticated, multi-pronged attack that involved multiple breaches across multiple systems, most attackers can gain access to a lot of data because we allow our staff to easily access a lot of data.

To minimise the impact of a breach, we all need to review how much data is sitting on company-wide file shares and other easily-accessible locations. We need to ensure important or sensitive information is stored in locations with restricted access.

To use one example, most firms already take steps to protect information such as staff salary and bonus figures. This information is never stored in a location accessible to all staff. And yet many firms send sensitive data about customers as email attachments or store these lists in unprotected locations. One successful attack on one email mailbox or a staff PC means this data is now accessible to the attacker. Cha-Ching.

There are many solutions but if you don’t want ‘new’ solutions, think about the functionality available to you right now in Word or Excel: Password-protection. Protecting specific files with a password may be a clunky and inconvenient solution, but it is potentially an effective way to minimise the impact (assuming you are using a recent version of Word or Excel). If you use other tools, a compression tool such as 7-zip also provides password-protecting capabilities for directories and files. While an attacker will probably be able to break into a password-protected file if they persist, most attackers won’t bother – There is easier money to make elsewhere. It may not be a perfect solution but it’s far better than having the data sitting there, just waiting for an attacker to take it.
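One way to do the “review” half of this week’s action, as an added example that is not from the newsletter: a PowerShell script that walks a file share and, for every document-type file, lists the ACL entries granting read access to broad groups such as Everyone or Domain Users, then ranks the folders with the most exposed files. The share path, the group names and the extension list are placeholders to adapt to your own environment.

```powershell
# Added example (not from the newsletter). Run on Windows with rights to read
# ACLs on the share. Placeholders: adapt the share path, groups and extensions.
$SharePath    = '\\FILESERVER\Company'                        # placeholder
$BroadGroups  = @('Everyone', 'Authenticated Users', 'Domain Users')
# File types that commonly carry customer or staff data worth restricting.
$SensitiveExt = @('.xlsx', '.xls', '.csv', '.docx', '.doc', '.pdf')

function Get-BroadlyReadableFiles {
    param([string]$Path, [string[]]$Groups, [string[]]$Extensions)

    # Match the trailing account name, so 'DOMAIN\Domain Users' and 'Everyone' both hit.
    $groupPattern = '(' + (($Groups | ForEach-Object { [regex]::Escape($_) }) -join '|') + ')$'
    $readData     = [System.Security.AccessControl.FileSystemRights]::ReadData

    Get-ChildItem -LiteralPath $Path -Recurse -File -ErrorAction SilentlyContinue |
        Where-Object { $Extensions -contains $_.Extension.ToLower() } |
        ForEach-Object {
            $file = $_
            $acl  = Get-Acl -LiteralPath $file.FullName
            foreach ($ace in $acl.Access) {
                # Keep Allow entries that include ReadData (FullControl, Modify, Read all do)
                # and are granted to one of the broad groups.
                if ($ace.AccessControlType -eq 'Allow' -and
                    ($ace.FileSystemRights -band $readData) -and
                    $ace.IdentityReference.Value -match $groupPattern) {
                    [pscustomobject]@{
                        Path      = $file.FullName
                        Grantee   = $ace.IdentityReference.Value
                        Rights    = $ace.FileSystemRights
                        Inherited = $ace.IsInherited   # inherited = fix the folder, not the file
                    }
                }
            }
        }
}

$findings = Get-BroadlyReadableFiles -Path $SharePath -Groups $BroadGroups -Extensions $SensitiveExt

# Folders holding the most exposed documents are the first candidates for
# moving to a restricted location or tightening the folder ACL.
$findings |
    Group-Object { Split-Path -Path $_.Path -Parent } |
    Sort-Object Count -Descending |
    Select-Object Count, Name |
    Format-Table -AutoSize

$findings | Export-Csv -Path 'exposed-documents.csv' -NoTypeInformation
```

Most hits will show Inherited = True, which means the folder grants the access; restricting the folder (or moving the files to one with a restricted ACL) fixes every file beneath it at once.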