NHS cyber-attack is a warning for business

Matt Horan, security director of C3IA Solutions

After the NHS was crippled by a computer hack, one of the country’s leading cyber-security experts has warned businesses to be on their guard and explained how they can reduce the risk of attack.

Matt Horan, security director of Dorset-based C3IA Solutions, also advised that ransoms should never be paid to hackers.

C3IA Solutions was one of the first companies to be certified by the government’s National Cyber Security Centre (NCSC) and has worked across government, including GCHQ.

Matt, who also works with businesses, said: “The NHS ‘WANNACRY’ incident started when an authorised user of the NHS IT system opened up a supposedly genuine email with an attachment.

“You could say that it started with a standard ‘phishing’ type attack which contained a hidden Trojan. It then spread across the network using a different modus operandi, a ‘worm’.

“Worms are self-spreading and replicating; they crawl across the target network using up memory and attacking applications on the hosting machines that have not been patched.

“This method was fundamentally different to normal phishing attacks which rely on each instance of ‘ransomware’ being extracted by authorised users’ actions.

“The perpetrators of this are still to be identified but judging by the way the attack was coded and distributed this it is probably an organised crime sponsored attack.

“They exploited a vulnerability known as ‘EternalBlue’ that was ‘stolen’ from the US National Security Agency (NSA) in March.

“Looking at the number of countries falling victim to this I would suggest that it would not appear to be a state sponsored attack.

“Parts of the NHS were unprepared because they continue to run services on platforms that are running software that is deemed end of life, and vulnerable.

“Even if you have updated 80% of a system to a more secure platform profile, vulnerabilities remain on the older platforms such as Win XP, NT, Server 2008 etc. These do not get wrapped up in patching updates.

“Fundamentally a security patch was available for this back in March 2017. Some NHS Trusts have invested in newer technology and do not have legacy hardware, and some have not.

“Ultimately every piece of hardware on a network should be part of a patching regime to ensure that security updates and AV updates are as up-to-date as possible.

“To prevent such attacks there must be ‘user education and awareness’ training to prevent phase one – clicking on that email.

“Investment in replacing legacy out-of-date hardware which has known vulnerabilities present is crucial – and following that: Patching! Patching! Patching!

“The implementation of a Windows Server Update Service (WSUS) could be run which automatically updates Windows’ platforms at scheduled times to ensure that all hardware has the latest patches installed.

“Finally, data should be backed-up to an isolated network that scrubs the data to ensure that any viruses are not present at the point of back-up.

“We have already seen that this was not an NHS-specific attack and therefore any business is vulnerable.

“However, if you have a good patching regime, invest in your IT systems and run appropriate host and network-based Intrusion Detection Systems you will greatly reduce the potential attack vectors of your network.

“Never pay any ransom, it is highly unlikely that your data will be released and you will just be listed as a future potential target because you have paid.

“To become secure business leaders should imagine their IT network is their home or car. You would not leave the doors or windows open when not there, so shut the vulnerabilities.

“There are a number of government and commercial schemes out there that help businesses become more cyber-savvy – these include the Cyber Essentials Scheme (CES), CES+, ISO/IEC 27K to name a few.”

C3IA Solutions is based in Poole and works across the public and private sector in all areas of cyber-security and information assurance.


For more information contact:

Ed Baker at Deep South Media on 01202 534487 or 07788392965