pixel_dreams - Fotolia
From teenage hackers in their bedrooms to large-scale international incidents – the number of cyber attacks in the UK is increasing.
Figures from July 2017 show that the National Cyber Security Centre (NCSC) recorded nearly 500 major cyber attacks in the space of eight months, meaning the likelihood of being hit is on the up. At the latest CW500 Club, experts shared their tips, advice and lessons learned from recent high profile attacks.
One thing that stands out as a common denominator among several incidents, is that simple defenses are missing, according to Yiannis Pavlosoglou, strategic change manager for operational resilience at UBS and co-chair of the (ISC)² EMEA Advisory Council.
He said that although the number of attacks are increasing, organisations’ defences haven’t changed. “Look at Petya; look at WannaCry,” he said. “What was missing? A patch.”
It sounds simple, he said, but in reality, it’s complexity that’s the issue. “We’re victims of complexity. It’s not that we have somehow failed at our job, but it’s that we’re dealing with much more complex situations, systems and platforms. We know how to solve a specific problem, but somehow we’re unable to apply that solution,” he said.
A world in which connected devices are the norm, and one technology interacts with another, creates this complexity. Pavlosoglou has a solution to this: “I’m here to advocate simplicity,” he said.
“If there’s one solution I’d like to propose to help us prevent against cyber attacks and actually help us stop this influx of news of more and more sophisticated and complex attacks, then it’s to try to simplify what we have as a problem statement.”
The gap between business and IT
The complexity, he explained, often comes from a gap between business and IT. The IT department will be given a set of requirements and deliver against them, but can lose focus on what the end purpose of that is.
“What I’d like to share and advocate is the need to change our approach towards how we tackle things. Instead of picking up a specific requirement or accepting the status quo around how we manage IT, look at what happens when human interaction feeds into IT,” he said.
“And if that carries an element of complexity, first, know that that’s your weak point, and second, note that’s where you need to spend most of your time on simplifying.”
In other words, de-cluttering how you operate is a surefire way of upping your threshold in terms of being able to prevent a cyber attack having a massive effect on your organisation.
During the attack
Preparing and being ready for an attack is all well and good, but what happens when you find yourself under fire? Both Dan Taylor, head of security at NHS Digital, and Rob Greig, former director of the parliamentary digital service (PDS), have had to tackle major cyber attacks this year.
In May the NHS was hit by the WannaCry ransomware attack, which affected several hospitals GP practices and pharmacies across England and Scotland, which created a huge challenge for NHS Digital.
With local organisations responsible for their own cyber security, when the attack happened, said Taylor, “we were almost getting the intel second hand, which was unnerving”. One particular organsiation went from zero to 8,000 machines being cryptolocked in the space of 37 minutes, he added.
“The problem is there’s a national scale issue, such as WannaCry, affecting the system, but you actually have no control.”
Read more about cyber attacks
- A study has revealed that most UK local authorities have suffered cyber attacks in the past year, showing local government is a key target for cyber criminals and that legacy software is a top security concern.
- What key things should organisations be doing in terms of cyber defences to ensure they are resilient?
- Awareness of the impact of cyber attacks on business and regulation are expected to be the top drivers of continued and increased spending on cyber security, according to research firm Gartner.
The WannaCry attacks in May 2017 highlighted the vulnerability of unpatched operating systems, with the attack exploiting a vulnerability that had been patched by Microsoft two months before. However, in spite of popular belief that computers running Windows XP were to blame for the attack, Taylor said it was a “very small percentage of those affected running XP”.
“If I hear one more so-called expert say this was because of Windows XP, I will hunt them down personally,” he joked.
The WannaCry attack wasn’t specifically targeted at the NHS – in fact, more than 200,000 computers in 150 countries were infected by the malware. It provided an opportunity to highlight the investment the NHS needed in security.
“The investment that needs to be put into health is substantial,” said Taylor. “Although we have no evidence saying health was specifically targeted, what we often see in health are really simple exploits.” He added that health needs to do better, which begins with translating to those on the ground why they need to have good cyber security practices in place.
The mantra, he said, is that clinical risk trumps data security risk. But one can argue those are the same. If a security breach means you can’t access clinical systems, that impacts clinical decisions and patient care. “Health is now waking up to the idea that making risk-based decisions has an impact,” said Taylor. “So now they are more likely to patch and ensure everything is up to date, because they the consequences.”
Parliament in the firing line
While the NHS attack dominated news headlines in May, it didn’t take long before another large-scale incident adorned the front pages. In June, it was Parliament’s turn in the firing line.
Unlike WannaCry, which was a ransomware attack, the incident which led to PDS having to suspend remote access to the accounts of parliamentary network users, was the result of someone trying to actively penetrate the environment.
This was no teenager in a bedroom somewhere, but a state-sponsored attack, which, according to the latest rumours, was orchestrated by Iran. Regardless of who was behind the attack, Parliament was getting hit heavily and repeatedly by someone trying to get access to the network.
The attack didn’t happen overnight. In fact, it had been going on for weeks when PDS finally made the decision to suspend 18 high risk accounts on 22 June.
The following day, all 9,000 parliamentary accounts were getting tried every hour, six or seven times an hour, and the day after that, Greig made the decision to disable remote access to every single account. “Believe you me, that’s a really difficult decision to make,” he said.
Bravery is key
Just like with the NHS incident, the attack, said Greig, showed that cyber incidents are not just about IT, technology and the digital crew, but everybody. In the end, it was a “good thing” because it highlighted the need for proper cyber security investment and allowed PDS to “accelerate some of our cyber work”.
“We were able to shut down systems which would’ve taken years to get rid of and we were able to get decisions made right then and there,” he said.
“This is about the wider scope with cyber security responses, and practicing that, and waking up to the fact is really important,” said, Greig, adding that it should be treated on the same scale as an explosion or terrorist attack.
One takeaway both Greig and Taylor agree on is that when it comes to handling a cyber attack, you must “be brave” and “embrace the panic”.
“I think one of the lessons we learnt during that week in the NHS is that sometimes it’s more about asking for forgiveness rather than permission,” said Taylor.
Greig added that some have said the attack was “an avoidable situation”, but that “anybody who works in an IT department knows that’s just naïve”.
What every organisation needs to understand, said all three speakers, is there is no magic bullet to stop cyber attacks from happening, but that doesn’t mean you shouldn’t be prepared.