Thursday, 18 May 2017

Ransomware is malicious software that locks a device, such as a computer, tablet or smartphone by encrypting the data and then demands a ransom to unlock it. The software is normally contained within an attachment to an email that masquerades as something innocent.

The ransomware attack on the United Kingdom’s National Health Service (NHS) raises some issues we must all consider:

  1. The nature of the data which has been encrypted. Encryption of personal medical data caused medical procedures to be delayed or cancelled as critical services and records were taken offline.
  2. Whether the data has been stolen, to be sold later on the ‘dark web’ where it may be extremely valuable.
  3. The antiquated nature of the NHS information systems. The UK Government will be under severe pressure to explain why these systems were not updated to the latest software version, even after a warning from Microsoft.
  4. The fact that this ransomware (WannaCry) was stolen from the United States National Security Agency (NSA). The NSA actions was exposed by information leaks from Edward Snowden a number of years ago.
  5. An attack of this nature, and the massive level of disruption caused, suggests the ‘big-stick’ approach to Cyber Security is not working.

Ransomware attacks, traditionally, are not complex

Whilst the program WannaCry itself might be complex, the process used to attack the NHS is not. In its simplest form:
  1. Once the ransomware program is written, it is typically activated by a user clicking on a file (frequently an attachment to an email). The program then identifies available drives and encrypts the files within.
  2. Assuming the appropriate backup and disaster recovery strategies are in place, it should just be a matter of restoring the data. Under a worst-case scenario, very recent data might be lost. But the entity could be operational again without having to accede to the demands of the ransomware criminals. However, many organisations do not have adequate disaster recovery strategies in place to produce this outcome.

Why doesn't virus protection protect the data?

Virus protection relies upon virus ‘signatures’. For example, once virus protection software developers have seen the ransomware program they can identify unique traits:

  1. In the attachment to the email.
  2. In the program installed on the computer.

Because they understand this iterative process, ransomware criminals continue to develop their programs to avoid detection.

Microsoft and Anti-Virus vendors are generally good at quickly developing fixes or patches to identify these ransomware programs as soon as they become aware of them, notwithstanding the risk of Zero Day vulnerabilities (holes in software they are not yet aware of). However, not all computer users or network administrators update their computer environments to the latest software versions, leaving both their systems and users vulnerable to an attack.

Why does it continue to happen?

These preventative actions are not difficult to implement however many organisations forgo these simple steps due to priority or funding issues.

The UK NHS was still using the Microsoft XP Windows operating system (released in 2001) at the time of the ransomware attack. Microsoft ceased supporting this system in April 2014. Why was the NHS, which has access to very sensitive data, using such an outdated operating system?

It raises the question: how many Australian corporates and Government organisations are using similarly outdated and unsupported operating systems?

Give data a value and make it an asset of the entity

Another way to change the level of focus on data security might be to allow entities to include the value of their data as an asset in their financial statements. Like the plant and equipment of a manufacturing business, if the data of an entity could be recorded as an asset of the business, senior management may be more likely to pay attention to maintaining data security and quality.

Perhaps a global event such as this suggests the “big-stick” approach to Cyber Security is not working. We need to change our thinking. Perhaps Governments could consider legislative changes to allow entities to value data. This may act as a trigger for a better approach.