At around 14:00 hrs on the 12th of May 2017 saw, what was yet again a cyber-situation of unprecedented magnitude when the NHS, at the outset, suffered a cyber-attack against 16 authorities, which utilized ransomware as the logical weapon of choice – an attack which quickly spread to around 100 countries to infect global targets ranging from commercial organizations to train companies. This, yet another unprecedented attack following in the footsteps of the Yahoo debacle, the chaotic Talk-Talk indecent, and many, many other such unprecedented successful cyber-attacks which have laid systems to waste, and exposed millions/billions of records open to compromise by hackers and cyber criminals.
One fact here which was obvious at the outset of this unprecedented cyber-attack was the significance of the logical weaponry involved – which would seem to have been complex in both its creation, and in the MO of who such a weapon had been launched on such a UK wide, and then global scale – a situation which would seem to be indicating the NSA in some way – maybe for not correctly securing their next version of Stuxnet, or some other new cyber-weapon which has found its way into the hands of hostiles, or criminals who which to exploit its power to their own justified end. Maybe like the unprecedented accidental release of the Morris worm way back in the day!
I was also interested to read, and listen to media comments which expressed an opinion that it was disgusting to attack the NHS – but let us be clear here, if this was, say a cyber-attack by a hostile government, or radicalized group, one key intention will be to break down the morale of the targeted populations, and what better way to effect this than to see people die! And looking to the pages of fiction, here it is well worth reading the Edge of Madness by Michael Dobbs who outlines such events as this to some dramatic effect.
To get where we are today however residing under the shadow of the cyber-threat the world faces, along the route we have trodden, as a society, we are culpable of three things.
1) The scale at which we have embraced and woven technology into almost every facet of our professional and social lives
2) The way in which we have placed trust in COTS [Commercial of the Shelf] products and applications to run critical systems, and
3) 3] How we have failed to take the appropriate steps dictated by the cyber-threat over two decades! In fact, in the example of the NHS attack, we are aware that they were utilizing vulnerable systems such as Windows XP which are unpatched by inference, and exposed to many new, andold vulnerabilities such as Conficker – so even at the simplest hurdle, here we would seem to have failed to make the jump into any form of delivering an adequate level of base security. But then, as I, and many others are aware many organizations are still running core critical services on Windows NT SP6a, so maybe we should not be so hard on the NHS. After all, running outdated systems would seem to be a common andaccepted practice!
But the real culprits of this situation lie with those who ran with the high faulted title of CISO of the NHS in its early days of implementation of thisopen-system who were both resident, and incumbent in the post that imperfectly oversaw the debacle unfolding before their very eyes – who I can assure you from a first-hand conversation were aware from day one that the security model of this critical system, supporting critical services was flawed – this fact we now all know!
But it’s not just that. In the last 15 years, I have worked for many organizations as a contractor and first responder where I have observed:
- In a gas company with soft-belly internal servers with no AV, next to no appropriate ACL which were hosting critical client, and PCI related data – with no audit policy in place
- Third-party Outsourcing company who failed to recognize the need to have appreciate AV controls, and an applicable policy – only to suffer infection by ransomware some six months after ignoring a report issued to their, then responsible [or irresponsible] Security Manager and Governance Team
- The third-party Outsourcing company who’s CISO, and Security Manager where aware that they did not meet the requirements of a UK Governments Terms of Connection, with a system hosted in a hostile country – ignored and tolerated
- Take the company who were aware from their PCI-DSS scans that there were hostile Access Points available, but they were tolerated and ignored and allowed to remain extant
- And of course, the ultimate posture of insecurity of all, is those who have managed to gain security positions based on inflated, falsifiedcredentials which have been leveraged to obtain certified status – e.g. Certified CISO
To conclude, it was around ten years ago now when I sat down with Mrs. T May MP [in opposition], Mark Pritchard MP, and Margert Moran MP [who lost her set after the expenses scandal], and John Thompson, the then CEO of Symantec in the luxurious surrounding of the Ritz. Mr. Thompson was setting the scene that all was well, and in hand when it came to delivering against the cyber exposure – a position with which I strongly disagreed [in fact according to Mark Pritchard MP I was banging on too much]. The following day, I wrote to Mrs. May regarding my concerns – ignored! But then, some years later a key member of CPNI told me that the cyber-threat was over hyped, and was not posing the dangers as I had outlined! She is now involved with our National Cyber Unit, so clearly, the lady was for turning after all. To finish of the introductory conversation, the very same CISO who was involved with the early planning stages went on to work for a big name global player providing digital defense and commercial applications – and it was they who said some years later TV “We are winning the fight against hackers” – so at least we have consistency in misunderstanding and misrepresentation.
Epilogue: Compliance and Governance have taken the lead for far too long – soft skills have had far too much sway and say on the direction of cyber-defenses, and the induction of far too many certifications, which in many cases mean nothing – and with some being falsified are all culprits which have, and are exposing society. Time is now here to grip the problem by the horns, get back to basics, and to look to employ professionals who do have the depth of knowledge and skill – that is before the next unprecedented successful cyber-attack occurs.
