During the last few days, we have seen a new ransomware with the code name WannaCry spread rapidly all over the world, infecting thousands of computers and causing a crisis in a wide range of industries, with the spotlight on the National Health Service (NHS) in England.
Ransomware is malicious software that prevents affected users from accessing their devices (or parts of them). Now that the biggest wave of the ransomware attack has (probably) come to an end, we can analyse what went wrong and learn the lessons.
Lesson 1: We Lack Security Awareness
One of the most common single points of failure when building secure software is the human factor. IBM observed that 95% of all security incidents involve some kind of human error. Furthermore, 60% of these attacks were carried out by insiders, people who either acted deliberately or inadvertently helped an attacker from outside the organisation. Regarding the WannaCry ransomware attack, we read that the attack probably began when an NHS employee clicked on a malicious link (a phishing attack). Moreover, the attack spread widely and easily because large numbers of NHS organisations failed to act on a critical notice from Microsoft two months earlier: a software patch that, if installed, would have prevented the attack. There is no doubt that the impact of WannaCry could have been much smaller, or could even have been avoided, if NHS employees had been properly prepared. The lack of security awareness plays a key role in ransomware. Let's hope that now, after the severe consequences of the attack, employers will put the necessary effort into advancing employees' knowledge of cyber security. Otherwise, without advancing end-user knowledge, it is highly unlikely that security levels will improve.
Lesson 2: Healthcare Data Are Prone To Cyber Attacks
The healthcare industry is one of the biggest targets for cybercriminals. The main reason is that medical data and personal health records can be sold to medical insurance companies for a significant amount of money. In addition, stealing patients' data is relatively easy, since healthcare has been slow in adopting proper security mechanisms, especially when compared to other sectors such as banking, where customer information is also sacrosanct.
Lesson 3: Secret Services Can Be a Real Threat
In the past, we have many times seen secret services asking companies to relax their encryption policies, to install a backdoor, or even to remove encryption entirely. These requests are always dressed up as protection against terrorism. However, as we have seen from Edward Snowden's revelations, almost everything that we ever suspected about government spying is true. In addition, with regard to the recent ransomware attack, based on the currently available information, an arsenal of powerful malicious tools designed by the NSA with the main aim of infecting and controlling computers running certain versions of Windows was leaked by the Shadow Brokers hacking group. A month later, the hackers used those tools to carry out their powerful ransomware attack. While security services need the power to access everybody's computers so as to avert and investigate crime, they also have a responsibility to ensure that such technology is securely isolated so that it does not get into the wrong hands. This leak was exploited and rolled out in the form of the WannaCry ransomware attack, the consequences of which we have all seen in the news.