Are Your Endpoints Really Secure? Lessons from the WannaCry Attack on NHS

table of contents

It has been a little over a year since WannaCry wreaked havoc on the internet in May 2017. One of the organizations that was heavily affected by this malware attack was the National Health Service (NHS), UK. Last week, the NHS came out with a report that pinned the total cost of the damage and subsequent IT expenses at £92 million ($120 million).

Cyber attacks have become a regular affair across the world, but what stood out in this case, was the scale of the attack. WannaCry infected 200,000 computers by locking out users and displaying a demand for a Bitcoin ransom. The virus also caused over 19,000 appointments to be cancelled over a period of one week as it spread across 45 NHS organizations including 37 trusts, affecting a total of 603 primary care centers.

Why WannaCry Succeeded Beyond Measure

WannaCry infected personal computers by exploiting the Windows implementation of the Server Message Block (SMB) protocol. Ironically, this vulnerability was reported to be first discovered by the U.S. National Security Agency, who developed a code called EternalBlue to exploit it. Unfortunately, this code was stolen and used by hackers to create WannaCry.

Though Microsoft had released a patch to prevent WannaCry-like attacks in March 2017, many systems remained unpatched when the outbreak took place in May. The patch was also exclusively available to the versions of Windows that Microsoft supported. Systems running on Windows XP were left completely excluded.

The NHS Digital had issued a warning to all organizations to patch their systems against WannaCry, but there weren’t any compliance mechanisms in place to verify if systems were patched. This resulted in a widespread infection, causing a major financial setback to the NHS and disruption of several critical healthcare services.

Lessons to Be Learned from the NHS-WannaCry attack

When we look back today, it is easy to draw the conclusion that an outbreak like WannaCry could have been avoided if all the NHS organizations had complied with the recommended upgrades and patches. However, this would be a very simplistic way to assess the entire WannaCry episode. Here’s why.

1. Operating System Vulnerabilities

Self-spreading malware like WannaCry succeeds because of vulnerabilities in operating systems. The ground reality is that many organizations still run their endpoint on Windows XP, which Microsoft no longer supports. This holds true for special purpose systems like banking ATMs, Point of Sale (POS) systems at retail outlets, airport check-in counters, etc. Upgradation to a new OS is a huge capital and operational expense, which is why most organizations settle for traditional antivirus protection.

2. Software Patch Management

Vulnerabilities in the OS are not always discovered by OEMs in time. Even if they are, creating a patch, testing, and deploying it could take months and sometimes even years. As attacks have been increasing in frequency and sophistication, waiting for patches is simply not practical for large enterprises. In the case of WannaCry, the Windows patch was released two months before the NHS was attacked. However, lack of network visibility and absence of strict compliance requirements meant that the malware could spread unchecked at a great speed.

3. Reactive Security

When it comes to endpoint security, antivirus/anti-malware is pitted as the optimum protection that your computer needs. However, signature-based antivirus software relies on the ‘known bad ‘ (signatures or behaviors) and is not capable of preventing unknown threats or zero-day attacks. Organizations need to shift from reactive security solutions and start taking a proactive approach to securing their network and endpoints. It is also important to note that any change in the security posture is going to take time – a situation which hackers use to their advantage.

How to Secure Endpoints Against Sophisticated Threats

Vulnerable endpoints are soft targets for hackers to not only disrupt network communications but also to move laterally and gain access to sensitive data that is spread across different servers. Like the WannaCry attack on NHS demonstrates, waiting for patches and depending on traditional antivirus software is not a reliable strategy anymore. Enterprises need to switch to a proactive security approach.

4 Aspects to Look for When Choosing a Proactive Endpoint Security Solution

  1. An effective security solution should have a signature-less approach that works at the kernel level to detect, alert, and prevent unauthorized processes running on end-points and critical servers.
  2. Network security operators should also be able to get full visibility and control of the processes to effectively lock-down and protect your systems – even those running on unpatched legacy systems like Windows XP.
  3. The security solution should be light enough to run without slowing down the primary system functions and be completely invisible to the end user. This will reduce any additional cost incurred in teaching cyber hygiene to your employees.
  4. It should grant complete process control while ensuring that only the known, whitelisted processes run, therefore eliminating the need for disparate anti-virus tools, signature updates, patch management software, and SIEM products.

See how ColorTokens can help proactively protect your company’s endpoints from cyber threats.