WannaCry no more
Andy Norton, Risk Officer, EMEA, at SentinelOne, explains how we can protect HE from similar NHS cyber attacks
Unless you’ve been completely disconnected from the digital world over the past few weeks, you know all about the WannaCryptor 2.0 (WannaCry) ransomware attack which crippled the NHS and infected more than 200,000 computers worldwide. Once the computers were infected and their data encrypted, hackers began demanding $300 worth of Bitcoin in ransom. The ransomware, which leveraged the EternalBlue exploit leaked by the hacking group Shadow Brokers, exploited a vulnerability in Microsoft which, incidentally, released a patch to fix it in March 2017. However, organisations don’t always install updates and patches, leaving their systems vulnerable to attack.
The question is, how can we ensure the higher education sector is protected from similar attacks?
The educational perspective
By nature, universities are very liberal in their security implementation; with lots of collaborative research taking place, there is much more freedom of movement between network and department IT systems. Different research groups need varied access and permissions, with file sharing a common practice. Whilst this is all good for research, it can also be a university’s Achilles heel when it comes to a ransomware attack such as WannaCry.
Universities are no strangers to ransomware attacks, as evidenced in a SentinelOne Freedom of Information study; results showed that 63% of universities had been targeted by ransomware, of which 56% were attacked multiple times. This just goes to show how universities are seen as potentially lucrative targets, thanks to the wealth of data they hold on staff, students and research IP. Herein lies part of the problem.
63% of universities have been targeted by ransomware, of which 56% were attacked multiple times
Applying patches in a timely manner is tricky, especially in an environment which has many interconnections between systems. Whilst applying a patch ASAP is good security practice, what would happen if the process of updating conflicts with production and affects ongoing research experiments? How would this affect a student’s thesis? This is how the vulnerabilities creep in.
What can be done?
It’s interesting to note that all of the universities questioned in the FOI study had some sort of antivirus solution in place. But so did most of the NHS Trusts questioned in a similar study – some of which were victims of WannaCry. These results highlight the fact that traditional AV technology is powerless to halt virulent, mutating forms of ransomware and that the defensive approach of protection based on existing knowledge of an attack is increasingly futile.
Regular backups are key when it comes to ransomware defence, allowing a university to either recover or rollback the data to an earlier version. However, if a university is hit multiple times in a year and the average remediation time is 33 hours, restoring backups can be very time intensive.
It’s also important to educate staff in good cyber security practices. Educating the workforce by informing them of the risks and vulnerabilities, and teaching them about situational awareness can go a long way to improving an organisation’s defences. For example, whilst the WannaCry attack didn’t use phishing as a delivery method, internal phishing drills could point out areas of the organisation most at risk, and highlight those employees most likely to click the link as well as making employees more aware of suspicious emails.
It’s likely that we haven’t seen the last of WannaCry and with Shadow Brokers promising another data dump in June, the world should be prepared for similar attacks. However, investing in next-generation protection – based on machine learning, artificial intelligence and threat behaviour recognition – combined with timely patch updates and an effective backup system, means that universities can be protected from the malicious actors seeking to leave destruction and devastation in their paths.