Penetration tests could have spared NHS from WannaCry

NHS Digital has announced a £20 million project to improve data security across the service. The Security Operations Centre will provide:

  • A monitoring service which analyses intelligence from multiple sources and shares guidance, advice and threat intelligence with health care organisations;
  • On-site data security assessments for NHS organisations;
  • Specialist support for NHS organisations that think they have been affected by a cyber security incident; and
  • Ongoing monitoring of NHS Digital national systems and services.

The announcement of this project comes weeks after a National Audit Office report on the NHS’s preparation for and response to WannaCry, which confirmed what most people already assumed: NHS staff were ill-equipped to deal with a cyber attack and didn’t understand the service’s network and system vulnerabilities.

In other words, a devastating cyber attack was only a matter of time. WannaCry wasn’t a sophisticated attack but it still wreaked havoc, infecting at least 81 NHS trusts, locking computers at 600 GP practices, causing 19,000 appointments to be cancelled and forcing five hospitals to divert ambulances elsewhere.

The NHS’s investment in cyber security has been long awaited, but it’s ironic that WannaCry was the trigger, because the damage could have been prevented by simply patching Windows 7 or securing firewalls. These are both low-cost and essential security practices that would have come to light in a penetration test.

How do penetration tests help?

Penetration testing is essentially a controlled form of hacking in which a professional penetration tester, working on behalf of an organisation, uses the same techniques as a criminal hacker to search for vulnerabilities in the company’s networks or applications.

Different kinds of penetration test identify different flaws. In this case, the NHS should have conducted a network penetration test. The objective of network penetration testing is to identify security vulnerabilities in the way organisations connect to the Internet and other external systems, including servers, hosts, devices and network services.

If an organisation’s interfaces aren’t designed correctly, criminals will be able to enter the network and perform malicious activities. They are able to exploit:

  • Unpatched operating systems, applications and server management systems;
  • Misconfigured software, firewalls and operating systems; and
  • Unused or insecure network protocols.

If the network penetration test identifies any of these problems, organisations can fix the issues relatively simply – whether that’s installing the appropriate patches, reconfiguring the software, firewall or operating system, or putting in place a more secure network protocol.

A penetration test would have identified the unpatched vulnerability in Microsoft’s Server Message Block (SMB) protocol, which is what WannaCry exploited to spread so rampantly. Microsoft patched SMB in March, two months before WannaCry was unleashed, and any organisation that applied the patch was protected from the attack.

Timing is therefore crucial: if you don’t conduct penetration tests regularly, vulnerabilities will accrue and leave you exposed for long periods of time. The cyber security landscape is continually changing, so we recommend conducting tests at least every three months, or whenever organisations:

  • Apply security patches;
  • Make significant changes to the infrastructure or network;
  • Add new infrastructure or web applications; or
  • Move office or expand their premises.

NHS trusts would have needed a bit of luck for the routine penetration test to occur between the patch being released and WannaCry being launched, but the odds would’ve been in their favour. Nonetheless, a test would have identified the need to secure firewalls, which would also have prevented the attack.
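As an added illustration that is not part of the original post, the read-only PowerShell checks below cover the three controls discussed above (SMB patching, legacy SMBv1 and host firewall exposure of SMB) on a single Windows host; they assume Windows 8 / Server 2012 or later in an elevated session, and the KB number is a placeholder to be replaced with the March SMB update for the host’s OS build.

```powershell
# Added example, not code from the original post. Read-only checks a trust's Windows
# administrators could run to confirm the controls the article names. Assumes
# Windows 8 / Server 2012 or later (SmbShare and NetSecurity modules present) and
# an elevated PowerShell session.

# Placeholder: fill in the KB number of the March SMB security update for this OS build.
$SmbPatchKb = 'KB0000000'

$findings = [ordered]@{}

# 1. Legacy SMBv1 is the protocol version the worm abused; it should be disabled.
$smbCfg = Get-SmbServerConfiguration
$findings['SMB1Enabled'] = [bool]$smbCfg.EnableSMB1Protocol

# 2. Is the vendor patch actually installed on this host?
$hotfix = Get-HotFix -Id $SmbPatchKb -ErrorAction SilentlyContinue
$findings['SmbPatchInstalled'] = ($null -ne $hotfix)

# 3. Host firewall: which profiles are switched off, which allow inbound traffic by
#    default, and which enabled inbound rules allow TCP 445 (SMB) from the network.
$profiles = Get-NetFirewallProfile
$findings['FirewallProfilesOff'] = @($profiles | Where-Object { -not $_.Enabled } | ForEach-Object Name)
$findings['ProfilesAllowingInboundByDefault'] = @($profiles |
    Where-Object { $_.DefaultInboundAction -eq 'Allow' } | ForEach-Object Name)

$smbAllowRules = Get-NetFirewallRule -Direction Inbound -Enabled True -Action Allow |
    Where-Object {
        $pf = $_ | Get-NetFirewallPortFilter
        $ports = @($pf.LocalPort)
        $pf.Protocol -eq 'TCP' -and ($ports -contains '445' -or $ports -contains 'Any')
    }
$findings['InboundRulesAllowingTcp445'] = @($smbAllowRules | ForEach-Object DisplayName)

# 4. Summarise: any true value or non-empty list is a remediation item for the trust,
#    and exactly the kind of finding a network penetration test would report.
[pscustomobject]$findings | Format-List
```

Run the script on a sample of hosts before and after applying patches or firewall changes to confirm the remediation actually took effect.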

You’re responsible for your own security

The Security Operations Centre will provide NHS trusts with some much-needed advice, but the service is clear that trusts will still be responsible for “keeping the information they hold secure, and for having arrangements in place to respond to an incident or emergency, including a cyber attack”.

This means individual trusts are responsible for applying patches, securing firewalls and conducting penetration tests, and against the backdrop of WannaCry, all NHS trusts should make these a top priority. As well as identifying potentially crippling vulnerabilities, penetration tests will also help cyber security personnel rank and rate vulnerabilities, which will guide them on how best to invest their limited resources.

Trusts will also have to take responsibility for the security of their supply chain, as vendors can introduce vulnerabilities. As a result, they will almost certainly keep a close eye on their industry partners, looking for demonstrable proof that vendors take cyber security seriously.

We offer a variety of penetration testing services, but if you’re unsure of your requirements or have complex needs, please get in touch. Our Technical Services team will answer your questions over the phone or in an on-site meeting.

Book a penetration test before 22 December 2017 and save 10%.