Risky business: defending against cyber attacks

The HSE ransomware attack shows how catastrophic a data breach can be, but there are still ways to weather the storm

The HSE’s data was encrypted by the Conti ransomware strain, disrupting health services across the country. Picture: Getty Images

“Universities and hospitals aren’t as robust as we’d like them to be,” Michael Conway, director of Renaissance, said in an interview on May 12.

“If you go into a hospital you’re likely to find there are users from all over the place working on a single computer; doctors, nurses, people who wander in and aren’t employed there full time. A lot of high-profile breaches have been in industries that aren’t as mature as others, like healthcare, in terms of their data security.”

His remarks proved prescient. One day later, the Health Service Executive (HSE) experienced what is being called the most significant cyberattack in the history of our country.

The HSE’s data was encrypted by the Conti ransomware strain, with disruption spreading throughout the country and likely to continue for some time. An organised cybercrime gang based in eastern Europe, named Wizard Spider, is believed to be responsible.

As the HSE and Department of Health take stock of the damage, and begin their recovery, organisations of every scale and in every industry should take note: the only way to emerge in one piece after a ransomware attack is to plan your recovery in advance.

Data breaches, whether the result of malicious attacks or simple user error, can and will happen, and the onus is on organisations to implement protections as well as taking steps to limit who has access to sensitive data in the first place.

“It’s the data breach we didn’t want to have. It couldn’t have happened at a worse time, and involving worse data. The impact is horrendous,” Emerald de Leeuw, global head of privacy at Logitech, said.

It’s all the more regrettable for being preventable: stories have long circulated about the HSE’s vulnerability to hackers, its outdated software and data privacy measures. Most experts agree that an attack like this was coming, sooner or later.

“This has been bubbling below the surface, but people didn’t pay attention. They tend not to, until it actually impacts them personally and directly,” Michele Neylon, chief executive of Blacknight, said.

The landscape is shifting. Hackers are no longer disgruntled teenagers breaking into organisations for kicks. They’re part of fully fledged crime gangs and nation-state campaigns, equipped with sophisticated products and even help desks to instruct their victims on how to make payments.

“If you’re using out-of-date software then you’re opening yourself up to attacks,” said Grant Caley, chief technologist at NetApp in Britain and Ireland.

“The attacks themselves are becoming financially driven, and criminally driven, rather than just amateurs trying to break into systems. They’re becoming a commercial proposition now, and if you don’t keep up with security and patching then it will absolutely happen.”

It’s tempting to think only big companies experience data breaches, or at least the kind of catastrophic data breaches that appear in the news, like the leak of data belonging to 500 million Facebook users. The truth is that no organisation is immune, regardless of its size or sector.

Last year was reported as the worst on record for data breaches, and 2021 doesn’t seem to be much better. In fact, this epidemic is difficult to track.

Niamh Hodnett, head of regulatory affairs at Three Business. Photo by Naoise Culhane

“There is an obligation, under data protection legislation, to report breaches in certain circumstances,” said Conway.

“That doesn’t mean everyone reports them. It doesn’t even mean everyone is aware of them. Still, anecdotally there’s no doubt that data breaches are up, especially high profile breaches. You don’t have to go far to find another ransomware attack, another attack on a university or health service.”

The pandemic, and the drive to work from home, has undoubtedly been a factor in creating this problem. Even before 2020, certain influences were conspiring to make protecting data harder.

Colin Gaughan, data protection specialist at Dell Technologies Ireland, said that while the number of attacks taking place is worrying, the upside is that regulations on data protection are improving, along with increased efforts to trace those who commit the crimes.

“There’s the internet of things (IoT), people working from home, different market models with people shopping online,” Gaughan said.

“The technologies to address these challenges are getting better in response, and more sophisticated. We’re developing new regulations in the area, and there’s an additional obligation on governments and regulatory bodies to have more sophisticated cyber forensics.”

This often overlooked part of recovery might actually hold the key to stopping ransomware gangs, or at least slowing them down.

“One of the things that comes with ransomware attacks is that they think they can get away with it. They’re brazen about it; up till now, it hasn’t seemed like there’s much fighting back going on.”

Another key factor in this rash of data breaches is the proliferating nature of data itself.

“The reason the numbers are so big is that the companies are big, and hold vast amounts of data,” said Joe Brady, chief information officer of Evros.

Citing widely-publicised incidents like the recent Facebook breach, and that of LinkedIn data in 2016, he said “Ten years ago it wouldn’t have been possible to have breaches on that scale, because people weren’t holding as much data as they do now. Data breaches are becoming more prevalent, likely because there’s more data being held everywhere.”

Over a year in near-global lockdown has only accelerated this process. With increases in online shopping, online communication, and the digitisation of pretty much everything that could be digitised, a vast trove of data will be part of the legacy of our plague year.

“The growth of data is exponential. Phone cameras, for instance, are so much more powerful now, and phones can store so much more. Data will continue to grow, and it’s unrealistic to think we can easily manage it,” said Conway.

“Take something like Tiktok, for example: that’s a good example of people who just click and publish videos. You see horror stories about people being photographed without their knowledge, and it just gets published without any controls. This puts the idea of a ‘data breach’ in a new context.”

In this expanding, frequently chaotic climate all data is fair game for criminals. Conway said: “Realistically there’ll always be data breaches, because it will always be worth somebody’s while.”

Niamh Hodnett, head of regulatory affairs at Three Business, said that the general data protection regulation (GDPR) remains a significant landmark for how data protection is treated in Ireland, changing it for the better, but that efforts must be maintained.

“The biggest success for companies in the run-up to GDPR coming into force in 2018 was around awareness, a good knowledge of the basic dos and don’ts of data protection,” she said.

“Where companies may be failing is in the follow up. Having done the work in 2018, it’s important to ensure all the compliance measures you put in place are still being enforced and built upon.”

Gaughan noted a common misconception in relation to data protection: an absence of attacks is no guarantee that it will continue. It’s very hard to convince a business to assign resources and time to protection against a threat they have no experience of.

“No one is safe, and there’s no real pattern to it. Typically hackers will go for the biggest potential payout, but really no company is immune,” said Gaughan. “There are no ethics to it either: healthcare, charitable organisations, anyone can be attacked.”

There is, however, a set framework for things organisations can do. “It includes data leakage protection, identity and access management, threat protection software and other measures. What isn’t standardised is how much effort a company puts into training procedures. That can vary a lot.”

For young startups and SMEs, it’s important to start as you mean to go on.

“I feel very sympathetic to the challenges new companies face,” said Gaughan. “Traditionally the model has been to get your business up and running first, get functional, go to market and then learn about the security required as you go along.

“Now if security comes after the rest of the business, you’ll really and truly be very vulnerable.”

Caley said legacy systems posed a problem for larger and older organisations, even making it difficult to install security patches.

“On the whole, it’s about process, procedures, testing and installing the required updates, but a lot of organisations don’t have the resources or staff to update them. Getting the government to provide more funding for updates is going to be a tricky question to broach.”

It’s that old dilemma: it’s almost impossible to argue for the cost of preparing for an attack until that attack happens, by which point the damage costs significantly more.

There’s been a lot of discussion about the HSE’s use of the outdated Windows 7 operating system. Support for it ended early last year, with the HSE admitting in 2019 that 79 per cent of its computers were running the software.

Emerald de Leeuw, global head of privacy at Logitech. Photo by Gerry Mooney

While the thought is jarring, there’s a valid case for sticking with tried and tested products, however outdated they are.

“The reality is that in the enterprise space you use stable and known software and hardware, you don’t go off and buy the shiny new thing,” said Neylon.

“There’s a balancing act here: obviously you can’t keep using Windows 98. You need to update, evolve and leverage with better technology. But there’s a reason they don’t use the latest products: they’re not startups spending all their money on flashy new technologies before they run out of funding.”

Rather than blaming the operating system, Neylon said that data protection, specifically, has been neglected among government bodies in general.

“A lot of it hasn’t been funded in a very long time. Information security isn’t especially sexy or headline-grabbing. It doesn’t matter what you do with it: you can’t make a firewall look interesting. It’s hard to get people excited about these things.”

The other side to a data breach is its legal fallout. Three years after the GDPR was first implemented, organisations are obliged to not only report data breaches, but to provide evidence of efforts taken to prevent and contain them.

“There’s a huge security implication but there’s also a huge implication for privacy and data protection. It’s one thing to experience a ransomware attack but you never know what’s happened to the data until there’s a full forensic investigation,” said de Leeuw.

“Getting things back up and running is part of the response, but when it comes to writing a breach report, which is obligatory under GDPR, you’ll have to explain what you did to prevent it.”

De Leeuw said that companies can’t afford to put this off. They should take a hands-on approach, reading through the regulation itself.

“I always encourage people to actually read through the GDPR. When you get into the legislation, and get to Article 5, the core of data protection is there. It lists out all the principles in clear language,” she said.

“Security is something you have to do, so it’s worth investing in. I realise that can be difficult, though, for smaller businesses in economic terms.”

For organisations looking to improve their IT security, be they in the public or private sector, and of any size, there are certain steps to take.

“Ultimately it’s not that difficult. You have to get back to basic principles. Work out what data you have, and what you are doing with it,” said Neylon. “Once you can answer that, it becomes a lot easier to manage the entire project.”

It’s easy to fall into bad habits, collecting unnecessary data and, worse, forgetting that you’ve stored it.

“Data grows over time. It builds up. But when it’s no longer relevant, it should be deleted. The less data I’m holding, the less of it there is for something to steal,” said Neylon.

“It’s the concept of data minimisation: only collect the information you need, in order to do what you need to do, and then get rid of it as quickly as you can.”

Companies that are new to selling online need to set clear rules on what their data is used for.

“If you collect contact details for the purpose of selling and delivering a product, you may not be able to use the data for other purposes, such as follow-up marketing, unless you thought to obtain the customer’s consent at the time of the sale,” said Hodnett. “Companies need to think about this before they collect the data, not after.”

Gaughan advised that you take stock of not only your data, but the applications your business uses. Do they work well together, or are they creating problems?

“It’s important to go with integrated solutions. Companies are using a range of technologies from multiple vendors to build up their security, and that can sometimes create new vulnerabilities thanks to a lack of integration,” he said. “The integration points will typically use generic sharing procedures to work together, and those can be vulnerable.”

Much of this stems from how projects are planned and funded within organisations.

“The way a lot of health services buy technology is on a per-project basis. Somebody comes along and suggests a new project, and it’s often installed in isolation to the technology around it,” said Caley.

“They end up with hundreds of thousands of islands of technology, none of which have been strategically planned, based on point funding projects at the time.” This patchwork of siloed technologies fails to work together, leading to problems later on.

“If you can’t have standardisation, and bring things in on a structured basis, you’re just going to end up with new challenges later on. There is general funding for IT operations, but the real funding for transformational IT comes on a project basis instead,” said Caley.

“That’s always been the case. A hospital, for instance, might get a grant to install the latest cancer treatment technology, from a cancer institute, and that’s great. But it reinforces an isolated approach, lacking a cohesive strategy to keep everything safe.”

It’s possible to prepare for the worst by sealing the most sensitive data inside the digital version of a fire-proof safe.

“What we’re seeing is that now, if a threat gets in, you can put yourself in a place where you can recover, and that threat won’t take down your business,” Gaughan said. Dell Technologies works with clients to establish data vaults.

“We isolate your data and make it immutable, so that it can’t be compromised. We also introduce an air gap for your most important data and run analytics in that location to scan all of your data and tell you whether it’s clean or not,” he said.

“That’s one of the highest-profile solutions we provide, and it’s quite unique in terms of cyber-recovery. It takes copies of data on a daily basis, makes sure that data isn’t penetrable through air-gapping and mutability, and runs deep analysis on the data.”

Caley advised a layered approach to securing data, balancing threat detection with similar investment in preventive security measures.

“NetApp provides software to help people identify these attacks and then recover from them quickly,” he said.

“You need to have those measures in place, along with security to stop attacks in the first place. You need to have a multi-pronged approach, to make sure the perimeter is secured but also that you know how to recover. That goes for if you’re in the cloud, or if you’re operating on-premise.”

The zero-trust model is gaining traction, with some advising that it will very soon become the standard for data protection and data privacy. As per the name, it’s a philosophy built around preventing and limiting access to data unless it’s absolutely necessary.

A business with a zero-trust security posture will base access to data on the user, their location, their permissions, the device they’re working on and maybe even the time of day and the day of the week that they’re seeking access.
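To make the zero-trust posture described above concrete, here is an added example (not code from the article or from any of the companies quoted) of a per-request access decision that weighs role, authentication strength, device posture, location and time of day. The roles, thresholds, country list and the fictional hospital policy are all assumptions constructed for the illustration.

```python
"""Context-aware access decision in the spirit of zero trust.

Hypothetical example: every request is evaluated on its own merits using the
user's role, their authentication strength, the device they are on, where
they are connecting from and when. Names, roles and thresholds are invented.
"""
from __future__ import annotations

from dataclasses import dataclass
from datetime import datetime, time

SENSITIVITY_ORDER = {"public": 0, "internal": 1, "restricted": 2}


@dataclass(frozen=True)
class AccessRequest:
    user: str
    role: str                    # role from the identity directory
    mfa_verified: bool           # second factor completed for this session
    device_managed: bool         # enrolled and compliant corporate device
    device_patch_age_days: int   # days since the device was last patched
    source_country: str          # country code of the connecting address
    requested_at: datetime
    resource_sensitivity: str    # "public", "internal" or "restricted"


@dataclass(frozen=True)
class AccessPolicy:
    roles_by_sensitivity: dict   # least privilege: which roles may touch each tier
    allowed_countries: frozenset
    max_patch_age_days: int = 30
    business_hours: tuple = (time(7, 0), time(20, 0))


def evaluate_access(req: AccessRequest, policy: AccessPolicy) -> tuple[bool, list[str]]:
    """Return (allowed, reasons). An empty reasons list means allow."""
    reasons: list[str] = []
    tier = req.resource_sensitivity
    if tier not in SENSITIVITY_ORDER:
        return False, [f"unknown sensitivity tier {tier!r}"]

    # 1. Identity and privilege: may this role touch this tier at all?
    if req.role not in policy.roles_by_sensitivity.get(tier, ()):
        reasons.append(f"role {req.role!r} not authorised for {tier} data")

    # 2. Authentication strength: anything beyond public data needs MFA.
    if SENSITIVITY_ORDER[tier] >= SENSITIVITY_ORDER["internal"] and not req.mfa_verified:
        reasons.append("multi-factor authentication required")

    # 3. Device posture: restricted data only from managed, recently patched devices.
    if tier == "restricted":
        if not req.device_managed:
            reasons.append("unmanaged device cannot access restricted data")
        elif req.device_patch_age_days > policy.max_patch_age_days:
            reasons.append(f"device unpatched for {req.device_patch_age_days} days")

    # 4. Location: connections from outside the approved countries are refused.
    if req.source_country not in policy.allowed_countries:
        reasons.append(f"connection from {req.source_country} not permitted")

    # 5. Time of day: restricted data only during business hours.
    start, end = policy.business_hours
    if tier == "restricted" and not (start <= req.requested_at.time() <= end):
        reasons.append("restricted data access outside business hours")

    return (not reasons), reasons


# Constructed policy for a fictional hospital IT environment.
HOSPITAL_POLICY = AccessPolicy(
    roles_by_sensitivity={
        "public": {"clinician", "contractor", "admin"},
        "internal": {"clinician", "contractor", "admin"},
        "restricted": {"clinician", "admin"},
    },
    allowed_countries=frozenset({"IE", "GB"}),
)


def demo_decisions() -> dict:
    """Three constructed requests; returns the (allowed, reasons) decision for each."""
    base = dict(user="dr.murphy", role="clinician", mfa_verified=True,
                device_managed=True, device_patch_age_days=5, source_country="IE",
                requested_at=datetime(2021, 5, 20, 10, 30),
                resource_sensitivity="restricted")
    on_ward = AccessRequest(**base)
    home_laptop = AccessRequest(**{**base, "device_managed": False,
                                   "requested_at": datetime(2021, 5, 20, 23, 15)})
    contractor = AccessRequest(**{**base, "user": "temp.vendor", "role": "contractor",
                                  "mfa_verified": False})
    return {
        "on_ward": evaluate_access(on_ward, HOSPITAL_POLICY),
        "home_laptop": evaluate_access(home_laptop, HOSPITAL_POLICY),
        "contractor": evaluate_access(contractor, HOSPITAL_POLICY),
    }


if __name__ == "__main__":
    for name, (allowed, reasons) in demo_decisions().items():
        print(name, "ALLOW" if allowed else "DENY", reasons)
```

The point of returning every failed check rather than stopping at the first is that the same evaluation feeds both the decision and the audit trail: a denied clinician on a home laptop at night is logged with both reasons, which is what a security operations team needs to tell a misconfigured device from an account being misused.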

Michael Conway, director of Renaissance

“Zero-trust is the name of the game. It’s not a theoretical model anymore. It’s about multi-factor authentication, looking at each connection and each user every time, and constant re-evaluation of the user and their rights,” said Brady.

“It’s starting to be supported by more and more devices. They’re starting to have capabilities that tie into that model.”

Whether or not you choose zero-trust, identities and permissions should be a key focus in your plan for data protection and data privacy.

“Identity is at the foundation of all the measures you can take to protect data,” said Conway. “Identity underlines everything: zero trust, authentication, passwords and everything else. It’s all about proving that the person coming in to do something is the right person, with the right privileges and the right access. No one has access unless they need access, and have trustworthy credentials.”

Balance is important: the strictest, most effort-intensive security posture might not actually suit every business. De Leeuw said companies need to assess the data they’re protecting, first, its sensitivity and the level of risk, before spending money on ways to protect it.

“It depends. You need to look at the type of business you have, and the type of data you have, and install controls proportionate to that. If you’re a medical company with medical records, and lots of people engaging with that data, then you’ll need to do more than if you’re just holding onto names and email addresses,” she said.

“Also how much money do you have? Your spending should be proportionate to the sensitivity of your data, as well as how much of it you have.” Covering the basics is critical, not only online, but in everyday life.

“The most important thing in relation to a good data privacy policy is to ensure that it is a living policy and is being applied in practice, rather than gathering dust on a shelf,” Hodnett said.

“Basic errors like misaddressing envelopes or missing a letter from an email address can account for a lot of the more minor data breaches. At the other end of the scale, there is the risk of an employee clicking on a malicious link.”

There are still reasons to be optimistic. If you’ve been following a solid security policy already, and have yet to experience a data breach, then take the attitude of keeping up the good work and evolving to protect yourself against increasingly sophisticated threats.

“If you follow good practices, it’s not inevitable. There’s always this line repeated ‘it’s not if you get breached, it’s when you get breached’, but often you can track breaches back to things that could have been solved with good security hygiene,” said Brady.

This includes phishing, dubious web links, social engineering and misconfiguration.

“We see Amazon storage buckets with no security on them that anyone can break into. While AWS have changed some of the default controls to make it easier for people to keep data safe, at the end of the day the responsibility rests with whoever put the data there to manage it, and to protect it.”
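The open storage bucket Brady describes is detectable from configuration alone. The following is an added example, not code from the article or from Evros, of an offline audit that reads a bucket's policy, ACL grants and Block Public Access settings and reports what is reachable by anyone. The two bucket descriptions are constructed, the function names are my own, and the scoping-condition list is an assumption about which condition keys meaningfully limit a `"*"` principal; the ACL group URIs and the four Block Public Access setting names are the real ones.

```python
"""Audit a bucket's effective public exposure from its policy, ACL and
Block Public Access settings. Added example with constructed inputs."""

PUBLIC_ACL_GROUPS = {
    "http://acs.amazonaws.com/groups/global/AllUsers",
    "http://acs.amazonaws.com/groups/global/AuthenticatedUsers",
}
# Assumption: condition keys that keep a "*" principal from meaning "anyone".
SCOPING_CONDITION_KEYS = {"aws:SourceVpc", "aws:SourceVpce", "aws:SourceIp",
                          "aws:PrincipalOrgID", "aws:PrincipalAccount"}


def _as_list(value):
    return value if isinstance(value, list) else [value]


def _principal_is_anyone(principal) -> bool:
    if principal == "*":
        return True
    if isinstance(principal, dict):
        return "*" in _as_list(principal.get("AWS", []))
    return False


def _condition_scopes_access(condition) -> bool:
    """True if any condition operator references a key that limits the caller."""
    if not condition:
        return False
    return any(key in SCOPING_CONDITION_KEYS
               for operator_map in condition.values() for key in operator_map)


def public_policy_statements(policy: dict) -> list:
    """Allow statements for any principal that carry no scoping condition."""
    findings = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        if not _principal_is_anyone(stmt.get("Principal")):
            continue
        if _condition_scopes_access(stmt.get("Condition")):
            continue
        actions = ", ".join(_as_list(stmt.get("Action", [])))
        findings.append(f"policy statement {stmt.get('Sid', '<no Sid>')} grants {actions} to anyone")
    return findings


def public_acl_grants(grants: list) -> list:
    findings = []
    for grant in grants:
        grantee = grant.get("Grantee", {})
        if grantee.get("Type") == "Group" and grantee.get("URI") in PUBLIC_ACL_GROUPS:
            group = grantee["URI"].rsplit("/", 1)[-1]
            findings.append(f"ACL grants {grant.get('Permission')} to {group}")
    return findings


def audit_bucket(bucket: dict) -> list:
    """Findings for one bucket description; an empty list means not publicly exposed.

    Block Public Access is applied the way S3 documents it: IgnorePublicAcls
    neutralises existing public ACL grants and RestrictPublicBuckets neutralises
    an existing public policy. BlockPublicAcls and BlockPublicPolicy only stop
    new public settings being written, so they do not change the result here."""
    bpa = bucket.get("PublicAccessBlock", {})
    findings = []
    if not bpa.get("IgnorePublicAcls", False):
        findings += public_acl_grants(bucket.get("AclGrants", []))
    if not bpa.get("RestrictPublicBuckets", False):
        findings += public_policy_statements(bucket.get("Policy", {}))
    return findings


# Constructed bucket descriptions: a legacy bucket left world-readable, and the
# same data store after it has been locked down.
SAMPLE_BUCKETS = {
    "legacy-exports": {
        "Policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "PublicRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::legacy-exports/*"}]},
        "AclGrants": [{"Grantee": {"Type": "Group",
                                   "URI": "http://acs.amazonaws.com/groups/global/AllUsers"},
                       "Permission": "READ"}],
        "PublicAccessBlock": {"BlockPublicAcls": False, "IgnorePublicAcls": False,
                              "BlockPublicPolicy": False, "RestrictPublicBuckets": False},
    },
    "hardened-exports": {
        "Policy": {"Version": "2012-10-17", "Statement": [
            {"Sid": "VpcOnlyRead", "Effect": "Allow", "Principal": "*",
             "Action": "s3:GetObject", "Resource": "arn:aws:s3:::hardened-exports/*",
             "Condition": {"StringEquals": {"aws:SourceVpce": "vpce-PLACEHOLDER"}}}]},
        "AclGrants": [{"Grantee": {"Type": "CanonicalUser", "ID": "OWNER-ID-PLACEHOLDER"},
                       "Permission": "FULL_CONTROL"}],
        "PublicAccessBlock": {"BlockPublicAcls": True, "IgnorePublicAcls": True,
                              "BlockPublicPolicy": True, "RestrictPublicBuckets": True},
    },
}


def audit_all(buckets=SAMPLE_BUCKETS) -> dict:
    return {name: audit_bucket(desc) for name, desc in buckets.items()}


if __name__ == "__main__":
    for name, findings in audit_all().items():
        print(name, findings or "no public exposure")
```

Run periodically over every bucket description an account exposes, this turns Brady's "whoever put the data there" responsibility into a check that fails loudly; the hardened sample shows the two controls that matter in practice, a scoped policy and Block Public Access switched on at the account or bucket level.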

Ultimately, protecting one’s data seems to rely most of all on knowing oneself, vulnerabilities and all. This is why staff training is the final, and most important piece of the puzzle.

“You’re not going to get it right all the time. Add humans to the equation and you’re always going to have problems. But you can avoid the really silly ones through practice,” said Neylon.

The long, hard recovery from ransomware

The Conti ransomware gang first surfaced in 2019. Its eponymous product is human-operated, rather than automated, and commits double extortion: it demands one ransom to decrypt the data it has encrypted, and another later by threatening to publish whatever data it was able to take.

Ransomware creates a loss of control of your data, meaning that it constitutes a data breach.

“Typically the most prevalent attacks now are silent,” said Colin Gaughan, data protection specialist at Dell Technologies Ireland.

“Your data is infected day by day without you knowing. It builds up, then the attackers launch the payload and request the ransom. But before that, they’ll see how far they can go.”

Keeping this in mind, one of the best things you can do to prepare is to make frequent and thorough backups. Dell Technologies’ software is able to isolate the precise point in time when the hackers gained entry, and restore from before that point.

“We can tell you where the clean copies are and, crucially, when they date from. We can catch the infection earlier. The analysis will also look for the cause of the infection, which is typically hard to find,” said Gaughan.

“The first thing you have to do, if a threat has occurred, is roll things back and find out when it got in. We can identify when the threat took place, and they can learn how and what to recover and move past the attack far faster.”

Joe Brady, chief information officer of Evros, said the HSE attack bore all the hallmarks of double extortion.

“It gives criminals extra leverage to ask for another ransom, or they’ll publish your data online. The fact that the HSE did not engage and didn’t immediately pay up also led to them being hit with an additional DDoS [distributed denial of service] attack, to up the ante. That’s something we see a lot; it’s the go-to for criminals when their victims refuse to cooperate.”

The attack is protracted. Data can leak instantly or take months, even years to surface on the dark web, which makes recovery all the more complicated.

“Chances are a certain amount of data has been exfiltrated. That doesn’t mean it’s sensitive data, and it doesn’t mean patient records are going to leak,” said Brady.

Criminals will often leak a sample of what they’ve taken, to show they mean business. “I wouldn’t be surprised to see proof of evidence published online sometime in the next while. Often it’s the act of exfiltration, rather than the encryption, that triggers a response.”

Brady made the comments mere days before the government confirmed such a leak had occurred.

Covid-19’s legacy, and the next security challenge

Studies suggest that workers have settled into working from home. One survey, led by NUI Galway and the Western Development Commission, and published in May, suggested that 95 per cent of Irish workers would prefer to keep up some form of working from home, at least several times a week. This poses a challenge to data protection.

“The requirement for an IT department isn’t going anywhere. In terms of how this affects security, it changed the way people work. More and more we’re seeing people working on their home laptops, then their children using the same device to watch cartoons. This introduces risks,” said Joe Brady, chief information officer at Evros.

“You need to maintain that separation. We’re seeing the emergence of zero-trust, evaluating the security of the device and the connection, every time they sign in. Companies are increasingly looking at their employees’ home networks and checking them for security.”

This requires a fundamentally different approach to securing your data: “It’s almost like having as many remote offices as you have users. You need to worry about securing all of them.”

Most experts agree that, out of necessity, far more than a year’s worth of digital transformation took place in 2020.

“The pandemic has been one of the greatest transformation projects known to man,” said Michael Conway, director of Renaissance.

“They’re catering for a larger number of remote workers. It’s going to change the configuration of work.” Much of this, though, should have been happening already: “It brought forward things people were already planning. Digital transformation comes with challenges and issues, but if you don’t address them you’re going nowhere anyway.”