DOCSLIB.ORG

Technical Report RHUL–ISG–2020–5 22 June 2020

Total Page:16

File Type:pdf, Size:1020Kb

Download full-text PDF Read full-text
Technical Report RHUL–ISG–2020–5 22 June 2020 The WannaCry Attack: An Evaluation of Centrally Mandated Information Governance for the English NHS and Local Government Tony Leary Technical Report RHUL–ISG–2020–5 22 June 2020 Information Security Group Royal Holloway University of London Egham, Surrey, TW20 0EX United Kingdom Student Number: 100886647 Anthony Leary THE WANNACRY ATTACK: AN EVALUATION OF CENTRALLY MANDATED INFORMATION GOVERNANCE FOR THE ENGLISH NHS AND LOCAL GOVERNMENT Supervisor: Geraint Price Submitted as part of the requirements for the award of the MSc in Information Security at Royal Holloway, University of London. I declare that this assignment is all my own work and that I have acknowledged all quotations from published or unpublished work of other people. I also declare that I have read the statements on plagiarism in Section 1 of the Regulations Governing Examination and Assessment Offences, and in accordance with these regulations I submit this project report as my own work. Signature: Date: 21st August 2019 Information Security Group Royal Holloway University of London Egham, Surrey, TW20 0EX United Kingdom i Page Intentionally Left Blank ii Keywords NHS, WannaCry, Ransomware, Security Management, Local Government, Local Authorities, Health and Social Care Information Centre, HSCIC, NHS Digital, information governance, cyber security, malware, information security. iii Acknowledgements I would like to express my gratitude to my course advisor, Prof. Peter Komisarczuk, and my project supervisor, Dr Geraint Price, for their guidance. And a huge thank you to Sara, my wife, and to my children, Danny and Erin. Their support and understanding over the last two years allowed me to focus, not only on this project, but the whole MSc programme. iv Table of Contents Keywords .................................................................................................................... iii Acknowledgements ..................................................................................................... iv Table of Contents ......................................................................................................... v List of Figures ............................................................................................................ vii List of Tables............................................................................................................. viii List of Abbreviations................................................................................................... ix Executive Summary ..................................................................................................... x Chapter 1: Introduction ...................................................................................... 1 1.1 Context ................................................................................................................ 1 1.2 Objectives ........................................................................................................... 1 1.3 Structure Of The Remainder Of This Dissertation ............................................. 2 Chapter 2: Background ....................................................................................... 5 2.1 Approach............................................................................................................. 5 2.2 What Is Ransomware? ........................................................................................ 5 2.3 The WannaCry Attack ...................................................................................... 12 2.4 The NHS in England ......................................................................................... 18 2.5 English Local Government ............................................................................... 19 2.6 NAO report: “Investigation: WannaCry cyber-attack and the NHS” ............... 20 2.7 NHS report: “Lessons learned review of the WannaCry ransomware attack” . 22 2.8 UK Parliament report: “Cyber-attack on the NHS” ......................................... 23 2.9 Summary ........................................................................................................... 23 Chapter 3: Governance Analysis ...................................................................... 25 3.1 Approach........................................................................................................... 25 3.2 ISO/IEC 27001:2013 Annex A controls ........................................................... 25 3.3 Cyber Essentials................................................................................................ 27 3.4 WannaCry: Security Control Failures .............................................................. 27 3.5 NHS England Security Controls ....................................................................... 29 3.6 English Local Government Security Controls .................................................. 32 3.7 Summary ........................................................................................................... 34 Chapter 4: Data Discovery Methodology ........................................................ 35 v 4.1 Approach ........................................................................................................... 35 4.2 Information Commissioner’s Office Data ........................................................ 35 4.3 Organisational Breach Reporting: NHS England ............................................. 37 4.4 Organisational Breach Reporting: Local Government ..................................... 39 4.5 Summary ........................................................................................................... 44 Chapter 5: Data Analysis................................................................................... 47 5.1 Approach ........................................................................................................... 47 5.2 ICO Complaint Data ......................................................................................... 47 5.3 ICO Civil Monetary Penalty (CMP) Data ........................................................ 53 5.4 ICO Security Incident Trends April 2016 to Sept. 2018 .................................. 56 5.5 Summary ........................................................................................................... 58 Chapter 6: Conclusions...................................................................................... 59 6.1 Governance Weaknesses ................................................................................... 59 6.2 Vulnerability Reporting .................................................................................... 60 6.3 Security Data Reporting .................................................................................... 60 6.4 Limitations ........................................................................................................ 61 6.5 Recommendations ............................................................................................. 61 Bibliography ............................................................................................................. 63 Appendices ................................................................................................................ 78 Appendix A Project Analysis of ICO Complaint Data .............................................. 79 Appendix B Project Evaluation of ICO Civil Monetary Penalty Data ...................... 82 Appendix C Project Evaluation of ICO Security Incident Data ................................. 86 vi List of Figures Figure 1 Google search term trends: malware & ransomware 2004 to 2018 [11] ....... 6 Figure 2 Kaspersky ransomware detection trends [37]–[39] ..................................... 11 Figure 3 NHS England structure [71, pp. 2–3], [73] .................................................. 18 Figure 4 English LA funding and relationships [3], [71, p. 3], [74] .......................... 20 Figure 5 Frequency of Annex A control sets in Table 16: ICO CMP NHS data ....... 54 Figure 6 Frequency of Annex A control sets in Table 17: ICO CMP LA data.......... 54 Figure 7 ICO incident data NHS 2016/17 and 2017/18 ............................................. 57 Figure 8 ICO security incident data for LAs 2016/17 and 2017/18 ........................... 57 vii List of Tables Table 1 CVSS 3.0 severity scale from [58, Sec. 5] .................................................... 14 Table 2 CVSS 3.0 metrics and values, based on [58, Secs 6 and 8.4] ....................... 15 Table 3 ISO 27001 Annex A summary, from [7, pp. 10–22] .................................... 26 Table 4 Project evaluation of WannaCry root causes using ISO 27001 [7] .............. 28 Table 5 Project evaluation of WannaCry root causes and IGT v.14 [90] .................. 30 Table 6 Project evaluation of WannaCry root causes and DSPT v1.9.6 [83] ............ 32 Table 7 Project evaluation of WannaCry control failures and PSN V1.31 [97] ........ 33 Table 8 Project analysis of ICO complaint reporting fields ....................................... 48 Table 9 Project summary of ICO data sets ................................................................. 49 Table 10 Project evaluation of ICO case outcome applicability ................................ 50 Table 11 Project evaluation of ICO complaint nature and CIA applicability ............ 51 Table 12 Project analysis of ICO complaints relating to security failures ................. 52 Table 13 Project analysis of ICO
Load more

Recommended publications
  • Reporting, and General Mentions Seem to Be in Decline
    CYBER THREAT ANALYSIS Return to Normalcy: False Flags and the Decline of International Hacktivism By Insikt Group® CTA-2019-0821 CYBER THREAT ANALYSIS Groups with the trappings of hacktivism have recently dumped Russian and Iranian state security organization records online, although neither have proclaimed themselves to be hacktivists. In addition, hacktivism has taken a back seat in news reporting, and general mentions seem to be in decline. Insikt Group utilized the Recorded FutureⓇ Platform and reports of historical hacktivism events to analyze the shifting targets and players in the hacktivism space. The target audience of this research includes security practitioners whose enterprises may be targets for hacktivism. Executive Summary Hacktivism often brings to mind a loose collective of individuals globally that band together to achieve a common goal. However, Insikt Group research demonstrates that this is a misleading assumption; the hacktivist landscape has consistently included actors reacting to regional events, and has also involved states operating under the guise of hacktivism to achieve geopolitical goals. In the last 10 years, the number of large-scale, international hacking operations most commonly associated with hacktivism has risen astronomically, only to fall off just as dramatically after 2015 and 2016. This constitutes a return to normalcy, in which hacktivist groups are usually small sets of regional actors targeting specific organizations to protest regional events, or nation-state groups operating under the guise of hacktivism. Attack vectors used by hacktivist groups have remained largely consistent from 2010 to 2019, and tooling has assisted actors to conduct larger-scale attacks. However, company defenses have also become significantly better in the last decade, which has likely contributed to the decline in successful hacktivist operations.
    [Show full text]
  • Ethical Hacking
    Ethical Hacking Alana Maurushat University of Ottawa Press ETHICAL HACKING ETHICAL HACKING Alana Maurushat University of Ottawa Press 2019 The University of Ottawa Press (UOP) is proud to be the oldest of the francophone university presses in Canada and the only bilingual university publisher in North America. Since 1936, UOP has been “enriching intellectual and cultural discourse” by producing peer-reviewed and award-winning books in the humanities and social sciences, in French or in English. Library and Archives Canada Cataloguing in Publication Title: Ethical hacking / Alana Maurushat. Names: Maurushat, Alana, author. Description: Includes bibliographical references. Identifiers: Canadiana (print) 20190087447 | Canadiana (ebook) 2019008748X | ISBN 9780776627915 (softcover) | ISBN 9780776627922 (PDF) | ISBN 9780776627939 (EPUB) | ISBN 9780776627946 (Kindle) Subjects: LCSH: Hacking—Moral and ethical aspects—Case studies. | LCGFT: Case studies. Classification: LCC HV6773 .M38 2019 | DDC 364.16/8—dc23 Legal Deposit: First Quarter 2019 Library and Archives Canada © Alana Maurushat, 2019, under Creative Commons License Attribution— NonCommercial-ShareAlike 4.0 International (CC BY-NC-SA 4.0) https://creativecommons.org/licenses/by-nc-sa/4.0/ Printed and bound in Canada by Gauvin Press Copy editing Robbie McCaw Proofreading Robert Ferguson Typesetting CS Cover design Édiscript enr. and Elizabeth Schwaiger Cover image Fragmented Memory by Phillip David Stearns, n.d., Personal Data, Software, Jacquard Woven Cotton. Image © Phillip David Stearns, reproduced with kind permission from the artist. The University of Ottawa Press gratefully acknowledges the support extended to its publishing list by Canadian Heritage through the Canada Book Fund, by the Canada Council for the Arts, by the Ontario Arts Council, by the Federation for the Humanities and Social Sciences through the Awards to Scholarly Publications Program, and by the University of Ottawa.
    [Show full text]
  • Introduction
    Introduction Toward a Radical Criminology of Hackers In the expansive Rio Hotel and Casino in Las Vegas, I stood in line for around an hour and a half to pay for my badge for admittance into DEF CON 21, one of the largest hacker conventions in the world. The wad of cash in my hand felt heavier than it should have as I approached the badge vendor. DEF CON is an extravagant affair and attendees pay for it (though, from my own readings, the conference administrators work to keep the costs reduced). The line slowly trickled down the ramp into the hotel con- vention area where the badge booths were arranged. As I laid eyes on the convention, my jaw dropped. It was packed. Attendees were already mov- ing hurriedly throughout the place, engaged in energetic conversations. Black t- shirts— a kind of hacker uniform— were everywhere. Las Vegas- and gambling- themed décor lined the walls and floors. Already, I could see a line forming at the DEF CON merchandise booth. Miles, a hacker I had gotten to know throughout my research, mentioned that if I wanted some of the “swag” or “loot” (the conference merchandise), I should go ahead and get in line, a potential three- to four-hour wait. Seemingly, everyone wanted to purchase merchandise to provide some evidence they were in attendance. Wait too long and the loot runs out. After winding through the serpentine line of conference attendees wait- ing for admittance, I approached the badge vendors and (dearly) departed with almost $200. Stepping into the convention area, I felt that loss in the pit of my stomach.
    [Show full text]
  • Significant Cyber Incidents Since 2006 This List Is a Work in Progress That We Update As New Incidents Come to Light. If You
    Significant Cyber Incidents Since 2006 This list is a work in progress that we update as new incidents come to light. If you have suggestions for additions, send them to [email protected]. Significance is in the eye of the beholder, but we focus on cyber-attacks on government agencies, defense and high tech companies, or economic crimes with losses of more than a million dollars. July 2020. Canada, the UK, and the U.S. announced that hackers associated with Russian intelligence had attempted to steal information related to COVID-19 vaccine development July 2020. The UK announced that it believed Russia had attempted to interfere in its 2019 general election by stealing and leaking documents related to the UK-US Free Trade Agreement July 2020. Media reports say a 2018 Presidential finding authorized the CIA to cyber operations against Iran, North Korea, Russia, and China. The operations included disruption and public leaking of information. July 2020. President Trump confirmed that he directly authorized a 2019 operation by US Cyber Command taking the Russian Internet Research Agency offline. June 2020. Uyghur and Tibetan mobile users were targeted by a mobile malware campaign originating in China that had been ongoing since 2013 June 2020. A hacking group affiliated with an unknown government was found to have targeted a range of Kurdish individuals in Turkey and Syria at the same time as Turkey launched its offensive into northeastern Syria. June 2020. The most popular of the tax reporting software platforms China requires foreign companies to download to operate in the country was discovered to contain a backdoor that could allow malicious actors to conduct network reconnaissance or attempt to take remote control of company systems June 2020.
    [Show full text]
  • WORLD WAR C : Understanding Nation-State Motives Behind Today’S Advanced Cyber Attacks
    REPORT WORLD WAR C : Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks Authors: Kenneth Geers, Darien Kindlund, Ned Moran, Rob Rachwald SECURITY REIMAGINED World War C: Understanding Nation-State Motives Behind Today’s Advanced Cyber Attacks CONTENTS Executive Summary ............................................................................................................................................................................................................................................................................................................... 3 Introduction ............................................................................................................................................................................................................................................................................................................................................... 4 A Word of Warning ................................................................................................................................................................................................................................................................................................................. 5 The FireEye Perspective ...........................................................................................................................................................................................................................................................................................
    [Show full text]
  • Chapter 2 the Hacker Group R
    Chapter 2 The hacker group R. Gevers CHAPTER OUTLINE Introduction 15 The hacker as social reformer 16 The hacker as combatant 17 The hacker group 19 Disciplines 20 Conclusions 39 n INTRODUCTION Since the information revolution the Internet has been a driving force behind many—if not most—social reforms. From the 1% marches to the Arab Spring: The Internet was used to fuel, coordinate, and facilitate protests. The Internet turned out to be a safe haven for liberal thinkers and was used to establish contacts with other like-minded individuals at the other end of the globe. The global nature of the Internet makes (targeted) communica- tion accessible to anyone. This was at the core of many great revelations: WikiLeaks being the first, The Intercept and Edward Snowden following quickly. In the early days the Internet was a safe haven for free thinkers; there was no censorship and no laws were directly applicable. This opened up opportuni- ties on the Internet to influence governments and their laws. However, this situation has changed: The Internet has become securitized and militarized. Whereas the Internet used to be a place aimed at free and unhindered flow of information and ideas, now it is increasingly influenced by State actors and large non-State actors. Whereas any individual could tread onto the Internet and fight for a cause, nowadays you need to tread carefully. 15 Cyber Guerilla Copyright © 2016 Elsevier Inc. All rights reserved. 16 CHAPTER 2 The hacker group Chapter 1 has described the essence of cyber guerilla strategy, tactics, and the concepts of favorable and unfavorable terrain.
    [Show full text]
  • How Hackers Think: a Mixed Method Study of Mental Models and Cognitive Patterns of High-Tech Wizards
    HOW HACKERS THINK: A MIXED METHOD STUDY OF MENTAL MODELS AND COGNITIVE PATTERNS OF HIGH-TECH WIZARDS by TIMOTHY C. SUMMERS Submitted in partial fulfillment of the requirements For the degree of Doctor of Philosophy Dissertation Committee: Kalle Lyytinen, Ph.D., Case Western Reserve University (chair) Mark Turner, Ph.D., Case Western Reserve University Mikko Siponen, Ph.D., University of Jyväskylä James Gaskin, Ph.D., Brigham Young University Weatherhead School of Management Designing Sustainable Systems CASE WESTERN RESERVE UNIVESITY May, 2015 CASE WESTERN RESERVE UNIVERSITY SCHOOL OF GRADUATE STUDIES We hereby approve the thesis/dissertation of Timothy C. Summers candidate for the Doctor of Philosophy degree*. (signed) Kalle Lyytinen (chair of the committee) Mark Turner Mikko Siponen James Gaskin (date) February 17, 2015 *We also certify that written approval has been obtained for any proprietary material contained therein. © Copyright by Timothy C. Summers, 2014 All Rights Reserved Dedication I am honored to dedicate this thesis to my parents, Dr. Gloria D. Frelix and Dr. Timothy Summers, who introduced me to excellence by example and practice. I am especially thankful to my mother for all of her relentless support. Thanks Mom. DISCLAIMER The views expressed in this dissertation are those of the author and do not reflect the official policy or position of the Department of Defense, the United States Government, or Booz Allen Hamilton. Table of Contents List of Tables ....................................................................................................................
    [Show full text]
  • Why “Hacktivism” Can and Should Influence Cybersecurity Reform
    INVESTING IN A CENTRALIZED CYBERSECURITY INFRASTRUCTURE: WHY “HACKTIVISM” CAN AND SHOULD INFLUENCE CYBERSECURITY REFORM Brian B. Kelly INTRODUCTION ........................................................................................ 1664 I. CYBERCRIME, HACKTIVISM, AND THE LAW ......................... 1671 A. The Current State of Cybercrime ............................................... 1671 B. Defining Hacktivism and Anonymous’s Place Within the Movement .................................................................................. 1676 1. Hacking and Hacktivism ..................................................... 1676 2. Anonymous ......................................................................... 1678 C. Current Cybersecurity Law ....................................................... 1683 1. Federal Statutes ................................................................... 1683 2. National Defense Systems ................................................... 1684 3. State Monitoring Systems .................................................... 1685 4. International Coalitions ....................................................... 1686 II. CURRENT REFORM PROPOSALS ............................................... 1687 A. Obama Proposal ........................................................................ 1687 B. Republican Task Force Proposal .............................................. 1689 III. THE CYBERSECURITY REFORM SOLUTION ........................... 1692 A. Similarities in the Reform Models ............................................
    [Show full text]
  • Bugs in the Market: Creating a Legitimate, Transparent, and Vendor-Focused Market for Software Vulnerabilities
    BUGS IN THE MARKET: CREATING A LEGITIMATE, TRANSPARENT, AND VENDOR-FOCUSED MARKET FOR SOFTWARE VULNERABILITIES Jay P. Kesan* & Carol M. Hayes** Ukraine, December 23, 2015. Hundreds of thousands of homes lost power. Call center communications were blocked. Authorities reported that 103 cities experienced a total blackout. The alleged cause? BlackEnergy malware. With so much of our daily lives reliant on computers, is modern civilization just a stream of ones and zeroes away from disaster? Malware like BlackEnergy relies on uncorrected security flaws in computer systems. Sometimes, the system owner fails to install a patch. Other times, there is no patch because the software vendor either did not know about or did not correct a critical security flaw. Meanwhile, the victim country’s government or its allies may have knowledge of the same flaw, but kept the information secret so that it could be used against its enemies. There is an urgent need for a new legal and economic approach to cybersecurity that will curtail socially harmful behavior by security researchers and governments. Laws aimed at curbing cyberattacks typically focus on punishment, with little to no wiggle room provided for socially beneficial hacking behavior. Around the world, governments hoard zero-day vulnerabilities while permitting software vendors to sue security researchers who plan to demonstrate critical security flaws at industry conferences. There is also a growing market for buying and selling security flaws, and the buyers do not always have society’s best interests in mind. This Article delves into the world of cybersecurity and software and provides an interdisciplinary analysis of the current crisis, contributing to the limited but growing literature addressing these new threats that cannot be contained by traditional philosophies of war and weaponry.
    [Show full text]
  • Revolution Hacking
    Revolution Hacking by Nikolay Koval Chapter 6 in Kenneth Geers (Ed.), Cyber War in Perspective: Russian Aggression against Ukraine, NATO CCD COE Publications, Tallinn 2015 Nikolay Koval, head of Ukraine’s Computer Emergency Response Team (CERT-UA) during the revolution, describes in Chapter 6 how cyber attacks rose in parallel with ongoing political events, in both number and severity. In 2012, hackers ‘defaced’ Ukrainian government websites with politically motivated digital graffiti. In 2013, network defenders discovered new and more menacing forms of malware, such as RedOctober, MiniDuke, and NetTraveler. In 2014, hacktivist groups such as CyberBerkut published stolen Ukrainian Government docu- ments. Koval analyses in detail the most technically advanced attack investigated by CERT-UA: the May 2014 compromise of Ukraine’s Central Election Commission (CEC). He closes by appealing to the Ukrainian Government to allocate greater funds to hire and retain qualified personnel. Disclaimer This publication is a product of the NATO Cooperative Cyber Defence Centre of Ex- cellence (the Centre). It does not necessarily reflect the policy or the opinion of the Centre or NATO. The Centre may not be held responsible for any loss or harm arising from the use of information contained in this publication and is not responsible for the content of the external sources, including external websites referenced in this publica- tion. Digital or hard copies of this publication may be produced for internal use within NATO and for personal or educational use when for non-profit and non-commercial purpose, provided that copies bear a full citation. Please contact publications@ccdcoe. org with any further queries.
    [Show full text]
  • Building Hacker Collective Identity One Text Phile at a Time: Reading Phrack
    Media History Monographs 11:2 (2008-2009) ISSN 1940-8862 Building Hacker Collective Identity One Text Phile at a Time: Reading Phrack Brett Lunceford University of South Alabama Research concerning computer hackers generally focuses on how to stop them; far less attention is given to the texts they create. Phrack, an online hacker journal that has run almost continuously since 1985, is an important touchstone in hacker literature, widely read by both hackers and telephone and network security professionals. But beyond its instantiation as a compendium of illicit technical knowledge, Phrack was, above all, a rhetorical publication. The files in each issue of Phrack created a shared rhetorical vision concerning the place of the hacker underground within society and in relation to law enforcement officials, as well as what it means to be a hacker. This essay examines two important events in the evolution of the hacker movement through the lens of Phrack—Operation Sundevil and the arrest of Kevin Mitnick. How these events were framed in Phrack both shaped and reflected emerging shifts in hacker collective identity. ©2009 Brett Lunceford Media History Monographs 11:2 Lunceford: Reading Phrack Building Hacker Collective Identity One Text Phile at a Time: Reading Phrack Stephen Segaller describes the formation of Managers that Helps Protect Corporate Data the Internet as “one of the twentieth century’s from Assaults by the Hackers” and “The most productive accidents,” explaining that the World of Data Confronts the Joy of Hacking,” “seeds of the Internet were planted by the U.S. which begins, “The recent electronic government in the wake of nationwide concern escapades of a group of Milwaukee youths over the Soviet launch of Sputnik.”44 Hackers have brought national attention to the growing were an integral part of the construction of this problem of computer security,”47 demonstrate network.
    [Show full text]
  • Vulnerability Assessments in Ethical Hacking
    American Journal of Engineering Research (AJER) 2016 American Journal of Engineering Research (AJER) e-ISSN: 2320-0847 p-ISSN : 2320-0936 Volume-5, Issue-5, pp-01-05 www.ajer.org Research Paper Open Access Vulnerability Assessments in Ethical Hacking Ashiqur Rahman1, Md. SarwarAlam Rasel2, Asaduzzaman Noman3, Shakh Md. Alimuzjaman Alim4 1(M.Sc in Information Technology (IT), Jahangirnagar University, Bangladesh) 2(CSE, Royal University of Dhaka, Bangladesh) 3(CSE, Royal University of Dhaka, Bangladesh) 4(EEE, Royal University of Dhaka, Bangladesh) ABSTRACT: Ethical hackers use the same methods and techniques to test and bypass a system's defenses as their less-principled counterparts, but rather than taking advantage of any vulnerabilities found, they document them and provide actionable advice on how to fix them so the organization can improve its overall security. The purpose of ethical hacking is to evaluate the security of a network or system's infrastructure. It entails finding and attempting to exploit any vulnerabilities to determine whether unauthorized access or other malicious activities are possible. Vulnerabilities tend to be found in poor or improper system configuration, known and unknown hardware or software flaws, and operational weaknesses in process or technical countermeasures. One of the first examples of ethical hacking occurred in the 1970s, when the United States government used groups of experts called "red teams" to hack its own computer systems. It has become a sizable sub-industry within the information security market and has expanded to also cover the physical and human elements of an organization's defenses. A successful test doesn't necessarily mean a network or system is 100% secure, but it should be able to withstand automated attacks and unskilled hackers.
    [Show full text]