
Red Sift Blog


6 Questions we shouldn’t be asking about the HSE cyberattack – and why

by Rois Ni Thuama
May 19, 2021 (updated September 1, 2022)
Filed under:
  • Cybersecurity

Last week we learned that the Health and Safety Executive (HSE) in Ireland were subject to a ransomware cyber attack which locked them out of vital records and disrupted their operations. And so this past weekend, I spent most of my time answering various questions from various journalists about it.

Usually, when this happens, my answers are instructive. But by the end of this past weekend, it had become abundantly clear that I was in fact being asked the wrong questions all along – both in substance and approach.

So now, I’m going to share these questions with you, in the hope that explaining exactly why they are wrong might prove helpful in how we all approach and question cyber attacks going forward.

Question 1: What do we know about the HSE cyberattack?

Absolutely nothing. In the early days of an attack, even the people with access to the systems struggle for answers. This is exactly why these kinds of ransomware attacks work. The people closest to the action know the most, and even they don't know yet. They can't answer; they're too busy.

Useful insight about a cyber attack is rarely delivered fast; instead it takes experts days of investigation and analysis to be able to make a sensible determination. So always exercise caution when reading detailed insight in the immediate aftermath of a cyber attack, and know that this question isn't going to get you far to begin with.

Question 2: What sort of ransom demand would HSE be looking at?

There's no doubt that HSE will have received a demand, and they will have an exact figure. But it's absent from their public statement, so it's not possible for anyone to say how much it is with any degree of accuracy. All that we can say is that ransom demands scale.

If we compare to recent attacks in this field, we know that Colonial Pipeline paid out nearly US$5 million when they were hit, while the Metropolitan Police Department in Washington, D.C. was asked for US$4 million (a demand they refused).

So, from this, we can put HSE’s figure in the region of US$5 million. This is in line with recent demands and so is not wildly speculative.

Despite this, I read unsupported figures in the press which put the demand as high as US$30 million, which would make the HSE demand the most expensive in ransom history!

What's wrong with digging for clues about how much targeted organisations are paying out? Well, the figure above wasn't quoted because it is based on any real insight; it was used because it makes your eyes pop and your head swivel: it's sensational.

Personally, I’m not a fan of fear, uncertainty and doubt (FUD) and it’s deeply cynical of vendors to try to capitalise on the pain of the victims by presenting baseless figures.

Question 3: Was it a sophisticated attack?

This is actually a good question, because it shows that we are seeing an evolution in the understanding of cyber threats.

For a long time firms have escaped censure when cyberattacks happen because the attacks were attributed to nation-state actors (a government-sponsored group which targets other governments to steal, damage, or change information). But this completely overlooks the fact that a child of 12 could have instigated the same attack and, worse, it allows the organisation to pass off the attack as unavoidable.

So back to the question. While this is a good one, it’s not the right one, because it suggests that sophisticated actors launch sophisticated attacks. But this doesn’t always follow. Whether the malware was sophisticated or crude, the question should be: what was the angle of entry?

And spoiler alert: in the case of HSE, I don’t know.

What I do know is that the intelligence community on both sides of the Atlantic has long warned about Business Email Compromise (BEC). This is also referred to as phishing, CEO fraud, Friday afternoon fraud, invoice fraud and so on. It's essentially when an attacker poses as a member of your organisation, using your domain to get you to approve a fake invoice or click a malicious link. I also know that email is the starting point for 96% of these targeted cyber attacks and 90% of ransomware attacks. Let that sink in.

So instead of asking whether it was sophisticated, the questions we should be asking are:

  • was this attack reasonably foreseeable?
  • was this attack avoidable?

The answer to the first question is yes, it was reasonably foreseeable. Ransomware is well known, understood, and on the rise. It’s now even possible to hire ransomware tools, Ransomware as a Service (RaaS), meaning that even the least sophisticated bad actor can launch such an attack.

As for the second question, the answer is that it depends: first, and to a large extent, on the angle of entry (i.e. whether it came via email), and second on whether the HSE had taken steps to manage well-known email vulnerabilities with global standard protocols.

Question 4: Could the information security team have done more?

I don’t know. Maybe, maybe not. But again it’s not the right question. Cyber threats and cyber risk are corporate matters and are the responsibility of the entire board, the whole of the management team, the information security team, and their lawyers.

While the role of HSE as a non-profit is not wealth generation, directors exercising reasonable care, skill and diligence should consider value preservation as a strategic imperative. As part of their governance, risk and compliance framework, they should be considering cyber governance and cyber risk at the top of their agenda.

Risk appetite and the budgets needed to implement global standards to combat known cyber threats are all set at C-suite level. So it's neither fair nor accurate to look solely to the information security team, who are usually under-financed and under-resourced when these attacks happen.

Questions should be directed towards the board. For example, what is the entity’s risk appetite? Are they considering cyber threats and risk at board level? If not, why not? Are they investing in solutions that will materially improve their cybersecurity posture? If not, why not?

Question 5: Are the HSE and other state agencies now vulnerable going forward?

100% yes. If you’re connected, you’re vulnerable, and there’s risk inherent in everything. But that’s not to say that things can’t be managed better.

Ireland is a small country, and it would be straightforward to implement global standard solutions to known significant cyber threats.

While people are worried about ‘emerging threats’ or sophisticated attacks, it’s the known significant threats that are being left unaddressed. That’s the biggest problem. The good news is for the most significant cyber threats, there’s a fix.

Question 6: What must be done to ensure this doesn’t happen again?

The harsh fact is that we can’t ensure anything of the kind. But let’s compare cyber and email security to road safety. We’ve had cars on the roads for decades and whether because of a mechanical failure or driver error (reckless or accidental) we continue to see fatalities from road traffic collisions (RTC).

While we cannot ensure RTCs don’t happen again, we can mitigate the risks through a multi-layered approach. By adopting various sensible safety measures, it has been possible to reduce the number and severity of RTCs.

How we made the car safer: three-point safety belts, airbags and collapsible steering columns.

How we made the roads safer: the introduction of legislation to compel road users to wear their safety belts (front and back), and the criminalisation of drink-driving and reckless driving.

So what can we take from this? We can’t ensure that this never happens again, but governments can put in the right measures in their businesses and network supply chain to mitigate risk.

So what do I really think?

I think that Ireland’s commitment to not paying the ransom demand is an excellent decision. It gives me confidence that we have the right leadership in place. But with a sense of urgency, the government must make our digital space safer now by compelling firms to implement global standard protocols, like DMARC, without exception.

Provided the Irish government does this, it can materially reduce the risks for the future, protecting the economy and livelihoods. It will also set a golden example for other authorities in the same position.
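To make concrete what "implementing DMARC" means in practice, here is an added example (not part of the original post and not Red Sift code): a small Python checker that parses a DMARC TXT record and classifies it as missing, invalid, monitor-only, partially enforced or enforced. The point it illustrates is that publishing a record is not the same as being protected: a record with `p=none` only asks receivers to report, and spoofed invoices still land in inboxes. The records and the domain name are constructed samples and no DNS lookup is performed, so it runs offline.

```python
"""Classify how much protection a DMARC record gives against domain spoofing.

Added example (not part of the original post, not Red Sift code).
Sample records below are constructed; no DNS lookups are performed.
"""
from dataclasses import dataclass, field
from typing import Dict, List, Optional

VALID_POLICIES = {"none", "quarantine", "reject"}


@dataclass
class DmarcAssessment:
    level: str                 # missing | invalid | monitor | partial | enforced
    findings: List[str] = field(default_factory=list)
    tags: Dict[str, str] = field(default_factory=dict)


def parse_dmarc(record: str) -> Dict[str, str]:
    """Split a DMARC TXT record into tag -> value pairs (tag names are case-insensitive)."""
    tags: Dict[str, str] = {}
    for part in record.split(";"):
        part = part.strip()
        if not part:
            continue
        if "=" not in part:
            raise ValueError(f"malformed tag {part!r}")
        key, value = part.split("=", 1)
        tags[key.strip().lower()] = value.strip()
    return tags


def assess_dmarc(record: Optional[str]) -> DmarcAssessment:
    """Return the protection level a record provides and the reasons for it."""
    if record is None:
        return DmarcAssessment(
            "missing", ["no DMARC record: receivers cannot tell spoofed mail from real mail"])
    try:
        tags = parse_dmarc(record)
    except ValueError as exc:
        return DmarcAssessment("invalid", [str(exc)])

    # RFC 7489 requires v=DMARC1 as the first tag and a p= tag with a known value.
    if not record.strip().lower().startswith("v=dmarc1"):
        return DmarcAssessment("invalid", ["record must start with v=DMARC1"], tags)
    policy = tags.get("p", "").lower()
    if policy not in VALID_POLICIES:
        return DmarcAssessment(
            "invalid", [f"p= must be none, quarantine or reject, got {policy!r}"], tags)

    # pct defaults to 100; anything lower leaves a share of failing mail untreated.
    pct_raw = tags.get("pct", "100")
    if not pct_raw.isdigit() or not 0 <= int(pct_raw) <= 100:
        return DmarcAssessment("invalid", [f"pct= must be an integer 0-100, got {pct_raw!r}"], tags)
    pct = int(pct_raw)

    # Subdomain policy (sp=) inherits p= unless overridden.
    sub_policy = tags.get("sp", policy).lower()
    if sub_policy not in VALID_POLICIES:
        return DmarcAssessment("invalid", [f"sp= has unknown value {sub_policy!r}"], tags)

    findings: List[str] = []
    if "rua" not in tags:
        findings.append("no rua= address: nobody receives aggregate reports on who sends as this domain")

    if policy == "none":
        findings.append("p=none only monitors; mail that fails DMARC is still delivered")
        return DmarcAssessment("monitor", findings, tags)

    partial = False
    if pct < 100:
        findings.append(f"pct={pct}: {100 - pct}% of failing mail is not subject to p={policy}")
        partial = True
    if sub_policy == "none":
        findings.append("sp=none: subdomains can still be spoofed freely")
        partial = True
    return DmarcAssessment("partial" if partial else "enforced", findings, tags)


# Constructed sample records for an imaginary domain (not real DNS data).
SAMPLE_RECORDS = {
    "no record": None,
    "monitor only": "v=DMARC1; p=none; rua=mailto:dmarc@example.ie",
    "half enforced": "v=DMARC1; p=reject; pct=50; rua=mailto:dmarc@example.ie",
    "subdomains open": "v=DMARC1; p=reject; sp=none; rua=mailto:dmarc@example.ie",
    "enforced": "v=DMARC1; p=reject; rua=mailto:dmarc@example.ie",
    "broken": "v=DMARC1; p=bogus",
}

if __name__ == "__main__":
    for name, rec in SAMPLE_RECORDS.items():
        result = assess_dmarc(rec)
        print(f"{name:16} -> {result.level:9} {'; '.join(result.findings)}")
```

The levels map directly onto the gap the post describes: "monitor" and "partial" are where many organisations stop, having deployed the record but not the enforcement, and only "enforced" actually blocks a message that fails DMARC on both the domain and its subdomains.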
