As the post-mortem on WannaCry continues, we look at practical solutions for cash strapped healthcare providers tasked with defending their Windows XP estate.
Nearly 3 weeks before WannaCry was released, Deep Secure warned that the NHS was particularly vulnerable to attack from threat actors, whether driven by criminal or ideological motives. Now, in the aftermath of the cyber attack, it’s time to consider how best to deal with the risks going forward.
Picture the scene. You’ve several multi-million pound medical scanners, each of which has a controller running an embedded Windows XP operating system (the o/s vulnerable to attack from WannaCry). The operating system itself is of course out of support and represents an unacceptable security risk. Chances are the vendor that originally put the system in is no longer in business. Upgrading the controller to a more modern (and less vulnerable) operating system isn’t an option anyway. Embedded systems are exactly that and an upgrade would effectively mean commissioning a wholly new piece of critical software. Air gapping the systems isn’t possible. The scanners need to communicate with other internal systems to share records. Even if air-gapping was do-able the costs of completely re-plumbing the network are huge and anyway, the air-gap will be circumvented by users if it introduces latency into the process of delivering effective healthcare.
So what is the most effective (and cost-effective) approach to protecting assets like this from WannaCry and the WannaCrys of the future?
Actually there is a solution. Using the Deep Secure Content Threat Removal platform enables healthcare organisations to deploy a “digital moat” around the XP estate. The platform works by creating a boundary around the vulnerable Windows XP systems and only allowing those protocols necessary for the sharing of information with the rest of the organisation to cross the boundary – email, web services and file transfer. These protocols are subject to a protocol break and a process of transformation is used whereby information is extracted from incoming data leaving behind any malware. The information is then used to build new data to carry it to the destination on the other side of the protocol break. This method does not rely on distinguishing good and bad, any threat is removed not reduced and the business gets the information it needs.
This approach is in marked contrast to the failed approaches of the past. Anti-virus scanners, next generation firewalls, intrusion detection systems, web and email gateways that try to detect known malware using signatures can’t stop a determined cyber criminal and are ineffective against zero day threats.
The platform supports a wide range of application-to-application and general business communication across the boundary and has a number of benefits. It works against unknown attacks. It does not need to maintain a list of known attacks and attack techniques. It works without needing to interact with the vendor. There is no need for signature updates to be brought in regularly from the Internet. There is no need to report behaviour to a central control system for correlation.
Un-supported embedded operating systems such as Windows XP require special attention. They run many of the critical systems on which we all depend. In the absence of up-to-date patches and in the face of the failed attempts by the cyber security industry to detect threats a new approach is needed. Using the Deep Secure Content Threat Removal platform as a “digital moat” enables healthcare providers to protect their critical systems from threat actors like those responsible for WannaCry.