
Features 13.05.2025
AI Autopsy: Advanced Data Breach
A 2022 supply chain ransomware attack that crippled key NHS services
In August 2022, NHS supplier Advanced Computer Software Group was hit by a major cyber attack, with adversaries taking control of systems, stealing data and demanding a ransom. It disrupted critical services like the NHS 111 support line, and healthcare staff were unable to access patient records. Personal information belonging to 79,404 individuals was taken, including details of how to gain entry into the homes of those receiving care.
It could have been easily prevented, concluded the Information Commissioner’s Office (ICO), when issuing a £3.07m fine. Its report tells us much about the state of cybersecurity in many smaller UK firms, and what CISOs need to do to improve corporate security posture.
The Advanced breach might have been prevented if the firm had patched its systems in a timely manner. In fact, due to “ad hoc patch management”, adversaries were able to exploit a critical flaw (Zerologon), despite a fix having been released by Microsoft in 2020, according to the ICO.
The vulnerability was so serious that it became the subject of a National Cyber Security Centre (NCSC) warning after it was found to be used in attacks. The flaw was given a CVSS score of 10, which the ICO said “made it one of the most serious, active vulnerabilities in existence”.
One of the primary lessons learned from the Advanced breach is therefore the “critical need” for timely patching and updates, says Matt Riley, director for information security at Sharp UK and Europe. Organisations must ensure that all software and systems are regularly updated to protect against known vulnerabilities, he tells Assured Intelligence.
Another weakness in Advanced’s security posture was “a lack of mature vulnerability management scanning mechanisms”, according to the ICO. The NCSC advises this is done at least once a month, which the ICO found was not happening at Advanced.
The regulator also found a need for further in-house penetration testing at Advanced, which was “infrequent for each product” and had even revealed flaws that were “later exploited in the incident”.
Advanced had been performing some vulnerability scanning alongside these tests, but not regularly enough, the ICO said.
Organisations need to be mindful that adversaries will look for any flaws and weaknesses they can use in attacks, Sean Wright, head of application security at Featurespace, tells Assured Intelligence. “What might seem trivial or unimportant to you could actually be the entry point for an attacker,” he continues. “This is why it is important to focus on all findings from the results of a scan or penetration test and deal with them accordingly.”
As part of this effort, it’s important to have periodic manual penetration tests, says Wright. “While automated scanning is good to detect trivial security defects, having a human validate more advanced weaknesses is important,” he adds. “Manual tests also help validate that processes and tooling are functioning as expected.”
The NHS uses numerous suppliers for critical services, and Advanced’s multiple failings are a stark reminder of the associated risks. Even for organisations with advanced cybersecurity measures, third-party incidents like this remain among the “most likely, and potentially damaging”, Pierre Noel, field CISO EMEA at Expel, tells Assured Intelligence.
Firms therefore need to be “relentless” in ensuring that third parties with sensitive access “maintain a security posture proportionate to their risk level”, he says. “Too often, organisations simply rely on questionnaires, collect the responses, and leave it there. This is not sufficient.”
Noel advises organisations to categorise third-party risks, identify which category each supplier falls into, review this at least annually, and apply appropriate cybersecurity evaluation measures, including onsite audits where necessary.
The Advanced incident isn’t the first ransomware attack to impact the NHS: WannaCry famously caused havoc back in 2017. To minimise the damage from the next one, CISOs first need to understand the risk.
Ransomware remains “one of the most persistent and lucrative tactics” used by cybercriminals, says Noel. While no system is completely impenetrable, layering defences and understanding the risk makes it more difficult for attackers to succeed, he argues.
Cyber resilience is important. This includes “good security hygiene, continuous monitoring for unusual activity, and leveraging cyber-threat intelligence to stay ahead of emerging risks”, says Noel.
This is in addition to “immutable backups” that cannot be overwritten or encrypted, which he says “provide a critical safety net when ransomware hits”, so organisations can return to operations without paying the ransom.
The ICO’s investigation concluded that Advanced’s health and care subsidiary did not have the appropriate technical and organisational measures in place to keep its systems fully secure. As well as a lack of comprehensive vulnerability scanning and inadequate patch management, it found gaps in the deployment of multi-factor authentication (MFA).
“The security measures of Advanced’s subsidiary fell seriously short of what we would expect from an organisation processing such a large volume of sensitive information,” information commissioner John Edwards said.
While Advanced had installed MFA across many of its systems, the lack of complete coverage meant hackers could still gain access. First and foremost, “you cannot protect what you don’t know about”, Featurespace’s Wright warns. “My advice is to firstly understand the assets you have, especially those that are exposed to the public internet.”
In principle, no system should only be protected by a username and password, says Sharp’s Riley. “Businesses that utilise Microsoft 365 should ensure MFA is turned on. Some systems and application suppliers may charge more to turn on MFA or single sign-on (SSO) – but it is strongly recommended to always pay for these additional security layers if they’re available.”
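The three controls the ICO singled out (timely patching, vulnerability scanning at least monthly, and MFA on every system, above all those reachable from the internet) can be turned into a repeatable check over an asset inventory. The script below is an added example and is not code from the article, the ICO or Advanced; the asset names, dates and patch-SLA thresholds are constructed assumptions for illustration, and only the 30-day scan interval reflects the NCSC guidance quoted above.

```python
"""Asset-hygiene check: flags stale scans, missing MFA on exposed systems,
and patches outstanding beyond an assumed SLA. Added example, not from the page."""
from __future__ import annotations

from dataclasses import dataclass, field
from datetime import date

# NCSC guidance cited in the article: scan at least once a month.
SCAN_INTERVAL_DAYS = 30
# Assumed patch SLAs per severity (illustrative policy, not an ICO/NCSC figure).
PATCH_SLA_DAYS = {"critical": 14, "high": 30, "medium": 90}


@dataclass
class Patch:
    name: str
    severity: str            # "critical" | "high" | "medium"
    released: date
    applied: date | None     # None means the patch is still outstanding


@dataclass
class Asset:
    name: str
    internet_exposed: bool
    mfa_enforced: bool
    last_scan: date | None   # None means the asset has never been scanned
    patches: list[Patch] = field(default_factory=list)


def check_asset(asset: Asset, today: date) -> list[str]:
    """Return the findings for one asset; an empty list means it passes."""
    findings: list[str] = []

    # 1. Scanning cadence: every asset must have been scanned within the interval.
    if asset.last_scan is None:
        findings.append("never scanned")
    else:
        age = (today - asset.last_scan).days
        if age > SCAN_INTERVAL_DAYS:
            findings.append(f"last scan {age} days ago (limit {SCAN_INTERVAL_DAYS})")

    # 2. MFA: a username and password alone is not acceptable on exposed systems.
    if asset.internet_exposed and not asset.mfa_enforced:
        findings.append("internet-exposed without MFA")

    # 3. Patching: outstanding or late patches measured against the severity SLA.
    for p in asset.patches:
        sla = PATCH_SLA_DAYS.get(p.severity, 90)
        if p.applied is None:
            age = (today - p.released).days
            if age > sla:
                findings.append(f"{p.name} ({p.severity}) unpatched for {age} days, SLA {sla}")
        elif (p.applied - p.released).days > sla:
            findings.append(f"{p.name} ({p.severity}) applied late")
    return findings


def hygiene_report(assets: list[Asset], today: date) -> dict[str, list[str]]:
    """Map each non-compliant asset name to its findings; compliant assets are omitted."""
    report: dict[str, list[str]] = {}
    for a in assets:
        findings = check_asset(a, today)
        if findings:
            report[a.name] = findings
    return report


# Constructed inventory and reference date (not real Advanced systems or dates).
TODAY = date(2022, 8, 1)
SAMPLE_ASSETS = [
    Asset("remote-access-gw-01", internet_exposed=True, mfa_enforced=False,
          last_scan=date(2022, 5, 10),
          patches=[Patch("Zerologon fix", "critical", date(2020, 8, 11), None)]),
    Asset("file-server-02", internet_exposed=False, mfa_enforced=True,
          last_scan=date(2022, 7, 20),
          patches=[Patch("SMB hardening update", "high", date(2022, 6, 1), date(2022, 6, 20))]),
    Asset("hr-portal", internet_exposed=True, mfa_enforced=True,
          last_scan=None,
          patches=[Patch("web framework update", "medium", date(2022, 3, 1), date(2022, 7, 1))]),
]

if __name__ == "__main__":
    for name, findings in hygiene_report(SAMPLE_ASSETS, TODAY).items():
        print(name)
        for f in findings:
            print("  -", f)
```

Run against a real inventory export, the same function gives a small-firm security lead a monthly list of exactly the gaps the ICO described: a scan cadence that has lapsed, an exposed system still protected by a password alone, and a critical fix from years earlier that is still outstanding.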
It’s also important that firms have strong, unique passwords in place. During the Advanced breach, the first foothold into the environment was simple. “The threat actor simply logged into the system with a correct username and password,” Rob O’Connor, EMEA CISO at Insight, tells Assured Intelligence.
While it’s not known how the hackers obtained the credentials, common tactics include carrying out a phishing attack or exploiting passwords that have been reused across multiple platforms, he says.
A breach is a matter of “when” rather than “if”, says Featurespace’s Wright. With this in mind, organisations need to consider what to do when that day comes.
Having robust processes and controls in place to deal with this is vital. “Not doing so will almost certainly make a bad situation even worse,” Wright continues. “On the other hand, having a robust process in place could actually help turn around the situation and even improve public perception.”
Advanced itself says it has learnt from the breach. “What happened over two and a half years ago is wholly regrettable,” an Advanced spokesperson tells Assured Intelligence. “With threat actors operating with increasing sophistication, it is upon all businesses to ensure their cyber posture is continually strengthened. Cybersecurity remains a primary investment across our business, and we have learned a great deal as an organisation since this attack.”
Hopefully, many more organisations can also learn from this cautionary tale. Cyber-hygiene best practices are simply non-negotiable given today’s threat landscape.