What happened
The British Library has been through an appalling few months dealing with the aftermath of the Rhysida ransomware attack in October 2023. They recently issued a report which details what happened, why, and what they are doing about it. This makes sobering reading for anyone concerned with cyber security, because it shows not only what the issues were but also the direction in which best practice is heading in the future. Whilst we hope that none of our clients go through this, we believe that the lessons learned are illustrative, important, and applicable to all, whether vessel owners, operators, or dealing with ports, terminals or other land-based infrastructure – or indeed any other organisation to whom we’ve talked in the last four years.
Why is this relevant?
The British Library was a prime target for anybody to attack: large, public sector, dedicated to the protection, curation and efficient management of information (literary or otherwise). The fact that it was attacked showed the shameless and sick nature of the attackers – it brought them no commercial gain and damaged an important national institution.
It is also clear that the BL had not understood the true nature of the threat and the risks it was running. In one key statement in its report, the BL concedes that its systems were a jumble of older systems brought together because of organisations merging and/or functions changing. As a result, there were multiple systems doing different things with no common architecture or protective interfaces. Whilst some of that heterogeneity protected some of its systems, it was clear that control of the whole had been lost in the mix; some software was so old it could not run on updated systems (we hear that a lot), and access from outside was far too easy. There were gaps in authentication and privileges were not managed. These types of gaps can affect everyone.
Learn the lessons
We very much welcome the openness demonstrated by the publication of this report. It shows that with greater information sharing, the travails of one organisation can benefit the many. We’re circulating these recommendations as a type of primer or checklist for all our friends and colleagues. If you are coming up short on any one of these dimensions, you will be at risk. The full costs of this breach are yet to be known. But even without the ransom (which the library bravely refused to pay), they will be large. And the library will be implementing new systems for a long while yet.
We set out below the key findings and a brief comment as to why these are significant from our perspective. We hope you find them useful.
Main recommendations – and comments
- a best practice network design, implementing proper segmentation with a defence in-depth approach. (Astaara comment: to prevent malware freely travelling around your networks)
- a hybrid compute landscape that securely leverages all the benefits of the cloud for development, application, and virtualisation (Astaara comment: BL’s cloud services were not hacked – but many on-premise services were. And in many cases, it’s the on-premise systems that are more vulnerable and exposed to internet-based attack)
- a best practice role-based-access control setup for domain and storage services, enshrining the principle of least privilege across the organisation. (Astaara comment: trust no-one; see only what you need to see to do your job: limit the ability of the malware to spread)
- a robust and resilient backup service, providing immutable and air-gapped copies, offsite copies, and hot copies of data with multiple restoration points on a 4/3/2/1 model (Astaara comment: 4 copies, 3 locations, 2 off-site, 1 off-line. Test them regularly, scan them frequently)
- a holistic, integrated security suite that covers the whole organisation, backed by managed security partners for improved incident response, detection, and remediation (Astaara comment: don’t just rely on one thing to protect you – see point 1. But make sure you get an integrated picture of what is going on)
- substantially enhanced MFA on-premises capabilities (Astaara comment: MFA may be a pain, but it will save your systems)
- substantially enhanced management of third party network access via Privileged Access Management (PAM): (Astaara comment: this goes wider than third parties in our view, since privileged access refers to internal account holders as much as to external third-party access. As with zero trust architecture, you need to manage user privileges to prevent attacks that seek highly privileged credentials and then travel to your most precious data)
- improvements in cyber incident, event, and vulnerability management: (Astaara comment: you need to recognise that you may not be able to forestall every incident or plug every vulnerability. But you need to know what they are and where they are, and take steps to ensure that unauthorised access can be contained and business interruption reduced as a result of a good plan)
- a clear and defined set of policies, processes, and standard operating procedures to govern and manage the IT lifecycle, enshrining security in each phase of the IT lifecycle and unlocking efficiency and velocity gains through standardisation in Development (Astaara Comment: enough said!)
- compliance with mandated standards and frameworks (Astaara comment: this needs to be written down so that you have evidence of your compliance. This can help mitigate any final penalty should one be appropriate, and demonstrate that the organisation at least made an attempt to document and evidence what it was doing)
- stronger and more embedded governance structures to manage the rapid delivery of security enabled applications to the business. (Astaara comment: governance is key since it provides the environment in which everything else happens. It exposes risk and enables those responsible to understand if that risk is acceptable. You cannot manage what you can’t see: and while governance does not need to be over-heavy, it is there to protect the business.)
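As an added illustration of the backup recommendation and its 4/3/2/1 comment above (example code, not from the Astaara post or the British Library report), the following Python checks a backup inventory against that model and against the "test them regularly" advice; the BackupCopy fields, thresholds and the sample inventory are assumptions constructed for illustration.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class BackupCopy:
    name: str
    location: str         # site or cloud region holding the copy (assumed field)
    offsite: bool         # held away from the primary data centre
    offline: bool         # air-gapped or immutable: unreachable from production
    restore_points: int   # independent restoration points kept on this copy
    last_tested_days: int # days since a restore from this copy was last tested


def check_4321(copies, min_restore_points=3, max_test_age_days=30):
    """Map each 4/3/2/1 rule to True/False for the given inventory:
    4 copies, 3 distinct locations, 2 off-site, 1 off-line, plus multiple
    restoration points and a recent restore test on every copy.
    An empty inventory fails the per-copy rules rather than vacuously passing."""
    return {
        "four_copies": len(copies) >= 4,
        "three_locations": len({c.location for c in copies}) >= 3,
        "two_offsite": sum(c.offsite for c in copies) >= 2,
        "one_offline": any(c.offline for c in copies),
        "multiple_restore_points": bool(copies) and all(c.restore_points >= min_restore_points for c in copies),
        "tested_recently": bool(copies) and all(c.last_tested_days <= max_test_age_days for c in copies),
    }


def failures(copies, **thresholds):
    """Sorted names of the rules the inventory does not meet."""
    return sorted(rule for rule, ok in check_4321(copies, **thresholds).items() if not ok)


# Constructed sample: four copies that look well provisioned, but every copy is
# online (reachable by ransomware on the network) and one has not been tested.
WEAK = [
    BackupCopy("prod-snapshot", "dc-london-1", offsite=False, offline=False, restore_points=7, last_tested_days=5),
    BackupCopy("nas-mirror", "dc-london-1", offsite=False, offline=False, restore_points=7, last_tested_days=120),
    BackupCopy("cloud-blob", "cloud-eu-west", offsite=True, offline=False, restore_points=30, last_tested_days=9),
    BackupCopy("dr-site", "dc-manchester", offsite=True, offline=False, restore_points=7, last_tested_days=12),
]
# Same estate after re-testing every copy and adding an immutable, air-gapped tape copy.
HARDENED = [replace(c, last_tested_days=7) for c in WEAK] + [
    BackupCopy("tape-vault", "vault-edinburgh", offsite=True, offline=True, restore_points=12, last_tested_days=7),
]

if __name__ == "__main__":
    print("weak:", failures(WEAK))          # ['one_offline', 'tested_recently']
    print("hardened:", failures(HARDENED))  # []
```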
As always, we are here if you wish to discuss the above or any other cyber related topic.