Hardening NHS Security With Better Device Configuration
In today’s digital age, data protection and security are paramount, especially within the healthcare sector. The National Health Service (NHS) in the UK recognizes the importance of safeguarding sensitive patient information and maintaining the integrity of its critical network infrastructure.
However, as cyber threats evolve and become more sophisticated, the NHS faces the challenge of addressing misconfigurations and vulnerabilities effectively. This blog explores the significance of configuration management and remediation in bolstering the NHS’s cybersecurity efforts.
The growing threat of misconfigurations
The healthcare sector, including the NHS, has increasingly become a prime target for cyberattacks. Alarmingly, manual security measures have often fallen short, leaving organisations vulnerable to a myriad of threats. Recent statistics from Microsoft reveal that a staggering 80% of ransomware attacks are directly linked to configuration errors. Unlike vulnerabilities that can be patched, misconfigurations place the onus on operators to remediate issues promptly.
Challenges in remediating device configurations
Device misconfigurations are particularly difficult because, unlike vulnerabilities, there is no patch to apply: you as the operator are responsible for the remediation. Let’s talk about detection and remediation.
Detection
Determining whether a device has slipped into a misconfiguration state or deviated from the ideal golden image can be quite a daunting task, especially when dealing with a substantial device count, often numbering well beyond a few hundred.
Traditionally, organizations have turned to methods like penetration testing, red teaming, and blue teaming to gain some visibility into misconfigurations. However, it’s essential to note that these approaches are neither real-time nor continuous, and they certainly lack automation.
Root cause analysis
To effectively tackle misconfigurations, it’s crucial to understand their primary sources, which include:
- Human Error
- Default Configurations (e.g., LLMNR, SMBV)
- Unapplied Policies (e.g., GPO, Intune)
- Non-Patchable Vulnerabilities (e.g., “PrintNightmare”)
Then it is a case of understanding the potential risk, which devices are affected and how to prioritise, in order to start reducing the attack surface and remediating.
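As an added example (not code from this post or from GYTPOL), the PowerShell below audits a Windows endpoint against a small golden baseline for the default-configuration risks listed above, reports drift, and remediates with a snapshot so the change can be rolled back. The registry keys are the documented Windows policy settings; the rollback file location is an assumption.

```powershell
# Added example, not GYTPOL's code: audit a Windows endpoint against a small golden
# baseline covering the default-configuration risks named above (LLMNR, SMBv1,
# PrintNightmare), report drift, and remediate with a snapshot for rollback. Run elevated.
$Baseline = @(
    @{ Name = 'LLMNR disabled'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\DNSClient'
       Key  = 'EnableMulticast'; Expected = 0 },
    @{ Name = 'Point and Print driver install restricted to admins (PrintNightmare)'
       Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows NT\Printers\PointAndPrint'
       Key  = 'RestrictDriverInstallationToAdministrators'; Expected = 1 }
)
$RollbackFile = "$env:ProgramData\config-rollback.json"   # assumed location
function Get-ConfigDrift {
    # Registry-backed policy items: a missing key or a value off baseline counts as drift
    $drift = @(foreach ($item in $Baseline) {
        $actual = (Get-ItemProperty -Path $item.Path -Name $item.Key -ErrorAction SilentlyContinue).($item.Key)
        if ($actual -ne $item.Expected) {
            [pscustomobject]@{ Check = $item.Name; Path = $item.Path; Key = $item.Key
                               Actual = $actual; Expected = $item.Expected }
        }
    })
    # SMBv1 is a feature switch rather than a policy key, so it is checked separately
    if ((Get-SmbServerConfiguration).EnableSMB1Protocol) {
        $drift += [pscustomobject]@{ Check = 'SMBv1 server disabled'; Path = 'SmbServerConfiguration'
                                     Key = 'EnableSMB1Protocol'; Actual = $true; Expected = $false }
    }
    return $drift
}
function Repair-ConfigDrift {
    param([Parameter(Mandatory)] $Drift)
    # Snapshot current values before changing anything so the change can be reverted
    $Drift | ConvertTo-Json | Set-Content -Path $RollbackFile
    foreach ($d in $Drift) {
        if ($d.Key -eq 'EnableSMB1Protocol') { Set-SmbServerConfiguration -EnableSMB1Protocol $false -Force; continue }
        if (-not (Test-Path $d.Path)) { New-Item -Path $d.Path -Force | Out-Null }
        Set-ItemProperty -Path $d.Path -Name $d.Key -Value $d.Expected -Type DWord
    }
}
function Undo-ConfigDrift {
    # Restore the values captured by Repair-ConfigDrift; a key that was absent is removed again
    foreach ($d in (Get-Content $RollbackFile | ConvertFrom-Json)) {
        if ($d.Key -eq 'EnableSMB1Protocol') { Set-SmbServerConfiguration -EnableSMB1Protocol $d.Actual -Force }
        elseif ($null -eq $d.Actual) { Remove-ItemProperty -Path $d.Path -Name $d.Key -ErrorAction SilentlyContinue }
        else { Set-ItemProperty -Path $d.Path -Name $d.Key -Value $d.Actual -Type DWord }
    }
}
Get-ConfigDrift | Format-Table -AutoSize   # review the drift, then Repair-ConfigDrift (Get-ConfigDrift)
```

Running the audit across a fleet and shipping the drift table to a ticketing or SIEM integration gives the continuous detection the post calls for; keeping the snapshot per device is what makes the remediation safe to reverse.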
Reconfiguration
Once misconfigurations are identified, the next hurdle is remediation. This phase often involves a complex web of stakeholders. Security teams focus on pinpointing exploitable risks, while the responsibility for closing these gaps falls on the shoulders of SecOps, infrastructure teams, and IT operations.
This siloed approach can lead to conflicts, as the latter groups are often reluctant to implement changes, fearing they might inadvertently disrupt operations. In some cases, there might simply not be enough resources, time, or clarity on how to effectively close these gaps. This fragmented process can hinder the timely resolution of misconfigurations and leave the organization exposed to potential security risks.
A holistic approach to configuration security
To address these challenges, the NHS relies on the Data Protection and Security Toolkit (DPST), governed by NHS Digital. This toolkit emphasizes configuration security, which includes:
- Understanding configurable items and employing baseline and last known good builds.
- Managing change and validation processes.
- Whitelisting software and automating decision-making.
- Regular patching and maintenance of operating systems and software.
The NHS aligns its practices with guidance from the National Cyber Security Centre (NCSC), particularly its “10 Steps to Cyber Security.” Secure Configuration is a crucial component of these guidelines, aiming to make compromise and disruption more challenging for attackers. NCSC provides recommended configurations for various platforms, including Android, Chrome OS, iOS, macOS, Ubuntu, and Windows.
“Applying secure configurations to servers and end-user devices to restrict the options available to an attacker”
Real-time guidance
One limitation is that these configuration guidance documents are not always up to date. For instance, as of the last available information:
- MacOS guidance was last updated in August 2021.
- Ubuntu guidance was last updated in April 2023.
- Windows guidance was last updated in May 2022.
To effectively manage configuration and remediation, the NHS requires solutions that offer:
- Continuous monitoring of all devices for configuration risks.
- Visibility into the potential impact of remediation actions.
- Automated remediation processes.
- Rollback capabilities for safety.
- Integration with IT operational workflow tools, including ticketing systems.
Technology to help bridge the gap
GYTPOL is a security assurance platform focusing on endpoint configurations. It empowers both Security and IT teams to harden devices and ensure that their PCs, laptops and servers are compliant with defined policies (regardless of the operating system). Platform functionality includes:
- Continuous detection
- Push-button zero-risk remediation
- Auto re-apply (for new or newly misconfigured devices).
- Rollback on demand
- Task scheduling (to coordinate remediation with scheduled maintenance)
- Seamless API integration with SIEM, ticketing systems and other tools
- Ongoing exposure research and system enrichment
Conclusion
In an era marked by escalating cyber threats, the NHS’s commitment to secure configuration management and remediation is pivotal. By leveraging tools like GYTPOL and aligning with industry guidelines, the NHS can proactively address misconfigurations, reduce risks, and safeguard patient data effectively. In doing so, they exemplify their dedication to providing secure and efficient healthcare services.
Analysing the manual effort saved through automation with GYTPOL, the typical productivity yield is between 2 and 4 hours per device, which significantly reduces the cost of ownership and delivers a considerable ROI.
Moreover, GYTPOL doesn’t stop at just managing configurations and remediation. It also offers proactive protection against zero-day vulnerabilities, a critical feature in the context of today's vulnerability bonanza.
About Author
Jake Dillon
Senior Account Director for the UK and Ireland, Jake is a passionate sales leader and full-time techie. Jake has a long and well-established record of success solving enterprise problems and selling cybersecurity.