British Library cyber attack – lessons learned


On 8 March 2024, The British Library published a report on the ransomware attack that they suffered in October 2023. The report follows an extensive forensic investigation by the Library, examines the implications of the attack, and highlights lessons learned. Credit to The British Library for their transparency, and willingness to help others learn from their experience. In this article, we will examine a few learning points from the report and consider how organisations can better secure themselves against cyber-attack.

Infrastructure

According to the report, the nature of The British Library's infrastructure contributed to the severity of the attack's impact in two specific ways:

  • The historically complex network topology allowed the attackers wider access to the network than would have been possible in a more modern network design, allowing wider compromise of systems and services.

So what? Properly applied network segmentation and access control, with monitoring of the traffic that crosses segment boundaries, would reduce an attacker's ability to traverse the network freely and limit how far a single compromised host can reach.

  • Reliance on legacy infrastructure is the primary contributor to the length of time that the Library will require to recover from the attack.

So what? These legacy systems will in many cases need to be migrated to new versions, substantially modified, or even rebuilt from the ground up, either because they are unsupported and therefore cannot be repurchased or restored, or because they simply will not operate on modern servers or with modern security controls.

Processes & Systems

The terminal server was protected by firewalls, but access was not subject to Multi-Factor Authentication (MFA). It is considered likely that the absence of MFA contributed to the attackers' ability to enter the system via this route. The absence of MFA within domain services in the estate had been identified and classed as a mitigated risk, but the consequences were under-appraised.

The Library’s monitoring software intervened in some, but not all, intrusions and so the need for enhanced intrusion detection has been recognised. Older defensive software on the Library’s server estate was unable to resist the attack, but this is now being replaced in the new infrastructure that is being rolled out.

So what? Enforce MFA on every remote-access path, not only on the internet-facing perimeter, and keep endpoint and server defences current so that monitoring can intervene in every intrusion rather than some. Beyond prevention, comprehensive business continuity plans need to be understood and regularly rehearsed so that everyone involved knows what to do in the event of an outage of all systems. Implementing a robust and resilient backup service as part of the plan is also a worthwhile investment.
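The segmentation and terminal-server points above describe the kind of monitoring the report found lacking: an RDP session reaching a terminal server from a segment that should never be able to open one, or succeeding shortly after a run of failed logons, is exactly what an MFA-less remote-access path exposes. The following is an added example, not code from the report or the Library, of detection logic over constructed Windows Security events (4624 success, 4625 failure, logon type 10 = RemoteInteractive) exported as JSON lines. The host name TS01, the permitted jump-host subnet 10.10.50.0/24, the thresholds and all sample events are assumptions for illustration.

```python
import ipaddress
import json
from datetime import datetime, timedelta

# Assumed: the jump-host subnet is the only segment permitted to open RDP
# sessions to the terminal server. Constructed for this example.
ALLOWED_SOURCE_NETS = [ipaddress.ip_network("10.10.50.0/24")]
TERMINAL_SERVERS = {"TS01"}
REMOTE_INTERACTIVE = 10          # Windows logon type 10 = RDP / RemoteInteractive
FAILURE_THRESHOLD = 3            # failures before a success becomes suspicious
FAILURE_WINDOW = timedelta(minutes=5)

# Constructed sample of Windows Security events as JSON lines. Not real data.
SAMPLE_EVENTS = """\
{"EventID":4624,"Computer":"TS01","LogonType":10,"TargetUserName":"jsmith","IpAddress":"10.10.50.12","TimeCreated":"2023-10-28T07:55:10Z"}
{"EventID":4625,"Computer":"TS01","LogonType":10,"TargetUserName":"admin","IpAddress":"198.51.100.23","TimeCreated":"2023-10-28T08:01:05Z"}
{"EventID":4625,"Computer":"TS01","LogonType":10,"TargetUserName":"admin","IpAddress":"198.51.100.23","TimeCreated":"2023-10-28T08:01:09Z"}
{"EventID":4625,"Computer":"TS01","LogonType":10,"TargetUserName":"admin","IpAddress":"198.51.100.23","TimeCreated":"2023-10-28T08:01:14Z"}
{"EventID":4624,"Computer":"TS01","LogonType":10,"TargetUserName":"admin","IpAddress":"198.51.100.23","TimeCreated":"2023-10-28T08:01:20Z"}
{"EventID":4624,"Computer":"FS01","LogonType":3,"TargetUserName":"svc_backup","IpAddress":"10.10.20.5","TimeCreated":"2023-10-28T08:10:00Z"}
{"EventID":4624,"Computer":"TS01","LogonType":10,"TargetUserName":"bjones","IpAddress":"10.10.70.9","TimeCreated":"2023-10-28T08:30:00Z"}
"""


def parse_events(text):
    """Parse JSON lines into dicts with a datetime, oldest first; skip blanks."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        ev["TimeCreated"] = datetime.strptime(ev["TimeCreated"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(ev)
    return sorted(events, key=lambda e: e["TimeCreated"])


def in_allowed_segment(ip, allowed=ALLOWED_SOURCE_NETS):
    """True if the source address sits inside a segment permitted to reach the server."""
    try:
        addr = ipaddress.ip_address(ip)
    except ValueError:          # malformed or missing address: treat as not allowed
        return False
    return any(addr in net for net in allowed)


def detect(events, terminal_servers=TERMINAL_SERVERS, allowed=ALLOWED_SOURCE_NETS):
    """Return a list of findings for remote-interactive logons to terminal servers."""
    findings = []
    recent_failures = {}    # (computer, source ip) -> times of failed logons
    for ev in events:
        if ev["Computer"] not in terminal_servers or ev["LogonType"] != REMOTE_INTERACTIVE:
            continue
        key = (ev["Computer"], ev["IpAddress"])
        t = ev["TimeCreated"]
        if ev["EventID"] == 4625:
            recent_failures.setdefault(key, []).append(t)
            continue
        if ev["EventID"] != 4624:
            continue
        base = {"user": ev["TargetUserName"], "source": ev["IpAddress"],
                "host": ev["Computer"], "time": t.isoformat()}
        # Rule 1: an RDP session from a segment that should not reach the server
        # at all, which segmentation plus firewalling should have prevented.
        if not in_allowed_segment(ev["IpAddress"], allowed):
            findings.append(dict(base, rule="rdp_from_unexpected_segment"))
        # Rule 2: success shortly after repeated failures from the same source,
        # the pattern a guessed or sprayed password produces when no MFA is required.
        fails = [f for f in recent_failures.get(key, []) if t - f <= FAILURE_WINDOW]
        if len(fails) >= FAILURE_THRESHOLD:
            findings.append(dict(base, rule="success_after_repeated_failures",
                                 failures=len(fails)))
        recent_failures[key] = []   # a success closes the current failure run
    return findings


def run_sample():
    return detect(parse_events(SAMPLE_EVENTS))


if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

On the constructed sample this produces three findings: the "admin" logon from 198.51.100.23 trips both rules, and the "bjones" logon from 10.10.70.9 trips rule 1 alone, which is the segmentation failure in practice: an ordinary workstation subnet that can open RDP to the terminal server directly. The file-server logon is ignored because it is neither a terminal server nor a remote-interactive session. In a real estate the allowed networks and host list would come from the network design documents, and the same two rules can be expressed in whichever SIEM query language is in use.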

Organisational

The Library recognises that, although it had security measures in place prior to the attack, there is much that it could have understood better and prioritised differently. A lack of detailed understanding of its systems, and the complexity of the services the Library offers, led to sub-optimal decision-making. Other organisational considerations include:

  • Prioritising the essential modernisation of the IT estate.
  • Implementing a holistic approach to cyber security and cyber risk.
  • Correct risk management modelling of lower-level risks.
  • Greater understanding and buy-in from senior management with regards to cyber-risk to allow optimised strategic investment in the areas that most require it.
  • Collaborating with sector peers to stay informed of best practices and common threats.
  • Implementing and maintaining Government standards such as Cyber Essentials Plus and ensuring the IT estate is maintained to retain the relevant accreditation.

Human Factors

Cyber security is not just about firewalls and network defences; organisations are made up of people, and everyone has a part to play. A few learning points have emerged from the report that other organisations may wish to consider:

  • Post incident, the Library has determined there is a need for a cultural change across different parts of the organisation with regards to cyber security. As such, was there a lack of buy-in to cyber security as a natural way of business prior to the attack?
  • The Library has had difficulty attracting and retaining sufficient IT talent. Post-incident it recognises the need to grow capacity and skills in high-demand IT areas, and to pay competitively in order to attract and retain staff.
  • The technology department was overstretched, and reliance on third-party contractors widened the attack surface: contractors' exposure to, and access to, systems was inconsistent, raising the risk of compromise.
  • There was a lack of understanding of the potential risks faced. Greater investment is needed in staff training on evolving risks, together with a review of the policies and guidance on acceptable personal use of IT.

How can Arcanum help?

Our team of cyber security consultants can assist your organisation to improve your cyber security posture and build a greater understanding of the points raised above. The British Library cited the importance of Cyber Essentials Plus as part of their improvement plan. As a Cyber Essentials Plus certification body, we can not only provide you with certification, but also guide you to ensure your organisation is best placed to defend against cyber threats. Get in touch to find out more.