Thoughts on the British Library's Cyber Incident Review

Earlier this month, the British Library published a review of the cyber incident it suffered in October 2023. It is a comprehensive and transparent account of the ransomware attack the library faced, shedding light on details such as the suspected point of entry and the attackers' methodology, in the hope that other organisations take on board the library's lessons learnt and adequately secure themselves against similar threats.

There were a few aspects of the incident that piqued my interest from a cyber security perspective, so I thought I'd share some of my thoughts here whilst highlighting some of the points raised in the review.

The risk of legacy systems

"Major software systems cannot be brought back in their pre-attack form"

The reason is that these legacy systems were no longer supported by their vendors. This poses a question for organisations holding equally vast amounts of data on unsupported software: is it worth the effort to migrate all of that data onto newer software, especially if the existing systems have been serving their purpose without issue?

The risk is that once software is unsupported, security updates are no longer applied, leaving a growing list of vulnerabilities that attackers can exploit. The security controls that can be put in place around such systems are naturally limited, and the number of unpatched vulnerabilities will only grow over time.

The legacy and 'historically complex' state of the library's infrastructure is also what allowed the attackers wider access, owing to the lack of segregation that a modern infrastructure would have in place.

However, the library's existing security measures were not futile: one of the software systems it had implemented successfully prevented the attack from affecting laptops and PCs. It was the older software on the servers that lacked the capability to resist the attack.

Whether to keep or upgrade legacy systems is a genuinely contentious topic, but regardless of the choice to leave them as they are or to upgrade, the security surrounding these systems should always be treated as a top risk by any organisation.

The importance of MFA and universal cyber awareness

Considering how the attackers initially gained entry: the first detected unauthorised access was via a server put in place for trusted external partners and internal IT admins, with accounts holding various levels of access up to privileged administrator. Notably, these accounts did not have Multi-Factor Authentication (MFA).

Evidence suggests one of these accounts was compromised via either phishing or a brute-force attack. The lack of MFA had been flagged as a risk prior to the incident, and if brute force was indeed the method used, MFA would have acted as a defensive measure.

With phishing being the other potential avenue by which the attackers gained privileged access to the estate, it must be emphasised that all individuals must stay vigilant and cyber aware, especially third parties such as suppliers and maintenance contractors, who often have higher levels of access than the typical user.
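Both of the points above (a brute-force attempt against an externally reachable admin server, and privileged accounts lacking MFA) are things a defender can look for in routine monitoring. The script below is an added example written for this post, not code from the British Library or its review. It assumes a syslog-style authentication log format and an account inventory with `privileged` and `mfa` fields, both constructed here; it flags any source that fails repeatedly against one account inside a short window (and whether a successful login followed), and lists privileged accounts without MFA.

```python
"""Added example: detect password-guessing bursts on an external-access server
and list privileged accounts without MFA. Log format, account fields and all
sample data are constructed assumptions, not data from the review."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log lines in an assumed syslog-style format.
# 198.51.100.0/24 and 192.0.2.0/24 are documentation address ranges.
SAMPLE_LOG = """\
2023-10-26T02:14:01Z auth-srv sshd: Failed password for svc_partner from 198.51.100.7
2023-10-26T02:14:03Z auth-srv sshd: Failed password for svc_partner from 198.51.100.7
2023-10-26T02:14:05Z auth-srv sshd: Failed password for svc_partner from 198.51.100.7
2023-10-26T02:14:06Z auth-srv sshd: Failed password for svc_partner from 198.51.100.7
2023-10-26T02:14:08Z auth-srv sshd: Failed password for svc_partner from 198.51.100.7
2023-10-26T02:14:09Z auth-srv sshd: Failed password for svc_partner from 198.51.100.7
2023-10-26T02:14:11Z auth-srv sshd: Accepted password for svc_partner from 198.51.100.7
2023-10-26T02:20:00Z auth-srv sshd: Failed password for it_admin from 192.0.2.10
2023-10-26T09:00:00Z auth-srv sshd: Accepted password for it_admin from 192.0.2.10
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd: (?P<result>Failed|Accepted) password for "
    r"(?P<user>\S+) from (?P<src>\S+)$"
)


def parse_log(text):
    """Parse log lines into (timestamp, result, user, source) tuples,
    skipping lines that do not match the assumed format."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events


def detect_bursts(events, threshold=5, window=timedelta(minutes=1)):
    """Sliding-window detector: alert when one source fails `threshold` times
    against one account within `window`. Each alert records the first failure
    and whether a successful login from that source followed, which is the
    case a responder most wants to see."""
    recent = defaultdict(deque)   # (user, src) -> timestamps of recent failures
    alerts = {}
    for ts, result, user, src in sorted(events):
        key = (user, src)
        if result == "Failed":
            q = recent[key]
            q.append(ts)
            while q and ts - q[0] > window:   # drop failures outside the window
                q.popleft()
            if len(q) >= threshold and key not in alerts:
                alerts[key] = {"first_failure": q[0], "success_after": False}
        elif key in alerts:                   # a success after an alert
            alerts[key]["success_after"] = True
    return alerts


# Constructed account inventory with assumed fields.
ACCOUNTS = [
    {"name": "svc_partner", "role": "external partner", "privileged": True, "mfa": False},
    {"name": "it_admin", "role": "internal IT admin", "privileged": True, "mfa": False},
    {"name": "reader01", "role": "standard user", "privileged": False, "mfa": True},
]


def privileged_without_mfa(accounts):
    """Names of privileged accounts that have no MFA enrolled, sorted."""
    return sorted(a["name"] for a in accounts if a["privileged"] and not a["mfa"])


if __name__ == "__main__":
    for (user, src), info in detect_bursts(parse_log(SAMPLE_LOG)).items():
        print(f"ALERT {user} from {src}: burst from {info['first_failure']}, "
              f"success afterwards: {info['success_after']}")
    print("Privileged accounts without MFA:", privileged_without_mfa(ACCOUNTS))
```

The threshold and window are deliberately simple; in practice they would be tuned per service, and the output would feed a SIEM rule rather than a print statement. The pairing matters: a burst followed by a success against an account that has no MFA is exactly the combination the review describes as the suspected entry route.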

Backups for resilience and the future

The British Library had backups of its corporate and collection data which were unaffected by the attack: a reminder of the importance of segregated backups for recovery purposes. Segregated means that the backups are separated from their source systems, so that if a cyber attack compromises the original data, the backups cannot be affected as a consequence.

In its public document, the British Library sets out its crisis response and recovery procedures, including the key personnel who have been engaged. Additionally, it has kept its staff and customers supported and informed throughout. Despite the circumstances, the library has made clear that it intends to use this opportunity to the fullest to renew, modernise and secure its technology infrastructure, to the benefit of its existing and future customers.

The British Library did not pay any ransom, and it reminds the public, including any ransomware gangs, that not paying is the response the NCSC strongly advises for this type of incident.

Mia Ong

Cyber Security Consultant at Atkins

12 months

Read the British Library's Cyber Incident Review here: https://www.bl.uk/home/british-library-cyber-incident-review-8-march-2024.pdf