I realize my view on whether it is ever okay to pay #ransom in a #hackandleak situation is contentious.
-
RE: https://infosec.exchange/@amvinfe/116567370386921171
I realize my view on whether it is ever okay to pay #ransom in a #hackandleak situation is contentious. Great thanks to @amvinfe for asking me to articulate my views. #incidentresponse #mitigation #responsibility #ethics
-
@PogoWasRight @amvinfe Nowadays even having common sense is contentious. I tell my customers to never pay ransom and, should they ever do, to leave me completely out of it.
-
@PogoWasRight @amvinfe There may be exceptions, where I would perhaps judge differently.
An example is: Someone will die if I don't pay up. But I have never seen those in cybercrime.
Guideline should be like: Would you rob a bank (commit a crime, put others at risk) for your harm to be reduced?
I would not do that to save my company, but if my wife's life were at risk?
-
@masek If the sole reason for paying is to reduce harm to the company or entity, then I tend to agree with you.
But let's look at the Instructure situation. It was a #hackandleak situation with data that is not particularly valuable, so why pay, right?
But then the attackers escalated and disrupted Finals week for tens of thousands of schools and millions of students.
And if Instructure hadn't paid, would ShinyHunters keep attacking them and disrupting their ability to provide the software schools rely on? My bet is that they would have.
When Instructure paid, I viewed it as them paying to stop the attacks more than to (just) allegedly delete data.
And that was not to reduce harm to the business, although Lord knows, their reputation was taking quite a hit, but paying reduced the disruption and harm to the students and teachers and schools.
And I'm okay with that. Does the payment reward criminals and make more crime more likely? Maybe. But even if the answer is "definitely," the company had a duty to mitigate harm to those who entrusted them with their data. And if that means paying, then their first duty is still to the ultimate victims and not to other companies.
I feel even more strongly when the target is a healthcare entity and patient services are delayed, or emergency services are diverted elsewhere.
I know, I know... some people probably hate me for this opinion. To those who disagree with me strongly:
Change my mind. And show me some actual data about how often some gangs do or do not keep their word.
-
@PogoWasRight @amvinfe @euroinfosec Counter-question: Do you believe that this averted more ill than it will cause in the long run?
I don't think so.
I understand the dilemma the decision makers were in. I would have probably argued against paying, but I don't know the full details and have a safe emotional distance.
Were the potential troubles for others the main reason for paying up, or did they secretly hope it would save their own asses?
If a significant part of the ransom came from the execs, that would be an indicator that avoiding ill was the main reason.
-
@masek @PogoWasRight @euroinfosec
I agree with @PogoWasRight on certain points that, in my view, are quite straightforward.
Let’s start from the premise that, in the vast majority of cases, the affected entities do not adequately protect their data - any kind of data. And here lies the strict liability of those who, on the contrary, should have ensured its security.
If a cybercriminal claims to be in possession of exfiltrated data, they generally also provide proof files and a file tree. Consequently, if the attacker’s claims are true, the affected entity is already aware of both the volume of the exfiltrated data and its nature.
Third point: a data breach always causes harm. Personally, I wouldn’t dwell too much on the damage suffered by the affected entity; I’m much more interested in the consequences that damage causes - or could cause - to “indirect victims” (students, school staff, patients…), that is, all those people who have entrusted their data and their trust to third parties such as schools, universities, hospitals, and other organizations. Of course, we can also assess the severity of the damage on a scale of 1 to 10, but the damage remains nonetheless, and when personal data is exposed, the perception of severity is always subjective.
The fact remains, however, that if a person entrusts sensitive data to a third party, that party has not only a legal obligation to protect it without any negligence but also a moral duty to prevent someone’s private life from being publicly exposed.
Finally, I find the behavior of numerous entities affected by cyberattacks involving data exfiltration and encryption to be very disappointing: they often inform the “indirect victims” only after many months and, in some cases, even years later.