[HN Gopher] New Ransomware Reporting Rules for US Financial Inst...
___________________________________________________________________
New Ransomware Reporting Rules for US Financial Institutions
Author : keydutch
Score : 65 points
Date : 2021-11-19 08:09 UTC (14 hours ago)
(HTM) web link (www.cpomagazine.com)
| indymike wrote:
| I like the idea of a payment ban because it will force most
| companies to look at the systems that should be in place to
| prevent attacks. So many companies don't have working backups,
| and have not partitioned their systems in ways that prevent an
| attack (or accident, or corruption) from spreading from system to
| system. The disappointment is real when you tell the ransomware
| guy, "We're not paying. We just restored from backup."
| RattleyCooper wrote:
| >The disappointment is real when you tell the ransomware guy,
| "We're not paying. We just restored from backup."
|
| Worked at a trucking company as a software dev and this exact
| thing happened. Got hit with ransomware attack but our IT team
| had daily backups of EVERYTHING. This was when ransomware was
| first "taking off" and they weren't even 100% sure if the
| attack was real.
|
| I wish I got to see the ransomware's operator's reaction, but I
| honestly feel like they probably had enough people falling for
| it so I doubt they really got that upset.
| aaomidi wrote:
| The US stole money and resources from developing countries to get
| to where it is. Now the US is realizing they can get fucked as
| well. On a far far far smaller scale.
|
| Watching the government and people freak out about this has been
| very amusing.
| crate_barre wrote:
| The irony of all of this is that the finance industry is
| providing all the liquidity for bitcoin so that their ransomware
| payments are actually worth something.
| ryanlol wrote:
| There's no irony here.
|
| Ransomware would keep going if cryptocurrency disappeared
| tomorrow, these people have the infrastructure to receive and
| launder huge wire transfers.
|
| Even the far less sophisticated African groups manage that,
| read the Hushpuppi indictment for an example.
| pas wrote:
| can you please provide a tldr on that wire transfer
| laundering thing? :o
| ryanlol wrote:
| There's a vast industry of people supplying services to
| cash out illicit wire transfers. The complexity depends on
| the amount.
|
| For individual amounts below 20-30k (craigslist scams, etc)
| you'll be looking at personal bank accounts, usually
| created with fake IDs, but also sometimes using victims of
| various hiring scams. The fees you pay will largely depend
| on the country: around 50% for US accounts, 20% or so for
| EU/UK accounts.
|
| For slightly bigger amounts (fancier craigslist scams, BEC)
| up to a quarter million or so, you'll see lots of pretty
| plain corporate accounts. The fees remain pretty much the
| same.
|
| For the huge amounts (pretty much just BEC) like 5 million
| usd or more it starts to get complicated. At this point you
| begin to see offshore accounts for the first time, Hong
| Kong or just straight up PRC. But anything is possible,
| even US accounts can be arranged. Often someone will take
| over an existing business and their bank accounts, and then
| quickly run millions through them. At this level it's hard
| to give an estimate on the fees, they are negotiable.
| tata71 wrote:
| Everywhere not the US & allies
| ryanlol wrote:
| Bullshit, these people have US and Canadian corporate
| accounts capable of cashing out millions at a time.
|
| You can easily get thousands of US personal accounts at
| short notice if you need them.
| toolz wrote:
| Ransomware predates crypto. It does not rely on crypto, crypto
| just has some superior characteristics which make it attractive
| to both legal and illegal ventures. Criminals regularly adopt
| new tech faster than businesses as they are naturally less risk
| averse. The implication that someone or some industry is acting
| antisocial simply because they utilize a tech that criminals
| also utilize is short sighted.
| MereInterest wrote:
| Sporadic instances of ransomware predate cryptocurrencies.
| However, ransomware didn't start becoming dominant until the
| early 2010s, with the rise of Bitcoin. Before then, building
| a botnet was the profit motive for most viruses.
| toolz wrote:
| Ransomware might end up costing in the hundreds of billions
| a year (according to some random security blog I googled
| just now, point is there's a lot of money at risk here).
| Are you implying that without an easier way to move wealth
| around criminals are just going to leave billions on the
| table? Seems unlikely given today's criminal landscape of
| global sex trafficking among other far more difficult
| crimes to pull off than moving fiat around undetected.
|
| I'm sure it's just a vocal minority but this implication I
| keep happening across that ransomware would drastically
| decrease without crypto around seems rather obviously
| false. As mentioned, sex trafficking still exists in high
| quantities and possibly affects less money than ransomware.
| Certainly both types of crime move billions of dollars
| yearly.
|
| edit: further - I would suggest trying to shame people out
| of their desire to buy crypto is as fruitless as the war on
| drugs. Crypto is here and it's here to stay. It's every bit
| as impossible (if not more) to regulate out of existence as
| drugs. If this is true, it seems rather toxic to blame
| (implied or otherwise) the prosocial players in crypto
| (which represent the _vast_ majority) for the bad apples.
| marcosdumay wrote:
| > Are you implying that without an easier way to move
| wealth around criminals are just going to leave billions
| on the table?
|
| That's what they did before that way to move wealth
| appeared.
|
| And by the way, it didn't increase because bitcoin is
| easy to collect, but because it's easy to trace. Before
| bitcoin, the ransomware author would never actually
| decrypt the data after they were paid. That's the main
| difference that made the scam explode.
|
| Anyway, yes, it's fruitless to argue people into not
| using bitcoin. It being the cause of something bad does
| not lead immediately to policy viability.
| ryanlol wrote:
| >That's what they did before that way to move wealth
| appeared.
|
| What are you basing this on? It doesn't line up with
| reality.
|
| Zeus (and SpyEye) gangs were very successful in stealing
| huge amounts long before cryptocurrency was a thing.
| Sure, those techniques have evolved. BEC is easier, earns
| more money than ransomware. Yet, somehow, the evolution
| of BEC has no obvious link with cryptocurrency.
| ARandumGuy wrote:
| Before cryptocurrency, how was a ransomware attacker
| supposed to get paid without immediately getting caught
| by authorities? Bank transfers or checks don't work,
| because a bank account contains a bunch of contact
| information that law enforcement can access. Western
| Union or gift cards can work, but they have practical
| transfer limits, putting a cap on the amount of money an
| attacker can receive. There's always cash, but that
| requires the attacker to go to a specific place, which is
| very risky.
|
| Ransomware attacks can certainly happen without
| cryptocurrency. However, there was no practical way for
| criminals to get multi-million dollar payouts previously.
| This payout potential changes the attack risks
| significantly. Few criminals will bother to target
| hospitals or gas pipelines if all they can get is a few
| thousand dollars worth of gift cards.
| ryanlol wrote:
| Google winlockers, they were plentiful before the
| "ransomware" term became popular. Ransomware was already
| booming when cryptocurrency first hit the cybercrime
| scene after the Liberty Reserve seizure.
|
| Gift cards were a common method of cashing out, you can
| anonymously cash out millions of those at around 80% of
| face value. IRS scammers still use gift cards for this
| reason.
|
| > However, there was no practical way for criminals to
| get multi-million dollar payouts previously.
|
| This is just bullshit. Read up on Zeus, SpyEye and
| various contemporary BEC gangs.
|
| Read up on the craigslist scammers stealing billions
| selling non existent cars.
| ARandumGuy wrote:
| I'm not disputing that before cryptocurrency people made
| a lot of money stealing, scamming, and hacking people.
| And people will continue to do so as long as we have
| money and computers.
|
| What's new is demanding millions of dollars in ransom
| against large companies and organizations. This is a
| fundamentally different scale than locking grandma's
| computer and demanding some iTunes gift cards. Without
| cryptocurrency, most "ransomware" relied on getting a
| small amount of money from a lot of victims. These high
| profile attacks rely on getting a lot of money from a
| single victim. _That's_ what changed with
| cryptocurrency.
|
| > Read up on Zeus, SpyEye and various contemporary BEC
| gangs.
|
| I spent a bit of time reading up on those, and none of
| those seem like ransomware to me. Ransomware involves
| locking down a computer (or group of computers), then
| demanding a ransom to unlock it. That's a different
| attack than stealing bank account information or social
| engineering scams.
| ryanlol wrote:
| > That's what changed with cryptocurrency.
|
| Do you have any evidence to suggest that cryptocurrency
| was the driving force here, rather than just natural
| evolution of ransomware operations? I don't believe so.
|
| Winlockers blew up right before cryptocurrency showed up,
| the early ones were very unsophisticated but hugely
| profitable. I believe they would have naturally evolved
| towards bigger payments even without cryptocurrency, it's
| easier to process the occasional wire for $10M than to
| process tens of thousands of payments for $100.
|
| I've never seen anyone actually familiar with the
| cybercrime market try to argue that cryptocurrency is a
| driving factor behind ransomware. You hear it from
| apparently highly qualified "infosec professionals", but
| most of those people have never interacted with this
| scene.
|
| > I spent a bit of time reading up on those, and none of
| those seem like ransomware to me. Ransomware involves
| locking down a computer (or group of computers), then
| demanding a ransom to unlock it. That's a different
| attack than stealing bank account information or social
| engineering scams.
|
| Of course, the point was about their ability to receive
| huge payouts pre-cryptocurrency. Ransomware groups
| wouldn't have any trouble accepting tens of millions of
| usd by wire transfer, especially since they can penalize
| the company if the money doesn't land.
|
| Oh yeah, check this out https://twitter.com/malwaretechbl
| og/status/14010033030858752...
| noduerme wrote:
| I think forced reporting is a great idea, and a payment ban is an
| excellent idea. Here's why. A rational and responsible company
| that had invested wisely in its own IT infrastructure should not
| be under threat of a ransomware attack. If proper measures have
| been taken and they _do_ come under attack, they should call on
| law enforcement to track down the adversary and call on public
| resources to mitigate the attack, all of which costs taxpayer
| money.
|
| As it stands, companies have incentive to cover up attacks
| because they won't invest in proper security. To an individual
| company, that's shortsighted and costly; to the country, in
| aggregate, it's both a national security threat and a huge drain
| on public and private resources which end up going to the worst
| possible place - to bolster scammers abroad.
|
| The government is well within its right to prevent large cash or
| crypto transfers overseas, even in normal circumstances. Ringing
| this bell will force more companies to take measures to shore up
| their rickety systems.
|
| There are 6-figure jobs aplenty out there to go into ABC Valve
| Manufacturing, rip out all their Win95 boxen and tell them what
| to buy, set it up and secure it for them.
| ideksec wrote:
| While I agree with the sentiment around not paying, I don't
| think it's as simple as that. Calling on law enforcement to
| "track down the adversary" is not easy, and when you track it
| back to a random Russian cybercrime group what can you do with
| that information?
|
| A lot of these payments are not fortune 500 companies with
| unlimited IT budget, it's small or medium businesses with a 3
| person IT team. Should they have proper off-site backups? Yes.
| Should we just let these companies go out of business until
| organizations learn their lesson? I would say no.
|
| I really like the idea of making payment more difficult and
| mandating organizations to report these incidents. You're
| correct, companies do have the incentive to cover things up.
| Banning payment won't stop that.
|
| I'm interested to see how people will circumvent this if the
| bill passes. If you pay a third-party company who "deal with
| the issue" on your behalf, all under legal privilege of course,
| would you still need to report?
| noduerme wrote:
| I'm a one-man IT show for a few small- and mid-sized
| companies, and I had to manage an incident a few years ago
| where one of the companies was taken down for several days
| under a massive DDoS attack. This was accompanied by a ransom
| email to me. I disclosed the email to the company owner and
| he asked if we should pay it. I told him I wouldn't pay it if
| he ordered me to. I was sleeping on the floor for an hour at
| a time - the host handling the dedicated server basically
| said we had to go and threatened me that I would have to pay
| for their downtime, and the attack was large enough to shut
| down their connection to the transatlantic cable, so I had to
| fight around it for 48 hours while trying to quietly
| exfiltrate our data off the server through another one I had
| in Europe at the moments I could connect. I was contacted by
| the FBI and ultimately they found the assailants and one of
| the people behind it went to prison for a couple years; I got
| a judgment against him for my cost mitigating the attack
| (although it's symbolic, obviously. I'm sure I won't see a
| dime of it). He was just some schmuck in Florida.
|
| TL;DR - if everyone refused to pay there would be no profit
| in it. And if everyone had to have IT staff who were
| competent, or worry about being fined for malfeasance, there
| would be no question of paying a third party to deal with
| something quietly. It's right and proper that authorities get
| involved. Even if they do find it's some troll farm in
| Russia, they can sanction and block in a way that small
| companies cannot. It's one of those situations where you
| stand together or die separately.
| FDSGSG wrote:
| >if everyone refused to pay there would be no profit in it
|
| Of course it's very saintly of you to refuse to pay, but
| often not paying is a very bad business decision. You can
| be sure that enough people will pay for your refusal to not
| make any difference.
| Tuna-Fish wrote:
| > Of course it's very saintly of you to refuse to pay,
| but often not paying is a very bad business decision. You
| can be sure that enough people will pay for your refusal
| to not make any difference.
|
| And this is something where the law can help. Paying a
| ransom in these kinds of situations needs to be a felony.
| The punishment needs to be dealt to everyone who acted or
| knew and didn't report, and it needs to be harsh enough
| that even in the worst cases people would rather call the
| cops and report than risk it. (Or, at least some employee
| in the organization would report it and save their own
| hide than risk it to protect their boss.)
|
| The ransomware crisis is really bad now, and it keeps
| getting worse. It will not stop getting worse until the
| money dries up. Small businesses cannot be expected to
| have the level of IT knowledge that they absolutely can't
| be hacked. The reason they weren't victimized before at
| this level was that the money wasn't there. There are
| enough places in the world where the authorities will
| look the other way (or actively cheer on the criminals),
| meaning this will not end until the flow of money is
| stopped.
|
| If you want to mitigate the losses caused by ransomware
| gangs, create a subsidized insurance system that helps
| the victims. Just, that insurance is not allowed to pay
| off the criminals, just help the business get back on
| its feet.
| FDSGSG wrote:
| Companies would still pay even if making ransomware
| payments was a felony. The ransomware gangs would not go
| away, companies would just have a bigger incentive to
| hide ransomware attacks.
|
| These groups aren't going to go away even if 95% of
| companies suddenly stopped paying, deploying ransomware
| costs next to nothing. There's also a huge incentive for
| ransomware actors to punish this sort of regulation.
|
| > The ransomware crisis is really bad now, and it keeps
| getting worse.
|
| How come everybody is crying about the "ransomware
| crisis", but you never hear about a "BEC crisis"? BEC
| losses are bigger than ransomware losses, and they keep
| getting worse.
| noduerme wrote:
| It wasn't for saintly reasons; I saw clearly that it
| would do no good. If we paid, there was no guarantee the
| attack wouldn't come back the next day. It would solve
| nothing - actually, it would be worse because it would
| put us at their mercy. If we couldn't overcome it, get
| back online and block the next attack, then I didn't
| deserve my job and the company would have been better
| without me. Paying wouldn't make the problem go away, it
| would have made it infinitely worse for me.
|
| So saintly? No way.
| Jach wrote:
| Still, the GP's point stands. Especially as attackers
| create a "brand" and establish trust -- if a few quick
| searches show other people reporting that they paid and
| things were restored, then you can bet people will feel
| much more at ease with the idea of paying and actually
| being left alone after. When a business depends on it,
| when data loss is at play instead of just downtime, even
| more so. People will pay.
| bluGill wrote:
| But if people don't pay the attackers give up on
| attacking the next target. By paying out you are
| rewarding the attackers for being evil.
| FDSGSG wrote:
| Yeah, but this is just completely detached from real life.
| Companies will always pay, even if you make it illegal,
| companies will still pay.
|
| Will fewer companies pay? Sure. Does it matter? No.
| Ransomware gangs wouldn't go anywhere even if their
| average payments got cut down by 90%, and the stuff they
| might switch to (BEC) isn't going to go away either.
| bluGill wrote:
| Maybe, but even if just a few don't pay, they will do
| other things. The attacks ransomware uses will become
| harder and harder to exploit. (already it is a lot harder
| than 20 years ago). More things will be invented to
| prevent them in the first place. Maybe formal proofs of
| all code? There are a lot of things that companies who
| aren't going to pay will start demanding of their vendors
| who they will pay.
| FDSGSG wrote:
| > Maybe, but even if just a few don't pay, they will do
| other things
|
| You're joking. There are already many who don't pay,
| payment rates could fall by 90% and it wouldn't slow them
| down a bit. You clearly have no idea how hugely
| profitable ransomware is.
|
| If fewer companies pay, the ransomware operations will
| just scale up their customer support teams and further
| automate deployment. This really isn't going to be a
| problem for them.
|
| > Maybe formal proofs of all code? There are a lot of
| things that companies who aren't going to pay will start
| demanding of their vendors who they will pay.
|
| Haha. Funny. Have you ever worked with formal proofs in a
| software context?
| bluGill wrote:
| > There are already many who don't pay, payment rates
| could fall by 90% and it wouldn't slow them down a bit.
| You clearly have no idea how hugely profitable ransomware
| is.
|
| You misunderstand. Those who don't pay still have the
| problem. They will invest in solutions. Some (like good
| well tested backups) only affect them, but others like
| hardening software make it harder for ransomware to get
| anyone in the first place.
|
| > If fewer companies pay, the ransomware operations will
| just scale up their customer support teams and further
| automate deployment. This really isn't going to be a
| problem for them.
|
| True. Though the fewer companies that pay, the more
| examples of not paying get out there and so the more
| likely it is other companies will get good protection for
| themselves.
|
| Probably not enough to really affect profits too much,
| but still helpful to limit the amount of investment "big
| evil" can afford to do.
|
| > Have you ever worked with formal proofs in a software
| context
|
| Just a little bit. I'm looking to work with them more
| because for my area quality is important and we have
| reached the limits of what unit and manual testing can
| do. (but not the limits of other automatic code analysis
| which I'm also looking into)
| FDSGSG wrote:
| >You misunderstand. Those who don't pay still have the
| problem. They will invest in solutions. Some (like good
| well tested backups) only affect them, but others like
| hardening software make it harder for ransomware to get
| anyone in the first place.
|
| Even those who pay are also investing in solutions, but
| the reality is that throwing money at this isn't going to
| make ransomware go away. Billions have been poured into
| this, and billions more will follow. What does that money
| get us? Mostly snake oil antivirus products, and big full
| page ads in the Economist for said snake oil products. I
| can't imagine that we're going to see significant results
| on a timeframe that you'd consider acceptable, maybe in
| 20 years.
|
| >True. Though the less companies that pay, the more
| examples of not paying get out there and so the more
| likely it is other companies will get good protection for
| themselves.
|
| >Probably not enough to really affect profits too much,
| but still helpful to limit the amount of investment "big
| evil" can afford to do.
|
| Honestly, I think stories of companies paying out huge
| amounts has more of a chilling effect on ransomware than
| stories of companies refusing to pay. The huge ransom
| payment gives everyone a concrete number to be afraid of,
| a refusal to pay is a non-story unless it causes
| devastating damage to the company in question.
|
| >Just a little bit. I'm looking to work with them more
| because for my area quality is important and we have
| reached the limits of what unit and manual testing can
| do. (but not the limits of other automatic code analysis
| which I'm also looking into)
|
| The problem here is that you will never be able to
| produce a useful formally proven general purpose desktop
| software stack that would present meaningful advantages
| over current systems. Formal verification really only
| works for very simple pieces of software, and in any
| case, formal verification is only as good as the model
| you are verifying against.
|
| We're not going to see formally verified web browsers,
| nor are we going to get a formally verified Microsoft
| Office suite.
| noduerme wrote:
| I think paying is a dumb move, regardless of the "brand"
| of extortionist you're dealing with. It just signals that
| you're a mark. It might briefly make an executive's life
| easier, but it'll come back and bite you.
|
| I didn't refuse to pay because I thought it would be
| inspirational or set an example or bla bla bla. It was
| because I'm not a dumb mark, and I'm not going to let my
| clients be. And personally, I'd rather burn my house to
| the ground than let someone rob it.
| FDSGSG wrote:
| Paying can't be a dumb move when your business continuity
| depends on an attacker returning your encrypted files.
|
| I agree that with DDoS extortion the situation is way
| more complicated, and the attacker will eventually move
| on if you don't pay.
|
| > And personally, I'd rather burn my house to the ground
| than let someone rob it.
|
| I think we can all agree that this is just plain stupid.
| Cutting off your nose to spite your face.
| FpUser wrote:
| >"And personally, I'd rather burn my house to the ground
| than let someone rob it."
|
| That is your personal choice and you're more than welcome
| to go up in flames if that is what you wish. You should
| have no rights however to force your personal choice upon
| the others. They might have a different perspective.
| mistrial9 wrote:
| very telling how the "real" people fight over how much
| they can deny any and all "saintly" motivations. _edit:
| apologies to noduerme who appears to have dealt with a
| serious situation. Respect._
|
| second thought - here in the USA in the mid-2000s there
| were waves of identity theft and also mortgage fraud:
| massive waves, very large numbers of accounts and even
| larger dollar amounts. I believe it was BANK-related
| employees and USA-based people who knew the credit
| system, performing quite a bit of all of that, with eyes
| open! The reputed phrase was "you won't be here, I won't be
| here" about the consequences down the road.
|
| Sure, name-your-enemy Eastern Europeans are caught doing
| these things, outside of the reach of the casual US law,
| but is it ONLY outsiders? Or you just don't know how
| badly your own money system employees are stealing from
| you now.
| ideksec wrote:
| There are countless reports, studies, Gov intel
| briefings, even whole books, all pointing towards Russia
| and neighboring countries being a huge exporter of these
| style of attacks. I'm not saying ALL ransomware is from
| that region, but the industry agrees that a huge
| percentage is.
|
| Do you have something to the contrary, or is this just a
| hunch?
| mistrial9 wrote:
| my interest in this is more on the "saintly" side, so
| please take all my comments as naive
|
| It appears from a casual read of spy-versus-spy sort of
| documents, like tell-all books or dramatic movie scripts,
| that "false flag" is a standard play, since forever.
| Second, mysterious enemies that speak in unintelligible
| tongues, are the perfect cover for any institution
| failing its own constituents.
|
| My experience in life is that money people are attracted
| to money jobs which then handle money with imperfect
| rules. Experience also says that business is often a dog-
| eat-dog world where company loyalty is repaid with
| termination or lower wages. When confronted with the
| dichotomy of "that's just business", alcohol and pain-
| killer abuse are common responses of an injured
| individual. Multiply that by thousands and mortgage
| pressure, kids' college pressure, or just skid-row
| entrance behavior, and you get "corruption".
|
| Creative examples from the 2000s when aforementioned
| mortgage fraud ran like fire through the USA: a middle-
| aged immigrant meeting discreetly at a restaurant,
| discussing with a colleague a long-term siphoning and
| fraud scheme, gets back into their mid-range luxury car
| and goes to their suburban home in the USA; an alcoholic
| single mother forges a few signatures while on ordinary
| day duty with no one watching; an up-and-coming sales guy
| with a sports background wants to "level up" on their
| property purchase next year.
|
| I do understand that non-US people, non-English speaking
| people, do run blatant scams. I myself have caught a PHP
| hook script on a server I ran, which pulled from some
| Bulgarian hacker board, an infection via a single ID
| number, like a menu. Of course that is true! But I object
| to fueling prejudices by nationality, of people.. human
| beings.
|
| Most humans are _innocent_ of _all_ of this activity.
| Yet, almost every single Western adult must have money in
| an account somewhere. The fundamental divisiveness of the
| Western monetary system, now under pressure from
| lockdowns, retirement and health problems, appears to me
| to be reaching East Germany levels, and I object to
| wholly and readily attributing this to "outsiders".
| FDSGSG wrote:
| https://imgur.com/a/oBEj3Jy
|
| Try to find a not-russian site with as many people
| discussing this stuff. It really do be like that
| sometimes.
| [deleted]
| mistrial9 wrote:
| > It really do be like that
|
| are you accustomed to talking like that? why do you have
| those screenshots?
| FDSGSG wrote:
| >are you accustomed to talking like that?
|
| It's a "meme". Unless you refer to the really badly
| google translated screenshot, in which case yes, but I've
| now learned sufficient Russian that it's easier for me to
| read without.
|
| >why do you have those screenshots?
|
| I follow a bunch of these forums for intelligence
| gathering purposes. There are companies paying ridiculous
| amounts for a few of these screenshots and a little
| accompanying text, it's apparently called "threat
| intelligence".
| mistrial9 wrote:
| so you get paid to repeat that "the Russians did it" and
| show a BBS screenshot .. OK, good to know that
| FDSGSG wrote:
| At least I have more than empty words to support my
| claim.
| pjmlp wrote:
| When a mom and pop restaurant doesn't do the proper cleaning
| in the kitchen, the health inspection closes the shop, this
| is no different.
| horsawlarway wrote:
| I really don't think it is.
| gopher_space wrote:
| > Should they have proper off-site backups? Yes. Should we
| just let these companies go out of business until
| organizations learn their lesson? I would say no.
|
| Can you expand on that? Bad management leading to criminal
| interaction seems like something we'd be better off without.
| ideksec wrote:
| An organization going out of business isn't just a case of
| bad management being eliminated.
|
| I wrote that line thinking of the clients I've worked with
| who've been hit by ransomware and didn't realize IT were
| not doing their job until it was too late. In some cases
| it's a failure on their part - not investing enough time or
| resources and seeing IT as "the guy who installs windows".
| More often than not, they were assured it was taken care
| of. I don't expect a manager of a car dealership to know if
| their Exchange server is running recent patches. If
| companies like SolarWinds and Kaseya can get popped and
| compromise their downstream customers, think of the number
| of small MSPs causing that same issue every day. I don't
| think a business should go under with people losing their
| jobs because IT screwed up.
|
| We would be better off without leadership who take no
| interest in security, and once a company is hit with a 100k
| ransomware bill you can bet they'll care going forward.
| throw0101a wrote:
| > _More often than not, they were assured it was taken
| care of. I don't expect a manager of a car dealership to
| know if their Exchange server is running recent patches._
|
| You're not wrong, but would the same dealership be as
| blase about the assurances from their accountant that all
| their taxes are being paid?
|
| Certainly no one can be an expert in everything, but
| regular audits from third parties of one's business at
| semi-regular intervals is prudent. We call in an external
| IT security auditor regularly ourselves to make sure
| we're not missing things and still following best
| practices.
| nobody9999 wrote:
| >Certainly no one can be an expert in everything, but
| regular audits from third parties of one's business at
| semi-regular intervals is prudent. We call in an external
| IT security auditor regularly ourselves to make sure
| we're not missing things and still following best
| practices.
|
| You're absolutely correct, up to a point.
|
| As an InfoSec professional, I've been on both sides of
| such audits. Sometimes they're quite good. Sometimes
| they're awful. Usually, they're somewhere in between.
|
| What's more, just because an audit has been performed
| (even a really thorough one), there's no guarantee that
| the recommendations will be applied, or even if they are,
| that they will be applied competently.
|
| Leaving that aside and assuming that everything is done
| properly and thoroughly, regardless of all that hard
| work, it just takes one non-technical resource to click
| _one_ link, and ransomware could be loosed on your
| network.
|
| There are, of course, mitigations and, hopefully they are
| all in place and just the one desktop/laptop system is
| compromised.
|
| All that said, many organizations don't have the time,
| money or expertise to properly secure their environment,
| let alone bring in outside auditors.
|
| Medium/large companies with such resources should
| absolutely do all of those things. But the vast majority
| of companies in the US are SMBs who likely don't have
| those resources.
|
| I'm not making a value judgement either way about the
| value of mandatory reporting, but I don't agree with your
| assessment.
|
| Edit: Fixed typo (word --> work).
| tomc1985 wrote:
| > An organization going out of business isn't just a case
| of bad management being eliminated.
|
| Being _dispersed_. Those people are still around and will
| go to "work" for someone else.
| ryanlol wrote:
| How about you stop dressing so slutty?
| JumpCrisscross wrote:
| > _when you track it back to a random Russian cybercrime
| group what can you do with that information?_
|
| Having solid evidence of state-sponsored (or egregiously
| tolerated) criminal attacks on Americans is the first step to
| building will to launch (cyber) counterattacks, or at least
| credibly threatening them.
| ebiester wrote:
| ABC Valve Manufacturing is running on a 6% profit margin. That
| cost wipes out their entire profit margin for the year. (They
| are competing against people in other countries without the
| same constraint.)
|
| Now, perhaps this is an upstream problem. Perhaps the problem
| is that we have built systems that are nigh impossible to
| secure for small businesses. Perhaps we need laptop computers
| with no USB slots (no external keyboards.. no external mice..
| no external monitors..) and no ability to install anything
| without going through an app store.
|
| This company (that makes its own operating system) also will
| tell you exactly the systems you can use. Everything is
| certified by this company to be secure and you pay them a
| yearly protection racket fee to assume liability. In return,
| you have no control over your computer. Very strict internet
| filters are on these computers - no stack overflow, no hacker
| news, just the systems that the business has paid for.
|
| This sounds dystopian to me. I'd hate to work there. However,
| that's literally the only solution I see for many businesses,
| because the current IT system is failing us.
| tantalor wrote:
| > cost wipes out their entire profit margin
|
| Comment suggested "calling on public resources to mitigate
| the attack" implying some sort of government funded program
| to upgrade old IT.
| KennyBlanken wrote:
| This is of no utility until the DoJ and courts start punishing
| corporations for breaking laws and regulations in some meaningful
| way.
|
| Right now, even egregious violation of regulations results in a
| trivial financial payment and the charges are put on the shelf -
| and forgotten about if the corporation "behaves." In theory. In
| reality, companies can keep breaking the law, violating those
| agreements to 'behave' - and the DoJ / courts never pursue the
| matter.
| pas wrote:
| you seem to be mixing up reporting regulations with the "we
| both know you did something shady but it was likely not
| explicitly illegal back then, so let's not go to court and
| waste each other's time, but let's never try that, and for this
| courtesy you pay us a few billion USD, mmkay?" deferred
| prosecution agreements.
|
| reporting regs are clear (or at least clearer) than the
| other stuff.
___________________________________________________________________
(page generated 2021-11-19 23:02 UTC)