Breach and Leak - Guilt and Atonement of Affected Companies

Breach and Leak

Guilt and Atonement of Affected Companies

Marc Ruef
by Marc Ruef
on May 25, 2023
time to read: 9 minutes

Keypoints

This is why Ransomware Victims are Perpetrators Too

  • Ransomware is a special type of classic computer virus
  • The aim is to extort money by encrypting data
  • Since backups can solve this problem, the attackers steal the data and threaten to publish it
  • This is only possible if several security measures have not been followed
  • For this reason, the affected companies share the blame

It is undisputed that Ransomware is considered the main risk of today. Since the appearance of WannaCry in May 2017, incidents that make it into the daily press have been increasing. Victims are forced to make payments or face the release of sensitive data. This article sheds light on whether and to what extent victims are partly to blame for their crises.

Ransomware is a special type of classic computer viruses. Traditionally, data is encrypted on an infected system. The victim is contacted and can buy back access to their data by paying a ransom. However, if there is a backup of the data, the victim can bypass this coercion. Ransomware gangs have therefore started to first exfiltrate the data over the network before making it inaccessible through local encryption. In this double-exfiltration, restoring a backup is no longer enough. This is because if the ransom payment is not met, the stolen data will be made public. The victims are forced to agree to the payment even if they have found alternative ways to access their data.

The Debt

Our technocratic society demands a digital transformation of everyday life. Companies must follow this duty of digitalization in order to gain acceptance and remain competitive. This leads to electronic information offerings, communication channels and automated data processing. This can ensure greater flexibility and efficiency. Above all, the latter is sought by companies of their own free will in order to be able to achieve economic optimization.

But this digital transformation must not happen without taking the issue of cybersecurity into account. It is possible to implement a full-scale digitalization without it. But by doing so, you increase your risks. Every person, every company is allowed to take risks. But you have to be aware that you have to be able to bear the risks. Anyone who has decided to take risks should not complain when the worst possible situation occurs. Very few of us sit down in front of the steering wheel without a seatbelt, drive 80 mph in a village or cross a busy intersection without looking. Those who do so nevertheless accept damage to vehicles, people and the environment. It plays a subordinate role whether one has accepted these consequences intentionally or negligently.

Drivers must take other road users into account. In digital transformation, these are employees, partners and customers. So if you do digitization without cybersecurity, you largely don’t care if they will also suffer damage. This is, there is no other way to put it, base and despicable.

But why do I even dare to assume that many a victim has deliberately or negligently not taken the issue of cybersecurity seriously? If we study the individual cases, it often becomes immediately clear that this must have been the case. Let’s look at the individual steps required for a compromise with ransomware:

Step Successful Action Protective Measure has Failed
1. Employee received virus contaminated file Antivirus solution on mail gateway, antivirus solution on client
2. Virus contaminated file was executed Employee not well trained, hardening of mail client
3. Malware can establish itself on system Hardening of operating system
3. Malware can propagate in the network Network segmentation, firewalling, file permissions on network shares, logging and alerting
4. Ransomware can exfiltrate files Traffic analysis anomalies, data loss prevention
5. Ransomware can encrypt data Local file permissions, anomalies in access analysis, no backup
6. Ransomware can perform backdooring Patches/updates, hardening, antivirus solution on systems

This list illustrates that a successful ransomware attack must pass through several phases and therefore involves a relatively high degree of complexity. In each of these phases, there are several time-tested measures that can be consistently established with manageable effort. If only one or two of these measures had been in place, this would have been enough to interrupt the successful process and thus avert the attack. The fact that a large part of these measures are missing or not properly implemented is primarily due to the negligence of the victim. Art. 7 para. 1 DSG puts it in a nutshell:

Personal data must be protected against unauthorised processing through adequate technical and organisational measures.

The Atonement

No company wants to be in the media with negative headlines. Reluctant to bite the bullet after an incident, most of those affected delay publication. The ostrich principle is thus consistently continued, but in this phase for different motives. One hopes that the problem will solve itself.

The consequence of this hesitation is often that the people affected – employees, partners and customers – do not learn about the incident, or learn about it late. Yet the company would have a moral obligation – and sometimes a legal requirement (e.g., Art. 34 (1) GDPR) – to inform them about the impending risks. After all, they could now become victims of targeted phishing, social engineering, data theft or extortion. But no, companies continue their unprofessional selfishness, leaving the real victims to their blameless fate.

The Primary Data Protection Regulation of the European Union (GDPR) provides that in certain cases draconian penalties can be imposed for negligent or incorrect handling of data (Art. 58 para. 2 as well as Art. 83 GDPR). The revision of the Data Protection Act of Switzerland (DSG) also wants to introduce such. However, legal discretionary powers not infrequently lead to laws acting like toothless paper tigers. They are not able to cause the pain afterwards, in order to prevent stupidities and impertinences before.

Thus, in the end, only the affected parties remain, primarily the customers, who can enforce the just atonement. By consistently avoiding providers who do not care about data security, a signal could be set. And by implementing advertisements, a signal could also be sent at the legal level. But customers are lazy and forget too quickly. What do they care about the breach six months ago? And where do they want to switch to? To another provider who won’t take the issue seriously? A vicious circle in which there are only losers. Only the lawyers are able to break it. Companies and decision-makers must be held consistently accountable. And not just tomorrow, but today.

Conclusion

Ransomware incidents have been on the rise over the past few years. Looking at the cases in detail, it becomes clear that they are based on a lack of or faulty understanding of the topic of cybersecurity. Companies are negligently or deliberately accepting risks that could have been mitigated early and sustainably through individual measures. It is not uncommon for third parties to be affected who have no direct influence on the security level of a company and thus become defenseless victims. This is where legislation should take a consistent approach and hold negligent companies accountable.

About the Author

Marc Ruef

Marc Ruef has been working in information security since the late 1990s. He is well-known for his many publications and books. The last one called The Art of Penetration Testing is discussing security testing in detail. He is a lecturer at several faculties, like ETH, HWZ, HSLU and IKF. (ORCID 0000-0002-1328-6357)

Links

Is your data also traded on the dark net?

We are going to monitor the digital underground for you!

×
Specific Criticism of CVSSv4

Specific Criticism of CVSSv4

Marc Ruef

scip Cybersecurity Forecast

scip Cybersecurity Forecast

Marc Ruef

Voice Authentication

Voice Authentication

Marc Ruef

Bug Bounty

Bug Bounty

Marc Ruef

You want more?

Further articles available here

You need support in such a project?

Our experts will get in contact with you!

You want more?

Further articles available here