Long-Term vs. Short-Term: Deciding Whether to Pay Ransom for a Bank

Time
2 hours 8 minutes
Difficulty
Advanced
CEU/CPE
2
Video Transcription
00:00
Well, you ready for another one? Uh, sure. Let's go with this, dude. Um, so you're a CISO for, we'll call it, a small community bank. Okay, your network has just been attacked by ransomware, and you have no access to any other devices on your network.
00:15
You can't conduct any business until the network is recovered from the attack and your organization is losing a pretty significant amount of money,
00:22
but every, you know, second. I worked for Capital One, Barclays.
00:26
Yeah, it was a little time, right? Right. Not a great situation. Every transaction going through goes down. It's not good, right? Attackers are demanding a pretty hefty sum, about seven and a half million dollars,
00:40
in exchange for the decryption key. Do you pay it or not?
00:45
For the bank, I'm actually gonna have to not pay that one. Interesting. And the reason, the first reason behind me not paying that one, is you said community bank. So
00:58
I'm gonna make an assumption that the deposits are insured by the FDIC. Yes. So I'm not really worried about my, uh,
01:07
customers' deposits.
01:10
The network being down is
01:14
unfortunate. I'm probably not able to process payments, loans, new applications, might even receive wire transfers.
01:25
But I think that's a safer option, especially for a bank. Um,
01:30
because now you are in critical infrastructure.
01:34
Um,
01:37
you don't know what larger, you know, financial system that bank may be a part of,
01:42
You know, they may be going at the SWIFT, you know, money transfer system. So now you have a
01:49
myriad of different regulators coming in, looking at that from multiple angles. You know, the Secret Service is involved, the FBI's definitely there. And I think, you know, the option would absolutely be to not pay. You know,
02:06
it's unfortunate that
02:08
people may not be able to access their money at the ATM machine if the network is down.
02:15
But I believe because the money's still there, banks tend to have
02:23
backups, and they're more regulated. So I feel better in that situation about not actually, uh, paying the ransom. Right.
02:35
How about if you, um
02:38
if you were a larger bank?
02:39
um, I'm probably gonna
02:47
still stick to the not paying, because the larger the bank,
02:53
I'm still making assumptions, but you know what they say when you assume, but
02:58
that you know, the deposits are still insured, and
03:01
it is just still, ah, not the right business decision at that point to
03:10
pay. Um, and
03:14
we've seen ransomware attacks against banks, but we're seeing supply chain attacks. I have a specific example, where a lot of ATM machines, at least a couple of years ago, were still running Windows XP Embedded, which is basically, um,
03:30
hard-coded into the system. So the way that gets updated is they have reboot cycles called PXE boots, not to get too, you know, technical, and they'll pull down and update the image that's embedded. So it was a smaller bank that got
03:51
acquired into a larger banking system,
03:53
and the attackers went after the smaller bank because it was an easier target, and they replaced the boot image that was called a piece applied on the next update cycle. So when that happened, the ATM machines, it's not working. But
04:09
they
04:11
embedded admin access
04:13
to access the ATM machines, so they recruited people via social media, anonymously, to go out to ATM machines and empty them, um, yeah, to empty them, and, you know, send them a portion of the money back.
04:30
And they were actually pretty successful in that until a cop one night.
04:34
Um, so
04:36
guy's at an ATM machine, duffel bag, types in code,
04:42
empties the ATM, seeing it. You know, got arrested and asked, like, how did you get the admin code to an ATM machine? And they traced it back. It was actually a group out of Eastern Europe, but they had been doing this for a while. But that would be, you know, one of the reasons, just going back to why I don't think it would be a good idea
05:01
to pay, because the ransomware attack
05:03
may be masking something else that they're doing behind the scenes. Sure. And if you pay, you may not do proper due diligence. You'd just be focused on, actually, you know, decrypting the data and getting the network back up, right? At that point, you probably need to do some level of rip and replace and starting over anyway.
05:23
And, like, so I'm assuming, as a bank, we have backups.
05:27
Um, even if not,
05:30
they tend to hold on to paper records longer than most industries as well. That is very true. So, yeah, I think the loss there is really around, in the big time, lost time, inconvenience for customers. But also, like, you know,
05:46
the transaction charges on your credit cards, right? Right. Those kinds of things, though, that's actually where the volume can come in here
05:55
you can, you know, if you're Capital One or Chase, right, have millions of credit cards out there, and you're making a rare cent per transaction or something like that,
06:06
right? Right. That'd be a substantial amount of money, given the number of transactions that go through. But, you know, looking at longer term?
06:15
Absolutely. So it's a much more short term versus long term kind of dilemma as well. Um, something that makes sense.
06:23
Um,
06:24
so I got a couple more lightning round. Yeah, absolutely. Um,
06:30
by the way, on the HIPAA side, fantastic course on our site. Um, uh, Ken Underhill, you've got to check it out. And there is a ransomware example there, if you want to check out more about this. Um,
06:46
Okay. So we had a couple of ones that we were talking about earlier. So that kind of, those competing forces of community versus individual, so supporting your spirit of the board of directors was one of the dilemmas that was out there. You've got some experience with that.
07:03
This is the one where I have to say, you know, my comments are mine and mine only. Yes, my lawyer. No, no, absolutely not.
07:14
Um, but, uh, yes, um, in the cybersecurity realm, there are, you know, privacy and regulatory concerns, and the pace that business moves,
07:28
um
07:29
you know, security is typically seen as a cost center in almost all organizations, so it's not the most well funded. But as
07:41
we see this rise of the machines, so to speak, or the rise of the actual, you know, attacks becoming more prevalent,
07:49
during the business, the business opportunities, companies are doing more due diligence around company cybersecurity postures. And they're asking more specific questions and asking to provide more evidence of your security resiliency, posture, what have you. So
08:09
you know, there have been instances that, ah, you know, I've heard about, uh, that,
08:16
you know, leadership sometimes will take shortcuts
08:20
in some of those security mandates or questionnaires, um,
08:26
to win business, sure, ah, drive revenue, you know, and the boards clearly aren't, you know, aware of this, especially,
08:37
um, as you see, you know, we're talking about New York a lot. They're requiring companies, especially financial companies, to have someone on the board with cybersecurity experience and expertise, so
08:50
the wool can't be pulled over their eyes, so to speak, by, you know, management teams that are put in place. So
09:00
in that particular scenario, you
09:03
for me, at least, you know, we have to go with what the board wants, because
09:09
it's gonna come back at some point because you can continually hide. You know, it's like a cyber positive, so to speak, at some point you have to pay up, and if you get breached, then it's all over. So you may as well, you know, be transparent upfront and just deal with it. And
09:28
you know, use that to justify your budget going forward, um, so that you can be, you know, secure and truthful. So in the event that something does happen, you know, we live in the society or the mindset when, if,
09:46
you know, when it happens, not if, um, you can at least sleep a little bit better at night knowing that at least you did your due diligence. Um, and that would put a lot of, you know, executives on the, uh,
10:01
you know, civil side of things too, if, you know, they sign off on something that's not necessarily true. Uh, you know, a lot of boards now, they're seeking financial, uh, you know, uh, recompense. Yeah. Or you could get criminal penalties. Yeah,
10:18
as well, for not having proper, adequate cybersecurity controls
10:22
in place, let alone if you falsify or said shoot it, so that just compounds. So you might as well, just, you know, yeah, be truthful upfront. Yeah, even though you may lose now, but long term, you win.
10:37
At least that's the way I see it. Absolutely. And that is that short term versus long term dilemma, right? Like, of, um, of who you go with on that. Makes a lot of sense. I mean, working in the banking sector,
10:50
there's always someone who pays for situations like that, right? Or, if you're the one who does it, it's you. You will pay for that. So exactly, somebody is going to be a scapegoat. Absolutely. Someone's gotta pay, so
Up Next
Ethical Leadership

This ethical leadership training is taught by Cybrary’s own Leif Jackson. We will give you a framework on how to make ethical decisions from a leadership perspective, delving into the common use cases and rationale behind modern-day professional dilemmas.