AppDefects
Community Champion

IT Director Booted After Paying Ransom

After suffering a ransomware attack that crippled municipal systems, the city of Lake City in Florida, USA, has fired its director of information technology. Wake up, people, this could be precedent-setting!

5 Replies
CISOScott
Community Champion

It would be interesting to find out why. Was he:

1) Incompetent - He was so bad at his job that he created the perfect environment for this attack?

2) Competent but indecisive on getting the systems fixed? He knew about the problems but didn't do anything to fix them.

3) Falling on the sword? They told him "We need someone to take the fall for this and 'Tag' you're it!"

Flyslinger2
Community Champion

Lake City paid $400K ransom. The last number that I saw regarding Baltimore was $17M. So either Baltimore had an insurance policy to cover it, which means everyone's policies will reflect that rate increase, or the good citizens of MD are footing that bill. If that is the case then I can understand the politicians' response. They don't care how much money they pilfer from the hard-working people. The politicians think they have an endless supply of it or they will tax them for more.

So let's separate feelings from logic. I'm getting that a lot of people feel it is wrong to pay these perps a few bitcoin to get the key back. The term used is reward. I understand, but how about those citizens who are getting hamstrung by services or money that helps them get by on a day-by-day basis? It's better to let them suffer than to give out a few coin? What if, heaven forbid, someone dies because a critical piece of the infrastructure isn't working and an ambulance is either not dispatched or is sent to the wrong place? Fire. Police. etc. How do you put a price on life?

From the logic side I can't get past the cost of a few coin versus the total cost of either an insurance payout or funding through taxpayer revenue. The perp has already gotten his reward: their hack worked! Until they get caught someone will ultimately pay them. Not everyone is going to take the hard line of never paying them. And not quantifiable is the fallout from all of the services that were shut down. That would probably double the total cost if added to the estimate.

I think that the IT manager did right. If I was in his shoes I would sue for wrongful termination. And I'm not a litigious person at all.

rslade
Influencer II

> AppDefects (Contributor III) posted a new topic in Industry News on 08-02-2019


> After suffering a ransomware attack that crippled municipal systems, the city of
> Lake City in Florida, USA, has fired its director of information technology.
> Wake up people this could be precedent setting!


Oh, this is pretty standard. It's always the CISO, or whoever else warned people that this could happen, who gets fired when it happens.


"If you have responsibility for security, but have no authority to
set rules or punish violators, your own role in the organization
is to take the blame when something big goes wrong."
- Spaf's First Principle of Security Administration


............

Other posts: https://community.isc2.org/t5/forums/recentpostspage/user-id/1324864413

This message may or may not be governed by the terms of
http://www.noticebored.com/html/cisspforumfaq.html#Friday or
https://blogs.securiteam.com/index.php/archives/1468
CISOScott
Community Champion


@rslade wrote:


"If you have responsibility for security, but have no authority to
set rules or punish violators, your own role in the organization
is to take the blame when something big goes wrong."
- Spaf's First Principle of Security Administration


If I were working somewhere where I had no authority to set rules or punish violators AND I was unable to change that, then I would be changing my place of employment. One of the first things I do when I come into an organization is this: understand the organization's culture. Not the mission statement, not the vision, not the "core competencies", etc. If you fail to understand what motivates people and drives them to their decisions, then your great ideas will be met with failure.

Here are some of the organizational cultures I have run into.

1) The ostrich - "No one knows who we are so we won't ever be attacked!" Ignored years of failed inspection reports and failed to make any progress. Thought that even though security was terrible, it was actually OK because nothing had been hacked yet! Very reluctant to make security decisions, even best practices, because it would point out their ineptitude.

2) The boogeyman - Afraid to act because they might get fired. Always wanting to delay decisions until tested to death.

3) The cheapskate - Go ahead and quit! I can find someone cheaper anyway. Also a very chaotic and untrusting work environment. The most toxic work environment I have ever been at.

Understand how an organization functions if you want to be successful.

Caute_cautim
Community Champion

How do we know the full facts? Did the IT Director have formal authority, i.e. written or e-mailed evidence that they were given authority to pay the ransom? Or did the said person act on their own accord, which led to their employment being terminated? There is a great deal of conjecture here, and without the full facts, we are not in a position to make a judgement either way.

I can imagine the pressure on the organisation in that situation, but didn't the Incident Response Plan cater for this situation and have a planned approach to dealing with it?

Did they in fact have an Incident Response Plan and had they worked different scenarios and tested it?


Regards


Caute_cautim