[BreachExchange] Ransomware at the U of C; Where do we go from here?

Audrey McNeil audrey at riskbasedsecurity.com
Fri Jul 15 15:14:52 EDT 2016


http://www.itworldcanada.com/blog/ransomware-at-the-u-of-c-where-do-we-go-from-here/384920

In June the University of Calgary, while recovering from a significant
malware incident, chose to pay a $CDN 20,000 ransom for a decryption key
related to a piece of ransomware.

Several weeks later Linda Dalgetty, Vice-President Finance and Services at
the University of Calgary, was quoted in the Calgary Herald that while the
University’s cyber insurance policy did not cover the ransom, it was
instrumental in helping the school recover after the attack.

I have no doubt there were exceptional efforts made, and tough decisions
taken using the best information available at the time, that will remain
known only to those directly involved with the efforts to protect the
University’s data assets and recover its systems. But the public
information available about this incident leads to the conclusion that
cost, both in terms of outlay by the University, and lost staff time, was
the primary factor in making the decisions related to this incident.

And if that is truly the case then that is of concern, particularly in
relation to the choice to pay the ransom.

From a financial perspective, paying the ransom may have been the best
decision for the University. But by doing so, the University provided a
compelling incentive for ongoing unethical and criminal behavior. And many
of the future victims of the malware that the University chose to finance
will not possess the financial and technical resources that a large
organization, like the University, can bring to bear to recover from their
victimization.

Universities, because of their role in our society, must be held to a
higher standard than private organizations. While there would be some
consideration made for self disclosure, if a U of C student or faculty
member were to reveal that they had paid $20,000 to a criminal organization
to advance their studies or research, there would be serious repercussions.
So I fail to understand why, when it comes to the administration of their
information technology, the University appears to feel that financing
criminal activity is the appropriate thing to do.

This topic came up in discussion with my parents, who are 81 and 88, and
worked to send all three of their children to the University of Calgary.
While they use tablets and computers, they have no background in IT
administration. But their position was unsolicited, unequivocal, and based
on a lifetime of experience; paying the ransom was the wrong thing to do.

The University of Calgary is hardly unique in considering cost as the
primary factor when making decisions related to information systems. But
this incident provides a good case for the examination of whether in
today’s Canada, where we are entirely dependent on Information Systems for
our academic, financial, and civic functions, and where our information
systems are increasingly interconnected and interdependent, we can continue
to let decisions related to IT be made based solely on the short term
outcomes of an individual organization.

Perhaps it is time to establish foundational baselines of acceptable
professional practices in Information Systems, just as we have chosen to do
in finance, engineering, and medicine.

The upside of this situation is that the University of Calgary, unlike most
organizations who will fall victim to ransomware, has at its disposal the
talent, resources, and facilities to provide meaningful support to its
community and stakeholders to mitigate some of the harm that will result
from their action.

I would hope that going forward the University will choose to become a
leader in seeking out and working with exceptional students, outstanding
faculty, IS professional groups, and IT product and service providers,
towards meaningful progress improving the practice of Information Systems
in Canada, and the reliability and trustworthiness of the information
systems we all rely upon.

For in the long run, that will accomplish more than trying to redress a
regrettable decision made in the heat of a crisis.