should hackers be hired by companies

Introduction:

1. Should penetration testing by ethical hackers/crackers be trusted?

2. Should hackers be paid their ransomware demands?

Should penetration testing by ethical hackers/crackers be trusted?

  There are a few drawbacks to hiring a blackhat "hacker" instead of a security company.

  They are harder to trust

  Apart from backdooring your system, I would not trust a blackhat I pick off the street to keep his findings about my network confidential. Hackers like to boast to their peers. The knowledge they obtain about your security can bite you in the ass in more than one way.

  They are adrenaline junkies

OK, that's a bit strong. But a hacker who is just in it for the fun and not for the money will focus on what he finds fun. I have worked with both professional penetration testers and "recreational hackers", and the latter kind performs a different kind of test. If you find yourself a good hacker, he may have more knowledge than the professional penetration tester, but he will not deliver the same quality of report. He will find a fun way to enter your network and exploit that fully, while the penetration tester will see if there are multiple ways in, will weigh the issues he finds against the actual risk, and can give you less black-and-white advice about how to solve the issues.

  They are harder to do business with

  Think in terms of planning, deadlines, availability for status updates et cetera.

  So, if you find yourself the perfect gentleman hacker with knowledge of the underground, who will keep your findings confidential, propose realistic solutions, and do the test from the perspective of what is useful to you instead of just what is fun for him, then you have a winner. Good luck finding him :-)

Should hackers be paid their ransomware demands?

  The Severity of Cyber Attacks and Ransomware Payments

  So how bad are cyber attacks and ransomware payments? So bad that even the government may step in and make them illegal.

  Background: The Foreign Corrupt Practices Act (FCPA)

  There is a law called the FCPA (Foreign Corrupt Practices Act). What does that mean? What does it have to do with cyber attacks? Well, many years ago, almost 30 years ago now, companies, when they went to another country to build a new factory, develop, or start a division—maybe to put a satellite branch in another country—found that in many other countries besides the US, there was a lot of corruption. The government would come in and say, “Look, if you want to set up a factory, you have to pay us, you know, $500,000,” or, “If you want to get this approval, you have to pay us a $2 million bribe.”

  Corporate Response to Bribes

  It was just blatant. It was a bribe. It wasn’t hidden as anything else. Companies were paying this money for a long time, and the companies didn’t want to do it. So, the corporate industry went to the US and said, “We want you to pass a law that says it’s illegal to pay bribes to other countries’ governments for business.”

  The Impact of the FCPA

  The Foreign Corrupt Practices Act, that's what it is—FCPA. So, if another country said to you, "Hey, you want to build a factory? You have to pay a bribe," you could say, "Hey, I would do it, but it's illegal. I can't pay it. I don't want to go to jail. I don't want to get a fine." So, they made it illegal, which gave the companies an out. It gave them a third-party excuse like, "Hey, we can't do it." It's kind of like that whole "We don't negotiate with terrorists" thing, right? The "we don't negotiate with kidnappers" kind of thing.

  Workarounds and Parallels to Ransomware Laws

  It worked for the most part. Yeah, there are still some workarounds where, instead of paying a bribe, you can promise to hire, you know, the prime minister's son for a no-show job. There are other ways of getting around it, but it really put a crimp on it. The government is looking at similar laws for ransomware attacks. There is so much of it going on, and the companies don't like paying, and the insurance companies don't like paying, so the government is starting to talk about making it illegal, making it a crime, making laws against paying ransom.

  The Insurance Perspective and Government Involvement

  Right now, if you have cyber insurance, your cyber insurance company pays claims. They pay for a lot of other things, but they could also pay the ransom. They pay for monitoring. They pay for response. They pay for IT repairs. Many other things—losses if you lose money because your customers can't buy from you—they pay for a lot of things. The smallest percentage of the payout, a lot of times, is the ransom itself. Usually, the other costs are more.

  Potential Changes in Ransomware Coverage

  The government is starting to talk to insurance companies, saying, “Look, you can’t insure the ransomware payment. You can pay for everything else, but not the ransomware.” If that’s done, that will put a big crimp in the operations of these companies.

  Your Thoughts on Ransomware Payments

  So, your thoughts? Do you think there should be a law or rule discouraging the payment of these ransoms? Maybe, at that point, the hackers will stop asking for them. Or, do we need to have that protection in the system?

  The Role of Cyber Insurance

  Either way, cyber insurance (you can get more information from the link below) is a good way to prevent, disrupt, dispute, and then react to any kind of attack on your business. There are a lot of tools that go into a policy. There is active monitoring: they put small monitoring agents on your servers to see if there is a hack in progress or one being set up over weeks before it happens. They have a response team. They will be able to deal with your vendors, your accounts payable, and your accounts receivable to make sure you don't get disrupted. And right now, at least, they still pay for your ransom.
