trustedci/OSCRP

Ransomware

Closed this issue · 14 comments

Is there a concern that ransomware may affect scientific file stores?

Absolutely, at least in my opinion. Worth calling out with a specific example?


RuthAnne Bevier

On Oct 31, 2016, at 3:57 PM, Donald Petravick <notifications@github.com> wrote:

Is there a concern that ransomware may affect scientific file stores?

You are receiving this because you are subscribed to this thread.
Reply to this email directly, view it on GitHub https://github.com//issues/42, or mute the thread https://github.com/notifications/unsubscribe-auth/AROAirJufXp7DyDJmZWcqCj-05gvgxQWks5q5nJNgaJpZM4Klm_F.

I've never been a victim, but it's the first real threat I am worried about at an enhanced level, as it is a threat to data that is monitored, and I understand that, for example, hospitals have been victims.

I was just talking to a counterpart today who had this exact thing happen at his site, affecting a shared file repository used by a lab. I'll write something up this week and see if we want to include it.


RuthAnne Bevier

Oops, I meant monetized (Apple spell checker).

von commented

I think having Ransomware as an example (as described in Issue #44) is a fine thing. I want to be careful though in calling Ransomware a risk, as it, as an attack vector, will come and go, and really the risk is the unavailability of the data the attack causes.

(p.s. Thanks Don for the suggestion.)

Should I add it to the document? I figured I'd start by just writing up a draft example.

RuthAnne Bevier
Chief Information Security Officer
California Institute of Technology
ruthanne@caltech.edu
626-395-2671

von commented

I vote yes.

Calling it a "risk" may be understandable to users but does not reflect the root of the chain of events and therefore the root risk. Unavailability isn't even the original risk. In this case unavailability is just a consequence of being able to modify the data. The risk is really unauthorized data modification, which allows encryption, deletion and tampering; unavailability is a possible consequence. Every attack vector that allows unauthorized modification of data allows encryption and can be converted into ransom, even without the use of ransomware.

Ransomware isn't an attack vector, it's a payload from a previous successful attack which is converted into extortion. Ransomware requires first compromising a user account. The attack vector is what gives the account compromise. It can be social engineering, phishing or co-installation of malware bundled with legitimate software, etc.

Pascal

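The account-centric framing in Pascal's comment suggests what a defender of a shared lab file store can watch for: not a malware signature, but the write stream itself. The following is an added example in Python, not code from this thread or from the OSCRP project. It flags one account rewriting many distinct files with ciphertext-like contents (high Shannon entropy) inside a short window, which is the observable consequence of the "unauthorized data modification" Pascal describes, whatever payload produced it. The record format, the agent-supplied `entropy=` field, the account names, the thresholds and every sample event are constructed assumptions for this example.

```python
"""Spot a mass-modification burst on a shared lab file store.

Added example, not code from the OSCRP thread or project. The signal
watched is the write stream: one account rewriting many files in a short
window, with the new contents looking like ciphertext (high Shannon
entropy), is reported for review. Log format, field names, thresholds
and all sample events are constructed assumptions.
"""
import math
from collections import Counter, defaultdict
from datetime import datetime, timedelta


def shannon_entropy(data: bytes) -> float:
    """Bits per byte of `data`: 0.0 for a single repeated byte, 8.0 for a flat histogram."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def parse_event(line: str) -> dict:
    """Parse one constructed agent record: '<iso-ts> <account> <op> <path> entropy=<bits>'.

    The entropy field stands in for what a file-server agent (assumed here)
    would compute with shannon_entropy() over the first block of the
    rewritten file, so the detector never needs the file contents.
    """
    ts, account, op, path, ent = line.split()
    return {
        "ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"),
        "account": account,
        "op": op,
        "path": path,
        "entropy": float(ent.split("=", 1)[1]),
    }


def find_bursts(lines, window=timedelta(seconds=60), min_files=10, min_entropy=6.0):
    """Return {account: sorted paths} for every account that rewrote at least
    `min_files` distinct files with entropy >= `min_entropy` inside any sliding
    `window`. Rate and entropy are combined on purpose: a single compressed
    archive is high-entropy but not a burst, and a burst of plain-text edits
    is a normal working session."""
    by_account = defaultdict(list)
    for line in lines:
        ev = parse_event(line)
        if ev["op"] == "WRITE" and ev["entropy"] >= min_entropy:
            by_account[ev["account"]].append(ev)

    flagged = {}
    for account, events in by_account.items():
        events.sort(key=lambda e: e["ts"])
        hits, start = set(), 0
        for end in range(len(events)):
            # Slide the window start forward until the span fits in `window`.
            while events[end]["ts"] - events[start]["ts"] > window:
                start += 1
            window_paths = {e["path"] for e in events[start:end + 1]}
            if len(window_paths) >= min_files:
                hits |= window_paths
        if hits:
            flagged[account] = sorted(hits)
    return flagged


# Constructed sample: alice edits text files normally (~4 bits/byte) and stores
# one compressed archive; carol writes compressed parts ten minutes apart; the
# compromised account "bob" rewrites a whole run directory with ciphertext-like
# content in twelve seconds.
SAMPLE_LOG = [
    "2016-11-08T09:00:01Z alice WRITE /lab/run1/data.csv entropy=4.1",
    "2016-11-08T09:04:30Z alice WRITE /lab/run1/notes.txt entropy=4.4",
    "2016-11-08T09:05:10Z alice WRITE /lab/run1/data.csv entropy=4.0",
    "2016-11-08T09:20:00Z alice WRITE /lab/archive/2015.tar.gz entropy=7.9",
] + [
    f"2016-11-08T{10 + i // 6:02d}:{(i % 6) * 10:02d}:00Z carol WRITE /lab/backup/part{i:02d}.gz entropy=7.7"
    for i in range(12)
] + [
    f"2016-11-08T09:30:{i:02d}Z bob WRITE /lab/run2/frame{i:03d}.fits entropy=7.8"
    for i in range(12)
]


if __name__ == "__main__":
    for account, paths in find_bursts(SAMPLE_LOG).items():
        print(f"review account {account}: {len(paths)} high-entropy rewrites in one window")
        for p in paths:
            print("   ", p)
```

The thresholds are starting points, not tuned values: a site would calibrate `min_entropy` against its own compressed and binary formats and `window`/`min_files` against normal batch jobs, and the output is a review queue for the operator, not an automatic block.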

von commented

From a cybersecurity perspective I agree with you. From a scientist's perspective, the risk is their data (or infrastructure) being unavailable and I believe we need to keep that perspective front and center.

If we just list it in our badness examples section, it seems to me that we don't have to characterize ransomware per se as a risk, any more than we characterize "trojaned ssh binaries" specifically as a risk. Ransomware is another way that a security incident can negatively impact a science project, though.

+1

Yes, I like that solution.

Andrew

von commented

+1

Example was added, thanks!