A SecurityWeek Event

A VIRTUAL EVENT FOR 2023

An Exclusive Forum For
Information Security Leaders

June 13-14th, 2023

2023 Diamond Sponsor

Palo Alto Networks

2023 Platinum Sponsors

Abnormal
CardinalOps

2023 Gold Sponsors

ReversingLabs
Uptycs
Proofpoint
Lacework
Eclypsium
Saviynt
Synopsys

2023 Featured Speakers

Adam Ely
Fidelity
CISO

Shaun Marion
McDonald’s
VP, CISO

Kathy Wang
Discord
CSO

Lena Smart
MongoDB
CISO

Jason Shockey
Cenlar FSB
SVP, CISO

Igor Varnava
Five9
SVP, CISO

Brian Markham
EAB
CISO

Chris Castaldo
Crossbeam
CISO

Michael Piacente
Hitch Partners
Managing Partner

Evan Wolff
Crowell & Moring
Partner

Jonathan Jaffe
Lemonade
CISO

2023 Agenda is Coming Soon

Designed for senior-level cybersecurity leaders to discuss, share and learn innovative information security and risk management strategies, SecurityWeek’s CISO Forum will take place in 2023 as a virtual event.

Throughout this two-day virtual event, sessions will have a strong focus on participation from CISOs in panel discussions along with talks from industry experts, analysts and other end users, and thought leadership, strategy and technical sessions.

Through a cutting-edge platform, attendees will be able to interact with speakers and sponsors, and visit networking lounges, subject-specific discussion areas, and sponsor booths in a virtual expo hall.


An Exclusive Executive Forum Focused on Cybersecurity Leadership and Strategy


Previous CISO Forum Speakers

Adrian Stone
Peloton
VP, CISO

Anne Marie Zettlemoyer
Mastercard
VP, Security Engineering

Caleb Sima
Robinhood
CISO

Allan Friedman
Cybersecurity and Infrastructure Security Agency (CISA)
SBOM Champion

Summer Craze Fowler
Argo AI
CISO/CIO

Fredrick ‘Flee’ Lee
Gusto
Chief Security Officer

Shaila Shankar
Cisco
SVP and General Manager of Cisco Cloud Network and Security

Jonathan Jaffe
Lemonade
CISO

Aanchal Gupta
Microsoft
VP, Azure Security

Lena Smart
MongoDB
CISO

Sounil Yu
JupiterOne
CISO

Theresa Payton
Former White House CIO
Star of CBS TV series, “Hunted”, and Leading Cybersecurity Expert

City of Atlanta Ransomware Attack Proves Costly

05/07/2018

City of Atlanta Ransomware Attack Showcases Ethical Problem in Whether to Pay a Ransom or Not

(Kevin Townsend – SecurityWeek) Over the course of the last week, it has become apparent that the City of Atlanta, Georgia, has paid out nearly $3 million in contracts to help its recovery from a ransomware attack on March 22, 2018 — which (at the time of writing) is still without resolution.

Precise details on the Atlanta contracts are confused and confusing — but two consistent elements are that SecureWorks is being paid $650,000 for emergency incident response services, and Ernst & Young is being paid $600,000 for advisory services for cyber incident response. The contracts appear to total roughly $2.7 million. The eventual cost will likely be more, since that figure includes neither lost staff productivity nor the billings of a law firm reportedly charging Atlanta $485 per hour for partners, and $300 per hour for associates. The ransom demand was for around $51,000.

The ransomware used in the attack was SamSam. In February this year, SecureWorks published a report on SamSam, attributing it to a group it knows as Gold Lowell. Gold Lowell is unusual among ransomware attackers in that it typically compromises its victims' networks in advance of encrypting any files.

SecureWorks makes two specific points about Gold Lowell that might be pertinent to the Atlanta incident. Firstly, “In some cases where the victim paid the initial ransom, GOLD LOWELL revised the demand, significantly increasing the cost to decrypt the organization’s files in an apparent attempt to capitalize on a victim’s willingness to pay a ransom.” Atlanta officials have always declined to comment on whether they paid, or attempted to pay, the ransom.

Secondly, “GOLD LOWELL is motivated by financial gain, and there is no evidence of the threat actors using network access for espionage or data theft.” Atlanta officials were quick to claim that no personal data was lost in the attack.

Also worth considering is the SamSam attack on Hancock Health reported in January this year. Hancock chose to pay a ransom of around $55,000, and recovered its systems within a few days. It later admitted that it would not have been able to recover from backups since the attackers — which sound like the Gold Lowell group — had previously compromised them.

The extended dwell time by the Gold Lowell group prior to encrypting files and making a ransom demand would explain the extreme difficulty that Atlanta is experiencing in trying to recover from the attack. The Hancock incident suggests that rapid payment might have resulted in file recovery, but SecureWorks also suggests it might have led to a further demand.

There are also indications that Gold Lowell’s dwell time could have been extensive and effective. According to WSB-TV, Atlanta officials had been warned months in advance that at least one server was infected with malware, and that in February it contacted a blacklisted IP address associated with known ransomware attacks. Whether the incidents are directly connected will only come out with forensic analysis.

However, the few facts that are known raise a very complex ethical issue. Atlanta seems to have chosen to pay nearly $3 million of taxpayer money rather than just $51,000, possibly on a point of principle. That principle is supported by law enforcement agencies around the world, which advise that ransoms should not be paid. In this case, the sheer disparity between the cost of the ransom and the ransomware restitution (more than 50-to-1 and growing), all of which must be paid with someone else’s money, makes it reasonable to question the decision.

There is no simple answer. Atlanta does, however, get almost unequivocal support from the CISO of another U.S. city, who spoke to SecurityWeek requesting anonymity. “Unless paying the ransom provided details of how they were breached, what would it really get them?” he asked. “Firstly, they don’t know if they would actually get the decrypt keys; secondly, they don’t know if they would simply get hit again; and thirdly, it would only encourage more of the same kind of action.

“By bringing in emergency support,” he continued, “they probably now have a much better picture of their security posture, most likely have cleaned up a number of issues, and are now on track to pay more attention to this business risk.” His only criticism is that the money should have been spent to prevent ransomware rather than to recover from it. “The real lesson,” he said, “is for probably 10-20% of the cost of the emergency support they could have brought in the same people to help with the same issues prior to the incident. Would that guarantee it would not happen? No — but it would improve the odds greatly, would limit the damage done, and improve recovery efforts if it happened.”

Ilia Kolochenko, CEO of web security company High-Tech Bridge, has a different view. “The ethical dilemma whether to pay or not to pay a ransom becomes very complicated today. This incident is a very colorful, albeit sad, example that refusing to pay a ransom may be economically impractical and detrimental for the victims.”

He agrees that Atlanta should have been better prepared. “Taking into consideration the scope and the disastrous consequences of this incident, one may reasonably suggest that Atlanta has a lot of space for improvement in cybersecurity and incident response. Spending 50 times more money to remediate the consequences of the attack, instead of investing the same money into prevention of further incidents, is at least questionable.”

But he disagrees with one of the primary arguments of those who advocate not paying. “Refusing to pay a ransom is unlikely to demotivate cybercriminals from conducting further attacks, as they will always find someone else to pay.”

In the final analysis, he believes that each case needs to be decided on its own merits, but adds, “In some cases, paying a ransom is the best scenario for a company and its economic interests. Otherwise, you risk spending a lot of valuable resources with no substantial outcome.”

