Australia Post Ransomwared Its Own Staff

nadnerB

So what do you do when staff stop responding to your orgaisations phisihing tests?
Well, you could try ransomwaring them...

For those in an "OMGWTFBBQ!" flap already, they stopped after the pilot test.

https://www.itnews.com.au/news/why-australia-post-ransomwared-its-own-staff-454987

When Australia Post employees stopped responding to internal phishing campaigns designed to test staff security awareness, the organisation's infosec team knew they had to shake things up.
...

While ^ sounds like the synopsis for a B grade movie, it's definitely worth a read.

One point I'd like to make is that I feel that they're doing the tests too often. If their users are lackadaisical about the fall out of failing a phishing test or picking the wrong option "for the lulz", then it's time to rethink the strategy.

While I did get a good chuckle about scaring the living daylights out of end users with fake ransomware, it serves to highlight that the policy is too invasive/restrictive and/or repetitive (not as invasive as ransomware, but more like ads on TV invasive... you ignore it eventually) and there's no tangible repercussions or consequences. So it's a well-intended-but-still-bad policy.

...
The experiment fell too far into the “bad cop” category for the team to forge ahead with their planned full-scale ransomware simulation campaign.
...
The plan now is to educate users about ransomware to get them used to the concept, the same way they became familiar with standard email phishing attempts.

BUT THEIR NOT GETTING IT!!!!!!!!!!! This was highlighted in the first paragraph! How is it ideal that they be as "familiar" with ransomware as they were the phishing education? They were IGNORING it.

If end users are getting blasé about your current security education strategy, then yes, of course it's time to change it up, but do you really want your end users getting blasé about this level of infection?

I like the concept but it's not something I'd be pushing in that format. Perhaps as a last resort.

scottalanmiller

Sounds like typical security "professionals" who think that over the top security is the only answer and forget that people have jobs to do and can't sit around being security people all day, every day. They get so caught up in their little world that they disconnect from reality - a dangerous place for "security" people to be because their top threat is wetware failures. If they don't understand the wetware, they aren't suitable for security roles.

When I worked in an extreme security shop, we had fake phishing attacks to see how well people performed. If you failed, the penalties were high. A counsel of managers, security and your peers would review you, many people would cry if these meetings. They were harsh and questioned your suitability to come to work. And your track record would be reviewed to see if this was a unique mistake or a part of a trend. And they absolutely used it as part of a checklist for firing people, I saw people fire and get dismissed.

And even if you didn't get fired, not only was it put on your record it was a public record and the results sent to everyone in the company. Every meeting you were in, people would have this information pop up in front of them for a while. People commented on it to you. You knew that people knew you were a sucker and a risk.

Reid Cooper

I would call this "security fatigue".

Dashrender

@scottalanmiller said in Australia Post Ransomwared Its Own Staff:

Sounds like typical security "professionals" who think that over the top security is the only answer and forget that people have jobs to do and can't sit around being security people all day, every day. They get so caught up in their little world that they disconnect from reality - a dangerous place for "security" people to be because their top threat is wetware failures. If they don't understand the wetware, they aren't suitable for security roles.

When I worked in an extreme security shop, we had fake phishing attacks to see how well people performed. If you failed, the penalties were high. A counsel of managers, security and your peers would review you, many people would cry if these meetings. They were harsh and questioned your suitability to come to work. And your track record would be reviewed to see if this was a unique mistake or a part of a trend. And they absolutely used it as part of a checklist for firing people, I saw people fire and get dismissed.

And even if you didn't get fired, not only was it put on your record it was a public record and the results sent to everyone in the company. Every meeting you were in, people would have this information pop up in front of them for a while. People commented on it to you. You knew that people knew you were a sucker and a risk.

Wow - I don't know if that is awesome or cruel and unusual punishment.

scottalanmiller

@Dashrender said in Australia Post Ransomwared Its Own Staff:

Wow - I don't know if that is awesome or cruel and unusual punishment.

Both, perhaps. But when security actually matters, how can you do any less? You must weed out the people who can't think and act securely.

Dashrender

@scottalanmiller said in Australia Post Ransomwared Its Own Staff:

@Dashrender said in Australia Post Ransomwared Its Own Staff:

Wow - I don't know if that is awesome or cruel and unusual punishment.

Both, perhaps. But when security actually matters, how can you do any less? You must weed out the people who can't think and act securely.

yeah - I agree. Personally, I would love to do this here, and frankly everywhere, because the weak link in most businesses, is the personal.

scottalanmiller

@Dashrender said in Australia Post Ransomwared Its Own Staff:

@scottalanmiller said in Australia Post Ransomwared Its Own Staff:

@Dashrender said in Australia Post Ransomwared Its Own Staff:

Wow - I don't know if that is awesome or cruel and unusual punishment.

Both, perhaps. But when security actually matters, how can you do any less? You must weed out the people who can't think and act securely.

yeah - I agree. Personally, I would love to do this here, and frankly everywhere, because the weak link in most businesses, is the personal.

Although most places, security doesn't matter. Like where you are... is there any data that any one would actually want to steal?

JaredBusch

@scottalanmiller said in Australia Post Ransomwared Its Own Staff:

@Dashrender said in Australia Post Ransomwared Its Own Staff:

@scottalanmiller said in Australia Post Ransomwared Its Own Staff:

@Dashrender said in Australia Post Ransomwared Its Own Staff:

Wow - I don't know if that is awesome or cruel and unusual punishment.

Both, perhaps. But when security actually matters, how can you do any less? You must weed out the people who can't think and act securely.

yeah - I agree. Personally, I would love to do this here, and frankly everywhere, because the weak link in most businesses, is the personal.

Although most places, security doesn't matter. Like where you are... is there any data that any one would actually want to steal?

Exactly.

Dashrender

@scottalanmiller said in Australia Post Ransomwared Its Own Staff:

@Dashrender said in Australia Post Ransomwared Its Own Staff:

@scottalanmiller said in Australia Post Ransomwared Its Own Staff:

@Dashrender said in Australia Post Ransomwared Its Own Staff:

Wow - I don't know if that is awesome or cruel and unusual punishment.

Both, perhaps. But when security actually matters, how can you do any less? You must weed out the people who can't think and act securely.

yeah - I agree. Personally, I would love to do this here, and frankly everywhere, because the weak link in most businesses, is the personal.

Although most places, security doesn't matter. Like where you are... is there any data that any one would actually want to steal?

That's a joke right? medical data is highly valuable for fraud purposes, and other types of manipulation. Warren Buffet lives in Omaha, let's assume he was a patient - his data would possibly be good for blackmail reasons, or causing his stock to get hurt, etc... so yeah, medical data is valuable.

scottalanmiller

@Dashrender said in Australia Post Ransomwared Its Own Staff:

That's a joke right? medical data is highly valuable for fraud purposes, and other types of manipulation. Warren Buffet lives in Omaha, let's assume he was a patient - his data would possibly be good for blackmail reasons, or causing his stock to get hurt, etc... so yeah, medical data is valuable.

Not a joke and I can't figure out how this would be useful in the real world. Let's assume Warren Buffet lives in Omaha, how much would it cost to track him to your systems and guess that something that could be used for blackmail is there? How would someone use medical data that can't be verified for blackmail in the first place? Medical data is nearly useless for fraud on any cost effective scale.

Instead of assuming the one richest man scenario, talk about the real world. Unless you have Warren Buffet or Bill Gates as clients, you've pointed out how absurd the belief that medical data is valuable - it's like saying "this datacenter isn't reliable because a meteor could hit it!"

If you have to go to that extreme to come up with a case where theft might be valuable, you know it's not a real threat.

scottalanmiller

In the real world, medical data is useless. Knowing someone's social security number and address is not super useful and can be found from any number of sources. Targeted people will have this compromised without needing to get into medical systems. Non-targeted people are worth essentially zero. What possible use would someone have with random healthcare data. Knowing someone's healthcare record has about zero value.

The standard calculation for stealing data comes down to value of the theft vs. cost to commit the crime. With medical data, the value of the data is insanely low and the cost of the crime is moderately high. Because you can't effectively target an individual nor can you know if there is even any data worth a penny and because the criminal penalties are so high, it makes for an essentially worthless target. The only crimes of this nature I've ever heard of come from the medical facilities themselves, not outside actors. All reasonable threats are internal, from people who already have access to the data and can determine the value of a crime before committing it.

scottalanmiller

@Dashrender said in Australia Post Ransomwared Its Own Staff:

...so yeah, medical data is valuable.

Valuable in data theft terms means millions of dollars. Are you telling me that you, right now, could take the data in your systems and sell it for millions of dollars? You have data that someone would give you that kind of money for today on the black market?

Dashrender

OK I see where you're going with that - the actual medical data itself isn't valuable - maybe... but the identity stuff definitely is. Huge amounts of medical fraud in Florida where stolen identities are used to file fake insurance claims. It's definitely true that much of this is committed by those who already have legal access to the the EHR.

I guess the reason the government cares about this is all FUD then? just a way to waste tax payer money? Not saying that's not possible or even likely...

scottalanmiller

@Dashrender said in Australia Post Ransomwared Its Own Staff:

I guess the reason the government cares about this is all FUD then? just a way to waste tax payer money? Not saying that's not possible or even likely...

No, the government cares because it's reckless and negligent not to have a minimum about of security and takes essentially zero effort. The industry was so careless across the board with this stuff that they had to do something. HIPAA is such a trivial, minimal level of security that you can't think of it as the government making anything happen, it doesn't even require that medical offices do as much as they should have been doing anyway. So not one penny is being wasted, meeting HIPAA requirements is so basic that not meeting it is really a problem.

Is the purpose of HIPAA largely just to make people feel better? Of course, I'm shocked that there is a feeling that it was ever anything else. The only thing that makes medical data special is that the government controls your medical access and therefore doctors are government representatives and if they lose your data there is a responsibility that goes worlds beyond that of a private business doing it. Because it is data that is essentially "taken from you by force" all responsibility for its safety falls to the medical businesses. It's not like your data that you share with the bank or store that you do so voluntarily. So while the data has little value, it carries high risk.

It's not that it is valuable to steal, it is risky in case it is lost. The damage done is not to the patient, but to the government and medical institution.

scottalanmiller

@Dashrender said in Australia Post Ransomwared Its Own Staff:

I guess the reason the government cares about this is all FUD then?

Why else did you think that HIPAA has no real value. It doesn't require that things be even remotely secure and doesn't create any security practices that good IT and management would have been worlds beyond already. So given that its purpose clearly wasn't to secure data but to pretend to secure data, what else could it be for?