Posted on: September 20, 2023, 09:18h.
Last updated on: September 20, 2023, 09:18h.
Caesars paid. That’s one of the few important things we know so far about the two recent cyberattacks on the two largest casino operators in Las Vegas. It is not known whether MGM Resorts International paid its cyber attackers after they gained access to its systems on Sept. 10, though outward appearances point to its resisting any such demands.
Casino.org asked Lisa Plaggemier, executive director of the National Cyber Security Alliance, whether it’s better for big corporations to pay or not to pay.
Q: According to the Wall Street Journal, Caesars Entertainment paid $15 million of the $30 million ransom that hackers originally demanded. MGM has already suffered much worse consequences than Caesars — to the tune of possibly $8.4 million per day. Assuming that this is because it refuses to pay, is this a better response than Caesars’?
A: Just like the FBI or Department of Homeland Security — or any federal law enforcement agency — will tell you, the best way to deal is not to pay. The more organizations pay, the more the criminals are going to keep doing it. As long as it’s profitable for them, they’re going to keep doing it. It’s as simple as that.
But actually, the best way to deal with a ransomware attack is to practice having one — to do tabletop exercises. You bring in outside consultants, a third party that runs you through an exercise where you practice having an incident and everybody knows like what they what role is and how it would be handled. That can help you find weaknesses — maybe in the way your backups are being handled or the way you’re architected.
I also recommend having a policy solution for this. I’ve worked for organizations where they had a written policy that was approved by the senior leadership that said, ‘If this happens to us, then we will not pay.’ If you know that this is who you are as an organization — that you just won’t give money to criminals — that allows you to manage an attack accordingly.
It allows you to know what you need to do to be prepared — what investments you need to make — so you’re not having to make a decision like that when your hair is on fire.
Q: According to a communique allegedly posted by the hackers, MGM caused most of its own problems by shutting down its systems pre-emptively. What do you make of this claim?
A: I’ve read it. It’s interesting. But whether or not I feel like they have credibility, that’s another question. I mean, they’re criminals. But I think there’s a lot of evidence suggesting that MGM’s network was not properly segmented. There should never be a situation where something bad happens in your payment card system and some of your slot machines don’t work. That’s like if breaking into one store in the mall gets a criminal into every store in the mall.
Organizations really need to be prepared. They need to make the investments in their IT infrastructure to make sure that they’ve got good backups, because that’s the antidote to ransomware — to be able to just go to your backups, which need to be segmented so they’re also not infected, and you can keep on going.
Also, I’ve never seen a data breach or a security incident that didn’t have one or more human errors along the way somewhere that opened the door, and it’s usually multiple points of failure. So organizations must design systems in a way that presumes there will be human failure and limits the damage it can cause.
Q: It’s been believed that MGM has $200 million in cyber insurance to cover losses, including ransoms, suffered by large corporations in a cyberattack. Isn’t this a bad crutch to lean on if your goal is to discourage cybercrime?
Q: It was kind of a panacea in the early days of cyber insurance. I’m not an expert in this area, but I’ve heard of some instances, where if you’re not taking reasonable precautions, then the insurance is not your get-out-of-jail-free card. So every instance is probably different.
But I think that apathy, that feeling of the inevitability of a cyberattack, can lead people to actually do the wrong thing. ‘Since this is going to happen, I’m just not even going to bother trying to prepare.’ That’s far, far worse than doing something. You just don’t ever want to be the easiest company to hack. Cybercriminals are busy and their time is money. They’re going to move on to the next victim if hacking you is too hard.
Q: Of course, the biggest problem with paying ransoms to cybercriminals is that you have no guarantee that it’s even going to work.
A: Exactly. Will you even get your data back? And was it already for sale on the dark web? Also, is the data encrypted? Because, if you run into technical difficulties with the encryption keys, they don’t exactly have incentive to provide customer support.
At the end of the day, they’re criminals. Considering that you know these are individuals who did this in the first place, are you really going to take their word for it? Because that’s all you have, and you’re assuming honor amongst thieves, which I think is always an iffy proposition.
Q: People like debating whether Vegas is better off with corporations running the show than when the mafia did. In a way, cyberattacks have placed organized crime back in charge.
A: Absolutely. It’s just a different mob now.