Insurtechs Mitigate Intel Cyber Scare

With Meltdown and Spectre very much in the news, raising the possibility of major data breaches, here are answers to some common questions about the flaws that can be exploited, about what the vulnerabilities are and about how insurers can use insurtechs to protect themselves. Meltdown and Spectre relate to a 20-year-old design flaw in Intel microprocessors, the sorts of chips that function as the brains for laptops, mobile phones and just about every other electronics product these days. It’s now clear that other microprocessors likely have similar flaws, but the Intel flaw has drawn attention both because Intel chips are so widely used and because Meltdown and Spectre have shown exactly how the Intel issue can be exploited. The vulnerability has been known for months by Intel and the largest tech companies, but, despite the knowledge of the vulnerability and the recent scramble to patch it, there is still much uncertainty about the precise implications. Who Discovered the Flaw? An engineer with Project Zero, a team at Google that looks for flaws that cyber criminals can exploit, found the vulnerability in the Intel microprocessors. Jann Horn discovered the problem while developing a processor-specific application that required deep access into the chip hardware. Since then, several other researchers discovered the flaw from a different angle, while looking at a technique where, to increase efficiency, processor operations are run out of order. Research papers were published in the microprocessor community about this technique and the possible implications. Several groups created simulations and discovered the obscure flaw in the Intel chip. One prominent group of researchers out of Graz University of Technology in Austria reported the flaw to Intel. Intel had already known for seven months at that point, but the discovery was now breaking news and came to light last week. How Does the Flaw Work? A computer’s processor executes code out of order to circumvent bottlenecks and speed the work. The CPU doesn’t just read code like a book, from front cover to back cover. The process is more like preparing a complicated recipe, where parts of the process need to be started at different times to keep the work moving smoothly. This technique is referred to as “speculative execution” – the CPU is taking its best guess about what work needs to be started when. Speculative execution has been used for 20 years. Spectre exploits the technique. Developed by Horn to show the Intel flaw, Spectre intervenes in the speculative execution to have an application store sensitive or private data in the processor’s cache – the memory that is built into the processor itself. (As fast as the speed of light is, a processor simply takes too long if it has to grab all its information from separate memory chips, even inches away, rather than from elsewhere on the processor chip.) Spectre has the private data stored in particular places in the cache where an attacker can retrieve it later. Data can be accessible within several nanoseconds (billionths of a second). Meltdown is the process of retrieving the sensitive data. Meltdown uses incredibly precise timing – remember, we’re operating in billionths of a second here – to grab the sensitive data. Meltdown does so in between the processor’s reads and writes – in other words, between the times the processor is reading data from cache and the times it is writing, or storing, data in cache. The operating system kernel provides the clock that allows events to be coordinated with such precision. See also: Cyber: The Spectre of Uninsurable Risk?   The particularly alarming aspect of this vulnerability is that it can be exploited from front-end Javascript code, which is used just about everywhere. This means that browsing web pages is one of the attack vectors that could be used to extract otherwise-secret data from your session. What Is Being Done? Spectre and Meltdown work hand in hand, so browser companies have removed application access to interfaces that measure precise timing intervals. FireFox has published steps to limit and remove access to the timing function. However, removing access is only a temporary fix. The underlying flaw still exists. A fundamental change in chip design is required for a truly secure solution. Companies like Amazon, Google and Microsoft have recently been rebooting so-called virtual machines (VMs) to clear the cache. VMs act like separate pieces of equipment as far as customers are concerned but, in fact, share hardware with other customers. (Software defines the boundaries of the “machine” within the physical piece of equipment. VMs make data centers far more efficient: Machines no longer sit idle simply because a particular customer doesn’t have work to do at that moment; someone else grabs the CPU time.) Sharing of physical hardware between customers could mean that your secret data was left in the processor cache, to be extracted through this process of speculative execution and precise timing from another company’s front-end apps. After all, you’re sharing the same physical processor. Who Does It Affect? The chip vulnerability affects all modern microprocessors, including those in desktops, laptops, mobile phones and IoT devices. Speculative execution is a technique used throughout the chip industry. Besides Intel, other chip manufacturers like AMD and Arm Holdings are implementing similar patches that are also focused on limiting access to cache timing. How Does the Insurance Industry Respond? Despite the panic, the insurance industry should stay the course. Providers of insurance services should follow the same cyber security methodologies they follow in times of certain vulnerabilities as they do in times of uncertain vulnerabilities. First, implement all security patches and updates for all hardware in your organization. This should be done with caution because logic in the patches could significantly slow hardware. Second, rely on the products and services of leading cyber security insurtechs. According to ITL’s Innovator’s Edge, there are 250 cyber security insurtechs globally, and many are making good progress. The insurtechs fall into three main categories: Threat Prevention Threat prevention, as the name implies, stops an attack before it occurs. This typically includes services like penetration testing, simulated attacks and system hardening. 30% of the cyber security insurtechs in Innovator’s Edge are assisting insurance providers with these activities. RiskIQ, for example, uses big data, analytics and simulations. The company’s RiskIQ Digital Footprint maps all your IT assets and determines if they are hardened from a security standpoint. Threat Detection Threat detection is the process of being alerted when a breach does occur. Detection is most often made possible by security monitoring. Monitoring varies from conventional network monitoring to sophisticated machine-learning-based monitoring. 42% of cyber security insurtechs tracked by Innovator’s Edge mitigate cyber risk through threat detection. For instance, TesseractGlobal’s Peerlox EDR focuses on detecting targeted cyber attacks through machine learning. The strategy for leveraging artificial intelligence and data analytics is an ideal second line of defense for an organization. See also: Cyber Threats: Big One Is Out There   Threat Management Threat management most often relies on consulting. Threat management is applied when a breach occurs, there is damage done, and there is a mess to clean up. As you can imagine, this is highly specialized work. According to Innovator’s Edge, 14% of the cyber insurtechs have these capabilities. SeraBrynn, for one, assists insurance providers after they have become the victims of a breach. The team consists of industry leaders in cyber security who have assisted the NSA. The combination of the strategies that insurtechs offer can help minimize the reverberations created by something like Spectre and Meltdown. The capabilities are a hedge against the negligence of the technology industry, whose insatiable pursuit of Moore’s law has come at the expense of security. Luckily for the insurance industry, there is an Insurtech for that.