Tag Archives: cyber attacks

Attacks on Email Systems Are Rising

Companies have increasingly turned to the cloud for their email solution. Cybercriminals or attackers have watched this trend and are finding ways to access email hosted in the cloud, which is known in the security community as a Business Email Compromise (BEC). Unfortunately, many companies are implementing cloud-based email without an understanding of how attackers are getting in and what safeguards help prevent an attack.

The vectors for compromised email attacks are the same as many other types of system or network occurrences. The most common attack vectors are phishing or spear phishing emails, which contain an attachment containing malware or a malicious link that brings the user to a legitimate-looking website and prompts the user for credentials. When the email recipient clicks on the link and provides credentials or opens the attachment from a phishing email, the attacker is able to get a foot in the “door” of the company, so to speak. The security community refers to this as gaining a foothold, and this is the first step in a cyberattack.

Credential stuffing is another attack vector often used, which involves using stolen credentials, typically obtained from successful data breaches, to access the cloud-based email environment. Attackers find that credential stuffing works well because many people use the same username and passwords for multiple accounts across the internet. Credential stuffing involves the automated entry of stolen credentials into online accounts in an attempt to gain access to accounts or systems. Sites such as haveibeenpwned.com allows users to determine if their email address account has been compromised from discoverable past breaches.

Once an attacker has access to the cloud-based email environment, it is easy to view email within the account to identify any information of value. Additionally, the attacker may try to gain access to other systems in the environment or launch other phishing attacks using the compromised account to make the phishing emails look legitimate. If the attacker has or gains administrative access to cloud-based email environment, the attacker may even modify rules within the system to forward emails to an external email account or even create her/his own email account on the system.

The goal of the attacker is typically monetary gain. There are several methods, many of which are often very creative and are used to obtain money from the company. The first involves fraudulent wire transfers where the attackers attempt to impersonate an executive in the office via email instructing someone in finance to wire money to a particular account, usually for the alleged reason of paying an invoice. The second method often used (if sufficient anti-fraud procedures are in place to prevent the wire transfer) is to obtain and modify invoices that have not been issued with payment instructions redirecting the funds to an account the cybercriminal has set up. The attacker then issues the modified invoice to a client of the company from the company’s cloud-based email, thus making the invoice look legitimate. Here, the attacker relies on the client paying the invoice without verifying the modified bank information.

See also: How Can Insurers Leverage the Cloud?  

Unfortunately, these attacks are often successful despite security practices in place to prevent them. For example, most users do not have administrative rights to the cloud-based email environment. Restricting rights is one of the basic components of security, called the principle of least privilege (POLP). But attackers have ways of escalating privileges by searching for cached credentials, using key loggers that track users’ keystrokes, and a variety of other means. Once the administrative credentials are located, the attacker can escalate their compromised accounts to higher levels and set rules that are not obvious to the average user. This allows the attacker to move throughout the email environment without being noticed and helps the attacker to cover her/his trail.

Now that the attacker has the proverbial “keys to the kingdom,” the attacker will typically modify rules so that she/he can monitor the organization’s email content and traffic. Oftentimes, this includes having email of key personnel, such as the CEO, CFO or HR personnel, forwarded to the attacker. At present, most attacks involve locating banking credentials and information to help attempt wire fraud, but as companies get better at prevention, attackers will likely morph their methods for other financial gain. For example, email communications may provide attackers with information to attempt to extort an organization or an employee.

Most organizations discover an attacker’s presence only after the attacker has executed some fraudulent activity; however, there are times when perceptive IT personnel may see evidence of the attack such as modified rules or the addition of email accounts. Once an attack is detected, the company should start an investigation.

While investigating, it is important to make sure the attacker is no longer in the environment; then the focus can turn to what information may have been compromised. As a first step, the company should change passwords and enable two-factor authentication. Additionally, the settings, including whether any forwarding rules are in place, should be reviewed. Unfortunately, even if the attacker was unsuccessful in achieving financial gain, the company’s information, potentially including personally identifiable information (PII), or protected health information (PHI) may have been exposed.

Reporting requirements for exposed PII vary among states. In some, access to PII may be reportable even if there is no evidence the information was acquired. So, it is important to involve outside counsel to examine if there are reporting requirements. Use of forensic experts can also prove beneficial in understanding how the attacker got in, whether the attacker is still in the environment and what information was accessed or acquired while the attacker was there.

As Ben Franklin said, “An ounce of prevention is worth a pound of cure.” This holds true when it comes to cyber security. It is difficult to build a house that is impenetrable, because people need to get in and out and commerce needs to continue. However, there are some actions that should be considered by IT security, including:

  1. Using dual-factor or two-factor authentication (2FA);
  2. Reviewing email security settings to ensure adequate controls;
  3. Monitoring traffic for unusual activity – consider using an email gateway to help monitor traffic;
  4. Keeping email authentication and trace logs for as long as possible;
  5. Training employees to recognize phishing attacks.

See also: Cloud Apps Routinely Expose Sensitive Data  

As companies continue to migrate to the cloud, cybercriminals will continue to target the cloud as a gateway to commit crimes. Prior to migration, companies should consider these risks and make sure the security measures in place are as strong as possible. Doing so will help make the cloud a less lucrative target and can help reduce the volume of attacks.

Until then, the Rolling Stones song “Get Off of My Cloud” seems to be a fitting warning to cybercriminals: “Hey, you, get off of my cloud.”

A Case For Cyber Insurance

The Need Is There

There were more than 26 million new strains of malware released into circulation in 2011, the last year with solid data on malware. Such a rate would produce nearly 3,000 new strains of malware an hour! Almost two-thirds of U.S. firms report that they have been the victim of cyber-security incidents or information breaches. The Privacy Rights Clearinghouse reported that since 2005, more than 534 million personal records have been compromised. In 2011, 273 breaches were reported, involving 22 million sensitive personal records.  The Ponemon Group whose Cost of Data Breach Study is widely followed every year indicated a total cost per record of $194 in 2011, an increase of over 40% ($138) compared to the cost in 2005 when the study began.

Other surveys are consistent.  NetDiligence, a company that provides network security services on behalf of insurers, reported in their “2012 Cyber Risk and Privacy Liability” forum the results of their analysis of 153 data or privacy breach claims paid by insurance between 2006 and 2011.  On average, the study said, payouts on claims made in the first five years total $3.7 million per breach.

And, attacks simply don’t target large companies. According to Symantec’s 2010  SMB Protection report (again the last report with good data on SME), small busineses:

  • Sustained an average loss of $188,000 per breach
  • Comprised 73% of total cyber-crime targets/victims
  • Lost confidential data in 42% of all breaches
  • Suffered direct financial losses in 40% of all breaches

Indeed, according to the 2011 Verizon Data Breach Report, in 2010, 57% of all data breaches were at companies with 11 to 100 employees. Interestingly, it was the Report’s opinion that 96% of such breaches could have been prevented with appropriate controls.

Seemingly, not a week goes by without a reference to cyber risk hitting the mainstream press. Recently, a cyber attack was successfully launched against ATMs in 27 countries withdrawing over $40 million in over 30,000 transactions in less than 10 hours.  The New York Times recently reported that universities are facing a rising barrage of cyberattacks, mostly from China.1   And last year saw a number of denial of service attacks against financial institutions brought by sophisticated cyber “criminals” whose attacks were eventually sourced to the nation of Iran in what would truly be considered a Cyber War attack against the U.S. infrastructure.

All This Has Prompted Insurers To Enter The Market (And Make A Nice Profit To Boot)

Cyber-insurance began in earnest in 2000 when American International Group’s AIG eBusiness Risk Solutions unit launched AIG netAdvantage. Starting from scratch, premium jumped to over $100 million by the time the unit was merged into larger subsidiaries of AIG, just four years after its creation. AIG eBusiness was extremely profitable with estimates of loss ratio in the extremely low double digits.

Fast forwarding to today, the cyber-insurance market, according to the 2012 Betterley Report is “in the $1 billion range” in terms of premium (up from $800 million in the 2011 report) with close to 40 insurance carriers providing a standalone insurance policy.  Premium continues to increase with most carriers, accordingly to Betterley, reporting increases from 25% to 100% year over year.  Hard profit figures are difficult to come by; however, strong anecdotal evidence suggests that this line of insurance continues to be highly profitable.  Third party litigation continues to be slow to develop outside the privacy arena and first party claim losses, outside of breach funds, is non-existent.

From an underwriting point of view, some attention should be paid to theft of personal identifiable information (PII), especially with respect to first party costs associated with forensics and customer notification costs.  However, there are established methods to manage this risk successfully for the underwriter.  Indeed, in a widely followed report, Verizon reports that 90% of all breaches can be prevented with proper risk management guidelines.   Of course, like any other portfolio of business, care must be taken with respect to avoidance of catastrophic exposure, adverse selection and moral hazard.  There are underwriting guidelines and processes that can be developed to manage these exposures.

Yet The Market Still Has Plenty Of Room To Grow

Despite the increased attention to cyber incidents, most reports indicate only a minority of companies currently purchase cyber-insurance.  According to the “Chubb 2012 Public Company Risk Survey: Cyber,” 65% of public companies surveyed do not purchase cyber insurance, yet 63% of decision-makers are concerned about cyber risk. In a recent Zurich survey of 152 organizations, only 19% of those surveyed have bought cyber insurance despite the fact that 76% of companies surveyed expressed concern about their information security and privacy. A risk area with a high level of concern but little purchase of insurance? That’s an insurance carrier’s dream

It is unclear why there aren’t more buyers, but most of the industry believes it’s a lack of education. For example, previous surveys indicated that over 33% of companies incorrectly believe that cyber is covered under their general corporate liability.

Regardless of the reason, with respect to foreign corporations whose securities are traded on U.S. exchanges, a recent “Guidance” report2 published by the U.S. Securities and Exchange Commission on October 13, 2011 is likely to increase sales.  The report begins simply enough:

For a number of years, registrants (companies who register their securities with the SEC) have migrated toward increasing dependence on digital technologies to conduct their operations. As this dependence has increased, the risks to registrants associated with cybersecurity has also increased … As a result, we determined that it would be beneficial to provide guidance that assists registrants in assessing what, if any, disclosures should be provided about cybersecurity matters in light of each registrant’s specific facts and circumstances.

The “guidance” report goes on to specify five “suggested” disclosures that may be “appropriate” to companies trading with securities registered with the SEC.  The fifth suggestion is the one that caught the eye of the insurance industry.  It reads simply:

Description of relevant insurance coverage.

This is the first time that I am aware that the SEC included insurance in one of their guidance reports.  The SEC tends to start investigations 18-24 months after issuing a guidance report. It is difficult to imagine how a general counsel would be able to meet this disclosure without an investigation, at least, of specific cyber insurance.  This is especially true given that over the course of the last few years, general liability underwriters have continued to tighten up any language in a general liability policy to a point where an insured would be foolish to even think the policy applies to cyber risks.3

Thus, it is then perhaps not surprising that the Betterley 2012 market report stated “we think this (cyber) market has nowhere to go but up.”  Although, they quickly qualified,  “as long as carriers can still write at a profit.”

And With A Private-Public Partnership There Is Even More Potential

Unlike many other countries, 80% or more of the critical infrastructure of the United States is in private hands.  As we have seen in the last year, cyber attacks are increasingly being brought by companies associated with hostile nation states.  Cyber-terrorism – even cyber-war – is close at hand and, in some minds, is already here.  The insurance industry can and should play a vital role in providing private sector incentives to foster increased network security in the critical infrastructure.  However, the insurance industry cannot do this alone.  The answer lies in a private-public partnership between the insurance industry and the federal government.  Productive discussions are already underway between the Department of Homeland Security and the insurance industry with specific proposals to safeguard and enhance our country’s security being reviewed.

For more details on the need for this public-private partnerships, and what is going on to bring it about, stayed turned for our next article.

1 Universities Face a Rising Barrage of Cyberattacks

2 Cybersecurity

3 While from time to time, this is tested by insureds (see Sony vs. Zurich), almost all commentators have admitted that the “die is cast.”

A Look At Cyber Risk Of Financial Institutions

Overview Of The Risk
There were more than 26 million new strains of malware released into circulation in 2011. Such a rate would produce nearly 3,000 new strains of malware an hour! Almost two-thirds of U.S. firms report that they have been the victim of cyber-security incidents or information breaches. The Privacy Rights Clearinghouse reported that since 2005, more than 534 million personal records have been compromised. In 2011, 273 breaches were reported, involving 22 million sensitive personal records. The Ponemon Group, whose Cost of Data Breach Study is widely followed every year, indicated a total cost per record of $214 in 2011, an increase of over 55% ($138) compared to the cost in 2005 when the study began.

Other surveys are consistent. NetDiligence, a company that provides network security services on behalf of insurers, reported in their “2012 Cyber Risk and Privacy Liability Forum” the results of their analysis of 153 data or privacy breach claims paid by insurance companies between 2006 and 2011. On average, the study said, payouts on claims made in the first five years total $3.7 million per breach, compared with an average of $2.4 million for claims made from 2005 through 2010.

And attacks simply don't target large companies. According to Symantec's 2010 SMB Protection report, small busineses:

  • Sustained an average loss of $188,000 per breach
  • Comprised 73% of total cyber-crime targets/victims
  • Lost confidential data in 42% of all breaches
  • Suffered direct financial losses in 40% of all breaches

Indeed, according to the 2011 Verizon Data Breach Report, in 2010, 57% of all data breaches were at companies with 11 to 100 employees. Interestingly, it was the Report's opinion that 96% of such breaches could have been prevented with appropriate controls. Bottom line: cyber attacks are here to stay — and in many ways, they are getting worse.

A Look At The Financial Institution Sector
Willy Sutton once infamously remarked that he robs bank because “that's where the money is.” According to Professor Udo Helmbrecht, the Executive Director of the European Networking and Information Security Agency, if Willy Sutton was alive today, he would rob banks online.

Criminals today can operate miles, or even oceans, away from the target. “The number and sophistication of malicious incidents have increased dramatically over the past five years and is expected to continue to grow,” according to Gordon Snow, Assistant Director of the Cyber Division of the Federal Bureau of Investigation (testifying before the House Financial Services Committee, Subcommittee on Financials Institutions and Consumer Credit). “As businesses and financial institutions continue to adopt Internet-based commerce systems, the opportunity for cybercrime increases at the retail and consumer level.” Indeed, according to Snow, the FBI is investigating 400 reported account takeover cases from bank accounts of US businesses. These cases total $255 million in fraudulent transfers and has resulted in $85 million in actual losses.

According to the FBI, there are eight cyber threats that expose both the finances and reputation of financial institutions: account takeovers, third-party payment process breaches, securities and market trading company breaches, ATM skimming breaches, mobile banking breaches, insider access, supply chain infiltration, and telecommunications network disruption.

It was telecommunications network disruption that dominated the news in 2012.

Otherwise known as a distributed denial of service attack, US banks were attacked repeatedly throughout the year by sophisticated cyber “criminals” whose attacks were eventually sourced to the nation of Iran in what would truly be considered a Cyber War attack against this country's infrastructure.

Among the institutions hit were PNC Bank, Wells Fargo, HSBC, and Citibank, among many others. Big or small, it made no difference. At the end of the day, as many as 30 US banking firms are expected to be targeted in this wave of cyber attacks, according to the security firm RSA. And it is likely that we are not at the end of the day. On January 9, 2013, the computer hacking group that has claimed responsibility for cyber attacks on PNC Bank vowed to continue trying to shut down American banking websites for at least the next six months.

That is not to say that financial situations only had to worry about distributed denial of service attacks launched by hostile nation states in 2012.

On December 13, 2012 the Financial Services Information Sharing and Analysis Center, which shares information throughout the financial sector about terrorist threats, warned the US financial services industry that a Russian cyber-gangster is preparing to rob American banks and their customers of millions of dollars. According to the computer security firm, McAfee, the cyber criminal, who calls himself the “Thief-in-Law,” already has infected hundreds of computers of unwitting American customers in preparation to steal that bank account data.

Of course not all threats look like they come from the latest 007 flick. On October 12, 2012, the Associated Press reported TD Bank had begun notifying approximately 260,000 customers from Maine to Florida that the company may been affected by a data breach. Company spokeswoman Rebecca Acevedo confirmed to the Associated Press that unencrypted data backup tapes were “misplaced in transport” in March 2012. She said the tapes contained personal information, including account information and security numbers. It is unclear why the bank waited until October to notify customers. Over 46 states now have mandatory notification laws that dictate prompt notification to bank customers of missing or stolen “Personally Identifiable Information.” Failure to make timely notification can, and often does, prompt customer lawsuits and regulatory investigations.

The bottom line: you cannot be a financial institution operating in the 21st Century and not have a cyber risk management plan which includes the purchase of cyber insurance.

The Cyber Insurance Market
With these facts, it is not surprising that the cyber insurance market has grown tremendously from its initial beginning in 2000. Starting with what was the brainchild of AIG and Lloyds of London, the market has grown to over 40 insurance providers. A widely accepted statistic is that the market now produces over $1 billion in premium to insurance carriers on a worldwide basis.

Despite the increasing claim activity, informal discussions with the market continue to indicate that cyber risk is a profitable business. Perhaps, it is for this reason, cyber premium rates are flat to down 5% according to industry reports in the market where rates in property-casualty are generally increasing.

Carriers also see this as an area where there are many non-buyers, and statistics seem to back them up. According to the “Chubb 2012 Public Company Risk Survey: Cyber,” 65% of public companies surveyed do not purchase cyber insurance, yet 63% of decision-makers are concerned about this cyber risk. A risk area with a high level of concern but little purchase of insurance is an insurance broker's dream. In a recent Zurich survey of 152 organizations, only 19% of those surveyed have bought cyber insurance despite the fact that 76% of companies surveyed expressed concern about their information security and privacy.

It is unclear why there aren't more buyers but most of the industry believes it's a lack of education. For example, previous surveys indicated that over 33% of companies incorrectly believe that cyber risk is covered under their general corporate liability policy.

It is then perhaps not surprising that the Betterley 2012 market report stated “we think this market has nowhere to go but up” Although, they quickly qualified, “as long as carriers can still write at a profit.”