Tag Archives: cybersecurity

Increased Threats for Manufacturers

Let’s be honest: Operational motivations are about speed and efficiency, not security. For manufacturing organizations to effectively manage cyber risk, they first need to understand that the global digital transformation making businesses run smarter and more efficiently is also creating a widening security gap that must be addressed. 

Creating Industry 4.0

In manufacturing, investments are largely motivated by the pursuit of increased operational effectiveness and efficiency: doing more for a lower per-unit cost. Often, these investments manifest as new operational technology (OT), for instance to enable higher degrees of automation, accelerated assembly timelines and improved real-time insights. New OT gets added to a large information technology (IT) stack, which has often been built over several decades; in that time, the IT stack has become a complex mix of legacy, aging and modern solutions held together by vulnerable protocols and a “don’t touch what isn’t broken” stability strategy.

Industry 4.0, driven by the pursuit of OT, is the connection of industrial equipment that accesses and analyzes centralized operational data. In essence, this is the next industrial revolution in advanced manufacturing and smart, connected, collaborative factories. This new paradigm is characterized by the action of the physical world becoming a type of information system through sensors and actuators embedded in objects and linked through networks. Beyond having the potential to completely change material and manufacturing processes, Industry 4.0 is expected to contribute to more efficient operations by aggregating data across all facilities, letting companies monitor, measure and improve performance. 

This digital transformation introduces new generations of intelligent solutions and integrates these solutions into existing manufacturing processes and technologies including SCADA/ICS and PLCs. In many cases, this collection is controlled by a manufacturing execution system (MES), which is tightly integrated into the manufacturing organization’s ERP system.

The Threats Grow

Unfortunately, this pursuit of improved operations comes with an unintended consequence: a widening security gap. As manufacturing has become more connected, the threat surface—the collection of points an attacker can use to try to gain access—has increased substantially and now extends from endpoints and networks into cloud services. In fact, the entire manufacturing process (and, by extension, the company that depends on that process running effectively) is more vulnerable to cyberattacks. From opportunistic attacks using commodity malware as a service, to sophisticated hands-on-keyboard attacks that surgically evade defenses, to advanced persistent threats that can operate for years undetected, to industrial espionage using legitimate credentials harvested from phishing campaigns—the list is long, and the consequences can be devastating. 

Modern threats can readily bypass legacy antivirus solutions and take advantage of vulnerability windows. Organizations need solutions that can harden endpoints, prevent polymorphic malware and fileless attacks, mitigate malicious code execution and provide investigation and remediation capabilities with dynamic response to security incidents. 

As the knowledge of the growing threat landscape solidifies, tension develops between two core factions: OT and IT. Security was a distant priority when vendors created their new OT solutions, yet IT understands the security risks and best practices and wants to take the time to do things as safely as possible. OT is under pressure to hit targets and can feel like IT is slowing them down by unnecessarily overstating the risks. Plus, manufacturers must grapple with systemic vulnerabilities in operating systems and control systems. For instance, it’s important to recognize that many industrial communication standards don’t even consider security because they are based on the old firewall model of complete trust within the network. 

But from the shadows comes a third party: attackers. These bad actors see highly connected, unprotected systems built by vendors that know very little about system security and that are content to pass risk to their customer—the manufacturing organization. 

Additionally, the supply chain is vulnerable. As trusted partners, third-party vendors often become the overlooked or unwitting accomplice in criminal activities. A Spiceworks survey of 600 IT and security decision-makers that asked about supply chains highlights this risk. 

While the majority of respondents felt confident in their vendors to keep data safe, nearly half (44%) of firms had experienced a significant, business-altering data breach caused by a vendor. Human error and stolen passwords accounted for 26% of the breaches, while malware played a key role in half of the attacks. 

While past attacks against major manufacturers and industrial facilities were espionage believed to be sponsored by nation states and based on ideology, many of the latest attacks are the work of cyber criminals motivated purely by profit. Of course, criminals don’t need to shut down a facility to extract payment. In many cases they exfiltrate sensitive information (trade secrets, proprietary data and intellectual property, financial details, private emails, account credentials) and then threaten to release it publicly if a ransom isn’t paid. In some cases, attackers have even weaponized regulations like GDPR, which impose fines when breaches compromise personal information. 

As operation and information technologies converge following an almost predictable path of profit-driven natural selection, the leaders of each group have yet to attain a similar level of integration. The operational groups lack the security expertise of their IT counterparts, and IT experts are often excluded from operational decisions, creating an inherent vulnerability that reaches to the top of the organization.

Cybersecurity is not an IT problem to solve; it’s a business risk to manage. Until manufacturers realize that OT and IT are not in competition with each other, they will remain easy prey for cybercriminals who recognize this philosophical flaw and are willing to exploit it.

How CAT Models Are Extending to Cyber

The insurance industry relies heavily on catastrophe modeling to set capital adequacy, adhere and respond to evolving regulatory requirements and stress-test portfolios. The same is now increasingly true of the cyber catastrophe sphere, in which key areas of focus include how models can help with capital allocation, stress testing and informing the development of underwriting guidelines and insurance products. Parallels can be drawn between the cyber catastrophe and natural catastrophe risk management sectors when modeling these risks.

The introduction of models provided critical insight into the potential for catastrophic claims under all-risk policies or policies without clear exclusionary language. Historical events such as the April 1906 San Francisco earthquake (leading to unanticipated claims on fire policies), the 2005 Hurricane Katrina flooding (resulting in unanticipated claims on homeowners wind policies) or the 9/11 U.S. terrorist attacks (producing unanticipated interpretations of the war exclusion and of the definition of a single event), and the current unfolding of the coronavirus pandemic crisis highlight the criticality of understanding the triggers and correlation of potential loss due to a single event.

In many cases, insurers paid losses to avert “reputational risk” and have since used models to provide insight into realistic structuring of policy, reinsurance and other risk transfer vehicles. Clear exclusionary language, endorsements and coverage-specific terms evolved over the decades in concert with evolving scientific knowledge of the risks and modeled loss potential. 

Today, we are seeing the same evolution with respect to insuring cyber risk, but over a highly compressed period, without the decades of experience of systemic insured loss events. Many cyber catastrophe risk managers attempt to apply the same lens of current natural catastrophe model availability of data resolution, data quality, catastrophic event knowledge and model validation expectations. But by embracing the commonality of lessons learned from the evolution of the property catastrophe insurance market, we can prepare for an event considered to be a case of not “if” but “when.”

The role of data in models

A first common theme is to recognize that, for a rapidly evolving risk, the understanding and availability of information means there is value in aggregate data in the absence of detailed data. This has been and still is the case for property catastrophes and is also the case for cyber catastrophe risk models. Confidentiality obligations on portfolio data, as well as the lack of high-quality data, are issues for all models. However, new sources of data as well as sophisticated data science and artificial intelligence analytics are being incorporated into models that provide increased confidence in assessing the potential risk to an individual company or entity.

A second, related common theme is the ability of catastrophe risk models to compensate for the lack of risk-specific data captured at the time of underwriting. This is where all catastrophe risk models add significant value, by providing context for what should be captured as well as what can be captured. In the case of cyber, this can include access to both inside-out (behind the firewall) and outside-in (outside the firewall) data. Inside-out data refers to aggregate data for segments of the economy, measuring the anonymized trends of security behaviors (such as frequency of software patching). Outside-in data is made up of specific signals that can be identified from outside an organization and that give indications of overall cybersecurity maturity (such as the use of unsupported end-of-life products).

A third commonality is the value in extrapolating the impact of past events into the future, given the evolving data available on the changing causes of frequency and severity of cyber events. The property catastrophe arena is grappling with very similar issues relative to the rapid and uncertain evolution of climate models. For cyber risks, history is not a predictor of the future in terms of modeling threat actors, the methods they deploy and the vulnerabilities they exploit. However, it is possible to examine historic data and the types of cyber incidents that have occurred while addressing the challenges in the way that information is collected, curated and used. This historic data is used against the backdrop of near-term threat-actor and technological trends to understand future potential systemic losses due to large-scale attacks on bigger and more interconnected entities.

The role of probabilistic models

At the enterprise level, the market is struggling with how to assess potential aggregations within and across business lines. Event clash, in which a single event triggers multiple losses across policies and reinsurance treaties, is a key concern across all lines of business. The use of common cyber and other catastrophe risk loss metrics that can be combined across perils and lines of business is being explored. In addition, regulatory groups are considering requirements similar to those for property catastrophe risk to address solvency requirements relative to cyber risk.

In this environment, consistent and structured definitions of risk measures are critical for assessing and communicating potential systemic catastrophic loss. Both deterministic cyber scenario event analyses as well as probabilistic stochastic cyber event analyses are required. Given this context, cyber catastrophe risk models that can withstand validation scrutiny similar to property catastrophe risk models require the same level of rigorous attention to transparency in communication of model methodology.

Similarities… but some differences

There are some key differences between the systemic risks of natural disasters and cyber events. One material contrast is that cyber perils manifest with active adversaries seeking to cause malicious damage to individuals and companies globally. The factors affecting modeling include the changing nature of geopolitical threats, the dramatic increase in the use of digital means for criminal enterprises, the hyperconnectivity of developed economies and an ever-increasing reliance on networked technologies. Cyber event scenarios are developed to represent a range of potential systemic events in which technological dependencies affect individual insured companies, due to a common vulnerability or a “single point of failure.” Examples include common cloud service providers, payment systems, mobile phone networks, operating systems and other connected technologies. 

There are limitations in any model relating to cyber risk, given the inherent uncertainties. Nevertheless, these models provide valuable insights to better decision-making relating to capital planning, reinsurance and addressing regulatory issues. By learning from previous insurance shocks, we can support a more stable and resilient cyber risk insurance market.

How Machine Learning Halts Data Breaches

Although we hear a lot about major cybersecurity breaches in non-insurance organizations – Target, Experian, the IRS, etc. – there have been breaches in the insurance industry, too, albeit less publicized. Nationwide faces a $5 million fine from a breach back in 2012. Horizon Blue Cross Blue Shield is still the defendant in a class action suit over a 2013 breach that affected 800,000 of its insured. 

As hard as organizations try to secure their data and systems, hackers continue to become more sophisticated in their methods of breaching. This is why innovation in risk management and insurance is so important.

Can Machine Learning Improve Cybersecurity (and Vice Versa)?

The short answer is yes. Because machine learning can collect and process huge amounts of data, the technology can analyze historical cyber-attacks, predict the types that may occur and set up defenses against them.

Here is a very simple example:

An on-site employee has decided to use his computer to access some shopping sites during his lunch break. One of those sites has elements that alert the machine of a potential security threat. The security team is notified immediately. It is then possible to block access permission from that computer to any data that could be useful to hackers until a full investigation can be completed. 

This may be a rather far-fetched example because most organizations limit private use of their computers in advance. But consider the Horizon breach – two laptops were stolen from a facility, and access was obtained. Or the case of Target, where a third-party contractor did not have appropriate security in place, and hackers were able to access the company’s systems through this third party. Machine learning can help to reduce these threats through a proper alert system, and remote shutdowns can then occur.

Common Types of Data Breaches that ML Can Help Thwart

1. Spear Phishing

Company employees receive emails every day, in their company inboxes. Some of these, from sources that may not be known, can include malicious links. 

There are now ML algorithms that can identify and classify language patterns – email subject lines, links, body content/communication patterns, phrases and even punctuation patterns. Anomalies can be flagged, and security analysts can investigate, even catching the emails before they are opened, if the system is set up correctly. Some of these emails, for example, may be very poor translations from foreign languages, certainly not professional translations from services like The Word Point. Poor translations will alert machines that spear phishing is a possibility.

2. Ransomware

Most everyone is familiar with this security threat. Users’ files are “kidnapped” and locked. Users must then pay up to get an encryption key that will unlock those files. Often, these files house critical client data, other proprietary information or system files that are necessary for business operations. The other type of ransomware attack will simply lock a user’s computer and not allow access until the demanded amount is paid.

To train a machine to identify potential ransomware requires some pretty deep learning. Data sets of historical ransomware files must be loaded, along with even larger sets of clean files, so the machine can learn to distinguish between the two. Again, so-called micro-behaviors (e.g., language patterns) are then classified as “dirty” or “clean,” and models are developed. A suspect file can then be checked against these models, and necessary action taken before files are encrypted or computer access is locked.

3. Watering Hole

Employees, especially insurance agents who are out in the field, may have their favorite spots for coffee or lunch breaks. Or suppose a group of employees have favorite food joints from which they frequently order food for delivery or takeout. Whether they are using the Wi-Fi in that watering hole or accessing that business’s website to place an order, security there is far weaker, making it an ideal place for hackers to capture a user’s access or credentials through that back door.

Sometimes this is called “remote exploitation” and can include a situation like what occurred with Target – a third party is used as the “door” to get in.

ML algorithms can be developed that will track and analyze the path traversals of an external website that employees may be accessing on devices they are using either on- or off-site. Users can be directed to malicious sites while they are “traveling” to a destination site, and this is what ML can detect.

4. Webshell

A Webshell is nothing more than a small piece of code. It is loaded into a website so that a hacker can get in and make changes to the server directory. The hacker then gains access to that system’s database. Most often, hackers look to take banking and credit card information of customers/clients, and this type of attack occurs most often with e-commerce websites. However, medical practices and insurance companies are certainly at risk, too, because they house lots of personal data. When the insured set up automatic payments from their bank accounts, the activity is even more attractive to these hackers. Payments are simply routed somewhere else.

Machines can be trained to recognize normal patterns of behavior and to flag those that are not normal. Machines can also be used to identify webshells preemptively and then prevent them from exploiting a system.

The Requirement? Machines and Humans Must Work Together

Will machines ultimately eliminate the need for in-house or contracted cybersecurity experts? Highly unlikely. At this point, machines cannot engage in the deeper investigations that analysts perform once they are aware of potential breaches or once aberrant behaviors have been detected. But innovation in risk management and insurance should certainly include machine learning. Humans simply cannot gather and analyze data as fast as machine algorithms can. Incorporating ML as a solid part of cybersecurity just makes sense.

5 Questions That Thwart Ransomware

This past summer was something of a perfect storm for small businesses, which weathered an increase in ransomware attacks that in many cases started with an IT vendor or managed service provider (MSP).

Ransomware incidents reported to our company were up 37% in the third quarter when compared with the first three months of the year, and 24% were confirmed to be caused by a vendor or MSP.

Those statistics are bad news for small businesses that manage their IT resources with the help of an MSP, and worse news for small businesses that outsource their entire IT operation to the MSP, which includes everything from building the network and managing applications to servicing any and all IT requests.

In fact, in the first nine months of last year, 63% of all the ransomware incidents reported to our breach response unit came from small businesses, many of which rely on an MSP. Why is that figure so high? MSPs make ripe targets for ransomware attacks.

They have to balance, on the one hand, a need for speed and convenience when it comes to being able to respond to clients and, on the other hand, the need to have the right security controls in place. Too often, speed and convenience win out over security controls.

For example, in many cases, MSPs have reused credentials across clients so that MSP employees can service multiple clients more quickly. Similarly, MSPs might not enable multi-factor authentication (MFA) on the remote access point they use to pivot to client environments.

In many incidents in the third quarter, attackers exploited the remote management application that connects the MSP to the client. The same MSP user account would log into multiple client environments and install ransomware. If the MSP had set up individual user accounts for each of its clients, it is more likely that the exploitation of the single set of credentials would have only enabled unauthorized access to a single client’s environment, diminishing the risk to their clients.

Further, an MSP user account often has to have full administrative access to assist with regular IT functions, so, when credentials were compromised, the attackers had full administrative access to clients’ environments.
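To show how the pattern described above looks in practice, here is an added detection example that is not from the original article or any MSP product: it runs over constructed remote-access log lines and flags one account reaching several client environments in a short window, plus successful logins that lacked MFA. The log format, account names and client names are assumptions.

```python
"""Flag a single MSP account pivoting into many client tenants, and
successful logins made without MFA. The log format and all names below
are constructed for this example, not taken from any real tool."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: timestamp, account, client tenant, MFA flag, result.
SAMPLE_LOG = """\
2019-08-16T02:11:04Z user=msp-tech01 client=acme-dental mfa=no result=success
2019-08-16T02:12:31Z user=msp-tech01 client=harbor-law mfa=no result=success
2019-08-16T02:13:05Z user=msp-tech01 client=bluebird-cpa mfa=no result=success
2019-08-16T02:14:48Z user=msp-tech01 client=northside-clinic mfa=no result=success
2019-08-16T09:30:12Z user=msp-tech02 client=acme-dental mfa=yes result=success
2019-08-16T13:45:00Z user=msp-tech02 client=harbor-law mfa=yes result=success
2019-08-16T09:31:40Z user=msp-tech03 client=harbor-law mfa=yes result=failure
"""


def parse_line(line):
    """Turn 'TS key=value ...' into a dict with a parsed 'ts' datetime."""
    ts_text, *fields = line.split()
    rec = dict(f.split("=", 1) for f in fields)
    rec["ts"] = datetime.strptime(ts_text, "%Y-%m-%dT%H:%M:%SZ")
    return rec


def parse_log(text):
    return [parse_line(l) for l in text.splitlines() if l.strip()]


def find_multi_client_pivots(records, max_clients=2, window=timedelta(minutes=30)):
    """Return {user: sorted client list} for accounts whose successful logins
    reached more than max_clients distinct tenants inside any sliding window.
    A shared credential used to service many clients shows up here; a
    per-client account never can, because it only ever sees one tenant."""
    by_user = defaultdict(list)
    for r in records:
        if r["result"] == "success":
            by_user[r["user"]].append(r)

    alerts = defaultdict(set)
    for user, recs in by_user.items():
        recs.sort(key=lambda r: r["ts"])
        start = 0
        for end, r in enumerate(recs):
            # Slide the window start forward until it fits the time bound.
            while r["ts"] - recs[start]["ts"] > window:
                start += 1
            clients = {x["client"] for x in recs[start:end + 1]}
            if len(clients) > max_clients:
                alerts[user].update(clients)
    return {user: sorted(clients) for user, clients in alerts.items()}


def find_logins_without_mfa(records):
    """Return sorted (user, client) pairs for successful logins lacking MFA."""
    return sorted({(r["user"], r["client"]) for r in records
                   if r["result"] == "success" and r["mfa"] != "yes"})


if __name__ == "__main__":
    recs = parse_log(SAMPLE_LOG)
    for user, clients in find_multi_client_pivots(recs).items():
        print(f"ALERT shared credential {user} reached {len(clients)} tenants: {clients}")
    for user, client in find_logins_without_mfa(recs):
        print(f"WARN no MFA on {user} -> {client}")
```

Both checks are zero-hit on an MSP that uses one account per client with MFA enforced, which is the control the passage above recommends.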

So, why the increase in MSP ransomware attacks this summer? According to Bill Siegel, CEO and co-founder of ransomware response platform Coveware, hackers have found a way to magnify the attacks on MSPs. Specifically, developers of Sodinokibi ransomware are now using techniques employed originally by GandCrab ransomware to make the attacks on MSPs more profitable.

These MSP ransomware attacks over the summer exposed incident response challenges. For small businesses that completely rely on outsourced IT, a massive ransomware attack across clients draws on the MSP’s resources and inevitably leaves many businesses in the dark. Small business owners without a technical background struggle to understand and assist the external legal and forensics vendors who are hired to help them respond to the attack.

The response is further complicated when the MSP itself is also infected with ransomware. Where an attack group knows it has hit an MSP and infected downstream clients, the group may refuse to negotiate with the end clients and instead only respond to the MSP, to increase ransom demands. This tactic can also leave clients with little to no control over their data and software recovery.

For all of these reasons, we urge small businesses to ask the following important questions when vetting a potential MSP:

  1. Is there a security program in place, including periodic risk assessments to identify areas for improvement?
  2. Is there continuing security awareness training across the organization?
  3. Is there an SSAE 18 SOC 2 Type II report or similar type of report available to customers, attesting to the security control environment?
  4. If access to personally identifiable information or protected health information is necessary, how is this protected at the vendor (e.g. encryption, secure remote connections, restricted access, logging and monitoring)?
  5. Are security and availability requirements enforced in master service agreement contracts (e.g. sensitive data protection, up-time guarantee/service level agreements, security incident reporting/coordination, regulatory compliance requirements)?

Our third-quarter statistics clearly show that small businesses and MSPs are big targets for hackers. It is absolutely critical that small businesses are working hand-in-hand with all their IT vendors to prevent ransomware attacks from happening in the first place.

Why Cyber Must Be a Focus for SMEs

Small business cybersecurity must be taken seriously. The days of hackers focusing on major businesses have given way to a new era. Small businesses are the new target. The Verizon 2019 Data Breach Investigations Report found that 43% of data breaches hit small businesses. The next most common industry for breaches – the public sector – was hit by just 16% of security events. Small businesses are a high-priority target for attackers, and a Ponemon Institute study found that 67% of small businesses were hit by a cyber attack in the year prior to its study, which was released in late 2018.

These are tough statistics for small business owners. The problem doesn’t stop here. Small businesses aren’t just targets; they are also less likely to be able to handle the costs of a data breach. A study from IBM Security and the Ponemon Institute found the average total cost of a data breach was $3.9 million in 2018. That figure has been rising over the past few years.

Small business cybersecurity is a mission-critical situation. It’s something that poses real challenges for small business owners who lack the resources to invest in robust IT systems.

Understanding the Scope of the Cybersecurity Threat

The high costs of a data breach are influenced by major security incidents affecting large corporations. You may not think you have almost $4 million to lose in a cyberattack because you simply don’t have that kind of money in the first place. But that’s the problem. You may not be hit by a hacker trying to steal highly regulated data, leading to the kinds of fines that cause huge costs. But how much cash do you have lying around? If you’re hit by a ransomware attack – a security event in which a hacker uses malware to encrypt your data so you can’t access it and demands a ransom – do you have the funds to respond? Even a $50,000 ransom can have a huge impact on a small business.

Dealing with the Costs of Attacks

The costs that come with a data breach stem from a variety of sources. If you’re lucky, you won’t lose any information, or have it stolen. For example, two types of common attacks don’t steal data; they just kill productivity.

The first of those is ransomware. The cost here comes from lost productivity while data is inaccessible, and the price of paying the ransom to recover your data. The second is distributed denial of service (DDoS), an attack in which servers are overloaded by constant attempts to access your website. This makes it impossible for legitimate customers to interact with you.

When data is stolen, the costs escalate, particularly if customer information is lost. In this case, you often have to:

  • Cover the costs of credit tracking for those affected by the breach.
  • Deal with regulatory fines if it’s found that you weren’t in compliance with an industry standard.
  • Face lost trust from customers, something that often hurts the bottom line.
  • Scramble to deal with the source of the attack and fix any IT problems that existed.

Whether you’re hit by something like ransomware or face a full data breach, the costs can escalate quickly, to the point that a single security event can put you out of business. Investing in small business cybersecurity is critical in dealing with these situations.

Looking at Common Attack Types

Cyber criminals are constantly shifting their methods as they identify vulnerabilities. They’re also aware that many small business cybersecurity efforts are lacking. This has made small businesses targets for a wide range of attack types, including:

  • Phishing schemes that use legit-looking emails to trick users into downloading malware.
  • Account takeovers in which criminals use stolen login details to access user accounts and steal private data.
  • Social engineering efforts that allow hackers to pose as an account-holder to gain access to sensitive data.

None of these attack types is technically demanding. They are cheap for hackers to act on. As such, criminals can easily attack small businesses in multiple ways. The hackers just sit back hoping that one method will get through. The Verizon study found that almost 40% of all cyber attacks stemmed from organized crime groups. Hackers are working in smarter, more efficient ways. Small business cybersecurity tactics need to shift as a result.

Exploring Why Small Businesses Are Targets

Imagine you’re a hacker. You’re looking for a target that will give you valuable data you can sell to third parties. Just about every business today is based heavily on digital resources. Why would you target highly defended large corporations when small businesses often have valuable data, but fewer defenses?

This logic is shaping the modern small business cybersecurity sector. Small businesses typically lack strong security measures to identify threats and safeguard data from intruders. Hackers can send phishing emails to thousands of business email addresses at minimal cost. All they need is to have a few people fall for the scam, and hackers have access to company data and systems.

Overcoming the Resource Crunch 

With hackers today, a single data breach could be expensive enough to put you out of business. With this in mind, think about making some IT updates, training staff and using similar strategies to bolster your defenses. Whether you tweak your budget to create space for cybersecurity spending or seek funding to boost your capabilities, it’s time to start rethinking your defenses. Take action before your business becomes the next target.