Tag Archives: cybersecurity

How CAT Models Are Extending to Cyber

The insurance industry relies heavily on catastrophe modeling to set capital adequacy, comply with evolving regulatory requirements and stress test portfolios. The same is increasingly true of cyber catastrophe risk, where the key questions are how models can support capital allocation, stress testing and the development of underwriting guidelines and insurance products. Parallels can be drawn between the cyber catastrophe and natural catastrophe risk management sectors when modeling these risks.

The introduction of models provided critical insight into the potential for catastrophic claims under all-risk policies or policies without clear exclusionary language. Historical events such as the April 1906 San Francisco earthquake (leading to unanticipated claims under fire policies), the 2005 Hurricane Katrina flooding (resulting in unanticipated claims under homeowners wind policies), the 9/11 terrorist attacks (raising unanticipated questions about the interpretation of war exclusions and the definition of a single event) and the still-unfolding coronavirus pandemic highlight how critical it is to understand the triggers and correlation of potential loss from a single event.

In many cases, insurers paid losses to avert “reputational risk” and have since used models to provide insight into realistic structuring of policy, reinsurance and other risk transfer vehicles. Clear exclusionary language, endorsements and coverage-specific terms evolved over the decades in concert with evolving scientific knowledge of the risks and modeled loss potential. 

Today, we are seeing the same evolution in insuring cyber risk, but over a highly compressed period and without decades of experience with systemic insured loss events. Many cyber catastrophe risk managers try to apply the same expectations of data resolution, data quality, catastrophic event knowledge and model validation that current natural catastrophe models meet. But by embracing the common lessons learned from the evolution of the property catastrophe insurance market, we can prepare for an event that is considered a case of not "if" but "when."

The role of data in models

A first common theme is to recognize that, for a rapidly evolving risk, the state of available information means there is value in aggregate data in the absence of detailed data. This has been and still is the case for property catastrophes, and it is also the case for cyber catastrophe risk models. Confidentiality obligations around portfolio data, as well as the lack of high-quality data, are issues for all models. However, new sources of data, together with data science and artificial intelligence analytics, are being incorporated into models and provide increased confidence in assessing the potential risk to an individual company or entity.

See also: Coronavirus Boosts Cyber Risk

A second, related theme is the ability of catastrophe risk models to compensate for risk-specific data that is not captured at the time of underwriting. This is where all catastrophe risk models add significant value, by providing context for what should be captured as well as what can be captured. In the case of cyber, this can include access to both inside-out (behind the firewall) and outside-in (outside the firewall) data. Inside-out data is aggregate, anonymized telemetry for segments of the economy that measures trends in security behavior (such as how quickly software is patched). Outside-in data consists of signals that can be observed from outside an organization and that indicate its overall cybersecurity maturity (such as internet-facing services still running unsupported, end-of-life products).

A third commonality is the value in extrapolating the impact of past events into the future, given evolving data on the changing drivers of the frequency and severity of cyber events. The property catastrophe arena is grappling with very similar issues relative to the rapid and uncertain evolution of climate models. For cyber risks, history is not a predictor of the future in terms of modeling threat actors, the methods they deploy and the vulnerabilities they exploit. However, it is possible to examine historic data on the types of cyber incidents that have occurred while addressing the challenges in the way that information is collected, curated and used. This historic data is used against the backdrop of near-term threat-actor and technology trends to understand future potential systemic losses from large-scale attacks on bigger and more interconnected entities.

The role of probabilistic models

At the enterprise level, the market is struggling with how to assess potential aggregations within and across business lines. Event clash, in which a single event triggers losses under multiple policies and reinsurance treaties, is a key concern across all lines of business. The use of common cyber and other catastrophe risk loss metrics that can be combined across perils and lines of business is being explored. In addition, regulatory groups are considering requirements similar to those for property catastrophe risk to address solvency relative to cyber risk.

In this environment, consistent and structured definitions of risk measures are critical for assessing and communicating potential systemic catastrophic loss. Both deterministic cyber scenario analyses and probabilistic (stochastic) cyber event analyses are required. Given this context, cyber catastrophe risk models that are to withstand validation scrutiny comparable to that applied to property catastrophe models require the same rigorous attention to transparency about model methodology.
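To make the two kinds of analysis concrete, here is an added, self-contained example (not part of the original article and not any vendor's model) of a deterministic scenario run beside a stochastic simulation on a toy portfolio. The portfolio, the business-interruption loss function (2% of limit per outage day, capped at half the limit), the Poisson event rate and the lognormal severity parameters are all assumptions chosen for illustration; a real model calibrates them from the inside-out and outside-in data discussed above.

```python
import math
import random

# Constructed toy portfolio, not real insureds: policy limit and the cloud
# provider each insured depends on (the "single point of failure" dependency).
PORTFOLIO = [
    {"name": "insured-A", "limit": 2_000_000, "cloud": "cloud-1"},
    {"name": "insured-B", "limit": 1_000_000, "cloud": "cloud-1"},
    {"name": "insured-C", "limit": 5_000_000, "cloud": "cloud-2"},
    {"name": "insured-D", "limit": 500_000, "cloud": "cloud-3"},
]


def scenario_loss(portfolio, provider, outage_days, daily_bi_rate=0.02, max_fraction=0.5):
    """Deterministic scenario: an outage at `provider` lasting `outage_days`.

    Each dependent insured claims business interruption of `daily_bi_rate` of its
    limit per day, capped at `max_fraction` of the limit (assumed loss function).
    """
    total = 0.0
    for insured in portfolio:
        if insured["cloud"] != provider:
            continue
        claim = insured["limit"] * daily_bi_rate * outage_days
        total += min(claim, insured["limit"] * max_fraction)
    return total


def _poisson(lam, rng):
    """Poisson draw by Knuth's method; adequate for the small event rates used here."""
    threshold, k, p = math.exp(-lam), 0, 1.0
    while True:
        p *= rng.random()
        if p < threshold:
            return k
        k += 1


def simulate_annual_losses(n_years, event_rate, sev_mu, sev_sigma, seed=7):
    """Stochastic model: Poisson event count per year, lognormal severity per event.
    Returns one aggregate loss per simulated year."""
    rng = random.Random(seed)
    years = []
    for _ in range(n_years):
        n_events = _poisson(event_rate, rng)
        years.append(sum(rng.lognormvariate(sev_mu, sev_sigma) for _ in range(n_events)))
    return years


def exceedance_probability(annual_losses, threshold):
    """Aggregate exceedance probability: share of simulated years with loss >= threshold."""
    return sum(1 for x in annual_losses if x >= threshold) / len(annual_losses)


def loss_at_return_period(annual_losses, years):
    """Loss level exceeded about once every `years` years (e.g. 200 for a 1-in-200 view)."""
    k = max(1, round(len(annual_losses) / years))
    return sorted(annual_losses, reverse=True)[k - 1]


if __name__ == "__main__":
    print("3-day cloud-1 outage scenario:", scenario_loss(PORTFOLIO, "cloud-1", 3))
    losses = simulate_annual_losses(10_000, event_rate=0.3, sev_mu=13.5, sev_sigma=1.2)
    for t in (250_000, 1_000_000, 4_000_000):
        print(f"P(annual loss >= {t:>9,}) = {exceedance_probability(losses, t):.4f}")
    print("1-in-200 annual loss:", round(loss_at_return_period(losses, 200)))
```

The scenario function answers "what does a three-day outage at cloud-1 cost this book?", which is the single-point-of-failure question; the simulation answers "how often does the annual total exceed X?", which is what a solvency-style 1-in-200 metric needs. Both read the same portfolio and the same loss definitions, which is the consistency the text calls for.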

Similarities… but some differences

There are some key differences between the systemic risks of natural disasters and cyber events. One material contrast is that cyber perils manifest with active adversaries seeking to cause malicious damage to individuals and companies globally. The factors affecting modeling include the changing nature of geopolitical threats, the dramatic increase in the use of digital means for criminal enterprises, the hyperconnectivity of developed economies and an ever-increasing reliance on networked technologies. Cyber event scenarios are developed to represent a range of potential systemic events in which technological dependencies affect individual insured companies, due to a common vulnerability or a “single point of failure.” Examples include common cloud service providers, payment systems, mobile phone networks, operating systems and other connected technologies. 

See also: Risks, Opportunities in the Next Wave  

There are limitations in any model relating to cyber risk, given the inherent uncertainties. Nevertheless, these models provide valuable insights to better decision-making relating to capital planning, reinsurance and addressing regulatory issues. By learning from previous insurance shocks, we can support a more stable and resilient cyber risk insurance market.

How Machine Learning Halts Data Breaches

Although we hear a lot about major cybersecurity breaches at non-insurance organizations – Target, Experian, the IRS, etc. – there have been breaches in the insurance industry, too, albeit less publicized. Nationwide faces a $5 million fine from a breach back in 2012. Horizon Blue Cross Blue Shield is still the defendant in a class action suit over a 2013 breach that affected 800,000 of its insureds.

As hard as organizations try to secure their data and systems, attackers keep refining their methods of breaking in. This is why innovation in risk management and insurance is so important.

Can Machine Learning Improve Cybersecurity (and Vice Versa)?

The short answer is yes. Because machine learning can ingest and process huge amounts of data, it can analyze historical cyberattacks, predict the types that may occur next and help set up defenses against them.

Here is a very simple example:

An on-site employee uses his computer to browse some shopping sites during his lunch break. One of those sites contains elements that the model flags as a potential security threat. The security team is notified immediately, and access from that computer to any data that could be useful to attackers can be blocked until a full investigation is complete.

See also: How Machine Learning and AI Reduce Risk  

This may be a rather far-fetched example, because most organizations restrict private use of their computers in advance. But consider the Horizon breach: two laptops were stolen from a facility, and the data on them was exposed. Or the case of Target, where a third-party contractor lacked appropriate security, and attackers reached the company's systems through that third party. Machine learning can help reduce these threats through proper alerting, after which remote shutdowns can follow.

Common Types of Data Breaches that ML Can Help Thwart

1. Spear Phishing

Company employees receive emails in their company inboxes every day. Some of these, from senders who may not be known, include malicious links or attachments.

There are now ML algorithms that identify and classify language patterns: email subject lines, links, body content and communication patterns, phrases and even punctuation. Anomalies can be flagged for security analysts to investigate, catching the emails before they are opened if the system is set up correctly. Some of these emails, for example, read like poor machine translations from another language, and awkward or unidiomatic phrasing is one more signal a classifier can use to flag a possible spear-phishing attempt.
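The following is an added example, written for this page rather than taken from the article or any product, of the kind of classifier just described: each email is reduced to binary features (urgent subject, excess punctuation, external sender, generic greeting, links to raw IPs or to look-alike domains, requests for credentials or money) and a small Bernoulli naive Bayes model is trained on them. The internal domain `example-insurance.com`, the training emails and the two probe emails are all constructed; a real deployment trains on thousands of analyst-labeled messages and adds many more features.

```python
import math
import re
from collections import Counter

COMPANY_DOMAIN = "example-insurance.com"   # assumed internal mail domain (hypothetical)
URGENT_WORDS = ("urgent", "immediately", "action required", "verify", "suspended", "final notice")


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike hosts such as examp1e-insurance.com."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def extract_features(email):
    """Map one email (dict with sender, subject, body) to a set of binary feature names."""
    subject, body = email["subject"].lower(), email["body"].lower()
    sender_domain = email["sender"].rsplit("@", 1)[-1].lower()
    feats = set()
    if any(w in subject for w in URGENT_WORDS):
        feats.add("urgent_subject")
    if "!" in subject or body.count("!") >= 2:
        feats.add("excess_punctuation")
    if sender_domain != COMPANY_DOMAIN:
        feats.add("external_sender")
    if re.match(r"\s*dear (customer|user|employee|sir/madam)", body):
        feats.add("generic_greeting")
    for host in re.findall(r"https?://([^/\s:]+)", body):
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
            feats.add("link_to_raw_ip")
        elif host != COMPANY_DOMAIN and not host.endswith("." + COMPANY_DOMAIN):
            feats.add("link_external_host")
            if edit_distance(host, COMPANY_DOMAIN) <= 2:
                feats.add("link_lookalike_host")
    if any(w in body for w in ("password", "credentials", "log in", "login")):
        feats.add("asks_for_credentials")
    if any(w in body for w in ("wire", "gift card", "payment details", "invoice attached")):
        feats.add("money_request")
    return feats


class BernoulliNB:
    """Bernoulli naive Bayes over binary features with Laplace (add-one) smoothing."""

    def __init__(self, alpha=1.0):
        self.alpha, self.vocab, self.counts, self.class_n = alpha, set(), {}, Counter()

    def fit(self, samples):
        for feats, label in samples:
            self.class_n[label] += 1
            self.vocab |= feats
            self.counts.setdefault(label, Counter()).update(feats)
        return self

    def log_odds(self, feats):
        """log P(phish | x) - log P(legit | x); positive means 'phish' is more likely."""
        total = sum(self.class_n.values())
        score = 0.0
        for label, sign in (("phish", 1), ("legit", -1)):
            n = self.class_n[label]
            lp = math.log(n / total)
            for f in self.vocab:
                p = (self.counts[label][f] + self.alpha) / (n + 2 * self.alpha)
                lp += math.log(p if f in feats else 1 - p)
            score += sign * lp
        return score

    def predict(self, feats):
        return "phish" if self.log_odds(feats) > 0 else "legit"


# Constructed training emails (not real messages); the label is the analyst's verdict.
TRAINING = [
    ({"sender": "it-helpdesk@examp1e-insurance.com", "subject": "URGENT: verify your account",
      "body": "Dear user, your mailbox is suspended! Log in at http://examp1e-insurance.com/verify to restore access immediately!"}, "phish"),
    ({"sender": "ceo@gmail.com", "subject": "Quick favor",
      "body": "Are you at your desk? I need you to buy gift cards for a client and send me the codes."}, "phish"),
    ({"sender": "billing@secure-docs-portal.net", "subject": "Invoice attached - action required",
      "body": "Dear customer, review the invoice attached and update your payment details at http://198.51.100.23/pay"}, "phish"),
    ({"sender": "security@example-insurance.com.evil.net", "subject": "Your password expires today!",
      "body": "Click http://example-insurance.com.evil.net/reset to keep your password."}, "phish"),
    ({"sender": "hr@example-insurance.com", "subject": "Open enrollment starts Monday",
      "body": "Hi team, benefits enrollment opens Monday. Details are on http://intranet.example-insurance.com/benefits"}, "legit"),
    ({"sender": "claims@example-insurance.com", "subject": "Claim 4471 - adjuster notes",
      "body": "Hi Dana, I added my notes to claim 4471 in the portal. Let me know if anything is unclear."}, "legit"),
    ({"sender": "newsletter@industry-news.org", "subject": "Weekly insurance digest",
      "body": "This week's stories on underwriting trends. Read more at http://industry-news.org/digest"}, "legit"),
    ({"sender": "facilities@example-insurance.com", "subject": "Parking lot repaving Friday",
      "body": "Hi all, the north lot will be closed Friday. Please park in the south lot."}, "legit"),
]

# Two constructed probe emails used below and in the demo.
PHISH_PROBE = {"sender": "it-support@examp1e-insurance.com", "subject": "Action required: password reset",
               "body": "Dear employee, your password expires in 1 hour! Log in at http://examp1e-insurance.com/login now!"}
LEGIT_PROBE = {"sender": "dana@example-insurance.com", "subject": "Lunch Thursday?",
               "body": "Hi Sam, want to grab lunch Thursday? The new place on Main is open."}


def train_model():
    return BernoulliNB().fit([(extract_features(e), label) for e, label in TRAINING])


def classify(email, model=None):
    """Return (verdict, feature set) so an analyst can see why a message was flagged."""
    model = model or train_model()
    feats = extract_features(email)
    return model.predict(feats), feats


if __name__ == "__main__":
    m = train_model()
    for probe in (PHISH_PROBE, LEGIT_PROBE):
        verdict, feats = classify(probe, m)
        print(f"{probe['subject']!r}: {verdict}  log-odds={m.log_odds(feats):+.2f}  {sorted(feats)}")
```

Returning the feature set alongside the verdict matters in practice: an analyst triaging the alert wants to see "look-alike link host, asks for credentials, generic greeting" rather than a bare probability, and the same features feed the investigation step the text describes.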

2. Ransomware

Most everyone is familiar with this threat. Users' files are "kidnapped": encrypted so they cannot be read. Users must then pay to get the decryption key that unlocks those files. Often, these files hold critical client data, other proprietary information or system files necessary for business operations. The other type of ransomware simply locks the user's computer and blocks access until the demanded amount is paid.

Training a machine to recognize potential ransomware requires a substantial labeled data set. Historical ransomware samples must be loaded alongside much larger sets of clean files, so the model learns to distinguish the two. Here the features are not language patterns but so-called micro-behaviors of the program: the system calls it makes, whether it enumerates and rewrites many files in quick succession, whether it tries to delete backups. These are classified as "dirty" or "clean," models are built, and a suspect file can then be checked against them and action taken before files are encrypted or the computer is locked.

3. Watering Hole

Employees, especially insurance agents who are out in the field, have their favorite spots for coffee or lunch breaks, or a group of employees may frequently order from the same food joints. Whether they are using the Wi-Fi in that watering hole or visiting that business's website to place an order, the security there is far weaker than in the office, and an attacker who compromises the network or site that a target group habitually visits has an ideal place to harvest credentials or plant malware on their devices.

The Target case was a variation on the theme: a third party, the vendor with weak security, was used as the "door" to get in.

ML algorithms can be developed to track and analyze the redirect chains that employees' devices follow when they access external websites, on- or off-site. Users can be bounced through malicious sites on their way to the destination site, and this is what ML can detect.

See also: How Machine Learning Transforms Insurance

4. Webshell

A webshell is nothing more than a small piece of code, typically a script in the web server's own language, that an attacker uploads to a website so that commands can be run on the server remotely. From there the attacker can read and change files on the server and reach the system's database. Most often, attackers look to take customers' banking and credit card information, so this type of attack occurs most often on e-commerce websites. However, medical practices and insurance companies are certainly at risk, too, because they hold lots of personal data. When the insured set up automatic payments from their bank accounts, the activity is even more attractive to these attackers: payments are simply routed somewhere else.

Machines can be trained to recognize normal patterns of web server behavior and to flag those that are not, such as a script that appears in an upload directory and starts executing system commands. Machines can also be used to identify webshells preemptively and then prevent them from being used against a system.

The Requirement? Machines and Humans Must Work Together

Will machines ultimately eliminate the need for in-house or contracted cybersecurity experts? Highly unlikely. At this point, machines cannot engage in the deeper investigations that analysts perform once they are aware of potential breaches or once aberrant behaviors have been detected. But innovation in risk management and insurance should certainly include machine learning. Humans simply cannot gather and analyze data as fast as machine algorithms can. Incorporating ML as a solid part of cybersecurity just makes sense.

5 Questions That Thwart Ransomware

This past summer was something of a perfect storm for small businesses, which weathered an increase in ransomware attacks that, in many cases, started with an IT vendor or managed service provider (MSP).

Ransomware incidents reported to our company were up 37% in the third quarter when compared with the first three months of the year, and 24% were confirmed to be caused by a vendor or MSP.

Those statistics are bad news for small businesses that manage their IT resources with the help of an MSP and worse news for small businesses that outsource their entire IT operation to the MSP, which then handles everything from building the network and managing applications to servicing any and all IT requests.

In fact, in the first nine months of last year, 63% of all the ransomware incidents reported to our breach response unit came from small businesses, many of which rely on an MSP. Why is that figure so high? MSPs make ripe targets for ransomware attacks.

They have to balance, on the one hand, a need for speed and convenience when it comes to being able to respond to clients and, on the other hand, the need to have the right security controls in place. Too often, speed and convenience win out over security controls.

For example, in many cases, MSPs have reused credentials across clients so that MSP employees can service multiple clients more quickly. Similarly, MSPs might not enable multi-factor authentication (MFA) on the remote access point they use to pivot to client environments.

See also: How Municipalities Avoid Ransomware  

In many incidents in the third quarter, attackers exploited the remote monitoring and management (RMM) application that connects the MSP to its clients. The same MSP user account would log into multiple client environments and install ransomware. If the MSP had set up individual user accounts for each of its clients, the compromise of a single set of credentials would more likely have enabled unauthorized access to only one client's environment, diminishing the risk to its clients.

Further, an MSP user account often needs full administrative access to perform routine IT functions, so when credentials were compromised, the attackers had full administrative access to clients' environments.
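The pattern described above (one shared account pivoting through client after client and pushing a package to each) is visible in the RMM tool's own audit trail, and an MSP can hunt for it. The following detection script is an added example for this page, not code from any RMM vendor, and the audit log is constructed; the CSV field layout (timestamp, account, client tenant, action, source IP, MFA flag) is an assumption, since every product logs these differently.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed RMM audit log (not the output of any real tool). Fields:
# timestamp, account, client tenant, action, source IP, MFA used
SAMPLE_LOG = """\
2019-07-14T02:03:11Z,svc-rmm,acme-dental,login,203.0.113.9,no
2019-07-14T02:04:02Z,svc-rmm,acme-dental,deploy_package,203.0.113.9,no
2019-07-14T02:06:40Z,svc-rmm,bayside-law,login,203.0.113.9,no
2019-07-14T02:07:15Z,svc-rmm,bayside-law,deploy_package,203.0.113.9,no
2019-07-14T02:09:58Z,svc-rmm,cedar-clinic,login,203.0.113.9,no
2019-07-14T02:10:30Z,svc-rmm,cedar-clinic,deploy_package,203.0.113.9,no
2019-07-14T09:15:00Z,jsmith,acme-dental,login,198.51.100.7,yes
2019-07-14T09:20:12Z,jsmith,acme-dental,run_script,198.51.100.7,yes
2019-07-14T13:40:00Z,mlee,bayside-law,login,198.51.100.7,yes
"""


def parse_log(text):
    """Parse the assumed CSV layout into event dicts with real datetimes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, account, tenant, action, src_ip, mfa = line.split(",")
        events.append({"ts": datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), "account": account,
                       "tenant": tenant, "action": action, "src_ip": src_ip, "mfa": mfa == "yes"})
    return events


def detect(events, window=timedelta(minutes=30), min_tenants=3):
    """Three rules against the audit trail:
    - multi_tenant_fanout: one account touches >= min_tenants tenants inside `window`
    - cross_tenant_deploy: one account pushes a package to two or more tenants
    - login_without_mfa:   any interactive login that did not use MFA
    Returns a list of finding dicts; an empty list means nothing fired."""
    findings = []
    by_account = defaultdict(list)
    for e in events:
        by_account[e["account"]].append(e)
    for account, evs in by_account.items():
        evs.sort(key=lambda e: e["ts"])
        for i, start in enumerate(evs):           # sliding window over this account's events
            tenants = {e["tenant"] for e in evs[i:] if e["ts"] - start["ts"] <= window}
            if len(tenants) >= min_tenants:
                findings.append({"rule": "multi_tenant_fanout", "account": account,
                                 "tenants": sorted(tenants), "from": start["ts"].isoformat()})
                break
        deploy_tenants = {e["tenant"] for e in evs if e["action"] == "deploy_package"}
        if len(deploy_tenants) >= 2:
            findings.append({"rule": "cross_tenant_deploy", "account": account,
                             "tenants": sorted(deploy_tenants)})
        no_mfa = [e for e in evs if e["action"] == "login" and not e["mfa"]]
        if no_mfa:
            findings.append({"rule": "login_without_mfa", "account": account, "count": len(no_mfa),
                             "src_ips": sorted({e["src_ip"] for e in no_mfa})})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(finding)
```

Note what the per-client account recommendation does to the first rule: an account scoped to a single tenant cannot fan out, so the control and the detection reinforce each other, and a fan-out alert on such an account is an immediate sign that something other than the MSP is using it.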

So, why the increase in MSP ransomware attacks this summer? According to Bill Siegel, CEO and co-founder of ransomware response platform Coveware, hackers have found a way to magnify the attacks on MSPs. Specifically, developers of Sodinokibi ransomware are now using techniques employed originally by GandCrab ransomware to make the attacks on MSPs more profitable.

These MSP ransomware attacks over the summer exposed incident response challenges. For small businesses that completely rely on outsourced IT, a massive ransomware attack across clients draws on the MSP’s resources and inevitably leaves many businesses in the dark. Small business owners without a technical background struggle to understand and assist the external legal and forensics vendors who are hired to help them respond to the attack.

The response is further complicated when the MSP itself is also infected with ransomware. Where an attack group knows it has hit an MSP and infected downstream clients, the group may refuse to negotiate with the end clients and instead respond only to the MSP, in order to increase ransom demands. This tactic can also leave clients with little to no control over their data and software recovery.

For all of these reasons, we urge small businesses to ask the following important questions when vetting a potential MSP:

  1. Is there a security program in place, including periodic risk assessments to identify areas for improvement?
  2. Is there continuing security awareness training across the organization?
  3. Is there an SSAE 18 SOC 2 Type II report, or a similar report, available to customers, attesting to the security control environment?
  4. If access to personally identifiable information or protected health information is necessary, how is this protected at the vendor (e.g. encryption, secure remote connections, restricted access, logging and monitoring)?
  5. Are security and availability requirements enforced in master service agreement contracts (e.g. sensitive data protection, up-time guarantee/service level agreements, security incident reporting/coordination, regulatory compliance requirements)?

Our third-quarter statistics clearly show that small businesses and MSPs are big targets for hackers. It is absolutely critical that small businesses are working hand-in-hand with all their IT vendors to prevent ransomware attacks from happening in the first place.

Why Cyber Must Be a Focus for SMEs

Small business cybersecurity must be taken seriously. The days of hackers focusing on major businesses have given way to a new era. Small businesses are the new target. The Verizon 2019 Data Breach Investigations Report found that 43% of data breaches hit small businesses. The next most common industry for breaches – the public sector – was hit by just 16% of security events. Small businesses are a high-priority target for attackers, and a Ponemon Institute study found that 67% of small businesses were hit by a cyber attack in the year prior to its study, which was released in late 2018.

These are tough statistics for small business owners. The problem doesn’t stop here. Small businesses aren’t just targets; they are also less likely to be able to handle the costs of a data breach. A study from IBM Security and the Ponemon Institute found the average total cost of a data breach was $3.9 million in 2018. That figure has been rising over the past few years.

Small business cybersecurity is a mission-critical situation. It’s something that poses real challenges for small business owners who lack the resources to invest in robust IT systems.

Understanding the Scope of the Cybersecurity Threat

The high costs of a data breach are influenced by major security incidents affecting large corporations. You may not think you have almost $4 million to lose in a cyberattack because you simply don’t have that kind of money in the first place. But that’s the problem. You may not be hit by a hacker trying to steal highly regulated data, leading to the kinds of fines that cause huge costs. But how much cash do you have lying around? If you’re hit by a ransomware attack – a security event in which a hacker uses malware to encrypt your data so you can’t access it and demands a ransom – do you have the funds to respond? Even a $50,000 ransom can have a huge impact on a small business.

See also: Hidden Dangers for Cybersecurity  

Dealing with the Costs of Attacks

The costs that come with a data breach stem from a variety of sources. If you're lucky, you won't lose any information or have it stolen. For example, two common types of attack don't steal data; they just kill productivity.

The first of those is ransomware. The cost here comes from lost productivity while data is inaccessible, plus the price of paying the ransom (or of restoring from backups) to recover your data. The second is distributed denial of service (DDoS), an attack in which your servers are flooded with bogus requests until they can no longer respond, making it impossible for legitimate customers to interact with you.

When data is stolen, the costs escalate, particularly if customer information is lost. In this case, you often have to:

  • Cover the costs of credit monitoring for those affected by the breach.
  • Deal with regulatory fines if it’s found that you weren’t in compliance with an industry standard.
  • Face lost trust from customers, something that often hurts the bottom line.
  • Scramble to deal with the source of the attack and fix any IT problems that existed.

Whether you’re hit by something like ransomware or face a full data breach, the costs can escalate quickly, to the point that a single security event can put you out of business. Investing in small business cybersecurity is critical in dealing with these situations.

Looking at Common Attack Types

Cyber criminals are constantly shifting their methods as they identify vulnerabilities. They’re also aware that many small business cybersecurity efforts are lacking. This has made small businesses targets for a wide range of attack types, including:

  • Phishing schemes that use legitimate-looking emails to trick users into downloading malware or handing over credentials.
  • Account takeovers in which criminals use stolen login details to access user accounts and steal private data.
  • Social engineering efforts that allow hackers to pose as an account-holder to gain access to sensitive data.

None of these attack types is technically demanding. They are cheap for hackers to act on. As such, criminals can easily attack small businesses in multiple ways. The hackers just sit back hoping that one method will get through. The Verizon study found that almost 40% of all cyber attacks stemmed from organized crime groups. Hackers are working in smarter, more efficient ways. Small business cybersecurity tactics need to shift as a result.

Exploring Why Small Businesses Are Targets

Imagine you’re a hacker. You’re looking for a target that will give you valuable data you can sell to third parties. Just about every business today is based heavily on digital resources. Why would you target highly defended large corporations when small businesses often have valuable data, but fewer defenses?

See also: 4 Ways to Boost Cybersecurity  

This logic is shaping the modern small business cybersecurity sector. Small businesses typically lack strong security measures to identify threats and safeguard data from intruders. Hackers can send phishing emails to thousands of business email addresses at minimal cost. All they need is to have a few people fall for the scam, and hackers have access to company data and systems.

Overcoming the Resource Crunch 

With hackers today, a single data breach could be expensive enough to put you out of business. With this in mind, think about making some IT updates, training staff and using similar strategies to bolster your defenses. Whether you tweak your budget to create space for cybersecurity spending or seek funding to boost your capabilities, it’s time to start rethinking your defenses. Take action before your business becomes the next target.

Why Hasn’t Cyber Security Advanced?

Despite major advancements in technology, the global approach to cybersecurity has remained the same for decades: Respond and recover. The same vulnerabilities are repeatedly exploited in similar ways, and this trend shows no signs of slowing because current security tools do not actually address the roots of attacks. Even new artificial intelligence and machine learning techniques have mostly been aimed at improving response efficiency – as though there is nothing we can do but prepare for the worst and recover as quickly as possible. To slow the frequency of dangerous and costly cyberattacks, companies should be shifting their efforts toward focusing on disrupting adversaries.

In May 2000, one unwitting user on a computer in the Philippines used Microsoft Outlook to open an email message with the subject line "ILOVEYOU" and an attached file named "LOVE-LETTER-FOR-YOU.TXT.vbs" (Windows hid the .vbs extension by default, so it looked like a harmless text file). The attachment was a Visual Basic script containing a worm that moved through the user's computer, overwriting files and sending an email with a copy of itself to every address in the user's Windows Address Book. Just 10 days later, the ILOVEYOU worm had spread around the world, infecting an estimated 50 million computers. Far from spreading love, the worm caused more damage than any previous cybersecurity incident: an estimated $5.5 billion to $8.7 billion worldwide.

See also: Quest for Reliable Cyber Security  

Seventeen years later, in March 2017, Microsoft released a patch (MS17-010) for a vulnerability in SMBv1, the file-sharing protocol in use across versions of Windows, including the long-unsupported Windows XP, which received an emergency fix only after the outbreak. Countless systems had not been patched by the time the WannaCry ransomware attack began two months later, in May 2017. WannaCry eventually affected more than 200,000 computers across 150 countries and caused estimated damages ranging from hundreds of millions to billions of dollars.

Despite significant changes to the state of technology and the internet between 2000 and 2017, these two cyberattacks were very similar. Both propagated through Windows systems by relatively simple means (a script users were tricked into running in one case, an unpatched and widely known vulnerability in the other), and both were successful because of a lack of proactive cybersecurity.

Not only do the same kinds of attacks continue to work, responses to cyberattacks have not changed much, either. Despite all our advances in technology, cybersecurity is generally still focused on response and recovery: Identify the infected computers, take them offline, rebuild or replace them, file a data breach disclosure… rinse and repeat.

Is it impossible to defend against these vulnerabilities? Are hackers just too smart? Not necessarily. Response and recovery treats cyberattacks like natural disasters – inevitable, unstoppable and caused by forces outside our control. Meanwhile, adversaries continue to enjoy the fruits of their illicit labors. Popular methods of attack remain consistently successful because cybersecurity has failed to evolve to a posture of true prevention.

A needed evolution

The continued success of these cyberattack methods (and others) hinges on exploiting a limited number of key vulnerabilities that are commonly known to good and malicious actors alike. So, why are they still effective? The answer is that standard cybersecurity methods are designed to respond to incidents but rarely, if ever, actively disrupt the adversary's attempted attack. For example, cyberattacks or intrusions are generally handled via alerting after a breach has already occurred. The alert triggers a cybersecurity team to go in and clean up the affected systems, then set up or modify a firewall to block future attacks. Afterward, where personal data has been exposed, companies are generally required by law to file a data breach notification.

The most common approach to blocking attacks involves analyzing past and current threats, then distilling the results into indicators of compromise (IoC), such as IP addresses, domain names or hashes of known bad files. These IoCs are fed into available cybersecurity tools, which are wielded like a giant hammer, blocking or denying any traffic associated with them.

This method aims to prevent attacks that are exactly like prior attacks. This perpetuates the problem, however, as hackers know about these protection methods and adjust. Subsequent attacks are designed to differ just enough from prior attacks to elude being blocked and ensure they avoid the new protections. This process is repeated time and time again. The cybersecurity industry is almost entirely locked in this detect-respond-recover approach, with little to no effort being made to actually prevent cyberattacks in the first place.
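The brittleness described here is easy to demonstrate. The following is an added example, not from the original article or from Trinity Cyber, contrasting a hash-based IoC match with a rule keyed to the adversary's technique; it also illustrates the "micro-behaviors" point from the machine-learning article above. The "sample" bytes and the process telemetry are constructed stand-ins, not real malware or real endpoint logs.

```python
import hashlib
from collections import Counter

# Constructed stand-in for a malicious script; not a real sample.
ORIGINAL_SAMPLE = b"$k = 'secret'; foreach ($f in Get-ChildItem C:\\Users -Recurse) { Encrypt $f $k }\n"
# The attacker's next build: identical behaviour, one comment line added.
VARIANT_SAMPLE = ORIGINAL_SAMPLE + b"# build 2\n"


def sha256_hex(data):
    return hashlib.sha256(data).hexdigest()


def ioc_match(data, blocklist):
    """Hash-based IoC check: an exact match on the file hash, nothing more."""
    return sha256_hex(data) in blocklist


def simulate_encryption_events(n_files, delete_shadows=True):
    """Constructed process telemetry: (seconds, kind, detail) tuples from one process that
    rewrites n_files documents under a new extension, then deletes volume shadow copies."""
    events = [(i * 0.5, "rename", f"C:/Users/x/Documents/report{i}.docx.locked") for i in range(n_files)]
    if delete_shadows:
        events.append((n_files * 0.5 + 1, "exec", "vssadmin.exe delete shadows /all /quiet"))
    return events


def looks_like_ransomware(events, min_renames=20, window_seconds=60):
    """Technique-based rule: many files renamed to one new extension inside a short window,
    or a shadow-copy deletion command. It does not care what the binary hashes to."""
    renames = sorted((t, path.rsplit(".", 1)[-1]) for t, kind, path in events if kind == "rename")
    for i, (t0, _) in enumerate(renames):
        exts = Counter(ext for t, ext in renames[i:] if t - t0 <= window_seconds)
        if exts and exts.most_common(1)[0][1] >= min_renames:
            return True
    return any(kind == "exec" and "vssadmin" in cmd.lower() and "delete shadows" in cmd.lower()
               for _, kind, cmd in events)


if __name__ == "__main__":
    blocklist = {sha256_hex(ORIGINAL_SAMPLE)}
    print("IoC blocks original build:", ioc_match(ORIGINAL_SAMPLE, blocklist))
    print("IoC blocks next build:    ", ioc_match(VARIANT_SAMPLE, blocklist))
    print("TTP rule fires on both:   ", looks_like_ransomware(simulate_encryption_events(25)))
```

One appended byte defeats the hash IoC; the rename-storm and shadow-copy rules keep firing because the attacker cannot change what the program must do to achieve its goal without changing the goal. That is the practical meaning of building defenses around TTPs rather than around artifacts of the last attack.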

Embrace a new approach to stem the flow of cyberattacks

Rather than treat the cyber threat like a natural disaster, the cybersecurity industry needs to embrace a fundamentally new approach. Instead of relying solely on insufficient incident response and recovery methods that have been used for many years, a more sophisticated approach is needed to prevent current cyberattacks and to predict and prevent future ones on a meaningful scale.

At Trinity Cyber, for instance, we provide this preventive assurance by invisibly monitoring threats outside a network’s perimeter and adapting to the adversary’s techniques to intercept and neutralize cyberattacks before they get in.

Operational challenges in the cyber realm have been exacerbated by an ever-growing landscape of disparate endpoints, the heightened sophistication of attackers and an increasing number of cybersecurity tools. While these challenges led to the development of SOAR (security orchestration, automation and response) platforms, which add efficiency, most tools remain inherently reactive.

See also: Best Practices in Cyber Security  

Cyberattacks, or attempts at compromising a system, are human-made events within a human-made environment. By focusing on disrupting the adversary's methods, analysts can determine tactics, techniques and procedures (TTPs) and then use those to develop solutions that provide truly preventive cybersecurity.