Tag Archives: dark web

How to Determine Your Cyber Coverage

Public agencies and organizations around the world are making cyber risk their top priority. North American policyholders dominate the market, but Europe and Asia are expected to grow rapidly over the next five years due to new laws and significant increases in targeted attacks, such as ransomware. Various experts predict the $3 billion global cyber insurance market will grow two-, three- or even four-fold by 2020.

Deciding how much cyber insurance to buy is no inconsequential matter, and the responsibility rests squarely with the board of directors (BoD). Directors and executives should have the highest-level view of cyber risk across the organization and are best-positioned to align insurance coverage with business objectives, asset vulnerability, third-party risk exposure and external factors.

See also: New Approach to Cyber Insurance  

So, how much does your organization stand to lose from a supply chain shut down, a web site outage or service downtime?

Recent data points from breach investigations help frame the discussion around risks and associated costs. Following a variety of high-profile breaches helps ensure that your projected coverage requirements match up with reality. Be sure to follow older cases for deeper insight into the full expense compared with insurance payout; related costs and losses are often incurred for years afterward due to customer and market response as well as legal and regulatory enforcement actions.

In 2013, Target suffered a very public breach that resulted in the resignation of the CEO, a 35-year employee. Target had purchased $100 million in cyber insurance, with a $10 million deductible. At last count, Target reported that the breach costs totaled $252 million, with some lawsuits still open.

Home Depot announced in 2014 that between April and September of that year cyber criminals stole an estimated 56 million debit and credit card numbers – the largest such breach to date. The company had procured $105 million in cyber insurance and reported breach-related expenses of $161 million, including a consumer-driven class action settlement of $20 million.

These cases illustrate the need for thoughtful discussion when deciding how much breach insurance to buy. Breach fallout costs depend on multiple factors, are not entirely predictable and can rise quickly due to cascading effects. Cases in point: the bizarre events surrounding Sony’s breach and the post-breach evisceration of Yahoo’s pending deal with Verizon.

Organizations need to review their security posture and threat environment on a regular basis and implement mechanisms for incessant improvement. The technology behind cyber security threats and countermeasures is on a sharp growth curve; targets, motives and schemes shift unpredictably. Directors may find it useful to assess risk levels and projected costs for multiple potential scenarios before cyber insurance amounts are decided upon.

Most policy premiums are currently based on self-assessments. The more accurate the information provided in your application, the more protected the organization will be. Most policies stipulate obligations the insured must meet to qualify for full coverage; be sure to read the fine print and seek expert advisement.

A professional security assessment can pinpoint areas in need of improvement. If you claim to be following specific protocols, but a post-breach investigation finds they were poorly implemented, circumvented or insufficiently monitored, the insurer may deny or reduce coverage. Notify your insurance provider immediately about significant changes to your security program.

Review policy details regularly to ensure they match prevailing threats and reflect the evolution of crimeware and dark web exploits. Cyber insurance carriers continually adjust their offerings based on risk exposure and litigation outcomes.

See also: Promise, Pitfalls of Cyber Insurance  

As the industry matures, cyber insurance policies will become more standardized. For now, it’s an evolving product in a dynamic market; boards and executives need to keep an eye on developments. Simultaneously, they must maintain a high degree of visibility across their security program. Checking off compliance requirements, writing policies and purchasing security software isn’t sufficient.

My advice is to lead from the top. Organizations need to ensure risk assessments are thorough and up-to-date, policies are communicated and enforced and security technology is properly configured, patched and monitored.

Turning a blind eye to cyber threats and organizational vulnerabilities can have disastrous consequences. Cyber insurance may soften the financial blows, but it only works in conjunction with an enterprise-wide commitment to security fundamentals and risk management.

Dark Web and Other Scary Cyber Trends

We have all heard the continued drum beat regarding hacking. Anthem, Sony, Target, Home Depot, Experian and various government and military branches have all been hacked and have received their fair share of negative press. In each case, people were harmed, leaders were fired, brands were damaged and no one was really surprised.

I am not a singularly focused cybersecurity expert, but I have been up to my neck in tech for 30 years and have a knack for seeing emerging patterns and macro trends and stitching those together to synthesize consequences and outcomes. In the case of the Dark Web, none of that is good news; The emerging patterns should worry us all. As English historian (1608-1661) Thomas Fuller wrote, “Security is the mother of danger and the grandmother of destruction.”

See also: Best Practices in Cyber Security

Below is my list of the “Top 10 Scary Macro Cyberthreat Trends” –and this is still early days for them.

1. The Dark Web Pareto 

Over the last decade, the hacker population has gone from 80% aficionados/hacktivists/deep-end-of-the-pool techies and 20% professional criminals to 80% professional criminals and 20% “other.” To be clear, by “professional criminal” I mean organized criminals who are there for the money, not just to someone who broke the law.

2. “Lego-ization” of the Dark Web

Over the last few years, technology in the Dark Web has been changed from intricate, end-to-end hacks to a place where one merely assembles “legos” that are commercially available (albeit inside an anonymized criminal environment.) People don’t just buy tool kits with instructions but also the ability to buy “lego-ized” services like illicit call center agent time for more complex criminal activities such as getting access to someone’s bank account. Parts of the Dark Web look like IKEA without the assembly difficulty or the inevitable leftover parts.

3. The Dark Web embraces the capital-lite approach

Of course, the Dark Web has embraced the cloud-computing model for the reasons we see in the enterprise world. What this means to the criminal hacker or, more likely, hacker organization, is that they can now go asset-free and rent the assets they need when they need them.

For example, there are services for running a few hundred million password permutations in less than an hour for a few hundred dollars. Hackers no longer need to infect a massive amount of computers to fire up a denial-of-service hack; they can simply rent time on a botnet, a massive amount of “hijacked” computers up for sale in the Dark Web. Most companies still do not have a botwall to deflect bots.

Gameover ZeuS is a massive example of a botnet with one variant able to generate 10,000 domains a day with more than three million zombie computers — just in the U.S. Botnets are sometimes referred to as “zombie armies” (surely there’s a TV series in there somewhere.) The Bredolab botnet may have had as many as 30 million zombie computers.

See also: Demystifying “The Dark Web”

4. Clandestine versus brazen 

The bragging rights for revealing a hacking “accomplishment” was once a hallmark of this space. Over the past decade or so, that factor has greatly diminished. The criminal enterprise would like nothing more than to go unnoticed. The recent massive Experian hack only came to light after the Secret Service let Experian know some of its stuff had been found for sale in the Dark Web. Focusing on avoiding detection by adopting smarter methods, targets, distribution models and revenue capture is better business and is in line with a longer, sustainable view of profit. None of the criminal organizations have boards of directors that pressure them to hit the quarterly sales and operating income figures. A hack is not a moment in time; if a hacker can go undetected, he or she can milk the hack for years. This is worrisome.

5. The total available market has grown and is target-rich 

The target space for crime connected to an IP node has grown tremendously, and so has the value of the content. The massive increase in mobile IP addresses, the online transactions we do and IP-related things like stored value cards or mileage points makes a rich target for crime. It is 100x bigger than what it was just 10 to 15 years ago.

The target space’s growth is accelerating. After banking regulations on the minimum size of banks were relaxed in 1900, 2,000 banks were added in two years along with growth in the relatively new credit union sector. This increase in “target space” spawned bank robbers. The target space for Dark Web crime loves the increase in the target area and doesn’t mind that the “banks” are smaller. The number of people using the Web and the average amount of time spent on the Web continues to increase. I think with the advent of things like the Internet of Things, 5G, Li-Fi and a quantum leap in cloud computing capacity per unit cost, this increase will accelerate.

6. Small many versus big few 

Over the past decade, the trend in conjunction with the above items moved toward smaller “heists” but a lot more of them. Someone in Venezuela took $2 a month off my credit card for 18 months before it stopped. How many people would miss a dollar or two off a stored value card/account that has an auto-refill function like my Skype account does?

What sort of statistical controls would you put on your revenue flows (as a business) to even recognize that leakage? Of course, there are still big hacks going on, but a lot of those are just the front end of a B2B transaction that then sells off that big pool of hacked data to buyers in the criminal bazaar. Small, often and dispersed is harder to catch and more clandestine by nature.

7. Automation of the Dark Web

Timing is everything. As the Dark Web evolved into a scale-based, organized criminal environment, it leveraged modern automation from provisioning to tool sets to communications and even to billing.

Blackshades creepware is a great example of automation extending into the consumer product end. Available for $50, it has a point-and-click interface and has internalized all of the complexity and has automated hacking even for actors with very low-level tech skills. It allows the bad actor to browse files, steal data/passwords and use the camera (often relating to extortion). Blackshades infected more than 500,000 computers in more than 100 nations. A lot of the people who bought this did not have the skills to do any hacking without this kind of automation.

8. Tech getting better, faster, cheaper while talent improves

Late last year, TalkTalk, an ISP quad-play provider in the U.K., got hacked and held for ransom by four teenagers. The company estimates $90 million of cost tied to this hack, and no one really knows what the cost of the brand damage has been. There’s also a third of the company’s market cap gone, and it lost 95,000 customers. In all fairness, TalkTalk’s security was poor. The point here is that the technology in the Dark Web is getting faster, better and cheaper. At the same time, the average talent level is rising, which may not be the case in the non-criminal tech world.

There are three factors at play:

  1. Communities of collaboration and learning are becoming commonplace. Blackshades is a great example of a malicious tool with a super-low point of entry (price and tech skills) backed up by great online help and a community site.
  2. The likes of the Metropolitan Police Cyber Unit (London), the FBI, Interpol, etc. are all very effective and are continually improving organizations that stop crime and lock up cyber criminals. In some ways, this is a culling of the herd that also serves to create a positive Darwinian push on the average talent in the Dark Web.
  3. The giant upside financial opportunity to using tech skills for nefarious purposes creates a big gravitational pull that is only enhanced by recent economic and national turmoil, especially in places like Eastern Europe, Russia and Ukraine. In addition to that, state-sponsored or affiliated hackers with military-like rigor in their training can often make money moonlighting in the criminal world.

The combination of forces raising the talent level and the continued improvement of technology make for a bad combo. The Dark Web is also embracing open sourcing. Peer-to-peer bitcoin-based plays may become the next dark commerce platform.

9. The Dark Web itself

The Dark Web has evolved over the past decade or so from a foggy, barely penetrable space to a labyrinth of loosely connected actors and now to a massive, modernized bazaar thriving with commercial activity with a huge neon sign on the front door saying “Open for Business.” It is not just a bazaar, it is a huge B2B marketplace where the best criminals can resell their wares whole or in “lego-ized” pieces. Some of these criminals even offer testimonials and performance guarantees!

The Dark Web has moved from what economists call “perfect competition” to a more imperfect model trending toward oligopoly. In simpler terms, it is not a sea of malevolent individuals but, rather, the domain of organized businesses that happen to be largely illegal. These are organizations of scale that must be run like a business. This new structure will evolve, adapt and grow so much faster than the prior structure because these organizations have mission-focus and cash-flow pressures. Of course, the market forces common in a bazaar will winnow out low-value and defective products quickly, simply because word travels fast and customers vote with their wallets. 

10. The truly ugly “What’s next?” section

Like many thriving businesses, there is a tendency to move into adjacencies and nearby markets. This has already happened.

There is a lot of money in fiddling with clickstreams and online advertising flows. Bots account for about 50% of the traffic on the Internet; of those, about 60% are bad bots.

There is money to be made in transportation. One can buy fake waybills on the Dark Web to ship a crate to, say, Kiev at a fraction of the price FedEx or UPS would charge, even though the package will travel through FedEx or UPS.

Here are four emerging and even more worrisome areas that could be leveraged (in a bad way) by sophisticated, tech-savvy commercial criminal enterprises that are alive and thriving today in the Dark Web.

  • Internet of Things – It is just the beginning for the IoT. If you click here, you can read a paper on what may drive the amazing growth and where the potential is. The available talent who know how to secure devices, sensors and tags from hacks and stop those hacks from jumping five hops up a network are few and far between, and they don’t normally work in the consumer and industrial spaces that make stuff and that have decided to make an IP-enabled model. Few boards in the Fortune 500 can have an intelligent conversation about cybersecurity at any level of detail that matters. In short, over the next few years, IoT may be a giant hunting ground. For instance, what if a hacker goes through the air conditioning control system to point-of-sale devices and steals credit card info? That is a target with a big bull’s eye on it. (That is what happened to Target.)
  • Robotics – This is a little further out, and the criminal cash flow is a little harder to predict, but IP-connected robots is a space that will grow exponentially over the next decade and be at key points in manufacturing, military and medical process flows. What is the ransom for holding a bottling plant hostage? The Samsung SGR -1 (no, not a new phone) is a thermal imaging, video-sensing robot with a highly accurate laser targeting gun that can kill someone from 3,000 yards out. The Oerlikon GDF005 is a less-sophisticated antiaircraft “gunbot” that is, in part, designed to be turned on and left to shoot down drones. These things are both hackable. 
  • Biochem – What if some of the above Dark Web trends extend into this area, renting assets and expertise, point-and-click front-end designs? The bad news is that this seems to have started. 
  • The over-the-horizon worries – Nanotech, Li-Fi, AI, synthetic biology, brain computer interface (BCI) and genomics are all areas that, at some point in their evolution, will draw a critical mass of criminal Dark Web interest. The advances in these areas are at an astounding pace. They are parts of the near future, not the distant future. If you have not looked at CRISPR, google it. Things like CRISPR, coupled with progressively better economics, are going to supercharge this space. Li-Fi, coupled with 5G and the IoT (including accelerated growth in soft sensors), will create a large target space. The Open BCI maker community is growing quickly and holds enormous promise. Take a look at the Open BCI online shop and see what you could put together for $2,000 or  $10,000. The Ultracortex Mark IV is mind-blowing (not literally) and only $299.

All of this is going to get worse before it gets better. This is clearly not a fair fight. This is a target-rich environment that is growing faster than almost anyone anticipated. The bad actors are progressively getting better organized, smarter and better built for “success.” Interpol, the FBI and other law enforcement agencies do great work, but a lot of it is after-the-fact.

Enterprises need new approaches to network-centric compartmentalized security. New thinking about upstream behavioral preventative design is needed for robustly secure IoT plays.

National organizations in law enforcement and intelligence need to think through fighting a borderless, adaptive, well-funded, loosely coupled, highly motivated force like those under the Dark Web umbrella. Those national organizations probably need to play as much offense as defense. Multiple siloed police and intelligence units that are bounded geographically, organizationally, financially and culturally probably will start out with a disadvantage.

This article was originally published on SandHill.com. The story can be found here.

Demystifying “The Dark Web”

We often hear reference to the “deep” or “dark” web. What exactly is the deep or dark web? Is it as illicit and scary as it is portrayed in the media?

This article will provide a brief overview and explanation of different parts of the web and will discuss why you just might want to go there.

THE SURFACE WEB

The surface web or “Clearnet” is the part of the web that you are most familiar with. Information that passes through the surface web is not encrypted, and users’ movements can be tracked. The surface web is accessed by search engines like Google, Bing or Yahoo. These search engines rely on pages that contain links to find and identify content. Search engine companies were developed so that they can quickly index millions of web pages in a short time and to provide an easy way to find content on the web. However, because these search engines only search links, tons of content is being missed. For example, when a local newspaper publishes an article on its homepage, that article can likely be reached via a surface web search engine like Yahoo. However, days later when the article is no longer featured on the homepage, the article might be moved into the site’s archive format and, therefore, would not be reachable via the Yahoo search engine. The only way to reach the article would be through the search box on the local paper’s web page. At that time, the article has left the surface web and has entered the deep web. Let’s go there now…

THE DEEP WEB

The deep web is a subset of the Internet and is not indexed by the major search engines. Because the information is not indexed, you have to visit those web addresses directly and then search through their content. Deep web content can be found almost anytime you do a search directly in a website — for example, government databases and libraries contain huge amounts of deep web data. Why does the deep web exist? Simply because the Internet is too large for search engines to cover completely. Experts estimate that the deep web is 400 to 500 times the size of the surface web, accounting for more than 90% of the internet. Now let’s go deeper…

THE DARK WEB

The dark web or “darknet” is a subset of the deep web. The dark web refers to any web page that has been concealed because it has no inbound links, and it cannot be found by users or search engines unless you know the exact address. The dark web is used when you want to control access to a site or need privacy, or often because you are doing something illegal. Virtual private networks (VPNs) are examples of dark web sites that are hidden from public access unless you know the web address and have the correct log-in credentials.

One of the most common ways to access the dark web is through the Tor network. The Tor network can only be accessed with a special web browser, called the Tor browser. Tor stands for “ The onion router” and is referred to as “Onionland.” This “onion routing” was developed in the mid-1990s by a mathematician and computer scientists at the U.S. Naval Research Laboratory with the purpose of protecting U.S. intelligence communications online. This routing encrypts web traffic in layers and bounces it through random computers around the world. Each “bounce” encrypts the data before passing the data on to its next hop in the network. This prevents even those who control one of those computers in the chain from matching the traffic’s origin with its destination. Each server only moves that data to another server, preserving the anonymity of the sender.

Because of the anonymity associated with the Tor network and dark web, this portion of the Internet is most widely known for its illicit activities, and that is why the dark web has such a bad reputation (you might recall the infamous dark web site, Silk Road, an online marketplace and drug bazaar on the dark web). It is true that on the dark web you can buy things such as guns, drugs, pharmaceuticals, child porn, credit cards, medical identities and copyrighted materials. You can hire hackers to steal competitors’ secrets, launch a DDOS (distributed denial of service) attack on a rival, or hack your ex-girlfriend’s Facebook account. However, the dark web accounts for only about .01% of the web.

Some would say that the dark web has a bad rap, as not everything on the dark web is quite so “dark,” nefarious or illegal. Some communities that reside on the dark web are simply pro-privacy or anti-establishment. They want to function anonymously, without oversight, judgment or censorship. There are many legitimate uses for the dark web. People operating within closed, totalitarian societies can use the dark web to communicate with the outside world. Individuals can use the dark web news sites to obtain uncensored new stories from around the world or to connect to sites blocked by their local Internet providers or surface search engines. Sites are used by human rights groups and journalists to share information that could otherwise be tracked. The dark net allows users to publish web sites without the fear that the location of the site will be revealed (think political dissidents). Individuals also use the dark web for socially sensitive communications, such as chat rooms and web forums for sensitive political or personal topics.

Takeaway

Don’t be afraid – dive deeper!

Download the Tor browser at www.torproject.org and access the deep/dark web information you have been missing. Everything you do in the browser goes through the Tor network and doesn’t need any setup or configuration from you. That said, because your data goes through several relays, it can be slow, so you might experience a more sluggish Internet than usual. However, preserving your privacy might be worth the wait. If you are sick of mobile apps that are tracking you and sharing your information with advertisers, storing your search history, or figuring out your interests to serve you targeted ads, give the Tor browser a try.

How to Lower Your Cyber Risk

As we approach the close of 2014, virtually no one needs to be reminded that cyber liability is real and here to stay. Data breaches and cyber security incidents are on the rise. New York’s attorney general reported that breaches tripled between 2006 and 2013, and, according to a recent study, 43% of companies experienced a breach last year.

What are some of the key issues accounting for this increase? First, information is the new oil, and it has value. Stolen financial and medical data can be purchased on the “dark web” and used for identity theft and fraudulent billing. Second, computer networks can be attacked relentlessly by hackers thousands of miles away, with little risk to the hackers. Third, entities are creating and storing more data than ever. It is estimated that the volume of data is doubling every two years, and too many entities have adopted a keep-everything approach to information management.

Given this reality, it’s no wonder that sales of cyber insurance are rising. Cyber insurance can fill gaps left by traditional policies and provide a lifeline to entities affected by a breach or security incident. But cyber insurers require prospective insureds to complete detailed applications that address various areas relevant to cyber liability. Among the areas of inquiry are:

  • Records and Information Management — including identification of the types and volume of sensitive information the company handles. For example, do you handle or store payment card information, intellectual property of others or medical records?
  • Management of Computer Networks — including security management, intrusion testing, auditing, firewalls, use of third party vendors and encryption.
  • Corporate Policies — for privacy, information security, use of social media and BYOD (bring your own device), among others. Insurers often ask if the policy was prepared by a qualified attorney and how often it is reviewed and updated. Some insurers require such policies to be attached to the completed application.
  • Employment Issues — including whether employees go through criminal background checks. Many insurers also ask if the company has a chief privacy officer, chief information officer and chief technology officer.

The following are some basic steps a company can take to better position itself to complete the cyber application and obtain optimal cyber coverage.

Locate Your Data

You can’t manage and secure information if you don’t know what you have or where it is. Creating a map or inventory of all enterprise information is an invaluable step toward getting your data house in order. Paper records and data stored on inactive media and on mobile devices should not be forgotten.

Delete What You Don’t Need

It is estimated that between 60% and 70% of stored information has no business value. Keeping all this useless information is not a sustainable business practice. Disposing of data can reduce storage, e-discovery costs and security risks, and improve employee efficiency. Legally defensible deletion of useless information and adoption of a sound record retention and deletion policy are important parts of a successful information management policy.

Control Access

Entities should permit access to information, particularly sensitive information, on a need-to-know basis. A large number of data breaches result from employee negligence and disgruntled or rogue employees. Restricting access to sensitive data is an important step to mitigating that risk.

Improve Policies and Training

Depending on business activities, entities should consider adoption of policies that relate to cyber liability, including privacy, record retention and deletion, use of passwords, email and use of social media. Policies should be reviewed by a qualified attorney, updated regularly and enforced. Employee training and re-training is an important component of successful policy implementation. Conducting data breach workshops, where the entity can rehearse its response to a breach incident, can pay big dividends in the event of a breach.

Because cyber applications require entities to take a close look at their information management and cyber vulnerabilities, it’s no wonder that a recent Ponemon study found that 62% of surveyed companies report that their ability to deal with security threats improved following the purchase of cyber insurance. Taking the steps outlined above in connection with applying for cyber coverage makes good business sense and can help an entity obtain the best cyber policy to protect itself against growing threats.