Cyber: No Protection Against Complacency

Cybersecurity insurance appears to be enjoying a heyday. While it’s been around for some time, the perceived need for it has never been greater, as DDoS attacks and major hacks grab headlines and fray nerves.

As recently reported in The Hill, Lloyd’s of London approximates that “average cloud service events of varying severity range from $4.6 billion in total damages for a ‘large’ attack to $53.1 billion for an ‘extreme’ one. In the vulnerability example, the average costs range from $9.7 billion for a large event to $28.7 billion for an extreme one.”

Lloyd’s suggests that we ought to insure cyberattacks as we do natural disasters. Ransomware imposes its own sort of multiplier effect, measured in business loss, damage to reputations and (customer) privacy and, of course, in out-of-pocket outlays paid handsomely in Bitcoin.

But in treating cybersecurity insurance as an essential check-off item for organizations, the last thing underwriters, businesses and consumers need is complacency. We rightly regard insurance as protection; we pay for it, and may or may not alter our behavior to actually diminish the threat of the event itself.

And that’s the risk that insurance doesn’t mitigate against; indeed, it can aggravate it, by conferring on businesses a false sense of, pardon the term, security. Cloud security isn’t like filling out a job application; it’s not a matter of checking boxes and moving on. Piecemeal approaches to security never work. Patching a hole or fixing a bug, and then putting it “behind” you – that’s hardly the stuff of which effective security policies are made. Because security is a moving target, scattershot repairs ignore the hundreds or even thousands of points of vulnerability that a policy of continuing monitoring can help mitigate. And that insurance can address only after the fact of potentially catastrophic loss.

Cloud security policies must be in place before, during and after the ink is dry on any cybersecurity insurance policy. Any cloud provider worth its salt brings to the task a phalanx of time-tested tools, procedures and technologies that ensure continuous uptime, regular backups, data redundancy, data encryption, anti-virus/anti-malware deployment, multiple firewalls, intrusion prevention and round-the-clock monitoring. So while data is considerably safer in the cloud than beached on equipment under someone’s desk, no cyberinsurance policy can substitute for active vigilance – accent on active, because “vigilance” is definitely a verb.

Absent both the right mindset and proper policies and guidelines, cybersecurity insurance can prove pointless.

About that mindset: Sound security planning requires assessing threats, choosing tools to meet those threats, implementing those tools, assessing the effectiveness of the tools implemented – and repeating this process continually. Security is a process, not an event.

On the premise that the best defense is understanding the real nature of the offense – or, in this case, offenses, because cybersecurity insurance addresses a multi-front battleground – it may be helpful to think in terms of a basic four-tier model that defines the broad steps businesses can take to maximize their safety. With that model, it’s possible to match the level of protection to the class of threat a given organization faces. Users need to be familiar with online threats and at least somewhat conversant with tools to arrest them; no single system can circumvent vulnerabilities that haven’t been patched.

Below, this prototypical four-level gauntlet:

First line of defense: The first line consists of a firewall supported by intrusion detection and prevention technology, along with anti-virus and anti-malware software, which is limited to blocking items downloaded over unencrypted protocols.

Second line of defense: The second line centers on the trained, educated user – someone sufficiently cognizant of threats to think before executing a link or downloading an attachment: a user, in other words, who is attuned to the real and present danger inherent in viruses and malware, and who acts accordingly.

Third line of defense: The third line is composed of patch management and locally installed anti-virus and anti-malware software, working together to effectively block attacks. Proper implementation of third-line defense means fewer bugs and optimized performance.

Fourth line of defense: In the event that malware or ransomware hits a system, it’s possible to restore the server via application-consistent snapshot technology on a storage area network, a rollback process that takes just minutes and restores the server to its exact state prior to the attack.

It may be helpful to treat these lines as concentric circles. Remember that the human element remains the most important social engineering piece of this construct. It’s always best to stop a problem early, before it festers and productivity suffers; think smoke detectors vs. sprinkler systems. And just as regular brush clearance in fire zones is a necessary precursor to maintaining fire insurance coverage, so these measures prepare businesses for cybersecurity insurance – and underscore the wisdom of making that purchase.

Cyber Threats: Big One Is Out There

Approximately a year after the zombie malware Mirai took some major websites offline for much of a day, cybersecurity researchers recently identified a potentially more potent threat called Reaper. Experts warn that Reaper has the capability to take down the entire internet.

Mirai Zombie Malware

In late 2016, an online infrastructure firm called Dyn was the victim of a massive distributed denial of service (DDoS) attack attributed to Mirai, an IoT attack malware. A DDoS attacker deliberately overloads a target server with an abnormal amount of traffic, using an army of infected computers, known as a “botnet,” to carry out the information requests. This often results in a crashed server, knocking the target website offline and effectively disrupting normal business. As more and more common household devices become connected to the internet, attackers are able to leverage an ever-growing army of devices to carry out these attacks.

Mirai weaponized IoT devices, such as digital video recorders (DVRs), wireless routers and CCTV cameras, by exploiting factory-default or hard-coded usernames and passwords. A number of Dyn’s high-profile clients, including Twitter, Amazon and Netflix, were taken offline.

The Grim News About Reaper

Check Point, an Israeli cybersecurity firm, has said that the Reaper IoT malware is “forming to create a cyber-storm that could take down the internet.” Reaper is exponentially more dangerous than Mirai because it exploits at least nine security vulnerabilities across a wider range of devices. Those vulnerabilities are identified on the Check Point website.

Check Point warned that Reaper is expanding “at a far greater pace and with more potential damage than the Mirai botnet of 2016,” and it estimated that more than a million organizations worldwide already have been affected. Noted cybersecurity reporter Brian Krebs added: “It’s a safe bet that whoever is responsible for building this new Reaper IoT botnet will have more than enough firepower capable of executing Dyn-like attacks at internet pressure points. Attacks like these can cause widespread internet disruption because they target virtual gateways where third-party infrastructure providers communicate with hordes of customer Web sites, which in turn feed the online habits of countless internet users.”

Cost of a DDoS Attack

For many victims of a DDoS attack, lost internet traffic can equate to staggering costs and lost revenue. According to a survey Dyn sponsored and published in August 2016, the majority of companies surveyed calculate that an internet outage costs them a minimum of $1,000 per minute.

Protective Measures

Today’s connected enterprises definitely should fear the Reaper (apologies to 1970s rock band Blue Oyster Cult). But there are a number of steps companies can take to mitigate the risk of being taken offline by Reaper or other IoT attack malware. And because 100% prevention against the risk is impossible, companies also should consider transferring the residual risk through insurance.

Avoid or Mitigate the Impact of a DDoS Attack

There are several strategies an organization can deploy to prevent a DDoS attack or at least mitigate the effects of one, including:

  • Set traffic thresholds: Companies can track how many users typically visit their website on any given day, hour and minute. Volume can change based on a number of factors. By having this historical knowledge, thresholds can be installed and real-time alerts can be generated to advise of abnormal traffic.
  • Blacklist and whitelist: Control who can and cannot access your network with whitelists and blacklists for specific IP addresses. However, be mindful that certain IP addresses may generate false positives and be blacklisted when they are in fact legitimate traffic. By temporarily blocking traffic, a business can see how it responds. Legitimate users usually try again after a few minutes. Illegitimate traffic tends to switch IP addresses. A good resource to help begin the process of whitelisting and blacklisting can be found on the DNS whitelist. Here you will find IP addresses, domain names and e-mail contact addresses. Each IP address is given a trustworthiness level score.
  • Reroute traffic with additional servers. By having additional servers on standby to handle an abnormal increase in traffic, a business can improve the odds against one server being overwhelmed. While this is likely the most cost-effective method, it is difficult to tell how many might be needed because the size of the attack can vary.
  • Consider using content-delivery networks (CDN). This method involves using external resources to identify illegitimate traffic and diverting it to a cloud-based infrastructure.
  • There may be contractual obligations that are affected during and after a DDoS attack. As such it is important to review contractual liability implications with customers and business partners. Review contracts with an eye toward the following:
    Revise unfavorable service-guarantee language due to downtime resulting from a DDoS attack. Allocate liability for potential outages as appropriate. Clauses that require security-incident notification under contract may be detrimental, especially when not required by law. Be sure your attorney reviews language related to this specific issue.
  • Terminate traffic as soon as a DDoS attack starts. Terminate unwanted connections or processes on servers and routers and tune their TCP/IP settings. If the bottleneck is a particular feature of an application, temporarily disable that feature.
  • Analyze traffic and adjust defenses. If possible, use a network-analyzer tool to review the traffic. Create a network-intrusion-detection system signature to differentiate between benign and malicious traffic. If adjusting defenses, make one change at a time, so you know the cause of the changes you may observe. Configure egress filters to block the traffic your systems may send in response to DDoS traffic, to avoid adding unnecessary packets to the network.
  • Notify and activate your incident-response team, if one is already in place. Contact the company’s executive and legal teams. Upon their direction, consider involving law enforcement and collaborate with your business-continuity/disaster-recovery team.
  • Create a communication plan. A company can easily become overwhelmed with inquiries from customers, business partners and media during a DDoS attack. Create a status page with a statement explaining the circumstances of the event. In addition, a template letter can be created to automatically respond to customers that contact a business for information.
  • During a DDoS attack, immediate efforts should be made to document facts in an incident report. It should be used to document what happened, why it happened, decisions made and how the organization will prevent future attacks. Review and document the load and logs of servers, routers, firewalls, applications and other affected infrastructure. The incident report may be read by a wide audience, and it is therefore important that it’s written in a language that is not overly technical.
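The traffic-threshold and traffic-analysis steps above, as an added example that is not part of the original article: it derives an alert threshold from constructed per-minute request counts, buckets a constructed access log by minute, and flags any minute over the threshold together with how many distinct source addresses contributed (the surge-from-many-addresses pattern the list describes). The log lines, addresses and counts are made up, and the combined-log format and the mean-plus-three-standard-deviations rule are assumptions of this example, not something the page specifies.

```python
"""Baseline-and-threshold detector for abnormal request volume.

Added example: a historical per-minute baseline sets the alert threshold,
new access-log lines are bucketed per minute, and any minute above the
threshold raises an alert.  Every value below is constructed.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Constructed baseline: requests per minute seen during a normal period.
# In practice the baseline should be kept per hour-of-day and day-of-week,
# because normal volume varies with time, as the article notes.
HISTORICAL_PER_MINUTE = [8, 11, 9, 12, 10, 7, 13, 9, 11, 10]

# Apache/Nginx combined-log layout (assumed format for this example).
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)


def parse_line(line):
    """Return (minute_bucket, client_ip, request) or None for a malformed line."""
    m = LOG_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
    return ts.replace(second=0, microsecond=0), m["ip"], m["req"]


def compute_threshold(history, k=3.0):
    """Alert threshold = baseline mean + k standard deviations.

    pstdev is used because `history` is treated as the whole baseline
    window, not a sample drawn from it.
    """
    return statistics.mean(history) + k * statistics.pstdev(history)


def detect_surges(lines, threshold):
    """Bucket requests per minute and report every minute over the threshold."""
    counts = Counter()
    sources = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue  # malformed line: skipped here, worth counting separately in production
        minute, ip, _request = parsed
        counts[minute] += 1
        sources[minute].add(ip)
    alerts = []
    for minute in sorted(counts):
        if counts[minute] > threshold:
            alerts.append({
                "minute": minute.strftime("%Y-%m-%d %H:%M"),
                "requests": counts[minute],
                "threshold": round(threshold, 1),
                # many distinct sources in one surge points to a distributed flood
                "distinct_sources": len(sources[minute]),
            })
    return alerts


def _line(ip, ts, path):
    return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" 200 512'


def build_sample_log():
    """Constructed log: one normal minute, then a surge from 40 addresses."""
    lines = []
    # 13:00 - nine requests from a handful of clients (documentation range 203.0.113.0/24)
    for i in range(9):
        lines.append(_line(f"203.0.113.{i + 1}", f"22/Oct/2016:13:00:{i * 6:02d} +0000", "/"))
    # 13:01 - forty requests, each from a different address (documentation range 192.0.2.0/24)
    for i in range(40):
        lines.append(_line(f"192.0.2.{i + 1}", f"22/Oct/2016:13:01:{i:02d} +0000", "/search?q=x"))
    lines.append("this line is malformed and will be skipped by the parser")
    return lines


if __name__ == "__main__":
    limit = compute_threshold(HISTORICAL_PER_MINUTE)
    for alert in detect_surges(build_sample_log(), limit):
        print(alert)
```

With the constructed baseline the threshold is about 15.2 requests per minute, so the 13:00 bucket passes and the 13:01 bucket is reported with 40 requests from 40 distinct sources.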

Insurance Issues

For companies that are either the direct target of a DDoS attack or that are indirectly affected by an attack on a third party, significant business interruption costs, including lost income and other expenses, can be incurred. Consequently, affected companies should scrutinize their insurance policies to determine if they have coverage under either scenario.

Because there is no standard cyber insurance policy form, it is important for the insured to review its specific policy form and determine whether it provides coverage for a DDoS attack. Here are some issues to consider in that regard:

  • DDoS Provisions.
    • Is there an exclusion for DDoS attacks;
    • Is coverage limited to attacks targeted at the insured’s network;
    • Is there broader coverage for an attack that indirectly affects the insured;
    • Does the definition of “security event,” “security failure” or any relevant similar term include or exclude a DDoS attack?
  • Business Interruption Coverage.
    • Is coverage triggered only following a direct attack on the insured company;
    • Is contingent business interruption coverage available;
    • How long is the business interruption waiting period;
    • Is coverage triggered only by a complete business interruption or also by a degradation in business operations caused by the DDoS attack;
    • Is there coverage for professionals, including accountants retained by the policyholder, required to calculate and submit the claim?

Insureds are urged to consult with experienced insurance brokers and advisers to ensure that they obtain appropriate coverage for losses resulting from a DDoS attack. Cyber insurers often are open to negotiation of their policy forms, so insureds are encouraged to work with their insurance professionals to optimize coverage.

Further, business interruption insurance may not be made available for every company. Companies can make themselves a better candidate for coverage by implementing a strong disaster recovery/business continuity plan.

Cyber Insurance: Coming of Age in ’17?

2016 was definitely the year of cyber insurance emergence. As large-scale attacks and disclosures of massive data breaches recurred, we realized once again that allocating tremendous effort and resources to your cybersecurity defense does not provide any guarantee you won’t experience an incident.

Executives and security professionals are gradually accepting that it is not a matter of if but a matter of when their organization will be hit by a cyber-attack. With this understanding, many businesses acknowledge cyber insurance as an important tool in the multilayer cybersecurity defense approach and declare it is an essential part of their risk mitigation strategy.

Here are some of my personal predictions for the cyber insurance market this year:

  1. An increasing number of security vendors will provide insurance guarantees. 2016 signaled a new path in the cybersecurity industry as a few emerging startups started to offer cyber insurance coverage of as much as $1 million per organization for customers fully covered by their defense solutions (e.g. SentinelOne and Cymmetria). I expect this trend to intensify through 2017, and well-established vendors will gradually follow to offer a bundle of protection plus insurance.
  2. We will see an increase in the number of insurance companies that will start to offer cybersecurity services. As cyber insurance is emerging and as many new insurance companies are entering the market (currently, approximately 70 insurers offer stand-alone cyber insurance products), there is a race for the best cybersecurity talent to assess the risks and provide pre- and post-breach services such as monitoring, incident response, forensics, etc. In this atmosphere, insurers will acknowledge the revenues they can make from cyber insurance and adjacent security services to their clients, and will (and already do) expand their teams with cybersecurity professionals and tools through aggressive hiring and M&As.
  3. Cyber extortion coverage will take the lead as the most demanded cyber insurance product. Ransomware is exploding across geographies, industries and all sizes of businesses. Following the massive distributed denial of service (DDoS) attacks on Krebs on Security and Dyn, the IoT world is open to a new world of DDoS attacks that no load balancer can mitigate. I expect that cyber extortion will become the biggest problem for organizations and individuals and that it will surpass data breaches as the main threat.
  4. Adoption of advanced tools for risk assessment will increase. There is a high demand for tools that will give insurers an accurate, scalable and affordable risk assessment that will streamline the entire (mainly manual) questionnaire-based risk quantification methodology that is the common practice today.
  5. New regulations will be introduced and will support the expansion of the cyber insurance market. There is a high chance that more U.S. states will introduce regulations that support regular internal risk assessments of third-party vendors and enforce security policies on organizations, as suggested by the new NY proposal for the big financial institutions that was released last September.
  6. The penetration rate of cyber insurance among SMBs will be the driving force in the industry. As awareness of cyber-attacks increases among small- and medium-sized businesses, they’ll realize that cyber insurance is an essential security tool, particularly because of their limited cybersecurity resources. I expect to witness higher percentages of the SMB segment that will purchase cyber insurance coverage, leading to an increase in total market size, as current estimates rely on low adoption rates in these segments.
  7. Insurers will introduce personal cyber insurance coverage. As ransomware becomes a threat to any operating system and any device, it is forecasted that it will gradually become a serious problem for individuals, as well, and will lead cyber insurance companies to offer personal cyber insurance coverage.

Cyber insurance is here to stay, and insurers, brokers, business and individuals will benefit as this market continues to evolve. Growth will be sustained mainly in the U.S. market and is highly likely to expand worldwide, especially in the EU as GDPR starts to be effective.

No matter which part of the IT security eco-system you fit into, you should explore the benefits cyber insurance can bring to you — revenues, financial hedge and cyber peace of mind.

5 Predictions for the IoT in 2017

The IoT continued its toddler-like growth and stumbles in 2016. Here are five trends to look for in 2017 as the IoT enters its adolescence and how to benefit from them.

1. Ecosystems begin to determine winners and losers

Previously these were nice in-the-future concerns; now they will really count. Filling out a whole product value proposition through partnerships has repeatedly proven its importance across B2B and enterprise software sectors. In the IoT, they will be even more critical.

As an example, the Industrial Internet Consortium (IIC) is driving the definition of platforms and test beds and should show results in 2017. In the meantime, expect some IoT companies to fail when they can’t gain traction.

If you’re developing IoT infrastructure or platforms, it’s time to get real, regarding building great partnerships, developer programs, tools, incentives and joint marketing programs. Without them, your platform may appear like an empty shopping mall.

If you’re a device manufacturer or application developer, it’s time to place your platform bets so you can focus your resources. If you’re implementing IoT-based systems, you’ve been through this before. Welcome to the next round of the industry’s favorite game, “choose your platform.” Make sure you also evaluate vendors based on their financial health, business models and customer service — not just technology. Learn more in Monetizing IoT: Show me the Money in the section “Ecosystems as the driver of value.”

2. Vendors get serious about experimenting with business models and monetization

This was a big theme at Gemalto’s recent LicensingLive conference and was further driven home by solution partners like Aria Systems. Tech won’t sell if it’s not packaged so that buyers want to buy. Look for innovation in business models and pricing, including subscription models, pay per use, recurring revenue, subsidization or replacement of hardware device revenues with service revenues, monetizing customer data and even pay-per-API call models. If you’re marketing whole solutions, be sure to avoid the “partial solution trap” as described in my article, The Internet of Things: Challenges and Opportunities.

3. Big Data gets “cloudier” (pun intended)

No doubt there will be a lot more data with billions of new connected devices. Not just text and numbers but also images, video and voice can all add significant monetization opportunities to different participants in the value chain. More devices mean more data, more potential uses and more cooks in the kitchen. This is a complex cluster of issues: Do not expect a resolution of ownership, privacy or value in 2017.

Instead, approach this by building a clear vision of what you want and don’t want with respect to data rights as you enter these discussions. And try to anticipate the genuine needs of your partners. Device manufacturers will likely have a going-in desire to own data produced by their devices; and apps developers, the data they handle; others may be okay with aggregated info. Buyers should make sure they understand what’s happening with their potentially sensitive data. We have already started to see partnerships and deals stall out over intense discussion on data ownership and rights.

4. You’ll need to prove your security, with privacy not far behind

In 2017, IoT systems are going to need to up their game. No one is going to stand for hacked door locks, video cameras or Mirai botnet/DDoS attacks via connected devices much longer. Similar events will come with very high price tags. So far, the IoT has dodged any major incidents with large losses suffered directly by end users.

We could see growth flatten if a major hack of thousands of end users occurs in 2017, especially if hardware devices are ruined or people get hurt. At that point, users will need to receive greater guarantees of security, privacy and integrity. This risk needs to be mitigated if the industry wants to avoid an “IoT winter.”

Vendors will need to invest more in security development and testing before deployment and offer assurances, possibly including insurance. Installers and integrators will need to ensure ecosystem integrity, and buyers will look for these guarantees. Just one flaw could be very expensive: Gartner believes that by 2018 20% of smart buildings will suffer digital vandalism through their HVAC, thermostats and even smart toilets.

5. Voice-powered, AI virtual assistants drive a next round of platform wars

Voice will become increasingly important to control IoT systems and computing infrastructure. Google Assistant, Apple Siri, Amazon Alexa, Microsoft Cortana and Samsung’s Viv Labs acquisition underscore the importance of these new AI-assisted voice interfaces. They’ll be used across multiple devices like phones, PCs, tablets, cars, home appliances and other machinery. By 2020, Gartner believes smart agents will facilitate 40% of mobile interactions. This is the beginning of a new round of platform battles that you need to recognize, internalize and prepare for.

What do you think? Email me with your predictions, comments or war stories.

You can find the original article here.

Who Will Make the IoT Safe?

After reading about the “distributed denial of service” (DDoS) attack that shut down major sites across the internet in late October, it is amazing to me that, conceptually, my refrigerator could be used by evildoers to attack servers in the cloud. I miss the old birdcage refrigerator that we had in our basement, but I sure like looking on the internet to see just how old the milk is when I am in the grocery store.

To my knowledge, this is the first such attack using internet-connected devices, or the Internet of Things (IoT).

One weakness of the Internet of Things is that, as we have attached more of our home devices to the internet, there has been no overriding body responsible for creating a minimum security level to limit access by the wrong people to our microwave ovens.

But if such a body is created, then it could be more difficult for small and creative companies to make anything. Another problem with a central body creating security levels is that it really would only increase manufacturing costs. And, knowing oversight bodies, I’m sure we would then be using outdated technology in all of the devices, without really making anything secure. My internet espresso maker could then cost $1,200 instead of $1,000 and still would make bad cappuccinos when I went on my phone from my bedroom and turned it on.

Finance companies such as banks and credit card companies, medical organizations, the phone companies and computer companies have significant financial incentives to create secure devices. Yet they have had significant problems keeping their information and systems secure from the internet mischief makers.

(A quick digression: The U.S. government severely punishes private companies when there is a breach. Not only did their data go away, not only did their sales drop because of a reputation problem, not only did their customers sue them, but then, as a cherry on top, rather than helping the victim of the data breach the government fines them. Yes, I know the company should have been more diligent with the data, but…. Note that a hack of the IRS has cost the U.S. government more than $30 million in payments on fraudulent tax returns, and the IRS has yet to fine itself for the breach.)

Most of the people I know who have spent any time thinking about purchasing self-driving automobiles have said they worry that hackers could take over their car (their underlying concern seems to be that it will then be driven into the San Francisco Bay, where they could not open the doors or roll down the windows to get out). There is (and should be) far more concern over the loss of control of a car than loss of control of a pizza oven, but to me it is all really part of the same problem.

So my first question was: “Is there a locus or specific place where we can plug in some type of security to help stop the mischief?”

Looking for insight, I charged down to Best Buy and asked one of the Geek Squad folks if there was such a place or way to limit outside access or control to my internet-connected electronic toothbrush. (I did come out of Best Buy with a brand new, three-year internet security software program for my new computer for only $49.95, discounted to $9.95 because I was going to look at the possibility of purchasing an internet-connected pet feeder.)

The Geek Squad person said that the best opportunity for such security is the routers in homes, but, no, there is no Ronco device ($19.99 and… if you call in the next two minutes… you can have TWO Ronco internet security devices). He also said that, fortunately, my floss is still not internet-connected, so I would not have to worry about one of my teeth being yanked out by an evildoer from Nigeria who was trying to get that pesky $25 million out of the country….

So here are some follow-up questions:

  1. Should there be an oversight body for all devices that will be responsible for creating a minimum standard for security for all of the internet-connected heating systems in the world? (The NSA will still want back-door access to all of the data from your garage opener.) If there is an oversight body, and it creates a minimum security program or level, will it be enough to keep the evildoers out of my kitchen? (I think not.)
  2. Who will go on Shark Tank with the next device (Ronco??) to help create some sort of security for all of the devices in your home? This seems like a great opportunity for someone.
  3. Perhaps it is the cable operators (those who supply the infrastructure of the connections) who should be held responsible for identifying viruses as they go across the cables and stop them. (That is where the NSA gets all of its data, anyway.)
  4. Will I ever be able to look at my internet Ronco coffee maker the same way and not wonder if it is actually a drone for a hacker in Uzbekistan? Will the hackers burn my pizza for me instead of me burning it? Or, worse, will they undercook things? Will a hacker drive my car (in two years, Uber’s car) off the Golden Gate Bridge? (And will I actually be in the car when he does?)
  5. Will the evildoers now open my garage door and take my Xmas stuff I have on the back wall? (There is really a serious question of personal security that will get larger as the bad guys find out how to easily get into businesses and buildings.)
  6. Will the government take over my sprinkler systems and stop me from wasting water? (In California, this is a serious issue, and the underlying question of how much the federal, state and local governments will or can eventually do with the Internet of Everything will be an interesting battleground for the next 15 years.)
  7. Who has the data, and where are all of the devices? Information is king (and queen) nowadays, and knowing where the devices are will allow the evildoers to attack the weakest links. I bet they first hacked the companies who sell the devices to find out where they are. (Should you sign up for a warranty if that information will result in telling the mischief makers where you are and how you are connected?)
  8. Just how safe is the cloud? The attack in October was a distributed denial of service attack, but can the evildoers use my internet-connected fireplace to hack the cloud?
  9. Will all of these security problems have anything to do with privacy issues? What if the miscreants leak my information to Wikileaks about the fact that I have peanut butter in the refrigerator?

As the saying goes: Inquiring minds want to know.

There is an amazing amount of mischief that can be created if we do not have secure devices.

Think about it… and perhaps unplug your internet-connected litter robot until you know it will only be used by your cat for its original purpose.