Tag Archives: distributed denial of service

3 Reasons Insurance Is Changed Forever

We are entering a new era for global insurers, one where business interruption claims are no longer confined to a limited geography but can simultaneously have an impact on seemingly disconnected insureds globally. This creates new forms of systemic risks that could threaten the solvency of major insurers if they do not understand the silent and affirmative cyber risks inherent in their portfolios.

On Friday, Oct. 21, a distributed denial of service (DDoS) attack rendered a large number of the world’s most popular websites — including Twitter, Amazon, Netflix and GitHub — inaccessible to many users. The attack conscripted vulnerable Internet of Things (IoT) devices such as routers, DVRs and CCTV cameras to overwhelm DNS provider Dyn, effectively hampering internet users’ ability to access websites across Europe and North America. The attack was carried out using an IoT botnet called Mirai, which works by continuously scanning for IoT devices with factory default user names and passwords.

The Dyn attack highlights three fundamental developments that have changed the nature of aggregated business interruption for the commercial insurance industry:

1. The proliferation of systemically important vendors

The emergence of systemically important vendors can cause simultaneous business interruption to large portions of the global economy.

The insurance industry is aware of the potential aggregation risk in cloud computing services, such as Amazon Web Services (AWS) and Microsoft Azure. Cloud computing providers create potential for aggregation risk; however, given the layers of security, redundancy and the 38 global availability zones built into AWS, it is not necessarily the easiest target for adversaries to cause a catastrophic event for insurers.

There are potentially several hundred systemically important vendors that could be susceptible to concurrent and substantial business interruption. These include at least eight DNS providers that service over 50,000 websites — and some of these vendors may not have the kind of security that exists within providers like AWS.

2. Insecurity in the Internet of Things (IoT) built into all aspects of the global economy

The emergence of IoT with applications as diverse as consumer devices, manufacturing sensors, health monitoring and connected vehicles is another key development. Estimates state that anywhere from 20 to 200 billion everyday objects will be connected to the internet by 2020. In the rush to get these products to market, security is often not built into their design.

Symantec’s research on IoT security has shown the state of IoT security is poor:

  • 19% of all tested mobile apps used to control IoT devices did not use Secure Socket Layer (SSL) connections to the cloud.
  • 40% of tested devices allowed unauthorized access to back-end systems.
  • 50% of tested devices did not provide encrypted firmware updates — if updates were provided at all.
  • IoT devices usually had weak password hygiene, including factory default passwords; for example, adversaries use the default credentials of Raspberry Pi devices to compromise them.

The Dyn attack compromised less than 1% of IoT devices. By some accounts, millions of vulnerable IoT devices were used in a market with approximately 10 billion devices. XiongMai Technologies, the Chinese electronics firm behind many of the webcams compromised in the attack, has issued a recall for many of its devices.

Outages like these are just the beginning.

Shankar Somasundaram, senior director, Internet of Things at Symantec, expects more of these attacks in the near future.

3. Catastrophic losses because of cyber risks are not independent, unlike natural catastrophes

A core tenet of natural catastrophe modeling is that the aggregation events are largely independent. An earthquake in Japan does not increase the likelihood of an earthquake in California.

In the cyber world consisting of active adversaries, this does not hold true for two reasons (which require an understanding of threat actors).

First, an attack on an organization like Dyn will often lead to copycat attacks from disparate non-state groups. Symantec maintains a network of honeypots, which collects IoT malware samples. The distribution of attacks by origin is below:

  • 34% from China
  • 26% from the U.S.
  • 9% from Russia
  • 6% from Germany
  • 5% from the Netherlands
  • 5% from the Ukraine
  • Long tail of adversaries from Vietnam, the UK, France and South Korea

Groups such as New World Hacking often replicate attacks. Understanding where they are targeting their time and attention and whether there are attempts to replicate attacks is important for an insurer to respond to a one-off event.

A key aspect to consider in cyber modeling is intelligence about state-based threat actors. It is important to understand both the capabilities and the motivations of threat actors when assessing the frequency of catastrophic scenarios. Scenarios where we see a greater propensity for catastrophic cyber attacks are also scenarios where those state actors are likely attempting multiple attacks. Although insurers may wish to seek refuge in the act of war definitions that exist in other insurance lines, cyber attack attribution to state-based actors is difficult — and, in some cases, not possible.

What does this mean for global insurers?

The Dyn attack illustrates that insurers need to pursue new approaches to understanding and modeling cyber risk. Recommendations for insurers are below:

  1. Recognize that cyber as a peril expands far beyond cyber data and liability from a data breach and could be embedded in almost all major commercial insurance lines.
  2. Develop and hire cyber security expertise internally — especially in the group risk function — to understand the implications of cyber perils across all lines.
  3. Understand whether basic IoT security hygiene is being undertaken when underwriting companies using IoT devices.
  4. Partner with institutions that can provide a multi-disciplinary approach to modeling cyber security for insurers, including:
     • Hard data (for example, attack trends across the kill chain by industry);
     • Intelligence (such as active adversary monitoring); and
     • Expertise (in new IoT technologies and key points of failure).

Symantec is partnering globally with leading insurers to develop probabilistic, scenario-based modeling to help understand cyber risks inherent in standalone cyber policies, as well as cyber as a peril across all lines of insurance. The Internet of Things opens up tremendous new opportunities for consumers and businesses, but understanding the financial risks inherent in this development will require deep collaboration between the cyber security and cyber insurance industries.

Who Will Make the IoT Safe?

After reading about the “distributed denial of service” (DDoS) attack that shut down major sites across the internet in late October, it is amazing to me that, conceptually, my refrigerator could be used by evildoers to attack servers in the cloud. I miss the old birdcage refrigerator that we had in our basement... but I sure like looking on the internet to see just how old the milk is when I am in the grocery store.

To my knowledge, this is the first such attack using internet-connected devices, or the Internet of Things (IoT).

One weakness of the Internet of Things is that, as we have attached more of our home devices to the internet, there has been no one overriding body responsible for creating a minimum security level to limit access by the wrong people to our microwave ovens.

But if such a body is created, then it could be more difficult for small and creative companies to make anything. Another problem with a central body creating security levels is that it really would only increase manufacturing costs. And, knowing oversight bodies, I’m sure we would then be using outdated technology in all of the devices, without really making anything secure. My internet espresso maker could then cost $1,200 instead of $1,000 and still would make bad cappuccinos when I went on my phone from my bedroom and turned it on.

Finance companies such as banks and credit card companies, medical organizations, the phone companies and computer companies have significant financial incentives to create secure devices. Yet they have had significant problems keeping their information and systems secure from the internet mischief makers.

(A quick digression: The U.S. government severely punishes private companies when there is a breach. Not only did their data go away, not only did their sales drop because of a reputation problem, not only did their customers sue them, but then, as a cherry on top, rather than helping the victim of the data breach the government fines them. Yes, I know the company should have been more diligent with the data, but…. Note that a hack of the IRS has cost the U.S. government more than $30 million in payments on fraudulent tax returns, and the IRS has yet to fine itself for the breach.)

Most of the people I know who have spent any time thinking about purchasing self-driving automobiles have said they worry that hackers could take over their car (their underlying concern seems to be that it will then be driven into the San Francisco Bay, where they could not open the doors or roll down the windows to get out). There is (and should be) far more concern over the loss of control of a car than loss of control of a pizza oven, but to me it is all really part of the same problem.

So my first question was: “Is there a locus or specific place where we can plug in some type of security to help stop the mischief?”

Looking for insight, I charged down to Best Buy and asked one of the Geek Squad folks if there was such a place or way to limit outside access or control to my internet-connected electronic toothbrush. (I did come out of Best Buy with a brand new, three-year software internet security program for my new computer for only $49.95, discounted to $9.95 because I was going to look at the possibility of purchasing an internet-connected pet feeder.)

The Geek Squad person said that the best opportunity for such security is the routers in homes, but, no, there is no Ronco device ($19.99 and… if you call in the next two minutes… you can have TWO Ronco internet security devices). He also said that, fortunately, my floss is still not internet-connected, so I would not have to worry about one of my teeth being yanked out by an evildoer from Nigeria who was trying to get that pesky $25 million out of the country….

So here are some follow-up questions:

  1. Should there be an oversight body for all devices that will be responsible for creating a minimum standard for security for all of the internet-connected heating systems in the world? (The NSA will still want back-door access to all of the data from your garage opener.) If there is an oversight body, and it creates a minimum security program or level, will it be enough to keep the evildoers out of my kitchen? (I think not.)
  2. Who will go on Shark Tank with the next device (Ronco??) to help create some sort of security for all of the devices in your home? This seems like a great opportunity for someone.
  3. Perhaps it is the cable operators (those who supply the infrastructure of the connections) who should be held responsible for identifying viruses as they go across the cables and stop them. (That is where the NSA gets all of its data, anyway.)
  4. Will I ever be able to look at my internet Ronco coffee maker the same way and not wonder if it is actually a drone for a hacker in Uzbekistan? Will the hackers burn my pizza for me instead of me burning it? Or, worse, will they undercook things? Will a hacker drive my car (in two years, Uber’s car) off the Golden Gate Bridge? (And will I actually be in the car when he does?)
  5. Will the evildoers now open my garage door and take my Xmas stuff I have on the back wall? (There is really a serious question of personal security that will get larger as the bad guys find out how to easily get into businesses and buildings.)
  6. Will the government take over my sprinkler systems and stop me from wasting water? (In California, this is a serious issue, and the underlying question of how much will or can the federal, state and local government eventually do with the Internet of Everything will be an interesting battleground for the next 15 years.)
  7. Who has the data, and where are all of the devices? Information is king (and queen) nowadays, and knowing where the devices are will allow the evildoers to attack the weakest links. I bet they first hacked the companies who sell the devices to find out where they are. (Should you sign up for a warranty if that information will result in telling the mischief makers where you are and how you are connected?)
  8. Just how safe is the cloud? The attack in October was a distributed denial of service attack, but can the evildoers use my internet-connected fireplace to hack the cloud?
  9. Will all of these security problems have anything to do with privacy issues? What if the miscreants leak my information to Wikileaks about the fact that I have peanut butter in the refrigerator?

As the saying goes: Inquiring minds want to know.

There is an amazing amount of mischief that can be created if we do not have secure devices.

Think about it… and perhaps unplug your internet-connected litter robot until you know it will only be used by your cat for its original purpose.