Tag Archives: hackers

How to Create Resilient Cybersecurity Model

As data breaches increase in type, severity and number, more companies plan to purchase cyber insurance. While cyber insurance premiums in 2016 in the U.S. were $5 billion, projections indicate they will increase to $20 billion by 2020. Complex cyber crimes mean insurers find themselves facing increasingly contentious and complex relationships with their insureds. To create a resilient business model, both of these parties need to communicate effectively and understand the overt and hidden risks they face.

The Underwriting Communication Gap

Information forms the basis of strong underwriting. With traditional general liability policies, insurers can easily gather information on a company’s financial solvency by reviewing publicly available documents such as annual financial reports or credit ratings. With cybersecurity policies, attack vectors extend in a variety of directions, making information less tangible for underwriters.

With a compound annual growth rate of 41%, cyber insurers need insight into the full range of their insureds’ risks. The present model relies on questionnaires from applicants; however, when insureds misrepresent or misunderstand their risks, insurance companies suffer billions in losses. Often, the cost of a breach exceeds the limits of a policy’s liability, meaning that even those companies with insurance find themselves underinsured. Because courts generally agree that general liability policies do not cover cyber loss, business continuity plans require appropriate insurance aggregates to fully cover losses.

Even the most sophisticated companies find themselves unaware of their biggest cyber risks. When insureds lack data, underwriters cannot effectively write policies. Thus, the communication gap poses a risk for both the insureds that remain underinsured and the insurance companies that may be overextending their books of business. Security ratings act as a tool that allows better communication between insurers and their insureds when establishing a cyber security policy relationship, much as credit ratings do in the general liability arena.

The Claims Communication Gap

Insureds use insurance to protect their internal and external stakeholders. However, the communication gap creates a claims problem for insureds. Coverage litigation costs and a sense of betrayal ruin relationships between companies that share the economic ecosystem.

The Equifax breach offers a contemporary example. Most recent estimates place Equifax’s breach costs at $275 million, but the company retained only $75 million in cybersecurity insurance. A single employee’s failure to patch a known vulnerability in the Apache Struts Java application created an opportunity for hackers. Equifax’s failure to understand its own patching cadence led to its underinsured status and, ultimately, its severe losses.

Information Enables Resilience

The information security community focuses on resilience. When a distributed denial of service attack causes a company to shut down services for days or weeks, the company lacks cybersecurity resilience.

An insurance company’s resilience requires setting aside financial reserves to cover claims costs. Because cyber policies often cover business interruption costs, businesses that lack cyber resiliency too often claim losses and file insurance claims. Security ratings provide insight into an insured’s resilience. Because data breaches are inevitable, even companies with strong security ratings may be hacked, but their continued attention to their environments means they will have strong disaster recovery protocols limiting business interruption. To remain financially stable and resilient, insurance companies need to adequately estimate potential losses so that premiums adequately align with their risk acceptance.

Insurance companies and their customers need shared visibility into the protected cyber ecosystem. Otherwise, insurers continue to dissuade financial safety by overestimating premiums while companies risk their solvency by underinsuring their business. This business model promotes neither economic stability nor resiliency.

Continuous Monitoring Builds Continuous Relationships

Remedying the information and communication gap between insurers and insureds provides the only solution to the current resilience problem. Companies often prove, through audit reports, that they engage in information security, yet those documents show proof of only a single moment in time. Insurers need tools providing visibility into their insureds’ ecosystems on a continual basis, such as security ratings.

Organizations face data security threats from both their IT environments and those of their vendors. One breached vendor creates a domino effect of cyber insurance claims as the damage travels through the supply chain. Insurers and insureds need to be able to communicate both visible and hidden cyber risks. Security ratings continuously monitor insureds’ endpoint security, IDS and antivirus, while also providing a shared language so they can effectively communicate with insurers. Insurers, conversely, can use the shared language of security ratings to communicate to insureds the impact that security vulnerabilities have on insurance premiums and coverage.

In the cyber insurance space, increased claim complexity degrades the symbiotic relationship. As insureds shop around for better premiums, insurers lose valuable business. To promote continued business relationships, the two parties can both benefit from automated tools that enable continuous communication about continuous monitoring. Tools to facilitate visibility help establish metrics for the appropriate pricing of risk to cover potential losses and set reasonable premiums.

Insureds must communicate with their insurance companies; however, companies focusing on the daily tasks of conducting business lose track of communication and time. Therefore, insurance companies need to protect themselves by monitoring their insureds. Security ratings are poised to help promote resiliency between, as well as within, industries by offering publicly facing data. With the right continuous monitoring metrics, SaaS platforms can enable continuous relationships that reinvigorate the insurer-insured symbiotic relationship.

Quest for Reliable Cyber Security

As we still struggle to improve physical security in the brick and mortar world, we are also greatly challenged by security issues in the cyber world. The layers of cyber protections are melting away quickly (Figure 1) as evidenced by an exponential growth in cyber crime. We are all racing rapidly away from the shores of the brick and mortar world, chasing after irresistible and addictive internet-based technology.

The Cyber War Statistics and Projections

Figure 2 shows the Lloyd’s of London estimated worldwide cyber damages in U.S. dollars for 2013 ($100 billion) and 2015 ($400 billion). The Jupiter Research projection for 2019 is $2 trillion. Cybersecurity Ventures projects $6 trillion of damage for 2021. If these projections become reality, that represents a 60-fold increase in cyber damages for the eight-year period between 2013 and 2021.

An independent Ponemon Institute study sponsored by Hewlett Packard said that, in 2016, the average U.S. firm reported cybercrime damages of $17 million. The average cyber damages were much less in non-U.S. countries, but the growth in such crimes is also increasing exponentially. The U.S. National Small Business Association study said that, on average, small businesses that had their bank accounts hacked lost an average of $32,000.

The Cyber War Defender Sentiment

Various IT expert surveys tell us that the majority of defenders feel that we are losing this cyber war. Here are some key disturbing sentiments:

  • An iSense Solutions survey of 250 IT professionals, conducted for Bitdefender among companies that suffered a breach in the last year, conveys the disturbing news that 74% of those breached don’t know how the breach happened.
  • A survey by the Ponemon Institute revealed that it took between 98 and 197 days to detect that a security breach had happened.
  • An AT&T (Cybersecurity Insights) report surveyed 5,000 companies worldwide that were launching Internet of Things (IoT) devices. Only 10% of IoT developers felt that they could secure those devices against hackers. It is estimated that 10 billion devices were connected to the internet in early 2016 and that the number will grow to 30 billion devices by 2020.
  • Another Ponemon Institute survey in 2016 consisting of 643 IT experts revealed that only one-third of the IT experts surveyed consider the cloud safe from cyber attacks.
  • Cyberventures estimates that $1 trillion will be spent on cyber security products and services between 2017 and 2021.
  • Cyber experts tell us that just meeting compliance is the beginning of cyber security and not the end.
  • The World Economic Forum (WEF) stated that a “significant” amount of cybercrime and espionage still goes undetected.
  • Hacker tools are cheap, fast and becoming easier to use, providing disturbing attacker advantages.

The Cyber War Executive Summary

Let’s summarize this gloomy situation. We are in an exponential growth period of cybercrime. Anywhere from 67% to 90% of experts surveyed can relate to these comments:

  • They distrust the cloud.
  • Most do not know how or when they were hacked, if they were hacked.
  • Most do not know how to fully protect the old and new flood of internet connected devices from future hacks.
  • Just meeting compliance is insufficient against hacks and cyber attacks.
  • When hacks are noticed, they are noticed three to six months-plus after the fact.

This raises the question of how IT and security professionals will spend their security budget if they have been so unsuccessful in the past and present. This is clearly a high-risk environment and getting worse.

Can Cyber Strategies Rescue Us?

Classic and logical-sounding cyber strategies have been and are being rendered useless by hackers and cyber-sharks. Figure 3 depicts the sad state of worldwide cyber security. Why are most cyber strategies not working? Maybe because they focus too much on the technical and do not engage all of the enterprise resources and its culture as an additional layer of defense.

Figure 4 reminds us of the words of MIT Professor Bill Aulet, derived from the original quote by the famous management consultant Peter Drucker: “Culture eats strategy for breakfast, operational excellence for lunch and everything else for dinner.” If our cyber strategy does not harness and engage the enterprise culture as a partner in this cyber war, we should expect only limited successes.

Can Artificial Intelligence (AI) Rescue Us?

Some are touting AI and machine learning as the “last hope” for cyber security, but some experts are also quick to confess that not all AI strategies are effective and that the cyber protection industry is only at the beginning of this journey to apply AI to cyber security. This confidence in AI also assumes that the “bad guys” will not use AI to become better hackers.

Can High-Reliability Organizational (HRO) Techniques Rescue Us?

Decades ago, high-risk organizations like nuclear submarines, aircraft carriers and nuclear power plants developed a highly successful culture-based management system that was later designated as high-reliability organizations (HRO). HROs have achieved zero-incident safety records even though they are considered high-risk. Now that every organization is thrust into the high-risk cyber world, it’s time to consider the HRO playbook and assess our cultures against custom HRO cyber criteria. Airlines, railroads, power plants, hospitals and other organizations are starting to customize HRO principles to meet their stretch goals for employee, customer and patient safety.

Figure 5 shows one of the first basic enterprise system and cultural assessments required to lay the foundation for HRO cyber thinking across all layers of the organization. Such assessments will require anonymous inputs from all stakeholders and levels to ensure that all skeletons in the closet and the taboo talk rules that limit cyber successes are exposed.

The pursuit of becoming a high-reliability cyber organization is not for the faint of heart, and it is not a quick fix. It is a set of highly disciplined principles that affect the behaviors, attitudes, decision making and accountability for every level of the enterprise cascade as summarized in Figure 6. If any of the cyber security elements in the cascade has a weak link, cyber security will be at risk. The last line of defense against cyber attacks needs to be organizational and cultural and not just technical or centered on compliance.

As the world moves toward the shocking new reality of annual multitrillion-dollar cyber damages, organizations will need to combine technical and non-technical best practices for reliability to counter cyber threats. Unfortunately, it might take one or more big business failures or a major worldwide cyber calamity before more organizations start to see the value of a combined high-performance culture and technical strategy. Great successes of HRO organizations should teach us that a combined culture and technical strategy is the best way to defend ourselves in this expanding cyber world war.

When Hackers Take the Wheel

Operator errors, driving under the influence, and product defects have long been blamed for catastrophic accidents in the transportation industry. However, recent headlines revealed how cyber risk has emerged as a new and disturbing threat to airlines, railways, auto manufacturers and ocean cargo carriers.

Those in the transportation sector have embraced the “Internet of Things” and transformed what were once far-reaching concepts into some of the most common components of the cars they manufacture and the planes they fly. They often rely on a secure internet connection to function safely and efficiently. Recent headlines, however, raised concern and started a debate: Can the transportation sector be hacked? If so, what are the consequences?

Automobiles

In July 2015, Fiat Chrysler announced a recall of 1.4 million vehicles after white hat hackers demonstrated that they could take control of a Jeep Cherokee’s braking systems, change vehicle speed and affect operation of the transmission, air conditioning and radio controls. Hackers gained remote access by exploiting a software vulnerability in the vehicle’s Uconnect entertainment system.

The stakes have been raised even higher with recent advances made in the development of driverless cars, as more vehicles will become completely reliant on secure technology. Safety concerns were raised after a series of crashes allegedly caused by the failures of Tesla’s Autopilot technology, resulting in the death of a passenger. This prompted Tesla to announce efforts to improve its Autopilot software, including “advanced processing of radar signals.”

The Department of Transportation has also recognized the risks associated with technology. In January 2016, the department entered into an agreement with 17 major automakers to enhance driver safety, including information sharing to prevent cyberattacks on vehicles. According to the agreement, the National Highway Traffic Safety Administration will propose industry guidance for safe operation for fully autonomous vehicles.

Planes

Boeing recently became the subject of a hacker demonstration when a security researcher accessed the entertainment systems of one of the company’s planes in mid-flight. Boeing was adamant that the hacker could not have gained access to the aircraft’s critical functions due to segregation of the two networks. However, the incident raised concerns throughout the airline industry, and an FBI investigation followed.

Railway Systems

German security researchers SCADA Strangelove demonstrated, without naming the rail systems in question, that they, too, are vulnerable. Their December 2015 report highlighted vulnerabilities related to outdated software, default passwords and lack of authentication. Moreover, entertainment and engineering systems were operating on the same network, leading to speculation that if one system is compromised hackers could gain access to the other. Because rail switches are automated and dependent on properly operating networks, the theory of a system compromise leading to a head-on collision with another train was explored in the report.

Marine Shipping

An investigation by Verizon Risk concluded that modern-day pirates are increasingly relying on network intrusions as a means to carry out crimes on the high seas. Verizon concluded that an unidentified shipping company’s networks were penetrated by hackers, giving them precise information on which ships were carrying the most valuable contents. Hackers then targeted their attacks on specific vessels, using bar codes to focus on individual shipping containers.

As of this writing, we have not seen any incidents of bodily injury or loss of life in the transportation sector directly attributed to a deliberate network compromise. Yet the findings of various researchers across multiple transportation sectors lead to some alarming conclusions. Law enforcement and transportation safety regulators have taken these findings seriously and conducted investigations of their own.

We can therefore expect with some degree of certainty that the transportation sector may be held to higher cybersecurity standards and will see the increased regulatory scrutiny that has been witnessed in other industries, such as healthcare and financial services. When networks containing sensitive data may be compromised, regulators that oversee that industry often propose protection standards that ultimately become mandates. Failure to comply often leads to lawsuits, settlements, fines and significant reputational harm.

Until then, the transportation sector can start by following the best practices as outlined in the National Highway Traffic Safety Administration’s “A Summary of Cybersecurity Best Practices,” published in October 2014. Key observations and recommendations include:

  • Cybersecurity is a life-cycle process that includes elements of assessment, design, implementation and operations as well as an effective testing and certification program.
  • The aviation industry has many parallels to the automotive industry in the area of cybersecurity.
  • Strong leadership from the federal government could help the development of industry-specific cybersecurity standards, guidelines and best practices.
  • Sharing learning with other federal agencies is beneficial.
  • Use of the NIST cybersecurity standards as a baseline is a way to accelerate development of industry-specific cybersecurity guidelines.
  • International cybersecurity efforts are a key source of information.
  • Consider developing a cybersecurity simulator. It could facilitate identification of vulnerabilities and risk mitigation strategies and can be used for collaborative learning (government, academia, private sector, international).
  • Cybersecurity standards for the entire supply chain are important.
  • Foster industry cybersecurity groups for exchange of cybersecurity information.
  • Use professional capacity building to address and develop cybersecurity skill sets among system designers and engineers.
  • Connected vehicle security should be end-to-end; vehicles, infrastructure and V2X communication should all be secure.

The transportation sector is yet another industry that must learn to adapt to the systemic nature of cyber risk. Because of ever-increasing reliance on evolving technology, cyber risk will certainly begin to move toward the top of the list of transportation safety concerns. The captains of this industry can no longer claim ignorance to cybersecurity issues or completely delegate responsibility. They owe a duty to safeguard the flow of information that effectively keeps our planes airborne and our cars on the road. Failure to do so could be catastrophic.

Pokémon Go Highlights Disruptive Technology

If you hear employees talking about spending their stardust and candies, chances are they’re caught up in the latest pop culture fixation: Pokémon Go. The mobile phone game sensation has fans roaming the country with their handhelds out to capture the “Pocket Monsters” scattered virtually throughout the real world.

The kid in me chuckles at this innovative use of augmented reality (AR) technology. But my cyber risk side looks at AR and sees potential issues involving malware, privacy, data disclosure and employee safety.

Real-World Risks

Computer and online games become instant targets for malware, through such things as fake and cracked versions in app stores. Hackers could gain control over a phone and thus a wealth of data about its user. For companies with bring your own device (BYOD) programs, enterprise email accounts and other data could be exposed.

Of course, BYOD risks are not limited to Pokémon Go. For example, sensitive information can be exposed through employees’ social media postings and other activities. But apps that are addictive and seemingly innocent can blind users to the risks of downloading.

AR technology combines elements of the digital and physical worlds into a single view, allowing data, text or images to be superimposed on a live video feed. In Pokémon Go, AR allows for the game map to align with a real-world map and players to find and even photograph their monsters in physical locations.

What if a Pokémon is located inside your company’s office? If a user shares a photo or screenshot of such a location, it poses a risk of inadvertent loss of sensitive company or customer information. And there are issues around invasion of privacy for people/places that don’t want to be involved in the game.

Managing Risk

As surely as Pikachu evolves into Raichu, technology like AR will morph and bring new risks. Businesses may try to block or limit employees’ access to AR and similar technology, but that may only provide temporary relief before the next threat emerges.

So as with all cyber risks, when it comes to Pokémon Go, organizations should make sure they don’t focus only on prevention. Among the steps to bolster response and recovery, businesses can:

  • Educate employees about the risks.
  • Conduct regular cyber risk assessments and audits to identify threats and assets at risk.
  • Develop and test disaster recovery, business continuity and incident response plans in conjunction with law enforcement, regulators and others.
  • Purchase cyber insurance to deal with the inevitable risks that slip through the cracks.

AR and other disruptive technologies are here to stay, and promise to benefit companies and consumers. Risk professionals will need to be nimble as they manage the accompanying risks.

Hacking the Human: Social Engineering

Virtually every business relies on a network to conduct its daily operations. This often involves the collection, storage, transfer and eventual disposal of sensitive data. Securing that data continues to be a challenge for organizations of all sizes and across multiple business sectors. Social Security numbers, W-2 forms, payment cards and intellectual property have significant value on the black market and provide motivation for hackers to steal.

Many corporate IT departments respond to these threats by devoting vast amounts of resources to technological defenses. Criminal perpetrators, however, seem to remain one step ahead of even the best cybersecurity efforts. They have altered their strategies by perpetrating human-based fraud. One emerging tactic involves what we have come to know as “social engineering.” This type of fraud occurs in a multi-stage process. Criminals first gather information, form relationships with key people and finally execute their plan.

By exploiting our natural tendencies to trust others, criminals have been highly successful in convincing people to hand over some of their most valuable data assets. In fact, according to the FBI, from October 2013 to August 2015, more than 8,000 social engineering victims from across the U.S. were defrauded of almost $800 million (the average loss amounted to $130,000.)

There are several methods of social engineering that are seen frequently, including the following seven:

  • Bogus Invoice: A business that has a long-standing relationship with a supplier is asked via email to wire funds for an invoice to an alternate, fraudulent account. The email request appears very similar to one from a legitimate account and needs scrutiny to determine whether it is fraudulent.
  • Business Executive Fraud/Email Phishing: The email accounts of high-level business executives (CEO, CFO, etc.) may be mimicked or hacked. A request for a wire transfer or other sensitive information is made from the compromised email account to someone responsible for processing transfers. The demand is often made in an urgent or time-sensitive manner.
  • Interactive Voice Response/Phone Phishing (aka “vishing”): Using automation to replicate a legitimate-sounding message that appears to come from a bank or other financial institution and directs the recipient to respond to “verify” confidential information.
  • Dumpster Diving and Forensic Recovery: Sensitive information is collected from discarded materials — such as old computer equipment, printers, paper files, etc.
  • Baiting: Malware-infected removable media, such as USB drives, are left at a location where an employee may find them. When an employee attaches the USB drive to her computer, criminals can exfiltrate valuable data.
  • Tailgating: Criminals gain unauthorized access to company premises by following closely behind an employee entering a facility or by presenting themselves as someone who has official business with the company.
  • Diversion: Misdirecting a courier or transport company and arranging for a package/delivery to be taken to another location.

How to avoid being defrauded in the first place:

Given the rising incidence of social engineering fraud, all companies should implement basic risk avoidance measures, including these eight:

  • Educate your employees so they can learn to be vigilant and recognize fraudulent behavior.
  • Establish a procedure requiring any request for funds or information transfer to be confirmed in person or via phone by the individual supposedly making the request.
  • Consider two-factor authorization for high-level IT and financial security functions and dual signatures on wire transfers greater than a certain threshold.
  • Avoid free web-based email and establish a private company domain, and use it to create valid email accounts in lieu of free, web-based accounts.
  • Be careful of what is posted to social media and company websites, especially job duties/descriptions, hierarchical information and out-of-office details.
  • Do not open spam or unsolicited email from unknown parties, and do not click on links in the email. These often contain malware that will give subjects access to your computer system.
  • Do not use the “reply” option to respond to any financial emails. Instead, use the “forward” option and use the correct email address or select it from the email address book to ensure the intended recipient’s correct email address is used.
  • Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via a personal email address when all previous official correspondence has been on a company email, the request could be fraudulent.
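The executive-fraud tactic described above and the advice to forward rather than reply both come down to e-mail headers a busy recipient rarely inspects. As an added example (not from the original article), the following Python checks an inbound message against a constructed executive roster and company domain for the three signals the article describes: an executive's display name on a non-directory address, a Reply-To that silently diverts replies, and an urgent funds-transfer request from outside the company.

```python
"""Header and content checks for executive-impersonation e-mails.

Added example for this page; the executive roster, company domain and both
sample messages are constructed, not taken from any real incident.
"""
from email import message_from_string
from email.utils import parseaddr

# Constructed sample data: the company's real domain and its executives.
COMPANY_DOMAIN = "example.com"
EXECUTIVES = {
    "jane doe": "jane.doe@example.com",   # CFO (constructed)
    "john roe": "john.roe@example.com",   # CEO (constructed)
}

# Phrases that tend to appear together in a fraudulent transfer request.
TRANSFER_TERMS = ("wire", "transfer", "payment", "invoice", "bank account")
URGENCY_TERMS = ("urgent", "immediately", "today", "asap", "confidential")


def _domain(addr: str) -> str:
    """Lower-cased domain part of an address ('' if it has none)."""
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else ""


def _body_text(msg) -> str:
    """Plain-text body, joining text/plain parts for multipart messages."""
    if msg.is_multipart():
        parts = [p.get_payload(decode=True) or b"" for p in msg.walk()
                 if p.get_content_type() == "text/plain"]
        return b"\n".join(parts).decode("utf-8", "replace")
    return msg.get_payload()


def _reply_target(msg) -> str:
    """Address a plain 'reply' would go to: Reply-To wins over From.
    This is the mechanism behind the advice to forward to a known address."""
    _, reply_to = parseaddr(msg.get("Reply-To", ""))
    _, sender = parseaddr(msg.get("From", ""))
    return (reply_to or sender).lower()


def check_message(raw: str) -> list:
    """Return warning strings for one raw RFC 822 message (empty = clean)."""
    msg = message_from_string(raw)
    warnings = []

    display, sender = parseaddr(msg.get("From", ""))
    sender = sender.lower()
    name_key = " ".join(display.split()).lower()   # normalise spacing
    body = _body_text(msg).lower()

    # 1. Display name belongs to an executive, but the address is not the
    #    one in the directory (lookalike domain, webmail, etc.).
    if name_key in EXECUTIVES and sender != EXECUTIVES[name_key]:
        warnings.append(
            f"display name '{display}' is an executive but address is {sender}")

    # 2. A reply would go somewhere other than the From address.
    target = _reply_target(msg)
    if target != sender:
        warnings.append(f"reply would go to {target}, not {sender}")

    # 3. Funds/information transfer requested from an external domain, and
    #    urgency wording typical of executive fraud.
    asks_transfer = any(t in body for t in TRANSFER_TERMS)
    if asks_transfer and _domain(sender) != COMPANY_DOMAIN:
        warnings.append(f"transfer request from external domain {_domain(sender)}")
    if asks_transfer and any(t in body for t in URGENCY_TERMS):
        warnings.append("urgent transfer request (typical executive-fraud wording)")

    return warnings


# Constructed sample: lookalike domain, diverted Reply-To, urgent wire request.
FRAUDULENT = """\
From: Jane Doe <jane.doe@examp1e.com>
Reply-To: jane.doe.cfo@webmail.invalid
To: payments@example.com
Subject: Urgent wire needed today

Please wire the attached invoice amount immediately; I am in a meeting
and cannot take calls. Keep this confidential.
"""

# Constructed sample: genuine internal note from the same executive.
LEGITIMATE = """\
From: Jane Doe <jane.doe@example.com>
To: payments@example.com
Subject: Q3 budget review

Can we schedule the budget review for next week?
"""

if __name__ == "__main__":
    for label, raw in (("fraudulent", FRAUDULENT), ("legitimate", LEGITIMATE)):
        print(label, check_message(raw) or ["no warnings"])
```

The display-name check only catches exact roster names; a production filter would also compare the sender against the directory entry behind the name and treat any mismatch as a reason to confirm the request out of band, as the list above advises.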

Despite these efforts, organizations can still fall victim to a social engineering scheme. These incidents can be reported to the joint FBI/National White Collar Crime Center – Internet Crime Complaint Center (IC3) at www.ic3.gov.

The initial concern after such an event often focuses on the amount of stolen funds. However, there could be an even greater threat because these incidents often involve the compromise of personally identifiable information, which can later be used for identity thefts from multiple people. This prospect for more theft will often trigger legal obligations to investigate the matter and to communicate to affected individuals and regulators. The thefts often then lead to litigation and significant financial and reputational harm to businesses. Costs can include fines, legal fees, IT forensics costs, credit monitoring services for affected individuals, mailing and call center fees and public relations costs.

Fortunately, the insurance industry has developed insurance policies that can transfer these risks. Crime insurance policies can cover fraudulent funds transfers, while cyber insurance policies may cover costs related to unauthorized access of personally identifiable information. However, the insurance buyer needs to be wary of various policy terms and coverage limitations. For example, some crime policies can contain exclusionary language for cases involving voluntary transfer of funds, even though they were unknowingly transferred to a criminal. Other insurers might add policy language to crime policies to cover this situation.

Cyber insurance policies can be customized to offer coverage for the following:

  • Network Security Liability: Liability to a third party as a result of a failure of your network security to protect against destruction, deletion or corruption of a third party’s electronic data; denial of service attacks against Internet sites or computers; or transmission of viruses to third-party computers and systems.
  • Privacy Liability: Liability to a third party as a result of the disclosure of confidential information collected or handled by you or under your care, custody or control. Includes coverage for your vicarious liability where a vendor loses information that had been entrusted to it in the normal course of business.
  • Electronic Media Content Liability: Coverage for personal injury and trademark and copyright claims arising out of creation and dissemination of electronic content.
  • Regulatory Defense and Penalties: Coverage for costs associated with response to a regulatory proceeding resulting from an alleged violation of privacy law causing a security breach.
  • Breach Event Expenses: Expenses to comply with privacy regulations, such as notification and credit monitoring services for affected customers. This also includes expenses incurred in retaining a crisis management firm, outside counsel and forensic investigator.
  • Cyber Extortion: Payments made to cybercriminals to decrypt data that has been encrypted by ransomware.
  • Network Business Interruption: Reimbursement of your loss of income or extra expense resulting from an interruption or suspension of computer systems because of a failure of network security or system failure. Includes sub-limited coverage for dependent business interruption.
  • Data Asset Protection: Recovery of costs and expenses you incur to restore, recreate or recollect your data and other intangible assets (i.e., software applications) that are corrupted or destroyed by a computer attack.

In summary, businesses need to be vigilant in addressing the ever-evolving risks related to their most valuable assets. The most effective risk management plans aim to prevent social engineering fraud incidents from happening and to mitigate the damages if they do. Turning your employees from your weakest link into your greatest assets in the battle is one way; risk transfer to insurance products is another.