
Cyber Threats: Big One Is Out There

Approximately a year after the zombie malware Mirai took some major websites offline for much of a day, cybersecurity researchers identified a potentially more potent threat called Reaper. Experts warn that Reaper has the capability to take down the entire internet.

Mirai Zombie Malware

In late 2016, an online infrastructure firm called Dyn was the victim of a massive distributed denial of service (DDoS) attack attributed to Mirai, an IoT attack malware. A DDoS attacker deliberately overloads a target server with an abnormal amount of traffic, using an army of infected computers, known as a “botnet,” to carry out the information requests. This often results in a crashed server, knocking the target website offline and effectively disrupting normal business. As more and more common household devices become connected to the internet, attackers are able to leverage an ever-growing army of devices to carry out these attacks.

Mirai weaponized IoT devices, such as digital video recorders (DVRs), wireless routers and CCTV cameras, by exploiting factory-default or hard-coded usernames and passwords. A number of Dyn’s high-profile clients, including Twitter, Amazon and Netflix, were taken offline.

The Grim News About Reaper

CheckPoint, an Israeli cybersecurity firm, has said that the Reaper IoT malware is “forming to create a cyber-storm that could take down the internet.” Reaper is exponentially more dangerous than Mirai because it exploits at least nine security vulnerabilities across a wider range of devices. Those vulnerabilities are identified on the CheckPoint website.

CheckPoint warned that Reaper is expanding “at a far greater pace and with more potential damage than the Mirai botnet of 2016,” and it estimated that more than a million organizations worldwide already have been affected. Cybersecurity reporter Brian Krebs added: “It’s a safe bet that whoever is responsible for building this new Reaper IoT botnet will have more than enough firepower capable of executing Dyn-like attacks at internet pressure points. Attacks like these can cause widespread internet disruption because they target virtual gateways where third-party infrastructure providers communicate with hordes of customer Web sites, which in turn feed the online habits of countless internet users.”


Cost of a DDoS Attack

For many victims of a DDoS attack, lost internet traffic can equate to staggering costs and lost revenue. According to a survey Dyn sponsored and published in August 2016, the majority of companies surveyed calculate that an internet outage costs them a minimum of $1,000 per minute.

Protective Measures

Today’s connected enterprises definitely should fear the Reaper (apologies to 1970s rock band Blue Oyster Cult). But there are a number of steps companies can take to mitigate the risk of being taken offline by Reaper or other IoT attack malware. And because 100% prevention against the risk is impossible, companies also should consider transferring the residual risk through insurance.

Avoid or Mitigate the Impact of a DDoS Attack

There are several strategies an organization can deploy to prevent a DDoS attack or at least mitigate the effects of one, including:

  • Set traffic thresholds: Companies can track how many users typically visit their website on any given day, hour and minute. Volume changes based on a number of factors. With this historical baseline in hand, thresholds can be configured and real-time alerts generated to flag abnormal traffic.
  • Blacklist and whitelist: Control who can and cannot access your network with whitelists and blacklists for specific IP addresses. However, be mindful that certain IP addresses may generate false positives and be blacklisted when they are in fact legitimate traffic. By temporarily blocking traffic, a business can see how it responds: legitimate users usually try again after a few minutes, while illegitimate traffic tends to switch IP addresses. A DNS whitelist service is a good resource for beginning the whitelisting and blacklisting process; it lists IP addresses, domain names and e-mail contact addresses, and each IP address is given a trustworthiness score.
  • Reroute traffic with additional servers. By having additional servers on standby to handle an abnormal increase in traffic, a business can improve the odds against one server being overwhelmed. While this is likely the most cost-effective method, it is difficult to tell how many might be needed because the size of the attack can vary.
  • Consider using content-delivery networks (CDN). This method involves using external resources to identify illegitimate traffic and diverting it to a cloud-based infrastructure.
  • There may be contractual obligations that are affected during and after a DDoS attack. As such, it is important to review contractual liability implications with customers and business partners. Review contracts with an eye toward the following:
    • Revise unfavorable service-guarantee language covering downtime resulting from a DDoS attack.
    • Allocate liability for potential outages as appropriate.
    • Clauses that require security-incident notification under contract may be detrimental, especially when not required by law. Be sure your attorney reviews language related to this specific issue.
  • Terminate traffic as soon as a DDoS attack starts. Terminate unwanted connections or processes on servers and routers and tune their TCP/IP settings. If the bottleneck is a particular feature of an application, temporarily disable that feature.
  • Analyze traffic and adjust defenses. If possible, use a network-analyzer tool to review the traffic. Create a network-intrusion-detection system signature to differentiate between benign and malicious traffic. If adjusting defenses, make one change at a time, so you know the cause of the changes you may observe. Configure egress filters to block the traffic your systems may send in response to DDoS traffic, to avoid adding unnecessary packets to the network.
  • Notify and activate your incident-response team, if one is already in place. Contact the company’s executive and legal teams. Upon their direction, consider involving law enforcement and collaborate with your business-continuity/disaster-recovery team.
  • Create a communication plan. A company can easily become overwhelmed with inquiries from customers, business partners and media during a DDoS attack. Create a status page with a statement explaining the circumstances of the event. In addition, a template letter can be created to automatically respond to customers that contact a business for information.
  • During a DDoS attack, immediate efforts should be made to document facts in an incident report. It should record what happened, why it happened, the decisions made and how the organization will prevent future attacks. Review and document the load and logs of servers, routers, firewalls, applications and other affected infrastructure. The incident report may be read by a wide audience, so it is important that it is written in language that is not overly technical.
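The traffic-threshold and temporary-block steps above, as an added example in Python (not code from the article): it buckets constructed access-log lines per minute, derives an alert threshold from a constructed historical baseline (mean plus three standard deviations is an assumption), and lists the sources that dominate an alerted minute as candidates for the temporary block described under blacklisting.

```python
"""Baseline-driven traffic threshold alerting over web access logs.

Added example, not from the original article. All log lines are
constructed sample data; the threshold policy (mean + 3 standard
deviations of historical per-minute counts, with a floor) is an assumption.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

# Combined-log-format line: ip - - [timestamp] "request" status bytes
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) \S+'
)

# Constructed historical per-minute request counts from a normal period.
# In practice this baseline comes from weeks of logs bucketed the same way.
HISTORICAL_PER_MINUTE = [42, 38, 45, 40, 51, 39, 44, 47, 41, 43, 36, 49]


def parse_minute(ts: str) -> str:
    """Return the minute bucket, e.g. '2017-10-27 14:03', for a CLF timestamp."""
    dt = datetime.strptime(ts.split()[0], "%d/%b/%Y:%H:%M:%S")
    return dt.strftime("%Y-%m-%d %H:%M")


def bucket_requests(lines):
    """Count requests per minute and per (minute, source IP)."""
    per_minute = Counter()
    per_minute_ip = defaultdict(Counter)
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # skip malformed lines rather than crash the monitor
        minute = parse_minute(m["ts"])
        per_minute[minute] += 1
        per_minute_ip[minute][m["ip"]] += 1
    return per_minute, per_minute_ip


def threshold_from_history(history, k=3.0, floor=10):
    """Alert threshold: mean + k * population stdev of historical counts."""
    mean = statistics.mean(history)
    stdev = statistics.pstdev(history)
    return max(floor, int(mean + k * stdev))


def find_alerts(lines, history=HISTORICAL_PER_MINUTE, k=3.0, top_n=3):
    """Return [(minute, count, threshold, top_ips)] for minutes over threshold."""
    threshold = threshold_from_history(history, k)
    per_minute, per_minute_ip = bucket_requests(lines)
    alerts = []
    for minute in sorted(per_minute):
        count = per_minute[minute]
        if count > threshold:
            top = per_minute_ip[minute].most_common(top_n)
            alerts.append((minute, count, threshold, top))
    return alerts


def block_candidates(alerts, min_share=0.25):
    """Source IPs that account for at least min_share of an alerted minute.

    These are candidates for a temporary block that a human should review:
    a shared NAT gateway or corporate proxy can look identical to an
    attacker here, which is exactly the false-positive risk the article notes.
    """
    candidates = set()
    for _minute, count, _threshold, top in alerts:
        for ip, n in top:
            if n / count >= min_share:
                candidates.add(ip)
    return candidates


def make_line(ip, ts, path="/index.html", status=200):
    """Build one constructed combined-log-format line."""
    return f'{ip} - - [{ts} +0000] "GET {path} HTTP/1.1" {status} 512'


def constructed_sample():
    """Constructed access log: one normal minute, then one flooded minute."""
    lines = []
    for i in range(1, 41):  # 40 requests from 40 distinct clients (normal)
        lines.append(make_line(f"192.0.2.{i}", "27/Oct/2017:14:03:10"))
    for _ in range(120):  # one source hammering the site
        lines.append(make_line("198.51.100.7", "27/Oct/2017:14:04:05"))
    for _ in range(60):  # a second heavy source
        lines.append(make_line("198.51.100.8", "27/Oct/2017:14:04:20"))
    for i in range(1, 21):  # legitimate traffic mixed into the flooded minute
        lines.append(make_line(f"203.0.113.{i}", "27/Oct/2017:14:04:40"))
    lines.append("garbage line that does not parse")
    return lines


if __name__ == "__main__":
    found = find_alerts(constructed_sample())
    for minute, count, threshold, top in found:
        print(f"ALERT {minute}: {count} requests (threshold {threshold}) top={top}")
    print("review for temporary block:", sorted(block_candidates(found)))
```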

Insurance Issues

For companies that are either the direct target of a DDoS attack or that are indirectly affected by an attack on a third party, significant business interruption costs, including lost income and other expenses, can be incurred. Consequently, affected companies should scrutinize their insurance policies to determine if they have coverage under either scenario.

Because there is no standard cyber insurance policy form, it is important for the insured to review its specific policy form and determine whether it provides coverage for a DDoS attack. Here are some issues to consider in that regard:

  • DDoS Provisions.
    • Is there an exclusion for DDoS attacks;
    • Is coverage limited to attacks targeted at the insured’s network;
    • Is there broader coverage for an attack that indirectly affects the insured;
    • Does the definition of “security event,” “security failure” or any relevant similar term include or exclude a DDoS attack?
  • Business Interruption Coverage.
    • Is coverage triggered only following a direct attack on the insured company;
    • Is contingent business interruption coverage available;
    • How long is the business interruption waiting period;
    • Is coverage triggered only by a complete business interruption or also by a degradation in business operations caused by the DDoS attack;
    • Is there coverage for professionals, including accountants retained by the policyholder, required to calculate and submit the claim?

Insureds are urged to consult with experienced insurance brokers and advisers to ensure that they obtain appropriate coverage for losses resulting from a DDoS attack. Cyber insurers often are open to negotiation of their policy forms, so insureds are encouraged to work with their insurance professionals to optimize coverage.


Further, business interruption insurance may not be made available for every company. Companies can make themselves a better candidate for coverage by implementing a strong disaster recovery/business continuity plan.

Aggressive Regulation on Data Breaches

Below is an excerpt from John Farley’s new book: “Online and Under Attack: What Every Business Needs To Do Now To Manage Cyber Risk and Win Its Cyber War.”

The Internet of Things

Every one of us lives in a brave new connected world. For most of us, our first foray into the online world occurred at work, as businesses discovered that the internet provided efficiencies that made them more competitive. The convenience of the internet has spilled over in dramatic fashion into our personal lives. The average home contains 13 internet-connected devices, and that number is growing fast. It has given birth to the term we know today as the Internet of Things (IoT). According to the FTC’s 2015 staff report “Internet of Things: Privacy and Security in an Interconnected World,” the number of internet-connected devices surpassed the number of people living on the earth several years ago. As of 2015, there were an estimated 25 billion internet-connected devices. The FTC estimates that this number will double to 50 billion by 2020.

Consumers love the convenience that these products bring, and manufacturers recognize this. There has been a tremendous rush to the market, as everything from security cameras, DVRs, routers, TVs, cars and thermostats to children’s toys is being designed to connect to the internet. The list grows daily. Unfortunately, recent history has shown that as manufacturers hurry to capture their share of the market for these devices, many have ignored the concept of security at the design stage. Instead, the focus was to get products manufactured quickly and economically. Extra steps in the product design stage, such as addressing security, would likely increase design time, make products more difficult for the consumer to set up and ultimately increase cost. As a result, many products in our homes lack basic cybersecurity controls and are subject to online threats, as demonstrated earlier in this book in the Dynamic Network Systems attack in October 2016. Many products come with easily guessed passwords or none at all. When security flaws are recognized by manufacturers, they are often not easily patchable.


The FTC has taken notice and made its concerns heard in January 2017 by filing a lawsuit against Taiwanese D-Link and its U.S. subsidiary, D-Link Systems. In the complaint, the FTC alleges the company made deceptive claims about the security of its products and engaged in unfair practices that put U.S. consumers’ privacy at risk. D-Link sells networking equipment that integrates consumers’ home networks, such as routers, internet protocol (IP) cameras, baby monitors and home security cameras. These devices allow consumers to do things like monitor their homes and children in real time. Consumers simply access the live feeds from their home cameras using their mobile devices or any computer.

The crux of the lawsuit alleges that D-Link failed to protect consumers from “widely known and reasonably foreseeable risks of unauthorized access.” The FTC alleges that D-Link failed to do the following:

  • Take reasonable software testing and remediation measures to protect its routers and IP cameras against well-known and easily preventable software security flaws that would potentially allow remote attackers to gain control of consumers’ devices.
  • Take reasonable steps to maintain the confidentiality of the “signature” key that D-Link used, which resulted in the exposure of the private key on a public website for approximately six months.
  • Use free software, available since at least 2008, to secure users’ mobile app login credentials, instead storing those credentials in clear, readable text on users’ mobile devices.

The case is especially noteworthy because it does not allege a known breach of security in D-Link devices. Instead, the FTC appears to be taking measures against the company without waiting for a successful cyberattack to occur before acting. For guidance, we may refer back to the FTC’s 2015 staff report “Internet of Things: Privacy and Security in an Interconnected World.” In that report, the FTC makes the following recommendations:

  • Build security measures into devices from the outset and at every stage of development—don’t wait to implement retroactive security measures after the devices have already been produced and sold.
  • Consistently maintain up-to-date software to secure consumer personal information, and ensure regular software testing. Any identified vulnerabilities should be remediated promptly; connected devices should be monitored throughout their life cycles; and security patches should be issued to cover known risks.
  • Take steps to implement reasonable access-control measures for IoT devices, including making sure proprietary device signatures remain confidential.
  • Accurately describe the products’ safety and security features in marketing and promotional materials.


New Approach to Cyber Insurance

The most active players in the fledgling but fast-growing cyber insurance market are hustling to differentiate themselves.

The early adopters and innovators are doing so by accelerating the promotion of value-added services—tools and systems that can help companies improve their security postures and thus reduce the likelihood of ever filing a cyber damages claim.

As more businesses look to purchase cyber liability policies, insurance sellers are striving to dial up the right mix of such services, a blend that can help them profitably meet this pent-up demand without taking on too much risk.

The incentive is compelling: Consultancy PricewaterhouseCoopers estimates that the cyber insurance market will grow from about $2.5 billion in 2014 to $7.5 billion by 2020. European financial services giant Allianz goes a step further with its prediction that cyber insurance sales will top $20 billion by 2025.

This anticipated growth in demand for cyber liability coverage—coupled with the comparatively low level of loss claims—has created strong competition in this nascent market.

The Insurance Information Institute estimated last year that about 60 companies offered standalone cyber liability policies. In total, more than 500 insurers provide some form of cyber risk coverage, according to a recent analysis by the National Association of Insurance Commissioners.

“There are quite a few players, so they are looking for ways to differentiate themselves and find competitive edges,” says David K. Bradford, co-founder and chief strategy officer for Advisen, an insurance research and analysis company.

Insurance companies make adjustments

Insurance carriers hot after a piece of this burgeoning market are beginning to offer value-added services to make their cyber offerings stand out.


Rather than growing these services in-house, most are partnering with vendors and consultants that specialize in awareness training, network security and data protection. Services that boost the value of cyber policies are being supplied for free or offered at a discount. Typical cyber insurance value-added services include:

  • Phishing and cyber hygiene awareness training
  • Incident response planning
  • Security risk assessments
  • Best practices web portals and software-as-a-service tools
  • Threat detection services
  • Employee and customer identity theft coverage
  • Breach response services

One measure of value-added services gaining traction comes from the Betterley Report, which recently surveyed 31 carriers that offer cyber policies. Betterley found that about half offered “active avoidance services,” while nearly all offered some sort of pre-breach planning tools.

Rick Betterley, president of Betterley Risk Consultants, which publishes the Betterley Report, says there is still a long way to go. “There’s much more that can be done to help the insureds be better protected,” he says.

Betterley is a big proponent of adding risk-management services to cyber policies. He calls the approach Cyber 3.0, adding that it’s akin to the notion of insuring a highly protected risk in a property insurance policy. Cyber value-added services, he says, are the equivalent of fire insurance companies requiring sprinklers.

“It’s not required that insurance companies provide the services, but it’s required that they help insureds identify what services are likely to generate a reduction in premiums,” Betterley says.

Sector faces new challenges

That said, the cyber insurance sector is still finding its way. With auto crashes, fire or natural disasters, losses are well defined and fully understood. Cyber exposures, by contrast, are hard to pin down. Network vulnerabilities are extremely complex and continually evolving. And historic data on insurance claims related to data breaches remains, at least for the moment, in short supply.

An added challenge, Betterley says, is that insurance companies are unable to satisfactorily measure the effectiveness of security technologies and services in preventing a data breach.

Advisen’s Bradford agrees. “It’s a rapidly evolving area that changes day to day, and underwriters are definitely wary of recommending a particular vendor or approach,” he says.

Eventually, the insurance industry will figure out how to make meaningful correlations and separate the wheat from the chaff.

“In bringing in these value-added services, we can help shore up some of those areas where we’re seeing human error,” observes Dave Wasson, cyber liability practice leader at Hays Cos., a commercial insurance brokerage and risk management consultancy. “We’ll be at a point where we’ll know what makes a difference, and we can put our money, time and efforts into those solutions.”

Eric Hodge, director of consulting at IDT911 Consulting, part of IDT911, which underwrites ThirdCertainty.com, concurs. One ironic result of the recent spike of ransomware attacks aimed at businesses, Hodge says, is that more hard data is getting generated that is useful for calculating loss profiles.


Along the same lines, settlements of class-action lawsuits related to breaches at high-profile retailers, such as Target and Sony, are helping amass data that will help the industry flesh out evolving actuarial tables.

“Losses from cyber attacks and data breaches are becoming easier to quantify,” Hodge says. “And market forces are absolutely lining up to reward the wider use of these activities. It’s harder to ignore the fiscal argument for an insurer to go the extra mile in helping the insured organizations make sure that a costly breach doesn’t occur.”

AIG blazes trail

One notable proponent leading the way is multinational insurance giant AIG, which is nurturing partnerships with about a half-dozen cybersecurity vendors.

AIG services—some of which are offered to policyholders at no cost—range from threat intelligence and cyber risk maturity assessments to active detection and vulnerabilities assessments.

RiskAnalytics, one of AIG’s partner vendors, provides threat intelligence services, including a service that detects and shuns blacklisted IP addresses. Any AIG insured with a minimum $5,000 policy can participate at no additional cost.

The company’s partnership is exclusive to AIG, and appears to be very popular.

“We’re bringing in multiyear contracts, and the average sales price is on an impressive trajectory,” says RiskAnalytics Chief Operating Officer Kurt Lee. “It’s all born out of (customers) using that (introductory) service through the policy.”

Recognizing the trend, more vendors are seizing the opportunity to market their services to insurance carriers.

Vendors are willing to jump through the many hoops because a partnership with an insurance company is an opportunity to get a soft introduction to a potential client, says Mike Patterson, vice president of strategy at Rook Security, a managed security services provider (MSSP) that is reaching out to carriers.

Dismantling roadblocks

As with any new approach, broad adoption of cyber insurance value-added services isn’t without hurdles. One major obstacle is the “’this-isn’t-how-we’ve-always-done-it’ way of thinking,” says IDT911’s Hodge. “It’s like trying to change our election processes—people resist altering a system that has been in place for a couple hundred years.”

Another barrier is cost. Insurance companies tend to reserve free or discounted added services for heavyweight clients that spend small fortunes on annual premiums, says John Farley, vice president and cyber risk practice leader at insurance brokerage HUB International.

“Carriers can’t give away a lot of resources, so the smaller premium payers are not getting a lot of these services,” Farley says. “But if they can streamline and automate resources and figure out how to get customizable, usable information to the insurance buyer, that insurance carrier will probably stand out.”

Brian Branner, RiskAnalytics’ executive vice president, says that’s exactly one of the benefits that AIG derives from their partnership.

“If we can get the insureds to use the services we provide, we should lower AIG’s loss ratio because they’ll be safer organizations, and AIG should receive less claims,” he says.

Hidden costs of a breach can affect a large enterprise for years, and prove catastrophic to a small business. So insurance companies in the vanguard are looking to find business clients that are taking information security seriously.


As more companies buy cyber policies, and use any attendant services, the result could be a halo effect, says IDT911’s Hodge.

“This is certainly something that the insurers are counting on,” Hodge says. “A more secure buyer is a lower actuarial risk to the insurer.”

Meanwhile, policyholders should steadily become better equipped to securely do business in an internet-centric economy riddled with evolving exposures.

Hodge says: “In my experience, the buyer is often pleasantly surprised by the improvement that can come about quickly in terms of knowing their risk, being compliant with their industry standards and being able to indicate to the marketplace that they are taking good care of their customer’s information.”

This post originally appeared on ThirdCertainty. It was written by Rodika Tollefson.

When Hackers Take the Wheel

Operator errors, driving under the influence, and product defects have long been blamed for catastrophic accidents in the transportation industry. However, recent headlines revealed how cyber risk has emerged as a new and disturbing threat to airlines, railways, auto manufacturers and ocean cargo carriers.

Those in the transportation sector have embraced the “Internet of Things” and transformed what were once far-reaching concepts into some of the most common components of the cars they manufacture and the planes they fly. They often rely on a secure internet connection to function safely and efficiently. Recent headlines, however, raised concern and started a debate: Can the transportation sector be hacked? If so, what are the consequences?

Automobiles

In July 2015, Fiat Chrysler announced a recall of 1.4 million vehicles after white hat hackers demonstrated that they could take control of a Jeep Cherokee’s braking systems, change vehicle speed and affect operation of the transmission, air conditioning and radio controls. Hackers gained remote access by exploiting a software vulnerability in the vehicle’s Uconnect entertainment system.

The stakes have been raised even higher with recent advances made in the development of driverless cars, as more vehicles will become completely reliant on secure technology. Safety concerns were raised after a series of crashes allegedly caused by the failures of Tesla’s Autopilot technology, resulting in the death of a passenger. This prompted Tesla to announce efforts to improve its Autopilot software, including “advanced processing of radar signals.”


The Department of Transportation has also recognized the risks associated with technology. In January 2016, the department entered into an agreement with 17 major automakers to enhance driver safety, including information sharing to prevent cyberattacks on vehicles. According to the agreement, the National Highway Traffic Safety Administration will propose industry guidance for safe operation for fully autonomous vehicles.

Planes

Boeing recently became the subject of a hacker demonstration when a security researcher accessed the entertainment systems of one of the company’s planes in mid-flight. Boeing was adamant that the hacker could not have gained access to the aircraft’s critical functions due to segregation of the two networks. However, the incident raised concerns throughout the airline industry, and an FBI investigation followed.

Railway Systems

German security researchers SCADA Strangelove demonstrated, without naming the rail systems in question, that they, too, are vulnerable. Their December 2015 report highlighted vulnerabilities related to outdated software, default passwords and lack of authentication. Moreover, entertainment and engineering systems were operating on the same network, leading to speculation that if one system is compromised hackers could gain access to the other. Because rail switches are automated and dependent on properly operating networks, the theory of a system compromise leading to a head-on collision with another train was explored in the report.

Marine Shipping

An investigation by Verizon Risk concluded that modern-day pirates are increasingly relying on network intrusions as a means to carry out crimes on the high seas. Verizon concluded that an unidentified shipping company’s networks were penetrated by hackers, giving them precise information on which ships were carrying the most valuable contents. Hackers then targeted their attacks on specific vessels, using bar codes to focus on individual shipping containers.

As of this writing, we have not seen any incidents of bodily injury or loss of life in the transportation sector directly attributed to a deliberate network compromise. Yet the findings of various researchers across multiple transportation sectors lead to some alarming conclusions. Law enforcement and transportation safety regulators have taken these findings seriously and conducted investigations of their own.

We can therefore expect that the transportation sector will be held to higher cybersecurity standards and will see the kind of increased regulatory scrutiny that has been witnessed in other industries, such as healthcare and financial services. When networks containing sensitive data may be compromised, regulators that oversee that industry often propose protection standards that ultimately become mandates. Failure to comply often leads to lawsuits, settlements, fines and significant reputational harm.


Until then, the transportation sector can start by following the best practices outlined in the National Highway Traffic Safety Administration’s “A Summary of Cybersecurity Best Practices,” published in October 2014. Key observations and recommendations include:

  • Cybersecurity is a life-cycle process that includes elements of assessment, design, implementation and operations as well as an effective testing and certification program.
  • The aviation industry has many parallels to the automotive industry in the area of cybersecurity.
  • Strong leadership from the federal government could help the development of industry-specific cybersecurity standards, guidelines and best practices.
  • Sharing learning with other federal agencies is beneficial.
  • Use of the NIST cybersecurity standards as a baseline is a way to accelerate development of industry-specific cybersecurity guidelines.
  • International cybersecurity efforts are a key source of information.
  • Consider developing a cybersecurity simulator. It could facilitate identification of vulnerabilities and risk mitigation strategies and can be used for collaborative learning (government, academia, private sector, international).
  • Cybersecurity standards for the entire supply chain are important.
  • Foster industry cybersecurity groups for exchange of cybersecurity information.
  • Use professional capacity building to address and develop cybersecurity skill sets, system designers and engineers.
  • Connected vehicle security should be end-to-end; vehicles, infrastructure and V2X communication should all be secure.

The transportation sector is yet another industry that must learn to adapt to the systemic nature of cyber risk. Because of ever-increasing reliance on evolving technology, cyber risk will certainly begin to move toward the top of the list of transportation safety concerns. The captains of this industry can no longer claim ignorance to cybersecurity issues or completely delegate responsibility. They owe a duty to safeguard the flow of information that effectively keeps our planes airborne and our cars on the road. Failure to do so could be catastrophic.

Hacking the Human: Social Engineering

Virtually every business relies on a network to conduct its daily operations. This often involves the collection, storage, transfer and eventual disposal of sensitive data. Securing that data continues to be a challenge for organizations of all sizes and across multiple business sectors. Social Security numbers, W-2 forms, payment cards and intellectual property have significant value on the black market and provide motivation for hackers to steal.

Many corporate IT departments respond to these threats by devoting vast amounts of resources to technological defenses. Criminal perpetrators, however, seem to remain one step ahead of even the best cybersecurity efforts. They have altered their strategies by perpetrating human-based fraud. One emerging tactic involves what we have come to know as “social engineering.” This type of fraud occurs in a multi-stage process. Criminals first gather information, form relationships with key people and finally execute their plan.

By exploiting our natural tendencies to trust others, criminals have been highly successful in convincing people to hand over some of their most valuable data assets. In fact, according to the FBI, from October 2013 to August 2015, more than 8,000 social engineering victims from across the U.S. were defrauded of almost $800 million (the average loss amounted to $130,000).


There are several methods of social engineering that are seen frequently, including the following seven:

  • Bogus Invoice: A business that has a long-standing relationship with a supplier is asked by email to wire funds for an invoice to an alternate, fraudulent account. The email request looks very similar to one from the legitimate account and needs scrutiny to be recognized as fraudulent.
  • Business Executive Fraud/Email Phishing: The email accounts of high-level business executives (CEO, CFO, etc.) may be mimicked or hacked. A request for a wire transfer or other sensitive information is sent from the compromised or spoofed account to someone responsible for processing transfers. The demand is often made in an urgent or time-sensitive manner.
  • Interactive Voice Response/Phone Phishing (aka “vishing”): Automation is used to replicate a legitimate-sounding message that appears to come from a bank or other financial institution and directs the recipient to respond to “verify” confidential information.
  • Dumpster Diving and Forensic Recovery: Sensitive information is collected from discarded materials — such as old computer equipment, printers, paper files, etc.
  • Baiting: Malware-infected removable media, such as USB drives, are left at a location where an employee may find them. When an employee attaches the USB drive to her computer, criminals can exfiltrate valuable data.
  • Tailgating: Criminals gain unauthorized access to company premises by following closely behind an employee entering a facility or by presenting themselves as someone who has official business with the company.
  • Diversion: A courier or transport company is misdirected so that a package or delivery is taken to another location.

How to avoid being defrauded in the first place:

Given the rising incidence of social engineering fraud, all companies should implement basic risk avoidance measures, including these eight:

  • Educate your employees so they can learn to be vigilant and recognize fraudulent behavior.
  • Establish a procedure requiring any request for funds or information transfer to be confirmed in person or via phone with the individual supposedly making the request.
  • Consider two-factor authentication for high-level IT and financial security functions and dual signatures on wire transfers greater than a certain threshold.
  • Avoid free web-based email. Establish a private company domain and use it to create valid email accounts in lieu of free, web-based accounts.
  • Be careful of what is posted to social media and company websites, especially job duties/descriptions, hierarchical information and out-of-office details.
  • Do not open spam or unsolicited email from unknown parties, and do not click on links in such email. These often contain malware that will give criminals access to your computer system.
  • Do not use the “reply” option to respond to any financial emails. Instead, use the “forward” option and type the correct email address or select it from the email address book, so that the intended recipient’s correct address is used rather than whatever address the incoming message asks you to reply to.
  • Beware of sudden changes in business practices. For example, if a current business contact suddenly asks to be contacted via a personal email address when all previous official correspondence has been on a company email, the request could be fraudulent.
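Several of the measures above (confirming payment requests out of band, never replying directly to financial emails, watching for a contact who suddenly switches addresses) can be backed by an automated check on incoming mail headers. The following Python script is an added example written for this article, not code from the article's author or from any named product. It inspects a message for the bogus-invoice and executive-impersonation indicators described earlier: a Reply-To address that points somewhere other than the sender's domain, a display name matching a known executive paired with a non-corporate address, a sender domain that closely resembles a trusted supplier or corporate domain, and urgent payment-change wording. The corporate domain, the executive roster, the supplier list and the two sample messages are all constructed assumptions.

```python
"""Flag business-email-compromise indicators in an email's headers and body.

All names, domains and messages below are constructed for illustration;
none refer to a real organization.
"""
from difflib import SequenceMatcher
from email import message_from_string
from typing import List, Optional, Set

# Constructed configuration (assumptions, not real data).
CORPORATE_DOMAIN = "example-corp.com"
EXECUTIVES = {"jane doe": "jane.doe@example-corp.com"}   # display name -> real address
TRUSTED_SUPPLIER_DOMAINS = {"acme-supplies.com"}
# Wording typical of urgent payment-change requests (subject or body).
SUSPICIOUS_PHRASES = ("urgent", "immediately", "wire transfer", "new bank",
                      "updated bank", "bank details", "personal email")


def _domain(address: str) -> str:
    """Return the lower-cased domain part of an address ('' if none)."""
    return address.rpartition("@")[2].lower()


def _lookalike(domain: str, trusted: Set[str], threshold: float = 0.85) -> Optional[str]:
    """Return a trusted domain that `domain` closely resembles but does not equal.

    A ratio of 1.0 is an exact match (legitimate); a high but sub-1.0 ratio
    (e.g. a single swapped character) is the lookalike pattern we want to catch.
    """
    for known in sorted(trusted):          # sorted for deterministic results
        if domain != known and SequenceMatcher(None, domain, known).ratio() >= threshold:
            return known
    return None


def check_message(raw: str) -> List[str]:
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    from email.utils import parseaddr
    msg = message_from_string(raw)
    findings = []

    from_name, from_addr = parseaddr(msg.get("From", ""))
    _, reply_addr = parseaddr(msg.get("Reply-To", ""))
    from_dom = _domain(from_addr)

    # 1. Reply-To redirects responses away from the apparent sender's domain.
    if reply_addr and _domain(reply_addr) != from_dom:
        findings.append(f"Reply-To domain '{_domain(reply_addr)}' differs from sender domain '{from_dom}'")

    # 2. Display name impersonates a known executive, but the address is not theirs.
    key = from_name.strip().lower()
    if key in EXECUTIVES and from_addr.lower() != EXECUTIVES[key]:
        findings.append(f"display name '{from_name}' matches an executive but address is '{from_addr}'")

    # 3. Sender domain is a near-copy of a trusted supplier or corporate domain.
    resembled = _lookalike(from_dom, TRUSTED_SUPPLIER_DOMAINS | {CORPORATE_DOMAIN})
    if resembled:
        findings.append(f"sender domain '{from_dom}' resembles trusted domain '{resembled}'")

    # 4. Urgent payment-change language in the subject or body.
    body = msg.get_payload() if not msg.is_multipart() else ""
    text = f"{msg.get('Subject', '')}\n{body}".lower()
    hits = [p for p in SUSPICIOUS_PHRASES if p in text]
    if hits:
        findings.append(f"suspicious wording: {', '.join(hits)}")

    return findings


# Constructed sample: an impersonation attempt with a swapped character in the domain.
SAMPLE_BEC = """\
From: "Jane Doe" <jane.doe@example-c0rp.com>
Reply-To: finance@mail-free.example
Subject: URGENT: updated bank details for invoice

Please process today; our bank details changed. Wire to the new account below.
"""

# Constructed sample: a routine invoice from the real supplier domain.
SAMPLE_OK = """\
From: "Acme Supplies Billing" <billing@acme-supplies.com>
Subject: Invoice 1042 attached

Please find attached invoice 1042. Payment terms unchanged.
"""

if __name__ == "__main__":
    for label, sample in (("BEC sample", SAMPLE_BEC), ("benign sample", SAMPLE_OK)):
        print(label, "->", check_message(sample) or "no indicators")
```

A finding here is a prompt for the out-of-band confirmation step, not a verdict: the script is meant to sit in front of the person who processes transfers and tell them which messages deserve a phone call to the requester before any funds move.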

Despite these efforts, organizations can still fall victim to a social engineering scheme. These incidents can be reported to the joint FBI/National White Collar Crime Center – Internet Crime Complaint Center (IC3) at www.ic3.gov.


The initial concern after such an event often focuses on the amount of stolen funds. However, there could be an even greater threat, because these incidents often involve the compromise of personally identifiable information, which can later be used to commit identity theft against many people. That prospect will often trigger legal obligations to investigate the matter and to notify affected individuals and regulators. The thefts often then lead to litigation and significant financial and reputational harm to businesses. Costs can include fines, legal fees, IT forensics costs, credit monitoring services for affected individuals, mailing and call center fees and public relations costs.

Fortunately, the insurance industry has developed insurance policies that can transfer these risks. Crime insurance policies can cover fraudulent funds transfers, while cyber insurance policies may cover costs related to unauthorized access of personally identifiable information. However, the insurance buyer needs to be wary of various policy terms and coverage limitations. For example, some crime policies can contain exclusionary language for cases involving voluntary transfer of funds, even though they were unknowingly transferred to a criminal. Other insurers might add policy language to crime policies to cover this situation.

Cyber insurance policies can be customized to offer coverage for the following:

  • Network Security Liability: Liability to a third party as a result of a failure of your network security to protect against destruction, deletion or corruption of a third party’s electronic data; denial of service attacks against Internet sites or computers; or transmission of viruses to third-party computers and systems.
  • Privacy Liability: Liability to a third party as a result of the disclosure of confidential information collected or handled by you or under your care, custody or control. Includes coverage for your vicarious liability where a vendor loses information that had been entrusted to it in the normal course of business.
  • Electronic Media Content Liability: Coverage for personal injury and trademark and copyright claims arising out of creation and dissemination of electronic content.
  • Regulatory Defense and Penalties: Coverage for costs associated with response to a regulatory proceeding resulting from an alleged violation of privacy law causing a security breach.
  • Breach Event Expenses: Expenses to comply with privacy regulations, such as notification and credit monitoring services for affected customers. This also includes expenses incurred in retaining a crisis management firm, outside counsel and forensic investigator.
  • Cyber Extortion: Payments made to cybercriminals to decrypt data that has been encrypted by ransomware.
  • Network Business Interruption: Reimbursement of your loss of income or extra expense resulting from an interruption or suspension of computer systems because of a failure of network security or system failure. Includes sub-limited coverage for dependent business interruption.
  • Data Asset Protection: Recovery of costs and expenses you incur to restore, recreate or recollect your data and other intangible assets (i.e., software applications) that are corrupted or destroyed by a computer attack.

In summary, businesses need to be vigilant in addressing the ever-evolving risks related to their most valuable assets. The most effective risk management plans aim to prevent social engineering fraud incidents from happening and to mitigate the damages if they do. Turning your employees from your weakest link into your greatest assets in the battle is one way; risk transfer to insurance products is another.