Cyber Threats: Big One Is Out There

Approximately a year after the zombie malware Mirai took some major websites offline for much of a day, cybersecurity researchers recently identified a potentially more potent threat called Reaper. Experts warn that Reaper has the capability to take down the entire internet.

Mirai Zombie Malware

In late 2016, an online infrastructure firm called Dyn was the victim of a massive distributed denial of service (DDoS) attack attributed to Mirai, an IoT attack malware. A DDoS attacker deliberately overloads a target server with an abnormal volume of traffic, using an army of infected devices, known as a “botnet,” to generate the requests. This often crashes the server, knocking the target website offline and disrupting normal business. As more and more common household devices become connected to the internet, attackers are able to leverage an ever-growing army of devices to carry out these attacks.

Mirai weaponized IoT devices, such as digital video recorders (DVRs), wireless routers and CCTV cameras, by exploiting factory-default or hard-coded usernames and passwords. A number of Dyn’s high-profile clients, including Twitter, Amazon and Netflix, were taken offline.

The Grim News About Reaper

CheckPoint, an Israeli cybersecurity firm, has said that the Reaper IoT malware is “forming to create a cyber-storm that could take down the internet.” Reaper is exponentially more dangerous than Mirai because it exploits at least nine security vulnerabilities across a wider range of devices. Those vulnerabilities are identified on the CheckPoint website.

CheckPoint warned that Reaper is expanding “at a far greater pace and with more potential damage than the Mirai botnet of 2016,” and it estimated that more than a million organizations worldwide have already been affected. Cybersecurity journalist Brian Krebs added: “It’s a safe bet that whoever is responsible for building this new Reaper IoT botnet will have more than enough firepower capable of executing Dyn-like attacks at internet pressure points. Attacks like these can cause widespread internet disruption because they target virtual gateways where third-party infrastructure providers communicate with hordes of customer Web sites, which in turn feed the online habits of countless internet users.”

Cost of a DDoS Attack

For many victims of a DDoS attack, lost internet traffic can equate to staggering costs and lost revenue. According to a survey Dyn sponsored and published in August 2016, the majority of companies surveyed calculate that an internet outage costs them a minimum of $1,000 per minute.

Protective Measures

Today’s connected enterprises definitely should fear the Reaper (apologies to 1970s rock band Blue Oyster Cult). But there are a number of steps companies can take to mitigate the risk of being taken offline by Reaper or other IoT attack malware. And because 100% prevention against the risk is impossible, companies also should consider transferring the residual risk through insurance.

Avoid or Mitigate the Impact of a DDoS Attack

There are several strategies an organization can deploy to prevent a DDoS attack or at least mitigate the effects of one, including:

  • Set traffic thresholds: Companies can track how many users typically visit their website on any given day, hour and minute. Volume changes based on a number of factors. With this historical knowledge, thresholds can be set and real-time alerts generated to flag abnormal traffic.
  • Blacklist and whitelist: Control who can and cannot access your network with whitelists and blacklists for specific IP addresses. However, be mindful that certain IP addresses may generate false positives and be blacklisted when they are in fact legitimate traffic. By temporarily blocking traffic, a business can see how it responds. Legitimate users usually try again after a few minutes. Illegitimate traffic tends to switch IP addresses. A good resource to help begin the process of whitelisting and blacklisting can be found on the DNS whitelist. Here you will find IP addresses, domain names and e-mail contact addresses. Each IP address is given a trustworthiness level score.
  • Reroute traffic with additional servers. By having additional servers on standby to handle an abnormal increase in traffic, a business can improve the odds against one server being overwhelmed. While this is likely the most cost-effective method, it is difficult to tell how many might be needed because the size of the attack can vary.
  • Consider using content-delivery networks (CDN). This method involves using external resources to identify illegitimate traffic and diverting it to a cloud-based infrastructure.
  • There may be contractual obligations that are affected during and after a DDoS attack. As such, it is important to review contractual liability implications with customers and business partners. Review contracts with an eye toward the following:
    • Revise unfavorable service-guarantee language due to downtime resulting from a DDoS attack.
    • Allocate liability for potential outages as appropriate.
    • Clauses that require security-incident notification under contract may be detrimental, especially when not required by law. Be sure your attorney reviews language related to this specific issue.
  • Terminate traffic as soon as a DDoS attack starts. Terminate unwanted connections or processes on servers and routers and tune their TCP/IP settings. If the bottleneck is a particular feature of an application, temporarily disable that feature.
  • Analyze traffic and adjust defenses. If possible, use a network-analyzer tool to review the traffic. Create a network-intrusion-detection system signature to differentiate between benign and malicious traffic. If adjusting defenses, make one change at a time, so you know the cause of the changes you may observe. Configure egress filters to block the traffic your systems may send in response to DDoS traffic, to avoid adding unnecessary packets to the network.
  • Notify and activate your incident-response team, if one is already in place. Contact the company’s executive and legal teams. Upon their direction, consider involving law enforcement and collaborate with your business-continuity/disaster-recovery team.
  • Create a communication plan. A company can easily become overwhelmed with inquiries from customers, business partners and media during a DDoS attack. Create a status page with a statement explaining the circumstances of the event. In addition, a template letter can be created to automatically respond to customers that contact a business for information.
  • During a DDoS attack, immediate efforts should be made to document facts in an incident report. It should be used to document what happened, why it happened, decisions made and how the organization will prevent future attacks. Review and document the load and logs of servers, routers, firewalls, applications and other affected infrastructure. The incident report may be read by a wide audience, and it is therefore important that it’s written in a language that is not overly technical.
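
A worked version of the traffic-threshold and traffic-analysis steps above, written for this page as an added example (it is not code from the original article): it parses constructed access-log lines, derives an alert threshold from a constructed historical requests-per-minute baseline, flags minutes whose request count exceeds it, and lists the sources that dominate a flagged minute for manual review before any blacklisting. The log format, the baseline numbers and the IP addresses are all assumptions.

```python
"""Traffic-threshold alerting over web access logs (added example, not from the article).

Assumptions, all constructed: Common-Log-Format lines and BASELINE_RPM, the site's historical
requests-per-minute that the article says a company should already be tracking.
"""
import re
import statistics
from collections import Counter, defaultdict
from datetime import datetime

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" (?P<status>\d{3}) (?P<size>\S+)'
)
TS_FMT = "%d/%b/%Y:%H:%M:%S %z"
BASELINE_RPM = [48, 52, 45, 55, 50, 47, 53, 49, 51, 46]  # constructed history, requests/minute

def parse_line(line):
    """Return (source ip, minute bucket) for a CLF line, or None if the line is unparseable."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), TS_FMT)
    return m.group("ip"), ts.replace(second=0, microsecond=0)

def requests_per_minute(lines):
    """Map each minute to a Counter of requests per source IP; malformed lines are skipped."""
    per_minute = defaultdict(Counter)
    for line in lines:
        parsed = parse_line(line)
        if parsed is not None:
            ip, minute = parsed
            per_minute[minute][ip] += 1
    return per_minute

def threshold_from_baseline(baseline_rpm, k=3.0):
    """Alert threshold: historical mean plus k standard deviations of requests per minute."""
    return statistics.mean(baseline_rpm) + k * statistics.pstdev(baseline_rpm)

def detect_spikes(per_minute, threshold, top_n=3):
    """Flag every minute whose total exceeds the threshold, with its top contributing sources."""
    alerts = []
    for minute in sorted(per_minute):
        counts = per_minute[minute]
        total = sum(counts.values())
        if total > threshold:
            alerts.append({"minute": minute.isoformat(), "requests": total,
                           "threshold": round(threshold, 1),
                           "top_sources": counts.most_common(top_n)})
    return alerts

def block_candidates(alerts, min_share=0.25):
    """Sources responsible for at least min_share of a flagged minute's requests."""
    # Candidates for human review, not an automatic blacklist: the article notes that
    # legitimate addresses can be false positives and that attack traffic shifts IPs.
    return {ip for a in alerts for ip, n in a["top_sources"] if n / a["requests"] >= min_share}

def constructed_log_lines():
    """Constructed sample: one quiet minute, then one minute flooded by two sources."""
    lines = [f'203.0.113.{10 + i} - - [21/Oct/2017:10:00:{i:02d} +0000] "GET / HTTP/1.1" 200 512'
             for i in range(6)]
    for i in range(50):
        for ip in ("198.51.100.7", "198.51.100.9"):
            lines.append(f'{ip} - - [21/Oct/2017:10:01:{i:02d} +0000] "GET /search?q=x HTTP/1.1" 200 2048')
    lines += [f'203.0.113.{30 + i} - - [21/Oct/2017:10:01:{i:02d} +0000] "GET /about HTTP/1.1" 200 1024'
              for i in range(20)]
    lines.append("garbage line the parser must skip")
    return lines

def run_example():
    """Derive the threshold from the baseline and scan the constructed log for spikes."""
    threshold = threshold_from_baseline(BASELINE_RPM)
    return detect_spikes(requests_per_minute(constructed_log_lines()), threshold)

if __name__ == "__main__":
    found = run_example()
    for alert in found:
        print(alert)
    print("review before blacklisting:", sorted(block_candidates(found)))
```

The quiet minute (6 requests) stays under the threshold of roughly 59 requests per minute, while the flooded minute (120 requests, 100 of them from two addresses) is flagged and those two addresses surface as review candidates.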

Insurance Issues

For companies that are either the direct target of a DDoS attack or that are indirectly affected by an attack on a third party, significant business interruption costs, including lost income and other expenses, can be incurred. Consequently, affected companies should scrutinize their insurance policies to determine if they have coverage under either scenario.

Because there is no standard cyber insurance policy form, it is important for the insured to review its specific policy form and determine whether it provides coverage for a DDoS attack. Here are some issues to consider in that regard:

  • DDoS Provisions.
    • Is there an exclusion for DDoS attacks;
    • Is coverage limited to attacks targeted at the insured’s network;
    • Is there broader coverage for an attack that indirectly affects the insured;
    • Does the definition of “security event,” “security failure” or any relevant similar term include or exclude a DDoS attack?
  • Business Interruption Coverage.
    • Is coverage triggered only following a direct attack on the insured company;
    • Is contingent business interruption coverage available;
    • How long is the business interruption waiting period;
    • Is coverage triggered only by a complete business interruption or also by a degradation in business operations caused by the DDoS attack;
    • Is there coverage for professionals, including accountants retained by the policyholder, required to calculate and submit the claim?

Insureds are urged to consult with experienced insurance brokers and advisers to ensure that they obtain appropriate coverage for losses resulting from a DDoS attack. Cyber insurers often are open to negotiation of their policy forms, so insureds are encouraged to work with their insurance professionals to optimize coverage.

Further, business interruption insurance may not be made available for every company. Companies can make themselves a better candidate for coverage by implementing a strong disaster recovery/business continuity plan.

Urgent Need on ‘Silent’ Cyber Risks

This is an unprecedented time for insurers. As margins associated with conventional lines of coverage continue to tighten, pressure is increasing to offer new forms of coverage to respond to the emerging cyber threats facing insureds in today’s digital economy. At the same time, insurers are compelled to make certain that those risks are effectively excluded from coverage under many other “traditional” policy forms.

Unfortunately for underwriters of both traditional and newer policy forms, emerging cyber threats can be difficult, if not impossible, to predict and factor into underwriting and policy drafting processes. But as we’ve already seen in the context of cyber incidents, today’s unknown cyber threat can become tomorrow’s front-page news and unanticipated limits payout. And if that threat is spread across multiple insureds in an insurer’s coverage portfolio, the bottom-line effect of the aggregated losses could be devastating. Making matters worse — as recently recognized by the Bank of England’s Prudential Regulation Authority (PRA) — these “silent” cyber exposures can simultaneously affect multiple lines of coverage, (including casualty, marine, aviation and transport), affecting both direct and facultative coverages.

Imagine this scenario:

Company A manufactures components used in the Wi-Fi systems of commercial airliners. Mr. X, a disgruntled employee of Company A, purposely inserts a software coding vulnerability into the components, which were then sold to Company B, a leading manufacturer of commercial jetliners. Company B incorporates Company A’s components into its jetliners and then sells 30 of them to three major U.S. commercial airlines. Company A also sells the affected components to Company C, which manufactures and sells private charter jets. Company C sells 15 jets containing Company A’s vulnerable components to various private individuals and corporations.

Once the planes are in operation, Mr. X remotely exploits the vulnerability in the aircraft, causing three in-flight planes to go down in populated areas. Plane 1 crashes into a medical center in Small Town. Plane 2 destroys an electrical power station in Mega City, plunging half of the city into darkness. Plane 3, a private corporate jet, causes serious damage to a bridge that is heavily used by a commuter rail service in Sunny City, rendering it unusable and making it virtually impossible for thousands of commuters to get to work.

Widespread panic immediately ensues after the crashes. All U.S. air traffic is halted pending an investigation of the cause. There are numerous traffic accidents and looting incidents following the blackout in Mega City, and many organizations are forced to close indefinitely. Mr. X then contacts Company C and the three airlines that purchased the affected jetliners and demands $1 billion in exchange for revealing the vulnerability.

This obviously is an unlikely scenario, but as technology continues to be used in novel ways, it is important to recognize what will be possible. This scenario was created to highlight a complex casualty catastrophe initiated from a technological weakness in an increasingly connected world. While crashing planes are terrifying, the bigger takeaway is that this was not a possible scenario prior to recent technological developments. It isn’t difficult to see how the multiple insurance coverages triggered by the above scenario could result in insured losses well in excess of $20 billion. Individual company losses could be disastrous, given the previously uncorrelated nature of the individual lines of business that would be affected. While technology forges new connections among businesses and individuals, those connections have ushered in the new risk of technology-initiated catastrophe scenarios, recently labeled as a “Cyber Andrew” scenario, in reference to Hurricane Andrew, which resulted in losses few insurers previously believed possible.

The continued expansion of loss causes, courtesy of new technology, will have implications for both legacy insurance and new cyber insurance contracts. This means that insurers must assimilate expanding possibilities into risk management processes including Probable Maximum Loss (“PML”), risk aggregations and risk appetites. At the core of the silent cyber hurdle is: Do current risk management systems capture all possible risks today, and will they capture what can happen tomorrow, before a “Cyber Andrew” hits?

This challenge, if the PRA is to be believed, is currently not being met. As the conversations continue to escalate to the C-suite, risk managers need access to a team with specialized skill sets to better understand and calculate the impact of new technology into their enterprise risk management plans. At the same time, this added focus on technology will continue to expand reporting requirements. Providing detailed yet clear reporting to the board that highlights the full impact of current technologies on the comprehensive insurance portfolio will be a minimum standard.

As technology continues to advance, insurers’ risk management tools and resources must evolve. Each organization will face its own distinct hurdles based on individual characteristics of its insurance portfolio, and its solution should be just as individualized. There will not be one magic bullet that ends cyber risk. The keys to meeting this challenge will be understanding new and emerging risks and assembling a team of professionals with the prerequisite skills to address the issues.

Cyber Rules May Be Only Weeks Away

Last September, New York’s Department of Financial Services (DFS) took a major step forward in its efforts to improve the cybersecurity posture of financial institutions (including banks and insurance companies) by proposing the first-in-country cybersecurity regulations. By any measure, the proposed regulations are comprehensive and demanding, and admittedly are intended by DFS to be “groundbreaking.” The proposal contains a number of prescriptive requirements that are substantially more rigorous than current best practices and would require major operational changes for many organizations.

Key Components  

The regulations would require entities to fulfill a variety of requirements, including the establishment of a cybersecurity program, and the adoption of a cybersecurity policy, which must be approved by the board or by a senior officer, and which encompasses key risk areas including information security, access controls, business continuity, data privacy, vendor management and incident response.

The proposal would also require covered entities to designate a chief information security officer (CISO), who will be responsible for implementing, overseeing and enforcing the cybersecurity program and policy. The CISO would need to develop a report, at least bi-annually, that addresses a prescribed list of issues. The report would then be presented directly to the company’s board. The board chair or a senior officer would be required to submit an annual certification of compliance with the regulations, which might expose the individual to liability if the entity is, in fact, noncompliant.

In addition, the proposed regulations broadly define a “cybersecurity event” as “any act or attempt, successful or unsuccessful, to gain unauthorized access to, disrupt or misuse an information system or information stored on such information system.” The covered entity would be required to notify the superintendent of financial services within 72 hours of any such event if it “has the reasonable likelihood of materially affecting the normal operation of the covered entity or that affects nonpublic information.” This raises the question of how an unsuccessful attack could ever have a reasonable likelihood of materially affecting operations or protected information. But a fair reading of the reporting mandate in light of the definition would not appear to allow for blanket disregard of failed attacks, even though major financial institutions thwart countless potentially devastating attacks on a daily basis. If this proposed requirement becomes part of the final regulation, the burden on covered entities and the DFS itself may be quite substantial.

Covered entities also would need to encrypt nonpublic information in transit and at rest. Although compensating controls approved by the CISO can be used if encryption is not currently feasible, the regulations would impose deadlines of January 2018 and January 2022 for encryption of data in transit and at rest, respectively. Encryption of at-rest data is likely to be one of the most challenging DFS requirements.

The proposed regulations contain many additional requirements, including:

  • Implement a fully documented incident response plan;
  • Maintain audit logs on system changes for six years;
  • Annually review and approve all policies and procedures;
  • Dispose of, in a timely manner, sensitive information that is not needed to provide services;
  • Use multi-factor authentication for privileged access to database servers that allow access to nonpublic information;
  • Adopt policies, procedures and controls to monitor authorized users and detect unauthorized access; and
  • Institute mandatory cybersecurity awareness training for all personnel.

DFS is currently reviewing comments received from the public, but it is not known if the proposed requirements will change in any material way when they go into effect on the anticipated date of Jan. 1, 2017. Covered entities would then have only 180 days to comply with many requirements.

Concluding Thoughts 

Although large financial institutions may already have implemented a number of the mandates proposed by DFS, compliance still may be problematic for them because of the prescriptive nature of many of the components of the proposed regulations. And less mature entities would be well served to immediately focus on getting into compliance with the most basic requirements, given their virtually inevitable inclusion in the final regulations and the short deadline for compliance.

How Good Is Your Cybersecurity?

The country was rocked recently when three major enterprises, including the New York Stock Exchange, encountered cyber “glitches” that were serious enough to take them offline, leading to speculation that perhaps there was something more sinister at play. While contemplating the situation in real time, many enterprises undoubtedly engaged in a quick self-assessment of their own cybersecurity defenses and readiness and heaved a sigh of relief when the disruptions were reported to be resolved, unrelated and not caused by malicious outsiders.

But what if it had been different? How well would your company fare in the face of an attempted or successful cyber attack?

Recent events should serve as a wake-up call for all enterprises to shore up their defenses and formulate their game plan in the event of a cybersecurity incident.

Here are four key factors to consider:

1. Have you conducted a risk-based security assessment? The assessment, among other things, should determine if you’ve already been hacked, test your perimeter and scan for internal and external vulnerabilities.

2. Have you established and implemented effective employee training and awareness policies and programs? Studies repeatedly show that employees are at the heart of most security incidents. Employees should be educated about the crucial role they play in securing enterprise data, and they should be trained to recognize and avoid security threats.

3. Have you assembled an incident response team? No entity should put itself in the position of wondering what to do and who to call when it suffers a cybersecurity incident. Entities should build their incident response team and practice their response to various security incident scenarios before an incident ever happens. Companies that do this are in a better position to respond when an event occurs, thereby minimizing the financial, legal and reputational fallout of a cybersecurity incident.

4. Have you purchased insurance to cover cyber incidents? Enterprises routinely purchase insurance to transfer the risk of potential liabilities they might encounter in the course of their business operations. Cyber liabilities should be treated the same way. Cyber insurance can provide much needed financial and tactical support in the event of a cyber incident.

Takeaway

Thoughtful focus on these four steps can help companies protect against and mitigate the effects of a cybersecurity incident. As recent events have demonstrated, the risks are real, and they show no signs of abating.

Checklist to Mitigate ‘Big Data’ Risks

The last few years have witnessed truly astounding developments in the area of information management. We’ve become masters at creating, storing, analyzing and uncovering the hidden value of massive volumes of information.

It seems that, every day, we’re hearing about how all this big data has been used for amazing purposes, such as to improve customer service, uncover fraud, develop pharmaceutical products, predict diseases, improve airline travel and so on.

Unfortunately, it also seems that, every day, we’re hearing about how big data is causing big headaches arising out of improper management and security breaches.

Recent headlines about cyber incidents have forced companies to analyze their risk of incurring information-related liability and to take steps to mitigate those risks. Concern over these issues, however, shouldn’t stop with the IT department or even the C-suite. As Target and other companies have recently experienced, legal claims related to data-related events are now being asserted against corporate boards in the form of shareholder derivative actions.

Although the legal liability of board members for information-related mishaps is an emerging area of the law, longstanding principles make clear that board members have a fiduciary duty to act on an informed basis, in good faith, for the best interests of the company. The emerging area of information governance, including privacy and data security, is no exception to this rule.

Checklist of Issues to Consider

Every organization is different and presents its own unique information risk profile. Corporate boards should be informed of and take steps to address the potential sources of information risk applicable to their specific organization. Those areas may include the following:

  • What types of information is the entity managing, and does it include sensitive data such as health information, credit card data or intellectual property?
  • How is enterprise data being managed throughout its entire life cycle, from creation or collection through final disposition or destruction?
  • Are policies and procedures in place to ensure that information with no business value or compliance/legal restrictions is destroyed in a legally defensible manner?
  • Have policies been implemented relating to the company’s use of information, including privacy concerns and social media usage?
  • Are there policies in place to manage IT assets, including mixed-use devices (those used for both personal and business purposes), while at use and at the time of disposition?
  • Have reasonable data and network security policies, protocols and procedures been created, and are they regularly updated?
  • Are all information-related policies actually in effect, enforced and updated, or are they just sitting on a shelf?
  • If the company engages in big data projects, is the collection, storage, use and resale of data consistent with customer consents, applicable laws and regulations?
  • Is there effective vetting and management of third parties that handle the company’s data or have access to the company’s computer network?
  • Does the enterprise have up-to-date plans to address information-related incidents, such as a data breach, and are those plans vetted and practiced, before a breach ever happens?

Take-Away Message

Responsibility for the management of enterprise information and mitigation of information-related liability has now reached the board level of many corporations. Active oversight by engaged and informed board members can reduce those risks to the corporation as well as to the members of the corporate board themselves.