
Insurtechs Mitigate Intel Cyber Scare

With Meltdown and Spectre very much in the news, raising the possibility of major data breaches, here are answers to some common questions about the flaws that can be exploited, about what the vulnerabilities are and about how insurers can use insurtechs to protect themselves.

Meltdown and Spectre relate to a 20-year-old design flaw in Intel microprocessors, the sorts of chips that function as the brains for laptops, mobile phones and just about every other electronics product these days. It’s now clear that other microprocessors likely have similar flaws, but the Intel flaw has drawn attention both because Intel chips are so widely used and because Meltdown and Spectre have shown exactly how the Intel issue can be exploited.

The vulnerability has been known for months by Intel and the largest tech companies, but, despite that knowledge and the recent scramble to patch it, there is still much uncertainty about the precise implications.

Who Discovered the Flaw?

An engineer with Project Zero, a team at Google that looks for flaws that cyber criminals can exploit, found the vulnerability in the Intel microprocessors. Jann Horn discovered the problem while developing a processor-specific application that required deep access into the chip hardware.

Since then, several other researchers discovered the flaw from a different angle, while looking at a technique where, to increase efficiency, processor operations are run out of order. Research papers were published in the microprocessor community about this technique and the possible implications. Several groups created simulations and discovered the obscure flaw in the Intel chip. One prominent group of researchers out of Graz University of Technology in Austria reported the flaw to Intel. Intel had already known for seven months at that point, but the discovery was now breaking news and came to light last week.

How Does the Flaw Work?

A computer’s processor executes code out of order to circumvent bottlenecks and speed the work. The CPU doesn’t just read code like a book, from front cover to back cover. The process is more like preparing a complicated recipe, where parts of the process need to be started at different times to keep the work moving smoothly. This technique is referred to as “speculative execution” – the CPU is taking its best guess about what work needs to be started when. Speculative execution has been used for 20 years.

Spectre exploits the technique. Developed by Horn to show the Intel flaw, Spectre intervenes in the speculative execution to have an application store sensitive or private data in the processor’s cache – the memory that is built into the processor itself. (As fast as the speed of light is, a processor simply takes too long if it has to grab all its information from separate memory chips, even inches away, rather than from elsewhere on the processor chip.) Spectre has the private data stored in particular places in the cache where an attacker can retrieve it later. Data can be accessible within several nanoseconds (billionths of a second).

Meltdown is the process of retrieving the sensitive data. Meltdown uses incredibly precise timing – remember, we’re operating in billionths of a second here – to grab the sensitive data. Meltdown does so in between the processor’s reads and writes – in other words, between the times the processor is reading data from cache and the times it is writing, or storing, data in cache. The operating system kernel provides the clock that allows events to be coordinated with such precision.


The particularly alarming aspect of this vulnerability is that it can be exploited from front-end JavaScript code, which is used just about everywhere. This means that browsing web pages is one of the attack vectors that could be used to extract otherwise-secret data from your session.

What Is Being Done?

Spectre and Meltdown work hand in hand, so browser companies have removed application access to interfaces that measure precise timing intervals. Firefox has published steps to limit and remove access to the timing function.

However, removing access is only a temporary fix. The underlying flaw still exists. A fundamental change in chip design is required for a truly secure solution.
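
The browser-side mitigation described above, modeled as an added example (not code from the article or from any browser vendor): it shows why a timer that only reports coarse ticks cannot resolve a nanosecond-scale difference between two operations. The 40 ns and 200 ns costs and the step sizes passed in are assumed illustrative values, and the simulated clock is constructed.

```javascript
// Added example: a model of timer coarsening. All durations are integer
// nanoseconds so the arithmetic is exact. Values below are assumptions.
const FAST_NS = 40;   // assumed cost of a cached access
const SLOW_NS = 200;  // assumed cost of an uncached access

// Constructed, deterministic clock that stands in for the hardware time source.
function makeSimClock() {
  let t = 0;
  return { now: () => t, advance: (ns) => { t += ns; } };
}

// Mitigation model: scripts only see the time rounded down to stepNs.
function coarsen(clock, stepNs) {
  return { now: () => Math.floor(clock.now() / stepNs) * stepNs };
}

// Smallest non-zero change a script can observe while time advances by tickNs.
function observedGranularity(stepNs, tickNs, reads) {
  const sim = makeSimClock();
  const view = coarsen(sim, stepNs);
  let min = Infinity, prev = view.now();
  for (let i = 0; i < reads; i++) {
    sim.advance(tickNs);
    const cur = view.now();
    if (cur !== prev) { min = Math.min(min, cur - prev); prev = cur; }
  }
  return min;
}

// Time two simulated operations as a script would, through the coarsened view.
function distinguishable(stepNs) {
  const timeOp = (durationNs) => {
    const sim = makeSimClock();
    const view = coarsen(sim, stepNs);
    const start = view.now();
    sim.advance(durationNs);
    return view.now() - start;
  };
  const fast = timeOp(FAST_NS), slow = timeOp(SLOW_NS);
  return { fast, slow, distinguishable: fast !== slow };
}

// Defender check: smallest step the current runtime's performance.now() shows (ms).
function probeRuntimeTimerMs(changes = 50) {
  let min = Infinity, prev = performance.now(), seen = 0;
  for (let i = 0; i < 5e6 && seen < changes; i++) {
    const cur = performance.now();
    if (cur > prev) { min = Math.min(min, cur - prev); prev = cur; seen++; }
  }
  return min;
}
```

Running `probeRuntimeTimerMs()` in a browser console reports the granularity that browser currently exposes to page scripts, which is a quick way to confirm a timer-coarsening update has been applied.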

Companies like Amazon, Google and Microsoft have recently been rebooting so-called virtual machines (VMs) to clear the cache. VMs act like separate pieces of equipment as far as customers are concerned but, in fact, share hardware with other customers. (Software defines the boundaries of the “machine” within the physical piece of equipment. VMs make data centers far more efficient: Machines no longer sit idle simply because a particular customer doesn’t have work to do at that moment; someone else grabs the CPU time.) Sharing of physical hardware between customers could mean that your secret data was left in the processor cache, to be extracted through this process of speculative execution and precise timing from another company’s front-end apps. After all, you’re sharing the same physical processor.

Who Does It Affect?

The chip vulnerability affects all modern microprocessors, including those in desktops, laptops, mobile phones and IoT devices. Speculative execution is a technique used throughout the chip industry. Besides Intel, other chip manufacturers like AMD and Arm Holdings are implementing similar patches that are also focused on limiting access to cache timing.

How Does the Insurance Industry Respond?

Despite the panic, the insurance industry should stay the course. Providers of insurance services should follow the same cyber security methodologies in times of uncertain vulnerabilities as they do in times of certain vulnerabilities.

First, implement all security patches and updates for all hardware in your organization. This should be done with caution because logic in the patches could significantly slow hardware.

Second, rely on the products and services of leading cyber security insurtechs. According to ITL’s Innovator’s Edge, there are 250 cyber security insurtechs globally, and many are making good progress. The insurtechs fall into three main categories:

Threat Prevention

Threat prevention, as the name implies, stops an attack before it occurs. This typically includes services like penetration testing, simulated attacks and system hardening. 30% of the cyber security insurtechs in Innovator’s Edge are assisting insurance providers with these activities.

RiskIQ, for example, uses big data, analytics and simulations. The company’s RiskIQ Digital Footprint maps all your IT assets and determines if they are hardened from a security standpoint.

Threat Detection

Threat detection is the process of being alerted when a breach does occur. Detection is most often made possible by security monitoring. Monitoring varies from conventional network monitoring to sophisticated machine-learning-based monitoring. 42% of cyber security insurtechs tracked by Innovator’s Edge mitigate cyber risk through threat detection.

For instance, TesseractGlobal’s Peerlox EDR focuses on detecting targeted cyber attacks through machine learning. The strategy for leveraging artificial intelligence and data analytics is an ideal second line of defense for an organization.


Threat Management

Threat management most often relies on consulting. Threat management is applied when a breach occurs, there is damage done, and there is a mess to clean up. As you can imagine, this is highly specialized work. According to Innovator’s Edge, 14% of the cyber insurtechs have these capabilities.

SeraBrynn, for one, assists insurance providers after they have become the victims of a breach. The team consists of industry leaders in cyber security who have assisted the NSA.

The combination of the strategies that insurtechs offer can help minimize the reverberations created by something like Spectre and Meltdown. The capabilities are a hedge against the negligence of the technology industry, whose insatiable pursuit of Moore’s law has come at the expense of security. Luckily for the insurance industry, there is an insurtech for that.

Cyber: The Spectre of Uninsurable Risk?

It’s been an awfully eventful start to the New Year. In case you’ve missed the news, two major security flaws have been discovered in the processors that power nearly all of the world’s computers. The two techniques discovered to exploit these flaws, nicknamed Meltdown and Spectre, could allow hackers to steal data and secrets from any vulnerable computer, including mobile devices. Because the flaws are with the computer processor itself, any software platform running on top of an affected processor is potentially vulnerable.

If by this point you’ve tired of hearing about technology vulnerabilities, this one is different (but also mostly the same, as I’ll get to a bit later). For one, this isn’t a software bug like you might find in your operating system or browser. Nor is it a physical defect in the processor itself. Meltdown and Spectre aren’t really “bugs” at all. Instead, they represent methods to take advantage of the normal ways that many processors work for the purpose of extracting secrets and data. More important, though, is the magnitude of the impact. By comparison, the WannaCry and NotPetya ransomware attacks wreaked global havoc exploiting vulnerabilities that are believed to have affected ~400,000 computers versus the estimated 2 billion computers susceptible to Meltdown and Spectre.


These events could hardly come at a more interesting time for the cyber insurance industry. Only a few days prior, in an interview with the Financial Times, Christian Mumenthaler, CEO of Swiss Re, one of the world’s largest reinsurers, wisely questioned the very insurability of cyber risk due to the possibility for accumulation risk—the possibility that a cyber event could hit many insurance policyholders at the same time, by the same attack, resulting in huge potential claims payouts.

Sound familiar?

Cut the FUD

As we’ve discussed before, we now live at a time where a cyber attack, technology failure or human error can cause everything from data theft to supply chain disruptions, hospital shutdowns, hotel room lockouts, blackouts and even nuclear centrifuge explosions—literally the entire spectrum of known risk. That these events could even theoretically occur on a massive scale, and all at once, is certainly cause for alarm—it would indeed pose a serious accumulation risk and eliminate one of the core pillars of insurability.

However, it would be mistaken to assume that such a scenario, as in the case of Meltdown and Spectre, is anything more than FUD (fear, uncertainty and doubt). This is hardly to say that the discovery of these security flaws is much ado about nothing. On the contrary, they pose a very real threat and may well open the door to serious cyber attacks. However, as with the headline-grabbing ransomware attacks of 2017, there are many reasons to believe that subsequent losses will be relatively contained.

Hierarchy of Cyber Security

To understand why, it’s helpful to understand the hierarchy of cyber security. At the base are vulnerabilities in all their forms (software, humans, even processor architectures). That the base is bounded is misleading because, in reality, there are an infinite number of vulnerabilities that can and will exist. However, vulnerabilities only matter if they pose a threat to an organization. This combination of threat and vulnerability is generally the risk an organization faces. Even then, threats don’t matter unless someone proceeds to attack you. And that someone at the top of the pyramid is, 10 out of 10 times, a human actor. Why does this matter?

It matters because cyber attacks are really just forms of cybercrime, which itself is merely a form of crime—it is the people, not the form, that matter. There are costs for criminals to launch attacks, and not just the risk of being caught (which for the moment is abysmally low). Criminals require time, infrastructure and money to fund their enterprises, enumerate targets and move through the kill chain toward the realization of their desired outcomes. All the while they must also factor in the uncertainty of achieving the outcome.

Exploits for security flaws can accomplish many things, but few produce cash.

Every step in this chain takes effort. Although cyber criminals are becoming more numerous and sophisticated, they are still limited in how much damage they can cause and profit they can reap. As a result, even though an entire population may be vulnerable, the economically optimal strategy for an attacker is nonetheless to focus on a relatively small set of victims.

Cyber insurance is dead. Long live cyber insurance!

Although there is little doubt that certain accumulation scenarios exist, limiting the insurability of certain cyber risk exposures, this is not one of them. Absent an expertise in hacking and cybercrime—and the economics thereof—it is no surprise that many insurers offering cyber insurance struggle to understand, much less manage, accumulation risk. It’s high time they woke up.


Insurers must come to realize the role that insurance plays in protecting companies from all forms of risk that accompany the digitization of everything. It also means thinking about cyber insurance as more than just coverage for data breach and response. The most recent devastating attacks have resulted in business and supply chain interruption, and even physical property damage. It is hardly a stretch to imagine exposure to nearly every other form of known risk, including bodily injury or even pollution. Of course, with new exposures come new challenges in underwriting and management of accumulation.

Overcoming these challenges won’t be easy. It will mean using data in an entirely novel way to not only assess the risk of an individual policyholder, but an entire population of policyholders, and doing so on a continuous basis. It will also mean measuring diversity, and particularly technological diversity, to manage accumulation in novel ways. How many insurers today know which cloud service provider their clients use, much less which versions of software they are running? Or whether their clients’ passwords have been compromised in a third-party data breach? If you don’t know these answers, you’re in trouble. Gone are the days when accumulation will be managed by geography, industry and revenue size. Are we up to the challenge?

Long live cyber insurance.