Tag Archives: pascal millaire

10 Cyber Security Predictions for 2017

Each year, the cyber security industry faces new types of threats as cybercriminals evolve their approach toward accessing organizations’ data. For 2017, the security experts at Symantec have taken a close look at the trends we can expect to see this year and in the years ahead. Given the consistently changing security landscape, it’s important to take a moment and determine where the security industry needs to focus attention.

We’ll continue to see a shift toward the modern workplace as businesses allow employees to introduce new technologies such as wearables, virtual reality and IoT-connected devices onto the network while supporting a rapidly dispersed workforce made possible by cloud applications and solutions. Enterprises will need to shift their focus from safeguarding endpoint devices toward protecting users and information across all applications and services.

Here’s a list of cyber security threats in 2017 as predicted by the Symantec cyber security team.

1. Connected cars will be taken for ransom

As cars start to have connected capabilities, it is only a matter of time until we see an automobile hack on a large scale. This could include cars being held for ransom, self-driving cars being hacked to obtain their location for hijacking, unauthorized surveillance and intelligence gathering, or other automobile-focused threats. This will also lead to a question of liability between the software vendor and automobile manufacturer, which will have long-term implications on the future of connected cars.

See also: Best Practices in Cyber Security  

2. IoT devices will increasingly penetrate the enterprise

Beyond looking simply at computers and mobile devices for vulnerabilities, incident response teams will need to consider thermostats and other connected devices as jumping points into the network. Similar to how printer servers were used for attacks several years ago, nearly everything in an enterprise is now connected to the internet and will need to be protected.

3. Increased IoT DDoS attacks

The Dyn attack in October demonstrated the vast number of IoT devices that don’t have security on them and are tremendously vulnerable to attacks. As more IoT devices are installed in the mass market, the risk of security breach will increase. Once insecure devices are in the market, it becomes almost impossible to fix the issue without recalling them or issuing security updates. Given that this lack of security will continue for the foreseeable future, the number of IoT attacks will only increase as well.

4. Ransomware will attack the cloud

Given the significant shift towards cloud-based storage and services, the cloud is becoming a very lucrative target for attacks. The cloud is not protected by firewalls or more traditional security measures, so there will be a shift in where enterprises need to defend their data. Cloud attacks could result in multi-million dollar damages and loss of critical data, so the need to defend it will become even more crucial.

5. Threats from AI will only continue to grow

In 2017, artificial intelligence or AI will only continue to grow – Forrester predicts investment in Artificial Intelligence will grow 300 percent next year alone. With this growth comes new, powerful insights for businesses to tap, and an increased collaboration between humans and machines. From a security standpoint, this expansion will impact organizations in more ways than one – including endpoints and mechanisms in the cloud.

6. Machine Learning to cause widespread threats

As new forms of machine learning and AI continue to enter the market, enterprises will need to invest in solutions that have the capabilities to collect and analyze data from the countless endpoints and attack sensors across different organizations, industries and geographies. These solutions will prove to be instrumental in teaching machines how to operate on the front lines of a global battle that changes every day, minute by minute.

7. Rogue nation states will finance themselves by stealing money

There is a dangerous possibility that rogue nation states could align with organized crime for their personal gain, such as what we saw in the SWIFT attacks. This could result in down time for countries’ political, military or financial systems.

8. Fileless malware will increase. Fileless infections – those written directly onto a computer’s RAM without using files of any kind – are difficult to detect and often elude intrusion prevention and antivirus programs. This type of attack increased throughout 2016 and will continue to gain prominence in 2017, most likely through PowerShell attacks.

9. SSL abuse will lead to increased phishing sites using HTTPS

The rise in popularity of free Secure Sockets Layer or SSL certifications paired with Google’s recent initiative to label HTTP-only sites as unsafe will weaken security standards, driving potential spear-phishing or malware programs due to malicious search engine optimization practices.

See also: Paradigm Shift on Cyber Security  

10. Drones will be used for espionage and explosive attacks

This could be seen in 2017, but is more likely to occur further down the road. By 2025, we can expect to see “dronejacking,” which will intercept drone signals and redirect drones for the attacker’s benefit. Given this possibility, we can also expect to see anti-drone hacking technology being developed to control these devices’ GPS and other important systems.

You can find the original article here.

3 Reasons Insurance Is Changed Forever

We are entering a new era for global insurers, one where business interruption claims are no longer confined to a limited geography but can simultaneously have an impact on seemingly disconnected insureds globally. This creates new forms of systemic risks that could threaten the solvency of major insurers if they do not understand the silent and affirmative cyber risks inherent in their portfolios.

On Friday, Oct. 21, a distributed denial of service attack (DDoS) rendered a large number of the world’s most popular websites — including Twitter, Amazon, Netflix and GitHub — inaccessible to many users. The internet outage conscripted vulnerable Internet of Things (IoT) devices such as routers, DVRs and CCTV cameras to overwhelm DNS provider Dyn, effectively hampering internet users’ ability to access websites across Europe and North America. The attack was carried out using an IoT botnet called Mirai, which works by continuously scanning for IoT devices with factory default user names and passwords.

The Dyn attack highlights three fundamental developments that have changed the nature of aggregated business interruption for the commercial insurance industry:

1. The proliferation of systemically important vendors

The emergence of systemically important vendors can cause simultaneous business interruption to large portions of the global economy.

The insurance industry is aware about the potential aggregation risk in cloud computing services, such as Amazon Web Services (AWS) and Microsoft Azure. Cloud computing providers create potential for aggregation risk; however, given the layers of security, redundancy and the 38 global availability zones built into AWS, it is not necessarily the easiest target for adversaries to cause a catastrophic event for insurers.

See also: Who Will Make the IoT Safe?

There are potentially several hundred systemically important vendors that could be susceptible to concurrent and substantial business interruption. This includes at least eight DNS providers that service over 50,000 websites — and some of these vendors may not have the kind of security that exists within providers like AWS.

2. Insecurity in the Internet of Things (IoT) built into all aspects of the global economy

The emergence of IoT with applications as diverse as consumer devices, manufacturing sensors, health monitoring and connected vehicles is another key development. Estimates state that anywhere from 20 to 200 billion everyday objects will be connected to the internet by 2020. Security is often not being built into the design of these products with the rush to get them to market.

Symantec’s research on IoT security has shown the state of IoT security is poor:

  • 19% of all tested mobile apps used to control IoT devices did not use Secure Socket Layer (SSL) connections to the cloud.
  • 40% of tested devices allowed unauthorized access to back-end systems.
  • 50% of tested devices did not provide encrypted firmware updates — if updates were provided at all.
  • IoT devices usually had weak password hygiene, including factory default passwords; for example, adversaries use default credentials for the Raspberry Pi devices to compromise devices.

The Dyn attack compromised less than 1% of IoT devices. By some accounts, millions of vulnerable IoT devices were used in a market with approximately 10 billion devices. XiongMai Technologies, the Chinese electronics firm behind many of the webcams compromised in the attack, has issued a recall for many of its devices.

Outages like these are just the beginning.

Shankar Somasundaram, senior director, Internet of Things at Symantec, expects more of these attacks in the near future.

3. Catastrophic losses because of cyber risks are not independent, unlike natural catastrophes 

A core tenant of natural catastrophe modeling is that the aggregation events are largely independent. An earthquake in Japan does not increase the likelihood of an earthquake in California.

In the cyber world consisting of active adversaries, this does not hold true for two reasons (which require an understanding of threat actors).

First, an attack on an organization like Dyn will often lead to copycat attacks from disparate non-state groups. Symantec maintains a network of honeypots, which collects IoT malware samples. A distribution of attacks is below:

  • 34% from China
  • 26% from the U.S.
  • 9% from Russia
  • 6% from Germany
  • 5% from the Netherland
  • 5% from the Ukraine
  • Long tail of adversaries from Vietnam, the UK, France and South Korea

Groups such as New World Hacking often replicate attacks. Understanding where they are targeting their time and attention and whether there are attempts to replicate attacks is important for an insurer to respond to a one-off event.

See also: Why More Attacks Via IoT Are Inevitable  

A key aspect to consider in cyber modeling is intelligence about state-based threat actors. It is important to understand both the capabilities and the motivations of threat actors when assessing the frequency of catastrophic scenarios. Scenarios where we see a greater propensity for catastrophic cyber attacks are also scenarios where those state actors are likely attempting multiple attacks. Although insurers may wish to seek refuge in the act of war definitions that exist in other insurance lines, cyber attack attribution to state-based actors is difficult — and, in some cases, not possible.

What does this mean for global insurers?

The Dyn attack illustrates that insurers need to pursue new approaches to understanding and modeling cyber risk. Recommendations for insurers are below:

  1. Recognize that cyber as a peril expands far beyond cyber data and liability from a data breach and could be embedded in almost all major commercial insurance lines.
  2. Develop and hire cyber security expertise internally — especially in the group risk function — to understand the implications of cyber perils across all lines.
  3. Understand whether basic IoT security hygiene is being undertaken when underwriting companies using IoT devices.
  4. Partner with institutions that can provide a multi-disciplinary approach to modeling cyber security for insurers, including:
  • Hard data (for example, attack trends across the kill chain by industry);
  • Intelligence (such as active adversary monitoring); and
  • Expertise (in new IoT technologies and key points of failure).

Symantec is partnering globally with leading insurers to develop probabilistic, scenario-based modeling to help understand cyber risks inherent in standalone cyber policies, as well as cyber as a peril across all lines of insurance. The Internet of Things opens up tremendous new opportunities for consumers and businesses, but understanding the financial risks inherent in this development will require deep collaboration between the cyber security and cyber insurance industries.

7 Predictions for IoT Impact on Insurance

We are at an inflection point. The internet is going from controlling information to controlling physical things, which has profound implications for both the global economy and the future of insurance. In this post, I will provide seven predictions for how the Internet of Things (IoT) will change the insurance industry, although ultimately these predictions only scratch the surface as there are few lines of insurance that won’t be affected by cyber risk in the next five to 10 years.

Background on Internet of Things (IoT)

It is estimated that there will be as many as 200 billion everyday objects connected to the internet by 2020. Applications for the IoT are as diverse as consumer devices, manufacturing sensors, health monitoring, connected vehicles, office automation and all the way to fully “smart cities.” The emergence of IoT technologies is a tremendous development that spans all aspects of human existence and could unlock as much as $11 trillion per year in value to the global economy by 2025, according to the McKinsey Global Institute.

See also: Insurance and the Internet of Things  

What these numbers don’t show, however, is the tremendous physical and financial risks associated with the emergence of having everyday objects connected to the internet. According to the 2016 Symantec Internet Security Threat Report (ISTR), hundreds of millions of internet-connected TVs are vulnerable to click fraud, botnets, data theft and even ransomware, and these numbers are growing rapidly. Cyber attacks on internet-connected devices create systemic risks and the potential for hundreds of billions of dollars in losses. When physical devices can be hacked (and potentially hacked en masse), the potential for major business interruption, physical damage and even loss of life becomes very real.

This isn’t to say we should not pursue IoT technologies. In fact, in many ways, IoT will make society safer, as well as more efficient and convenient. Every year, 1.2 million people die in automobile accidents, and around 90% of those accidents are attributable to driver error, which will decline as more internet-connected vehicles incorporate advanced safety features. However, as internet-connected devices become pervasive in all aspects of our lives, the nature of risks facing consumers and businesses will be fundamentally different.

While the future is uncertain, especially as it pertains to technology, here are seven predictions on how IoT could affect insurers.

  1. Continued Growth of Affirmative Cyber Insurance Policies:
    According to Lloyd’s of London, cyber attacks cost businesses $400 billion in losses per year, and, by some estimates, cyber crime costs the global economy trillions of dollars per year. The current cyber insurance market, which is focused on data protection, is around $2.7 billion globally. The market has doubled over the past 24 to 36 months, and growth shows no signs of abating. Growth of affirmative cyber insurance data and liability policies, primarily covering costs associated with data breaches, is just a tip of the “IoT iceberg,” as cyber becomes an even more important insurable risk.
  2. Some Core Insurance Lines Will Decline: IoT will change the nature of the risks that consumers and businesses face. For example, according to AT Kearney, features such as advanced driver-assisted systems (ADAS), semi-autonomous vehicles and tracking of stolen vehicles will be deployed in half of the cars on the road by 2025. By some estimates, the global auto insurance market will shrink by 60% or more, where there is a reduction in driver error and a resulting decline in the insurance needed for this risk. As key insurable losses become preventable by IoT, core insurance lines will decline.
  3. IoT Aggregation Risk Starts Pervading a Diverse Set of Insurance Lines: IoT can turn large-scale hacks into global cyber catastrophes. Already, there have been successful hacks on industrial control systems that have led to major physical damage in heavy industries. Fortunately, these incidents have been isolated to “one-off” occurrences, but with key industrial control systems, logistics tracking systems and building automation systems crossing tens of thousands of businesses, the potential for major cross-cutting cyber events is increasing. IoT aggregation risk occurs in insurance lines where it wasn’t previously observed, accounted for or priced into the cost of an insurance policy.
  4. Cyber Peril Exclusions Grow in Commercial Policies: In the years to come, we will see highly public “forcing events” related to cyber attacks on IoT devices. Unfortunately, it is not a matter of if but when we see major IoT cyber hacks. When these events happen, insurers will likely respond by writing in more explicit exclusions for cyber perils in insurance lines such as product liability, property, E&O and other policies. In many cases, insurers are focused on the aggregation risks that exist within their affirmative cyber data and liability policies, when the reality is there is tremendous silent coverage in the rest of an insurer’s portfolio today.
  5. “Cyber Gap” Insurance Policies Emerge: There will be an expanding list of critical cyber perils that won’t be covered under a standard insurance policy. Specialty cyber insurance policies and endorsements will surface to fill in the need for IoT cyber risk coverage. McKinsey estimates that as much as $3.7 trillion in value could be unlocked in factories alone from IoT. Too much value is at stake for clients not to seek coverage from insurers, and the market demand is too large for insurers not to provide this cover, although it will take deep cyber expertise to understand these novel risks.
  6. New Cyber Risk Capital Market Offerings Emerge: Currently, the global insurance market has $4 billion to $5 billion in capacity for nuclear risks and $100 billiion for natural catastrophes. Fixing the Y2K bug alone is estimated to have cost $100 billion, and the costs associated with remediating IoT security deficiencies could be very high, particularly when IoT components do not always have a means for remote firmware updates. Given that cyber events represent hundreds of billions of dollars (or more) of potential liability, which have low correlation with other events, there is a role for capital markets providers to step in to help transfer risk. Given initial explorations already happening today, London could emerge as a major market for insurance-linked securities tied back to cyber risk.
  7. Insurers Will Help Drive IoT Security: Consumers aren’t necessarily buying technology products with IoT risk in mind; regulators are struggling to keep up; and in a race to get new products to market, technology companies are often launching products without adequate cyber security in mind. Symantec’s research has shown that 19% of mobile apps used to control IoT devices don’t use SSL connections to the cloud and more than 50% didn’t provide a mechanism for firmware updates, or, if they did, those updates were not encrypted. Given that insurers are taking on the financial risk associated with IoT going wrong, insurers have an important role to play in making sure that the basics are done right for the risks they underwrite.

The emergence of IoT is a tremendous technological development that will create wide-ranging benefits for governments, businesses and consumers. However, it will also propel cyber risk into the limelight as the most important risk of the 21st Century.

See also: Prospects for Insurers as a Global Industry  

As an industry that transfers and mutualizes risk, insurers face far-reaching implications, and there will be both winners and losers. Those that win will have a deep understanding of the evolving nature of cyber risk, leveraging cyber data, intelligence and expertise. Companies like Symantec will have an important role to play in helping to understand evolving threats, which is why we have set up a dedicated Cyber Insurance Group to support our insurer partners.

It is hard to predict the future of technology and the risks that new technology will create with any degree of certainty. What is certain is that where there is risk, there is an opportunity for insurers to provide risk-transfer solutions through insurance products. Just as there is innovation in technology, there will be innovation in insurance as both industries come together to unlock the potential of the Internet of Things.