Tag Archives: ransomware

What if You Had a Cyber Risk Score?

There have been three major global cyberattacks in the last six months. These attacks have caused extensive system damage and monetary loss. Some companies affected remain crippled weeks or months after the attack. Will this rate of “one every other month” continue? Nobody knows, of course. But, as a recent Wall Street Journal op-ed suggests, ransomware will remain the dominant attack method of choice, and the problem “isn’t going anywhere.” The article claims that “cybercriminals launch hundreds of millions of attacks daily across the globe, and recent studies have found that as many as 60% involve ransomware.” Why? Because they are easy, and they work.

Without a robustly secured network, it is impossible for most entities to withstand a targeted or random cyberattack. So most companies, big or small, generally enlist the help of third-party vendors, which sell a multitude of software products, modules or platforms to keep cybercriminals from exploiting vulnerabilities. But, because nothing is fail-safe, companies must still consider buying insurance to protect against the staggering potential loss that a global cyberattack can cause.

See also: Why Buy Cyber and Privacy Liability. . .  

Cyber is no different from other risks that an organization could be exposed to (e.g., fire, burglary, flooding, power failure, strikes and liability issues). Businesses have to consider insurance against cyber-attacks and the related financial consequences. This kind of insurance policy is known as Cyber Liability Insurance Coverage, or CLIC. With the annual cost of cybercrime to the global economy estimated at between $375 billion and $575 billion in 2014 alone, and the average cost of a corporate data breach at more than $3 million per incident, it is understandable why cyber insurance is catching on.

Still, there seems to be a lot of room for error, rounding or otherwise, in a market where U.S. insurers wrote approximately $1.3 billion in cyber coverage last year. This is expected to reach $14 billion by 2022. Industry data shows insurance premiums could range from $800 to $1,200 for SMEs/SMBs with revenues of $100,000 to $500,000 (on the low end) to more than $100,000 for SMEs/SMBs with revenues in the millions. Allianz SE, the largest insurer in the world, expects these premiums to skyrocket by 2025. Furthermore, the Insurance Information Institute estimates that the third-largest risk for companies worldwide is cybercrime, not least due to cyber attacks such as WannaCry and Petya/NotPetya.

As it stands right now, insurance companies have limited resources to address the growing number of CLIC applicants. There are the obvious factors that come into play when calculating an insurance premium: the nature of the business, the vulnerability (attractiveness to cyber crooks) of the data, the size of the company and the amount of revenue, etc. But pinpointing the exact risk is still an evolving practice. Currently, insurers mostly rely on questionnaires or third-party onsite assessments to estimate the cybersecurity posture of applicants, which is time-consuming and expensive. Because this branch of insurance is not mature enough, there is a lack of specialized and qualified personnel who have the experience and expertise to perform cyber risk assessments. In many cases, the onsite assessments are conducted by junior staff members of the insurer and junior security consultants using non-standardized methods.

My guess is that insurance companies still don’t know exactly what they are insuring and what to charge, because there are still inefficiencies in the market. There are conflicting definitions of what exactly makes a system “secure” and what constitutes a threatening vulnerability that must be decided upon. Knowledge still has to be gained to determine how to manage risk. Most insurance companies are large enough to have a staff of security officers and to use third-party vendors to protect themselves from cyber vulnerabilities. But what to do about assessing insurance candidates?

The good news is that there is progress being made where advanced simulation can help assess the various attack vectors that are being used today. The value of such a CLIC assessment would derive from being able to put an aggregate “risk score” on an insurance candidate. The score would be based on known and acceptable risk calculating methods such as NIST, CVSS3 and DREAD. It would be provided to each applicant based on the results from a simulated assessment done on its network, testing all its security controls.

See also: How Data Breaches Affect More Than Cyberliability  

The value from such technology comes from insurers being able to know within a few hours whether they should provide coverage to an applicant based on demonstrated risk, how much coverage to provide without putting the insurer at risk and how much to charge in premiums based on an accepted risk score provided after the assessment. Providing a uniform score for cyber insurance applicants reduces the exposure level for insurers, possibly saving millions of dollars, and could even lead to revenue growth by raising premium prices to match the risk level.

How to Determine Your Cyber Coverage

Public agencies and organizations around the world are making cyber risk their top priority. North American policyholders dominate the market, but Europe and Asia are expected to grow rapidly over the next five years due to new laws and significant increases in targeted attacks, such as ransomware. Various experts predict the $3 billion global cyber insurance market will grow two-, three- or even four-fold by 2020.

Deciding how much cyber insurance to buy is no inconsequential matter, and the responsibility rests squarely with the board of directors (BoD). Directors and executives should have the highest-level view of cyber risk across the organization and are best-positioned to align insurance coverage with business objectives, asset vulnerability, third-party risk exposure and external factors.

See also: New Approach to Cyber Insurance  

So, how much does your organization stand to lose from a supply chain shutdown, a website outage or service downtime?

Recent data points from breach investigations help frame the discussion around risks and associated costs. Following a variety of high-profile breaches helps ensure that your projected coverage requirements match up with reality. Be sure to follow older cases for deeper insight into the full expense compared with insurance payout; related costs and losses are often incurred for years afterward due to customer and market response as well as legal and regulatory enforcement actions.

In 2013, Target suffered a very public breach that resulted in the resignation of the CEO, a 35-year employee. Target had purchased $100 million in cyber insurance, with a $10 million deductible. At last count, Target reported that the breach costs totaled $252 million, with some lawsuits still open.

Home Depot announced in 2014 that between April and September of that year cyber criminals stole an estimated 56 million debit and credit card numbers – the largest such breach to date. The company had procured $105 million in cyber insurance and reported breach-related expenses of $161 million, including a consumer-driven class action settlement of $20 million.

These cases illustrate the need for thoughtful discussion when deciding how much breach insurance to buy. Breach fallout costs depend on multiple factors, are not entirely predictable and can rise quickly due to cascading effects. Cases in point: the bizarre events surrounding Sony’s breach and the post-breach evisceration of Yahoo’s pending deal with Verizon.

Organizations need to review their security posture and threat environment on a regular basis and implement mechanisms for continuous improvement. The technology behind cyber security threats and countermeasures is on a sharp growth curve; targets, motives and schemes shift unpredictably. Directors may find it useful to assess risk levels and projected costs for multiple potential scenarios before cyber insurance amounts are decided upon.

Most policy premiums are currently based on self-assessments. The more accurate the information provided in your application, the better protected the organization will be. Most policies stipulate obligations the insured must meet to qualify for full coverage; be sure to read the fine print and seek expert advice.

A professional security assessment can pinpoint areas in need of improvement. If you claim to be following specific protocols, but a post-breach investigation finds they were poorly implemented, circumvented or insufficiently monitored, the insurer may deny or reduce coverage. Notify your insurance provider immediately about significant changes to your security program.

Review policy details regularly to ensure they match prevailing threats and reflect the evolution of crimeware and dark web exploits. Cyber insurance carriers continually adjust their offerings based on risk exposure and litigation outcomes.

See also: Promise, Pitfalls of Cyber Insurance  

As the industry matures, cyber insurance policies will become more standardized. For now, it’s an evolving product in a dynamic market; boards and executives need to keep an eye on developments. Simultaneously, they must maintain a high degree of visibility across their security program. Checking off compliance requirements, writing policies and purchasing security software isn’t sufficient.

My advice is to lead from the top. Organizations need to ensure risk assessments are thorough and up to date, policies are communicated and enforced, and security technology is properly configured, patched and monitored.

Turning a blind eye to cyber threats and organizational vulnerabilities can have disastrous consequences. Cyber insurance may soften the financial blows, but it only works in conjunction with an enterprise-wide commitment to security fundamentals and risk management.

Healthcare Needs a Data Checkup

As the healthcare industry continues to digitize, data protection technology has not been able to keep pace. Unfortunately for industry participants, healthcare has become a top target for state-sponsored and free-agent hackers.

In fact, a study released by Michigan State University in April 2017 found that healthcare providers reported 1,225 of the total 1,798 data breaches in the U.S. from 2009 to 2016. Why has the healthcare industry become such a target? And what can healthcare providers do to protect their organizations and the thousands of patients they serve?

One primary reason for the target on healthcare’s figurative back is the rapid implementation of electronic health records (EHRs). From 2009 to 2014, adoption of EHRs rose from less than 10% to 97%. This haste to complete implementation has led to a deficiency in data protection and security measures within EHRs. Additionally, with more and more providers leveraging mobile devices and turning to data driven by the Internet of Things, attackers have a plethora of new entry points to access private and sensitive data.

See also: Data Security Critical as IoT Multiplies  

A quick scan of the Identity Theft Center’s 2016 Data Breach Report shows that lost workplace laptops and stolen company-issued cell phones are frequently listed as reasons for a data breach.

Given the growing use of workplace devices in the healthcare industry, as well as the corresponding danger of transmitting information from a central data center to end-user devices and back again, it is crucial that data is protected the moment it is created. Further, healthcare providers must ensure employees are aware that their devices could be compromised when the connection to the data center is lost.

Mobile devices make it harder to protect data

For example, an attacker could access data while employees are traveling between medical centers when the connection is lost and then sell the retrieved information or leverage it for ransom. As such, data should be protected regardless of whether it is at rest or in transit, as well as in connected and disconnected environments.

To protect themselves from vulnerabilities that lead to data breaches, cyber attacks and ransomware, healthcare organizations must revisit their security strategy. This strategy should be comprehensive, flexible and capable of mitigating the impact of a breach at various levels within the enterprise via multiple layers of security solutions. The use of layered security allows for incremental defense to ultimately protect what is most vital to the business—its data. If other security countermeasures are defeated, data protection, which supersedes traditional encryption, will be vital as the last line of defense. For this reason, organizations must use data protection that travels with their data, rendering the data useless to the attacker should it be compromised.

Training, technology part of treatment

The threat to data security will not fade away, but rather grow in importance. As technology continues to advance, attackers and other entities involved in data theft will have just as many tools as the healthcare providers endeavoring to protect valuable and private information.

See also: Aggressive Regulation on Data Breaches  

Healthcare organizations must accept that their data will become a target and that these threats could originate from nontraditional sources, such as IoT and other innovations. Leaders must act now to protect their business, patients and other stakeholders.

This article originally appeared on ThirdCertainty. It was written by Ermis Sfakiyanudis.

How to Anticipate Cyber Surprises

The WannaCry attack, the biggest ransomware attack in history, is not over. It has had an impact on companies in at least 150 countries, leaving organizations around the world wondering if they might be affected by subsequent waves.

It’s critical to keep in mind that effective mitigation of ransomware (and similar) attacks is accomplished with good governance and risk management, not with the acquisition of expensive security solutions.

Detecting and mitigating risks effectively requires an integrated approach. It requires understanding the dependencies and overlapping activities between entities or departments.

See also: Quest for Reliable Cyber Security  

Technology necessary for a robust cybersecurity program already exists in most organizations. The missing piece — strong governance — is the key to putting internal policies into practice and maximizing the effectiveness of existing technology.

With that in mind, there are a few fundamental steps organizations should take. Enterprise-wide risk management procedures must be used to automate the assessment and monitoring of the processes described below. Timeliness and frequency are key to sustaining protection. The creation of corporate policies does not assure that those policies are followed equally across business areas out to the front lines. In fact, without enterprise risk management, they rarely are.

Back up data; use patches

The first step is to make sure off-site backups are kept up to date. Automatic notifications should alert the security team at preset intervals, reminding them to verify that data is fully backed up at an off-site location. It’s critical to use a risk-based approach to prioritize which data needs monitoring and testing.

Once data has been protected, companies should ensure approved patches are implemented. Although most organizations have approval procedures to force implementation, inconsistency causes massive, preventable vulnerabilities. Without risk-based monitoring, critical assets are left unprotected as priorities interfere with one another.

Antivirus software is typically reviewed and updated in a similar manner. Security teams need the guidance of centralized governance so they can monitor systems effectively.

Limit access

Managing access rights — which can be achieved by first implementing internal password policies and asset management — is critical when minimizing cyber exposure. The “principle of least privilege,” by which the company grants employees only the access rights they need to perform their job responsibilities, is particularly important. This also should apply to vendors and other third parties. Conceptually this is simple, but, in practice, a risk-based approach is needed to connect process owners to the security team. This is where most access rights programs fail.

Automated monitoring also should be applied to company virtual private networks. VPNs are important tools that sustain security and access, but if they are not managed correctly and don’t time out according to a preset timeframe, they create vulnerabilities that can be exploited. Once again, vendors should be held to similar standards.

Business continuity and disaster recovery (BC/DR) plans, much like data backups, must be tested (and optimized) at regular intervals. If a company has a plan in place but does not regularly test its ability to implement a “clean recovery,” it’s highly unlikely it will get back on its feet after an attack within the required time period.

Keep recovery time short

Centralized risk management allows subject-matter experts to assess each device, application and data store. Recovery time objectives (RTOs) measure how long business objectives can be met without a particular asset. The security team, after receiving automatic notifications, should test to ensure the clean recovery timeframe is smaller than the shortest RTO.
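The two automated checks this article calls for, off-site backup freshness prioritized by risk and a recovery drill measured against RTOs, as an added example written from a defender's point of view (not code from the article or from any risk-management product). The asset inventory, the criticality tiers, the allowed backup age per tier and the drill timings are all constructed assumptions.

```python
"""Governance monitoring checks (added example).

Asset data, criticality tiers and allowed backup ages are assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional


@dataclass
class Asset:
    name: str
    criticality: str                        # "high", "medium" or "low" (assumed tiers)
    rto: timedelta                          # recovery time objective
    last_offsite_backup: datetime           # when the off-site copy was last verified
    last_clean_recovery: Optional[timedelta] = None   # measured in the last drill, if any


# Assumed risk-based policy: how stale an off-site backup may be per tier.
MAX_BACKUP_AGE = {
    "high": timedelta(hours=4),
    "medium": timedelta(hours=24),
    "low": timedelta(days=7),
}
TIER_ORDER = {"high": 0, "medium": 1, "low": 2}


def stale_backups(assets, now):
    """Assets whose verified off-site backup is older than their tier allows,
    most critical first: the list the security team should be notified about."""
    stale = [a for a in assets if now - a.last_offsite_backup > MAX_BACKUP_AGE[a.criticality]]
    return sorted(stale, key=lambda a: (TIER_ORDER[a.criticality], a.name))


def rto_violations(assets):
    """(asset, shortfall) for every asset whose last measured clean recovery
    exceeded its RTO; an asset never drilled is reported with shortfall None."""
    out = []
    for a in assets:
        if a.last_clean_recovery is None:
            out.append((a, None))
        elif a.last_clean_recovery > a.rto:
            out.append((a, a.last_clean_recovery - a.rto))
    return out


def recovery_within_shortest_rto(assets, measured_clean_recovery):
    """The test the article asks for: is the clean-recovery timeframe smaller
    than the shortest RTO across all assets?"""
    return measured_clean_recovery < min(a.rto for a in assets)


# Constructed sample inventory and a fixed "now" so the checks are reproducible.
NOW = datetime(2017, 6, 1, 12, 0)
SAMPLE_ASSETS = [
    Asset("ehr-db", "high", timedelta(hours=2), datetime(2017, 6, 1, 9, 0), timedelta(minutes=90)),
    Asset("file-share", "high", timedelta(hours=4), datetime(2017, 6, 1, 6, 0), timedelta(hours=3)),
    Asset("billing", "medium", timedelta(hours=8), datetime(2017, 5, 30, 12, 0), timedelta(hours=10)),
    Asset("intranet-wiki", "low", timedelta(hours=72), datetime(2017, 5, 20, 12, 0), None),
]


if __name__ == "__main__":
    for a in stale_backups(SAMPLE_ASSETS, NOW):
        print(f"STALE BACKUP  {a.criticality:6} {a.name}: last verified {a.last_offsite_backup}")
    for a, shortfall in rto_violations(SAMPLE_ASSETS):
        print(f"RTO VIOLATION {a.name}: " + ("never drilled" if shortfall is None else f"over by {shortfall}"))
    print("whole-site drill meets shortest RTO:",
          recovery_within_shortest_rto(SAMPLE_ASSETS, timedelta(minutes=90)))
```

Untested assets are reported as violations on purpose: a recovery that has never been rehearsed is the "plan in place but not tested" case the article warns about, and it should not silently pass.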

See also: 10 Cyber Security Predictions for 2017  

The steps above remove cybersecurity vulnerabilities by improving governance, not by mandating the acquisition of new IT resources. Good governance enables the operationalization of security procedures, closing the gap between senior leadership and everyday activities. A risk-based approach reduces both exposure and the cost of effective security operations.

This article originally appeared on ThirdCertainty. It was written by Steven Minsky.

WannaCry Portends a Surge in Attacks

The landmark WannaCry ransomware attack, I believe, may have been a proof of concept experiment that inadvertently spun out of control after it got released prematurely.

But now that it’s out there, WannaCry signifies two developments of profound consequence to company decision-makers monitoring the cybersecurity threat landscape:

  • It revives the self-propagating internet worm as a preferred way to rapidly spread new exploits, machine to machine, with no user action required.
  • It lights up the cyber underground like a Las Vegas strip billboard, heralding a very viable style of attack. WannaCry already has begun to spur hackers to revisit self-spreading worms, an old-school, highly invasive type of attack.

The unfolding “kill switch” subplot supports my analysis.

First, a recap: WannaCry is an exploit that spreads on its own, seeking out Windows laptops, desktops and servers that lack a certain security patch issued in March by Microsoft.

See also: How to Keep Malware in Check  

WannaCry first appeared on the internet on a Friday morning and swiftly swept across the globe, reminiscent of the I Love You and Code Red worms of yore. It infected 200,000 Windows machines in 150-plus countries. Hardest-hit were institutions of the U.K.’s National Health Service, as well as Spanish and Russian utility companies.

You may recall that self-spreading Windows worms were all in vogue a decade ago. The most infamous probably was Conficker. I wrote extensively about Conficker for USA Today. But for all the attention Conficker drew, it never delivered any overtly malicious payload. It simply spread.

WannaCry, by contrast, is spreading with a purpose. It carries with it instructions to encrypt each infected machine’s hard drive. Then it requests a $300 ransom, payable in bitcoin, to decrypt the drive.

So why do I think WannaCry was released prematurely? Because $300 is low for a ransom demand, especially for a ransomware attack aimed at the business sector and designed to scale globally. It makes more sense that $300 was a placeholder amount.

“This looked like a shotgun approach to compromise as many systems as quickly as possible before anti-virus definitions could catch up,” says Andrew Spangler, principal malware analyst at Nuix, an intelligence, analytics and cybersecurity solutions company. “It’s possible the attackers were not even aware of how effective this propagation method would be.”

Kill switch discovered

On Friday night, a researcher going by the handle “Malware Tech” reported that he had reverse-engineered WannaCry and discovered a “kill switch” sitting at a domain name that the author had not yet actually registered.

A kill switch also is somewhat unusual for ransomware. It could have been included as a tool to give the attacker the ability to release the ransomware in small doses, shutting it down to make tweaks. But WannaCry’s creator neglected to follow through and register his kill switch’s domain name.

That made it possible for Malware Tech to come along, discover the unregistered domain name, register it and thus take control of the kill switch. He then was able to shut down the original version of WannaCry—by hitting the kill switch.

Yet to no one’s surprise, within a matter of hours, slightly tweaked variants of the original version began circulating. “Updated WannaCry variations have since been released,” says Ray Pompon, principal threat researcher at F5 Networks, an application services and security company. “The danger is still real.”

Good guys, bad guys engage in cyber duel

To be specific, new variants with a slightly modified kill-switch domain are spreading. A very small change connects the malware’s kill switch to a slightly different domain and creates a viable variant, says Chris Doman, threat engineer at AlienVault. “This allows WannaCry to continue propagating again,” Doman says.

Fortunately, other good-guy researchers have taken it upon themselves to hustle to register the kill switch domains of any new variant that turns up and follow Malware Tech’s example to kill the variant when possible.

“The cat-and-mouse (chase) will likely continue until someone makes a larger change to the malware, removing the kill-switch functionality completely,” Doman says. “At that point, it will be harder to stop new variants.”

Security patching more vital than ever

The kill switch subplot aside, one might ask why it took this long—nearly a decade after Conficker—for cyber criminals to incorporate a Windows worm into an attack designed for monetary gain.

Part of the reason is that Microsoft has put forth a tremendous effort to stay on top of newly discovered Windows vulnerabilities. Under its bug bounty program, it pays researchers handsomely to discover and report fresh Windows vulnerabilities. And it pours vast resources into issuing security patches in a timely manner.

See also: It’s Time for the Cyber 101 Discussion  

With respect to the specific Windows bug leveraged by WannaCry, Microsoft issued a patch in March. Still, the digital world we live in is both amazing—and amazingly complex. That means implementing security patches across an organization of any size can be an onerous process.

The result is that vulnerability management, and security patching, lags well behind in the vast majority of organizations. This is true for patches issued by Microsoft, Oracle, Java, Adobe and any other widely used business system you care to name.

“Numerous organizations have fallen victim to these attacks because they failed to apply the patches in a timely manner or were using legacy systems that could not be patched,” says Andreas Kuehlmann, senior vice president and general manager of the Software Integrity Group at Synopsys.

Unintended help from government

An X-factor also came into play. It turns out that the National Security Agency knew all about this particular Windows bug and, in fact, possessed a tool to take advantage of it. Nothing wrong with that. Our intelligence agencies need to have the capability to match or exceed the cyber capabilities of China, Russia or North Korea.

The X-factor that made a difference was this: Hackers stole that information from the NSA and published it online—delivering it on a silver platter to the creator of WannaCry.

“Now that weapons-grade cyber attack tools are in the wrong hands, it is clear that tools and techniques previously reserved for use by nation-states are being integrated into crimeware for profit,” says Josh Gomez, senior security researcher at Anomali. “This means we can expect to see more of these exploits and tools leveraged in future attacks, each one likely surpassing the previous in sophistication and stealth.”

Hang on to your hats, folks. Buckle your seat belts. Company networks’ defenses sorely need shoring up: This, we know all too well. And now attacks are all but certain to ratchet to an unprecedented level of intensity.

Observes Jonathan Sander, chief technology officer at STEALTHbits Technology: “This massive attack is a potent mix of phishing to attack the human, worm to spread via unpatched Microsoft systems and ransomware to get the bad guys their payday. … The reason for WannaCry’s success is our collective failure to do the basic security blocking and tackling of patches, user education and consistent backups. As long as we fail to remove vulnerabilities and watch our files, bad guys will exploit us by exploiting our systems.”