
Insurtechs Mitigate Intel Cyber Scare

With Meltdown and Spectre very much in the news, raising the possibility of major data breaches, here are answers to some common questions: what the vulnerabilities are, how the flaws can be exploited and how insurers can use insurtechs to protect themselves.

Meltdown and Spectre relate to a 20-year-old design flaw in Intel microprocessors, the sorts of chips that function as the brains for laptops, mobile phones and just about every other electronics product these days. It’s now clear that other microprocessors likely have similar flaws, but the Intel flaw has drawn attention both because Intel chips are so widely used and because Meltdown and Spectre have shown exactly how the Intel issue can be exploited.
The vulnerability has been known for months by Intel and the largest tech companies, but, despite the knowledge of the vulnerability and the recent scramble to patch it, there is still much uncertainty about the precise implications.

Who Discovered the Flaw?

Jann Horn, an engineer with Project Zero, a team at Google that looks for flaws that cyber criminals can exploit, found the vulnerability in the Intel microprocessors. He discovered the problem while developing a processor-specific application that required deep access into the chip hardware.

Since then, several other researchers have discovered the flaw from a different angle, while studying a technique in which processor operations are run out of order to increase efficiency. Research papers were published in the microprocessor community about this technique and its possible implications. Several groups created simulations and discovered the obscure flaw in the Intel chip. One prominent group of researchers out of Graz University of Technology in Austria reported the flaw to Intel. Intel had already known for seven months at that point, but with that report the discovery became breaking news and came to light last week.

How Does the Flaw Work?

A computer’s processor executes code out of order to circumvent bottlenecks and speed the work. The CPU doesn’t just read code like a book, from front cover to back cover. The process is more like preparing a complicated recipe, where parts of the process need to be started at different times to keep the work moving smoothly. This technique is referred to as “speculative execution” – the CPU is taking its best guess about what work needs to be started when. Speculative execution has been used for 20 years.

Spectre exploits the technique. Developed by Horn to show the Intel flaw, Spectre intervenes in the speculative execution to have an application store sensitive or private data in the processor’s cache – the memory that is built into the processor itself. (As fast as the speed of light is, a processor simply takes too long if it has to grab all its information from separate memory chips, even inches away, rather than from elsewhere on the processor chip.) Spectre has the private data stored in particular places in the cache where an attacker can retrieve it later. Data can be accessible within several nanoseconds (billionths of a second).

Meltdown is the process of retrieving the sensitive data. Meltdown uses incredibly precise timing – remember, we’re operating in billionths of a second here – to grab the sensitive data. Meltdown does so in between the processor’s reads and writes – in other words, between the times the processor is reading data from cache and the times it is writing, or storing, data in cache. The operating system kernel provides the clock that allows events to be coordinated with such precision.


The particularly alarming aspect of this vulnerability is that it can be exploited from front-end JavaScript code, which is used just about everywhere. This means that browsing web pages is one of the attack vectors that could be used to extract otherwise-secret data from your session.

What Is Being Done?

Spectre and Meltdown work hand in hand, so browser companies have removed application access to interfaces that measure precise timing intervals. Firefox has published steps to limit and remove access to the timing function.

However, removing access is only a temporary fix. The underlying flaw still exists. A fundamental change in chip design is required for a truly secure solution.
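The browser-side mitigation described above, lowering the resolution of the timer that page scripts can read, can be illustrated with a small simulation. The block below is an added example, not code from the article or from any browser vendor; the timer resolutions, operation durations and function names are constructed for illustration and are not any browser's or CPU's real figures.

```javascript
'use strict';

// Added example, not from the article. Simulates the mitigation the text describes:
// browsers lowered the resolution of the JavaScript timer (performance.now()) so that
// nanosecond-scale differences cannot be read from page scripts. Times are integer
// nanoseconds; resolutions and durations are constructed values, not real figures.

// Round a timestamp down to the nearest multiple of the timer's resolution.
function coarsenTimestamp(tNs, resolutionNs) {
  return Math.floor(tNs / resolutionNs) * resolutionNs;
}

// What a script measures for an operation lasting `durationNs` when both its
// start and end readings come from a timer quantised to `resolutionNs`.
function measuredDurationNs(startNs, durationNs, resolutionNs) {
  return coarsenTimestamp(startNs + durationNs, resolutionNs) - coarsenTimestamp(startNs, resolutionNs);
}

// Two constructed operations a few hundred nanoseconds apart, the scale at which
// the article says data in the processor cache is accessed.
const FAST_NS = 80;
const SLOW_NS = 300;

// Fraction of start times (swept across one timer tick) at which a quantised timer
// reports different values for the two operations. 1.0 means the timer always tells
// them apart; near 0 means it only does so when the slower one straddles a tick.
function distinguishableFraction(resolutionNs) {
  const step = Math.max(1, Math.floor(resolutionNs / 10000));
  let samples = 0;
  let hits = 0;
  for (let offset = 0; offset < resolutionNs; offset += step) {
    const startNs = 1e9 + offset; // one second after the clock started; arbitrary
    samples++;
    const fast = measuredDurationNs(startNs, FAST_NS, resolutionNs);
    const slow = measuredDurationNs(startNs, SLOW_NS, resolutionNs);
    if (fast !== slow) hits++;
  }
  return hits / samples;
}

// Constructed comparison: a 5 ns timer versus a 100 microsecond one.
function compareResolutions() {
  return { fineTimer: distinguishableFraction(5), coarseTimer: distinguishableFraction(100000) };
}

console.log(compareResolutions());
```

With a 5 ns timer the two operations are separated on every trial; with a 100 µs timer they produce the same reading in all but roughly 0.2% of start positions, which is why a coarse timer alone blunts the attack but does not remove it (repeated trials can still average over the rare boundary crossings). That is the reason the paragraph above calls it a temporary fix: Firefox's published steps also add jitter and disable other high-resolution clock sources, and the underlying design flaw in the chip is untouched.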

Companies like Amazon, Google and Microsoft have recently been rebooting so-called virtual machines (VMs) to clear the cache. VMs act like separate pieces of equipment as far as customers are concerned but, in fact, share hardware with other customers. (Software defines the boundaries of the “machine” within the physical piece of equipment. VMs make data centers far more efficient: Machines no longer sit idle simply because a particular customer doesn’t have work to do at that moment; someone else grabs the CPU time.) Sharing of physical hardware between customers could mean that your secret data was left in the processor cache, to be extracted through this process of speculative execution and precise timing from another company’s front-end apps. After all, you’re sharing the same physical processor.

Who Does It Affect?

The chip vulnerability affects all modern microprocessors, including those in desktops, laptops, mobile phones and IoT devices. Speculative execution is a technique used throughout the chip industry. Besides Intel, other chip manufacturers like AMD and Arm Holdings are implementing similar patches that are also focused on limiting access to cache timing.

How Does the Insurance Industry Respond?

Despite the panic, the insurance industry should stay the course. Insurance providers should follow the same cyber security methodologies whether they face a known, specific vulnerability or an uncertain one.

First, implement all security patches and updates for all hardware in your organization. This should be done with caution because logic in the patches could significantly slow hardware.

Second, rely on the products and services of leading cyber security insurtechs. According to ITL’s Innovator’s Edge, there are 250 cyber security insurtechs globally, and many are making good progress. The insurtechs fall into three main categories:

Threat Prevention

Threat prevention, as the name implies, stops an attack before it occurs. This typically includes services like penetration testing, simulated attacks and system hardening. 30% of the cyber security insurtechs in Innovator’s Edge are assisting insurance providers with these activities.

RiskIQ, for example, uses big data, analytics and simulations. The company’s RiskIQ Digital Footprint maps all your IT assets and determines if they are hardened from a security standpoint.

Threat Detection

Threat detection is the process of being alerted when a breach does occur. Detection is most often made possible by security monitoring. Monitoring varies from conventional network monitoring to sophisticated machine-learning-based monitoring. 42% of cyber security insurtechs tracked by Innovator’s Edge mitigate cyber risk through threat detection.

For instance, TesseractGlobal’s Peerlox EDR focuses on detecting targeted cyber attacks through machine learning. The strategy for leveraging artificial intelligence and data analytics is an ideal second line of defense for an organization.


Threat Management

Threat management most often relies on consulting. Threat management is applied when a breach occurs, there is damage done, and there is a mess to clean up. As you can imagine, this is highly specialized work. According to Innovator’s Edge, 14% of the cyber insurtechs have these capabilities.

SeraBrynn, for one, assists insurance providers after they have become the victims of a breach. The team consists of industry leaders in cyber security who have assisted the NSA.

The combination of the strategies that insurtechs offer can help minimize the reverberations created by something like Spectre and Meltdown. The capabilities are a hedge against the negligence of the technology industry, whose insatiable pursuit of Moore’s law has come at the expense of security. Luckily for the insurance industry, there is an Insurtech for that.

Your Social Posts: Hackers Love Them

Social media is embedded in our lives—Facebook alone had 1.79 billion daily users as of September 2016—which means cyber criminals are not far behind.

As companies increasingly rely on this digital channel for marketing, recruiting, customer service and other business functions, social media also has become a highly effective vehicle for cyber attacks. Outside of the corporate network perimeter and an organization’s control, it throws traditional security approaches out the window.

A growing category of digital risk monitoring vendors, identified by Forrester Research Inc. in a recent quarterly Wave report, is catering to this problem. According to the report, digital channels—social, mobile, web and dark web—“are now ground zero for cyber, brand and even physical attacks.”

The ways in which cyber criminals weaponize these channels are limited only by their imagination. Hackers can create fake corporate accounts for harvesting customer credentials, impersonate company executives, damage the brand’s reputation and post legitimate-looking links that contain malware.


According to Cisco’s 2016 annual security report, Facebook, for example, was the top mechanism last year for delivering malware, through social engineering, in order to gain access to organizational networks.

“(Social media) is a business technology platform, and because it’s been adopted at all levels of business … organizations have to figure out how to protect it,” says Evan Blair, co-founder and chief business officer at ZeroFOX, a digital-risk monitoring (DRM) vendor launched in 2013.

“And it’s a gold mine for intelligence on individuals,” he adds.

Social media—the ideal weapon

The sheer volume of traffic on social networks is a magnet not only for businesses but also for the criminal element.

According to the Pew Research Center, 79% of internet users are on Facebook, the most popular social network. About a third of internet users are on Instagram, and a quarter are on Twitter.

Better click-through rates and lower advertising costs, among other things, are compelling companies to throw more money at social media advertising (Hootsuite estimates social media budgets have nearly doubled, from $16 billion in 2014 to $31 billion in 2016).

But it’s not just the growing numbers of users and increased brand presence that creates an attractive playground for bad actors. It’s easy to create accounts and instantly attract followers—which means it’s easier than email for reaching a massive number of people with a phishing attack.

Adding to the problem is that social media can be highly automated because it was built on an open API (application programming interface) that allows developers access to proprietary applications. “It’s a frictionless environment that allows you to communicate immediately,” says Devin Redmond, general manager and vice president of digital risk and compliance solutions for Proofpoint, another DRM vendor.

Blair says: “Social media was built with automation in mind. You can create an account that interacts completely autonomously.”

Even though email remains the medium of choice, according to various security companies, email phishing is on the decline. Social media phishing, on the other hand, is growing.

Why organizations are at risk

Eric Olson, vice president of intelligence operations at LookingGlass, says what makes digital risk a high priority is that it’s a business risk that touches multiple facets of an organization. It’s not just about cybersecurity—it also involves compliance, human resources and legal, among others.

He says it’s important for security practitioners to focus on the how — e.g. phishing — rather than the channel it came from.

“You have to be able to keep eyes in all the dark corners,” Olson says.

A new technique Proofpoint identified in 2016 is angler phishing. Bad actors create a fake social media account on, say, Twitter, using stolen branding. They watch for customer service requests addressed to the legitimate account for a bank or a service like PayPal. They then tweet a reply with a link to a lookalike fake website where the customer is asked to enter login credentials.
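The angler-phishing pattern just described (an unverified lookalike account answering customers with a link to a lookalike site) is something a brand's security team can screen for in replies to its own support threads. The block below is an added example written for this page, not code from the article or from any vendor's product; the brand, handles, domains, sample replies and function names are all constructed.

```javascript
'use strict';

// Added example, not part of the article or any vendor's product. Scores replies in a
// brand's customer-service thread for the angler-phishing pattern described above.
// Brand, handles, domains and replies are constructed sample data.

// Character substitutions commonly used to make a handle read like the original.
const CONFUSABLES = [['rn', 'm'], ['vv', 'w'], ['0', 'o'], ['1', 'l'], ['3', 'e'], ['5', 's'], ['7', 't'], ['$', 's'], ['|', 'l']];

// Lowercase, drop '@', separators and whitespace, then fold confusable characters.
function normalizeHandle(handle) {
  let h = handle.toLowerCase().replace(/^@/, '').replace(/[\s_.\-]/g, '');
  for (const [from, to] of CONFUSABLES) h = h.split(from).join(to);
  return h;
}

// Levenshtein edit distance, for near-miss spellings ("exampiebank" vs "examplebank").
function editDistance(a, b) {
  const row = Array.from({ length: b.length + 1 }, (_, j) => j);
  for (let i = 1; i <= a.length; i++) {
    let diag = row[0];
    row[0] = i;
    for (let j = 1; j <= b.length; j++) {
      const tmp = row[j];
      row[j] = Math.min(row[j] + 1, row[j - 1] + 1, diag + (a[i - 1] === b[j - 1] ? 0 : 1));
      diag = tmp;
    }
  }
  return row[b.length];
}

// Hostnames of any http(s) links in the reply text.
function extractHosts(text) {
  const urls = text.match(/https?:\/\/[^\s)]+/g) || [];
  return urls.map(u => new URL(u).hostname.toLowerCase());
}

// reply: { handle, displayName, verified, text }; brand: { handles: [...], domains: [...] }
function assessReply(reply, brand) {
  const isBrand = brand.handles.some(h => h.toLowerCase() === reply.handle.toLowerCase());
  const brandNorm = normalizeHandle(brand.handles[0]);
  let imitatesBrand = false;
  if (!isBrand) {
    // Lookalikes often append a support-style suffix to the brand name.
    const core = normalizeHandle(reply.handle).replace(/(help|support|care|service|team|official)$/, '');
    const nameUsesBrand = reply.displayName ? normalizeHandle(reply.displayName).includes(brandNorm) : false;
    imitatesBrand = core === brandNorm || editDistance(core, brandNorm) <= 2 || nameUsesBrand;
  }
  // Links that do not land on the brand's own domains (or their subdomains).
  const offBrandHosts = extractHosts(reply.text).filter(
    host => !brand.domains.some(d => host === d || host.endsWith('.' + d)));
  let verdict = 'ok';
  if (imitatesBrand && !reply.verified) verdict = offBrandHosts.length > 0 ? 'phish-like' : 'suspicious';
  return { imitatesBrand, offBrandHosts, verdict };
}

// Constructed sample data: a brand, its real support account, a lookalike and a bystander.
const BRAND = { handles: ['@ExampleBank', '@ExampleBankHelp'], domains: ['examplebank.example'] };
const SAMPLE_REPLIES = [
  { handle: '@ExampleBankHelp', displayName: 'Example Bank Help', verified: true,
    text: 'Sorry to hear that. Details here: https://www.examplebank.example/help' },
  { handle: '@ExampIeBank_Help', displayName: 'Example Bank Support', verified: false,
    text: 'We can fix this right away, please log in: https://examplebank-secure.example/login' },
  { handle: '@jane_doe', displayName: 'Jane', verified: false, text: 'Same problem here since yesterday.' },
];

function runSamples() {
  return SAMPLE_REPLIES.map(r => ({ handle: r.handle, ...assessReply(r, BRAND) }));
}

console.log(runSamples());
```

The real support account passes, the bystander passes, and the reply from "@ExampIeBank_Help" (capital I for lowercase l, plus a stolen display name and a link to a host outside the brand's domains) is marked phish-like. The edit-distance threshold is deliberately loose and would need tightening for very short brand names; in practice the verdict feeds a takedown or customer-warning workflow rather than an automatic block.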

Despite this growing threat, however, many security practitioners are not aligned with social media, Redmond says.

“The pace of adoption of social by enterprises and the pace of the risks that are evolving around that are growing much faster than people are addressing those risks,” he says.

An emerging space

The offerings of the vendors in this space vary. For example, ZeroFOX focuses largely on social media. Proofpoint covers social, mobile, web and email. LookingGlass integrates machine readable/open source feeds, analyst services, threat intelligence tools and appliances.

Whatever approach they take, more security companies are likely to join in because the market is still growing.

But even savvy companies are struggling to secure these channels. The hacking of Microsoft’s Skype for Business Twitter account in 2014 is proof—the Syrian Electronic Army wasted no time tweeting negative messages after taking over the account. They got some 8,000 retweets.


“Social media is the best attack platform for a nation-state actor and sophisticated cyber criminals, not just because it’s the easiest one to leverage for compromise, but it’s also completely anonymous,” Blair says.

Redmond expects mobile to be another rising digital frontier, as more bad actors use fraudulent apps to do things like harvesting credentials.

“If you look at it through the lens of bad actors, they’ve figured out all these are effective vehicles,” he says. They don’t have to break in any more — they just have to pretend they’re someone else.

He adds, “They can do that more rapidly, at a greater scale, with less chance of detection.”

This post was written by Rodika Tollefson and first appeared on ThirdCertainty.