Archives for August 2016

The Kicker…Cyber Insurance

People who live in glass houses should take out insurance.
– Unknown

In 1969, a song by Denny Zager and Rick Evans skyrocketed to the top of musical charts. The song, “In the Year 2525,” warned of the dangers of technology, foretelling a distant future in which the human race was destroyed by it. There are days in which it seems we may be traveling along the path envisioned by the dark lyrics of that song. But for the moment, as we look at a future beset with great uncertainty as to where the cybersecurity issues plaguing the world will take us, we increasingly are turning to a traditional means of offsetting risk—buying insurance.

Writing in Fedscoop, Shaun Waterman reports that “U.S. insurers took in almost $1 billion in premiums last year for writing cybersecurity policies,” citing credit analysts at Fitch Ratings. He goes on to write that “some estimates put the global value of the cyber insurance market at $2 billion a year — and insurance broker Marsh & McLennan estimated that could multiply three to five times by 2020.” There are other estimates suggesting the market could be closer to $20 billion by the end of this decade.

What is clear is that there is a lot of insurance being bought amidst great uncertainty as to just what is covered. The Council of Insurance Agents & Brokers’ new biannual Cyber Insurance Market Watch Survey cites this interesting finding: “Confusion about what is covered and what is excluded in a cyber policy continues to be the chief concern of brokers. Seventy-one (71) percent of brokers believe that there was little to no clarity about what is and what is not covered. Much responsibility lies with individual brokers and their ability to grasp exposures and coverage nuances and discuss those with individual clients whose interest levels vary greatly.” The reason for this is explained by Ken A. Crerar, president and CEO of The Council: “As cyber threats move beyond just the theft of personal information, meaningful business interruption insurance is starting to become available….While the market has more loss data on cyber incidents, theft of intellectual property, physical damage and bodily injury are still not fully comprehended.”

Absent good actuarial data, there will continue to be tension in the insurance market, even as more businesses seek to purchase insurance. Businesses will seek to gain a better understanding of coverage and exclusions as well as generally accepted risk reduction practices, which can lead to lower premium costs. For their part, insurers will continue to sort through issues like probable maximum losses and liability apportionment, while dealing with another sort of exposure that is increasingly prominent. Michael Macauley, CEO of California-based Quadrant Information Services, a supplier of pricing analytics services to property/casualty insurance carriers, notes “As an industry, insurers tend to believe that their data—and with it, the trust of their policyholders—is secure. At one time, that might have been a reasonable assumption; but insurance, which is now a high-tech industry, is just as vulnerable to attacks by hackers as are banking, retail, entertainment….”

And so it goes.

By Tom Davis, SDI Cyber Risk Practice
August 30, 2016

Cyber Crime is Too Often an Inside Pitch

“The fault, dear Brutus, is not in our stars,
But in ourselves…”

-William Shakespeare (in his play Julius Caesar)

Here’s a startling statistic: Insider negligence is more than twice as likely to cause the compromise of insider accounts as any other potential source. This tidbit is found in one of the latest reports from the Ponemon Institute. The report, “Closing Security Gaps to Protect Corporate Data: A Study of US and European Organizations,” sponsored by Varonis, stems from a study conducted to determine the security gaps within organizations that can lead to data breaches and security incidents. A total of 3,027 employees in U.S. and European organizations (United Kingdom, Germany and France) were surveyed, including 1,371 individuals who work in such areas as sales, finance and accounting, corporate IT, and business operations, and 1,656 individuals who work in IT and IT security.

As 2016 heads toward its final quarter, most companies are investing in security: spending on products, beefing up security teams, developing response plans, hiring consultants, etc. All of this helps, but the company is well advised to address what is widely seen as the weakest link: its employees.

Why is it that despite the ongoing cascade of stories about cyber breaches, individuals within companies continue to serve as open front doors to corporate data? Well, in part it’s because as creatures of habit, we become so accustomed to using email, texting, and visiting social media sites so regularly that we do so without thinking. We’re operating by rote—opening, clicking, visiting, and otherwise being consumers of the vast amounts of information and freedom made possible by the digital age. Many of us have seen someone cross a street against the light or drive through a red light while busy on their handheld device. Much like those situations, our tendency to open emails and click on links leaves us wide open to cybersecurity accidents with potential severe repercussions.

Addressing this problem requires a combination of effective technology, better policies and procedures (including restricting access to sensitive data—the report cited earlier says 62% of the employees interviewed said they had access to data they probably should not be able to see), education and training. Training has to be persistent and detailed to ensure sensitivity to potential breaches is inculcated and retained. As the Bard also said, “What’s done is done,” but there is much left to do to lessen the prospect that your employees will be the source of future cyber mischief.

By Tom Davis, SDI Cyber Risk Practice
August 16, 2016

Man Up…At Least For Now

Capture the Flag (CTF) is one of the simplest games children play. Based on the history of warfare in which capturing the enemy’s flag effectively ended a battle, some variant of the game is played in countries around the world. In recent times, adults have created more sophisticated versions of the game, and in all likelihood, the most sophisticated, and certainly best known in cyber circles, is the game played at the famous annual DEF CON hacking conference. The DEF CON CTF pits teams of hackers against each other to attack and defend computers and systems.

This year, just before the conference began, the US Defense Advanced Research Projects Agency (DARPA) sponsored a different sort of competition, the first all-machine hacking tournament. DARPA offered a $2 million prize to the team that won its version of Capture the Flag, called “The Cyber Grand Challenge.” Seven competitors entered the contest, and seven high performance computers competed.

The attraction to computers is obvious. Defending against threats and addressing vulnerabilities takes enormous amounts of time, and there are a limited number of humans who have the appropriate skills. It’s estimated that more than one million jobs are going unfilled in computer security worldwide. Moreover, the lag time from threat detection to resolution takes months, which provides a huge advantage and incentive to cyber criminals. If cyber defenses could be automated, with machines that can discover and fix software flaws in real time, that would be a game-changer.

The highly anticipated Cyber Grand Challenge was a huge hit. Writing in The Christian Science Monitor, Sara Sorcher reported, “In a sign of what’s to come, the crowd went wild when the supercomputer robots found flaws that the judges didn’t even know were there.” Spectators were excited over seeing what they perceived as a transformative moment. “It’s really going to change us as a society,” said an audience member who identified himself as Baset. “I can only think of how this will look in five or 10 years. This kind of technology is going to enable countries that aren’t superpowers to level the playing field. The theme of DEF CON is really the rise of the machines, and I’m getting that sense here.”

So who won the $2 million prize? The chillingly named Mayhem, built by a team of Pittsburgh-based researchers called the ForAllSecure team, who used technology from Carnegie Mellon University. Mike Walker, the DARPA program manager who launched the challenge, hailed the results saying, “I’m enormously gratified that we achieved CGC’s primary goal, which was to provide clear proof of principle that machine-speed, scalable cyber defense is indeed possible…The effort by the teams, the DARPA leadership and staff, and all the hundreds of people who helped make this unique, open-to-the-public test happen was enormous. I’m confident it will speed the day when networked attackers no longer have the inherent advantage they enjoy today.”

How quickly will that day come? Well, Mayhem was invited to participate in this year’s DEF CON Capture the Flag competition, marking the first time a machine was allowed to play in that historically all-human tournament. In an intensely spirited competition, the team from Carnegie Mellon won—but not that team. Carnegie Mellon’s competitive computer security team, The Plaid Parliament of Pwning, won its third title. Mayhem finished near the bottom. Humans rule for at least one more year.

By Tom Davis, SDI Cyber Risk Practice
August 9, 2016

Bounty Hunting, Cyber Style

Threat hunting is the act of aggressively tracking and eliminating cyber adversaries as early as possible in what Lockheed Martin has dubbed the “Cyber Kill Chain.”

-From a SANS Whitepaper, by Eric Cole, PhD

It’s likely most people who hear the term bounty hunter now think of Duane Chapman, who goes by the name Dog, and who starred in a reality TV show named, incredibly, Dog the Bounty Hunter. But for me, the real bounty hunter is Steve McQueen, who played Josh Randall, a Confederate Civil War veteran who made a living as a bounty hunter in the Wild West. Up until Josh Randall showed up, the term bounty hunter described an unsavory practitioner who lived on the fringes of the law. Josh changed all that, and the bounty hunter became, at least occasionally, a good guy.

The modern-day version of Josh Randall is now bringing justice to the cybersecurity frontier. Increasingly, companies are hiring “threat hunters,” cyber experts who hunt through enterprise architecture and identify, target, and eliminate threats that are hiding somewhere in the maze. It’s real-time hunting to detect malicious activity, performed by experts who have both the tools and the experience that enable them to carry out successful hunts far more efficiently than the internal security team typically can.

A SANS white paper written by Robert M. Lee and Rob Lee explains the rationale that lies behind threat hunting. “Threats are human. It is the adversaries, not just their tools, such as malware, that interest threat hunters. These adversaries are persistent and flexible and often evade network defenses. The threats are often identified as advanced persistent threats (APTs), not just because of the capabilities that the adversaries wield, but also because of their ability to initiate and maintain long-term operations against targets. Focused and funded adversaries will not be countered by security boxes on the network alone. And threat hunters are not simply waiting to respond to alerts or indicators of compromise (IOCs). They are actively searching for threats to prevent or minimize damage.”

One of the more interesting aspects of the threat hunting approach lies in the human dimension. Writing in DarkReading, Jai Vijayan quotes Ben Johnson, co-founder and chief security strategist at security vendor Carbon Black, as saying what separates threat hunting from the usual security practices is its emphasis on human skills. Threat hunting, Johnson says, is about “using humans to find bad [guys] versus having an alert fire from a piece of technology.” In that regard this version of bounty hunting is not so terribly different from that practiced across the shifting sands of history. The biggest difference may be that when the bounty hunters squint today, it’s not the sun in their eyes, it’s more likely eye fatigue from staring at too many screens.

By Tom Davis, SDI Cyber Risk Practice
August 2, 2016