Network Critical - The Window to your Network

Is Your Company Cyber Covered?


Your company is likely insured to cover a variety of business risks. Some of the most common business coverages include general liability insurance, product liability insurance, professional liability insurance, commercial property insurance and perhaps some other specialty coverages depending on your business. So, as a business manager, you might think, I am covered. Well, it might be time for an insurance review that includes a relatively new, yet potentially devastating risk…cyber crime.

Most insurance companies that provide commercial property policies exclude electronic data under the definition of “covered property.” General liability coverages are designed for bodily injury or property damage, both of which are narrowly defined in the policy. Electronic data is usually excluded under the definition of “covered property”. Personal and advertising injury coverage excludes infringement of copyright, patent or trademark and trade secret loss, which are often cyber targets.

Insurance companies and their actuarial research and tables have not kept pace with the blazing advancement in cyber technology. While technology continues to advance at a rapid pace, the insurance industry is struggling to keep up. There are, however, some companies that are developing and marketing cyber insurance policies to cover the potentially devastating effects of a cyber attack. AIG, for example, has introduced a stand-alone policy called “CyberEdge” that offers coverage against many cyber risks.

Many large companies, mostly in developed economies, are working with their insurers to write specific risk policies that provide coverage for business interruption, liability, remediation costs and other damages caused by cyber attacks. The cyber insurance industry is currently estimated to be about a $4 billion a year business and growing fast. Here are a few reasons for growth in cyber insurance…

  • Target - Data breach of 41 million customers’ credit card information, for which Target settled for US$18 Million.
  • Anthem Health Care - Data breach exposed personal information of millions of patient records, for which Anthem settled for US$115 Million.
  • JP Morgan - The largest bank in the United States was hit by a breach where hackers obtained personal information including Social Security numbers of 76 million households and 7 million businesses. Subsequently, the bank has increased its cyber security budget to US$250 million per year.

A Ponemon Institute report found that the average cost of a data breach for the 383 participating companies in 12 countries was about US$4 million. Two of the “megatrends” discussed in the report are that 1) regulated industries such as healthcare and financial have the most costly breaches because of fines and a higher than average rate of lost business and customers, and 2) investments in certain data loss prevention controls and activities such as encryption and endpoint security solutions are important for preventing data breaches.

As with many other types of coverage, the insurance companies are working on developing risk assessment practices in order to better manage the cyber vulnerability score of applicants. Of course, the higher the risk score, the more the applicant will pay for coverage if a policy is underwritten. Many insurance companies, lacking industry-wide standardized practices, are using Payment Card Industry (PCI) data security standards as a baseline for providing coverage. These standards require specific security practices such as firewall protection as well as other intrusion, encryption and data loss protections. An organization that is not in compliance with PCI standards will find it difficult to obtain coverage.

Strong network protection starts with a Next Generation Firewall (NGFW) that integrates intrusion protection along with traditional firewall protection. Additional appliances such as Data Loss Protection (DLP) provide another layer of protection helping prevent the download of protected information by unauthorized devices. Other critical appliances that identify traffic anomalies, block suspicious traffic and help weed out malware are coming to market every day.

The pace of malware protection innovation is both good news and bad news. Good, in that there is a constant flow of new technology coming to market, with each new appliance covering a previously under-protected vulnerability. Bad, in that deploying numerous specialized appliances on every link of a complex network is very costly and can impact reliability and availability of networks to legitimate users. Fortunately there is one more “good” to this story.

Security appliances can be connected directly to links or can be “brokered” through intelligent visibility appliances that are designed to connect numerous appliances. These intelligent TAPs and Packet Brokers can map network traffic through connected appliances and bypass problem units. The port mapping and power-fail protections keep networks “alive” even when certain appliances are “dead”.

To summarize, cyber attacks are increasing in sophistication and frequency. A well written and rated cyber insurance policy can protect businesses from costly breaches and the associated liabilities. In order to get the best coverage at a reasonable rate, review your security profile prior to applying for coverage. The cost of a strong security infrastructure can be more than offset by lower insurance rates and by defeating attacks before the damage is done.

Posted: 15/08/2017 17:36:42 by Network Critical with 0 comments

Something Needs to Change


Before I weigh in with my two cents worth, I’d like to share a personal experience. Way back in spring 2006, I was awarded a contract to assist the Department of Transportation as they worked to submit the required systems Certification and Accreditation to OMB.

It was a tall order, but nonetheless I looked forward to the assignment; I assumed the only downside would be the pages of Government paperwork that I was required to submit before I could even step inside DoT headquarters. In order to obtain my ID badge, I had to provide personal details not just about myself, but my family and friends as well.

Fast forward to summer 2015, when OPM notified me that their database had been compromised; as many as 21.5 million individual records had been stolen and there was a “strong possibility” that the personal data included in my DoT paperwork was amongst them. Now it’s fair to say that this ‘strong possibility’ wasn’t an absolute certainty. But given that my family and close friends’ information was stolen as well as my own, let’s just say that I wasn’t very open to considering the ‘possibility’ that my data had been untouched. Would you have been?

Sure, I’ve since been offered a prepaid subscription to an identity theft monitoring program, but let’s be candid. That’s the virtual equivalent of deciding to install smoke detectors in your home, after it’s been burned to the ground. Taking steps to protect the people you’re responsible for, only after they’ve been compromised, means you’ve failed. It’s that simple.

I’ve since heard that OPM has introduced two-factor authentication as a common working practice since the incident. But given that’s a feature found on most iPhones, why did it take so long for a Government department to implement it as a basic security measure?

No matter where you stand politically, no one can deny that we share a mutual concern; virtual criminals are becoming increasingly sophisticated by the day, so a level of paranoia comes with the territory in the Public Sector. What continues to alarm me is that we all seem to be victims waiting for the next headline to hit. We are so preoccupied with fixing the destruction caused by the last attack we didn’t see coming, that we don’t have time to be proactive about preventing the next one.

There tends to be a reliance on assumptions and ‘what we know’. But given the increasingly unpredictable and unparalleled nature of these attacks, is what we know good enough anymore?

With far more exciting targets such as the NSA and the Pentagon, I for one would’ve completely dismissed anyone who predicted the possibility that a Government agency such as the OPM would be targeted, and I’m willing to bet I’m not the only one.

Back in 2011, Iran admitted to overriding and taking control of a US drone and amazingly, the story once reported seems to have disappeared from our minds. Clearly, the political and military consequences were discussed but surely there should be more time committed to asking “if a drone can be hacked, what else can?”

We need to consider the far-fetched, worst-case scenario given our current climate. If a drone can be overridden, who can absolutely guarantee the same wouldn’t happen to a plane with a pilot onboard? Is a commercial air traffic control tower just as at risk of being compromised as the OPM? Are similar, low visibility departments at risk, like the Department of Veterans Affairs?

More recently the Chinese military unveiled their latest fighter aircraft, the Chengdu J-20. The aircraft bears a striking resemblance to our F-22 advanced fighter. Anyone who has seen the J-20 can’t dismiss the fact that somehow the Chinese were able to hack into either a DoD or subcontractor network and steal proprietary specifications and designs for the F-22. Fortunately stealing the designs appears to be a simpler task than duplicating the sophisticated technology that provides the F-22 pilot the ability to see and fire upon enemy aircraft even if the enemy is behind them.

Fighting fires once the damage has been done is an all too common practice. But as for best practice? That comes with discussion, sharing our experiences and bouncing ideas off each other - and I’m not referring just to our world and industry leaders.

It’s time we took a more proactive role in actually preventing the constant threat of cyber criminals that we face daily, instead of simply waiting for the latest breach to make the news, and reacting to it.

For an industry that operates in the background to ensure our information is protected, we’re being caught in the headlines way too often, and for the wrong reasons.

Sometimes it’s on a global scale, sometimes it’s personal. But one thing’s for certain, something needs to change.

Last week I created a LinkedIn closed group to bring together informed, like-minded people who want to take a different, more proactive approach to combatting cyber security.

The group isn’t designed to be a passive, voyeuristic forum. Its purpose is for those that want to come to the table with strong ideas, share best practice in a trusted environment and are ready to hit the issues head-on together.

That way, we have a fighting chance of preventing more disastrous headlines.

You can join ‘The Cyber Security Forum’ here.

Posted: 01/03/2017 03:38:45 by Network Critical with 0 comments

The New Battlefield: Cyber Space

Cyber warfare is real. It is happening now. In fact, while you are reading this blog, government and corporate cyber resources are under attack around the globe. Here are a few recent examples:

  • Department of the Navy - Hacked through contractors’ emails. 134,000 sailors have had their personal information and social security numbers stolen. This information will likely be sold for the purpose of identity theft. This is not just stealing information to make credit cards and buy stuff on a fictitious account. This hack is more. This is cyber warfare. This hack is compromising the families and distracting the focus of service men and women in the Navy.
  • National Security Agency - Hacked by the Shadow Brokers. This group actually hacked a hacking group within the NSA called the Equation Group. According to Kaspersky Labs, the code that was leaked by Shadow Brokers is used by Equation Group for its own hacking and decryption operations. This is real spy vs spy stuff but it is all done behind the cyber curtain. Today it is code vs code.
  • People’s Liberation Army Unit 61398 is a division of the Chinese military that is dedicated to hacking corporations and governments around the world. A report by computer security firm Mandiant provided detail on this organization and, after many diplomatic denials, the Chinese government actually confirmed the existence of the group.
  • The CIA and FBI have confirmed that Russian hacking groups have been very active in trying to influence the outcome of the 2016 United States election. Congressional investigations are being organized to gather more detail on the scope and influence of these efforts.

Following is a quote from former US President Obama on the subject: “America’s economic prosperity, national security, and our individual liberties depend on our commitment to securing cyberspace and maintaining an open, interoperable, secure, and reliable Internet. Our critical infrastructure continues to be at risk from threats in cyberspace, and our economy is harmed by the theft of our intellectual property.”

Cyber warfare is our biggest threat today. It is more effective than blowing up buildings and roads. It is more effective than killing and capturing opposing forces. It is the warfare of the 21st century. It is warfare that captures minds and hearts, not just bodies. The new bombs are fake news, leaked emails and violent propaganda. The United States spends hundreds of billions of dollars on new fighter jets, bombs and automatic weapons. Yet, the Marine Corps database, managed on contract with HP, was not secured. This is what allowed the SQL injection breach of the Marine Corps Intranet by the Navy hackers noted above.

The latest budget proposal from Obama significantly increases the federal spend on cyber security to $14 Billion. While this is good news, the United States cyber security spend is still a tiny fraction of the overall military budget of almost $600 Billion. Imagine the future potential if the military budget included $2 Billion of scholarships to West Point and Annapolis for promising students to study cyber security and cyber warfare. Imagine the potential of funding $1 Billion in research into cyber warfare initiatives. These should be the budget priorities of the future.

For the time being, however, it is also important to recognize and act on the urgent need for vigilant management of network security profiles, continuous training, and permanent monitoring and management with tools that are available now.

Tapping links and utilizing Firewalls, Intrusion Prevention Systems (IPS), Data Loss Prevention (DLP) and other threat landscape reduction tools are a promising start to deterrence of debilitating breaches from foreign governments as well as domestic hackers. Packet Brokers are capable of providing simplified connection of multiple security tools. These devices allow mapping of data flows to specific tools and provide fail-safe protection to the network in case one of the security tools goes off line. Further, tools may be connected redundantly for maximum security without compromising network availability.

Cyber warfare is the new battlefield. It is quiet but effective. It is hidden from public view but very much a public threat. We have some good tools to fight it now but must up our game for the future. Military investment must maintain our traditional fighting forces but must also support a rapid transition to fighting a new type of war.


Posted: 21/02/2017 16:54:58 by Network Critical with 0 comments

Cyber Skills Gap


Are the bad guys better than the good guys? The Financial Times Cyber Security Summit Europe was held in September. The presentations focused on cyber crime against financial institutions and their vulnerabilities to such attacks. Obviously, this is a lucrative target for criminals because billions of dollars pass through inter-bank transactions and clearing systems. At risk is catastrophic failure of our digital financial system.

First, let’s look at our modern global financial system.

Money is an imaginary system of mutual trust. In fact, money is the most universal and most efficient system of mutual trust ever devised. Throughout human progress in history, we went from bartering a sheep for seed, to trading gold coins for various products and services. Eventually paper currency was developed and backed by empires and governments. Now most of our currency is electronic bits backed by governments and financial institutions. Just as cash money has no intrinsic value, neither does an electronic debit. They are just bits of information stored on a server. However, our trust in the institutions that manage these bits is the foundation of the entire global economic system.

The sum total of money in the world today is about $60 Trillion. The sum total of actual currency in circulation in the world is about $6 Trillion. More than 90% of the money in the world today exists only as bits on computer servers. So, now, how important is managing and securing the servers that maintain this currency? The very survival of our economic system depends on our trust that the underlying currency information is safe and available.

The Society for Worldwide Interbank Financial Telecommunication (SWIFT) provides a network that enables financial institutions worldwide to send and receive information about financial transactions in a secure, standardized and reliable environment. A significant breach of inter-bank transactions sent alarms through the industry.

SWIFT transactions were manipulated in February and August of 2016 by a group called Odinaff. In the February breach, the Bank of Bangladesh lost $81 Million. The SWIFT system is constantly under attack and the skills of the attackers seem to be very sophisticated. Alain Desausoi, CISO at SWIFT, commented at the summit, “We were surprised by the gap between the skills of the attackers and the cyber security practices in the banking industry.” One of the problems discussed is that while the threat is the same worldwide, the necessary skills to manage it are not the same in all countries. The February attack was caught by an alert manager who noticed a typo in a transaction message. If not for that catch, this breach could have been in the billions of dollars.

Back to the skills gap. The financial industry is under attack and will continue to be under persistent attack by cyber criminals who want to steal money, data, identities and more. In order to maintain trust in the system, the industry must close the skills gap between its employees and those of the enormous and well financed hacking industry. The Financial Times summit is a cooperative effort to work through these issues and develop practices to protect our financial systems.

Some of the resolutions that came out of the summit include improved information sharing, more resilient software, improved security practices, traffic pattern detection to identify anomalies, and ensuring banks have the right security partners. The banks understand the enormity of this problem and are working towards solutions to thwart cyber aggression against our most trusted global institution.

Intelligent network monitoring devices coupled with Data Loss Protection, Intrusion Prevention and abnormal activity search and block appliances are being deployed by financial networks around the world. Multiple security appliances are being connected by TAPs and Packet Brokers to provide robust protection without impacting network reliability or availability.

These network protection technologies coupled with consistent employee training, cooperation with local law enforcement and strict access policies will help manage the cyber aggressors for now. Ultimately, upgrading international law enforcement cyber skills, inter-agency cooperation, stiff penalties and ruthless tracking of cyber criminals will be required to maintain our global digital monetary system. We must close the skills gap between the good guys and the bad guys before faith and trust in the system erodes.

Posted: 19/01/2017 16:56:23 by Network Critical with 0 comments

Crime and Punishment…and Protection


Crime

In its 2016 Internet Organized Crime Threat Assessment report, the European Cybercrime Center stated: “The volume, scope and material cost of cybercrime all remain on an upward trend and have reached very high levels.” Another report from BT and KPMG stated that, “Criminal groups who mount a constant assault on legitimate businesses are not simply members of an amorphous underworld. They are, in fact operated as rational hard-nosed businesses with their own clearly defined business models and money making scams.”

Given the above information, here is an interesting report. According to a Zurich Insurance Group survey of small and medium sized businesses, about 11 percent of respondents said they worried about cyber-crime. This is not a typo and your eyes are not playing tricks. Also note, this is not a small sample. The survey polled 2600 C-level executives from 13 countries for this study. However, even though the number is small, it is the fastest growing perceived business risk category. So, it appears that although cyber-crime awareness is relatively weak in small and medium businesses, it is growing.

Law enforcement, however, is paying attention. About 200 delegates from 56 countries met in Singapore the last week of September to discuss best practices for overcoming the many steep challenges of fighting cyber-crime and bringing perpetrators to justice.

Punishment

As reported in SC Magazine UK, Nazariy Markuta, a hacker for D33D Company, has been convicted and will spend two years in prison by the UK’s National Crime Agency. Two years! That is not a typo either, two years! Now, this is a guy who is believed to be involved in the leak of 450,000 email addresses and passwords from Yahoo!’s contributor network. Further, when he was arrested, agents found thousands of payment card records in his possession. But wait, there is more…between 2012 and 2014 Markuta had attacked a video game reseller and SMS messaging service. He actually was sentenced to 11 years after pleading guilty to 8 counts of hacking and fraud, but the sentences will run concurrently, leaving him locked up for only two years!

Time for a little editorial comment…So, look. Cyber crime is no joke. It hurts real people and causes severe financial distress for victims. Global losses are estimated to be in the Billions of dollars annually. It is also difficult to track, arrest and prosecute perpetrators. Cyber theft of payment cards and personal information should be treated just like bank robbery or any other high crime. Ransomware hackers who disable systems and hold the encryption key for ransom should be tracked down and treated like any extortionist. Phishers, whalers and other criminals with cute cyber names should be given stiff sentences with little leniency. What about an international treaty that requires a minimum sentence of 20 years prison time and no cell phone or tech access? It seems that international cooperation and internet crime legislation have not yet caught up to the cyber world. Hopefully, that will change soon.

Protection

Until our lawmakers, judges and leaders catch up with the connected world, all we can do is to be careful, aware and protected. I had just read a report from a company called Mimecast that offers some sage tips to help protect against whaling, a cyber crime where the perpetrator sends an email pretending to be a high level company official asking a subordinate to send money. For example, a US networking company called Ubiquiti was victimized to the tune of $46 million in 2015 by a whaling attack. Here are some anti-whaling ideas:

  • Educate senior management and finance teams about this type of attack so they can be aware of the whaling tactics.
  • Carry out tests within your organization to gauge staff vulnerability.
  • Consider technology that alerts users when an email is coming from outside the corporate network.
  • Subscribe to domain name registration so that you will be alerted to domains that look like or are similar to yours.
  • Review financial practices. Insist that multiple signatures and requisition review be done prior to any large fund distribution.
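
The third and fourth tips can be combined into a single check on the From header of incoming mail. The sketch below is an added example, not code from Mimecast or Network Critical; the corporate domain, the executive names, the warning labels and the sample headers are all constructed assumptions.

```python
from email.utils import parseaddr

# Assumed values for illustration only: substitute your own domain and names.
CORPORATE_DOMAINS = {"northwind.example"}
EXECUTIVES = {"dana whitfield", "sam ortega"}  # hypothetical executives

# Character sequences often swapped in to make one domain resemble another.
CONFUSABLES = (("rn", "m"), ("vv", "w"), ("0", "o"), ("1", "l"))


def skeleton(domain):
    """Collapse visually confusable sequences so look-alikes compare equal."""
    d = domain.lower()
    for fake, real in CONFUSABLES:
        d = d.replace(fake, real)
    return d


def edit_distance(a, b):
    """Levenshtein distance (insert, delete, substitute) using two rows."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def is_lookalike(domain, max_distance=2):
    """True if the domain is not ours but is within a few edits of one of ours."""
    domain = domain.lower()
    if domain in CORPORATE_DOMAINS:
        return False
    return any(
        edit_distance(skeleton(domain), skeleton(own)) <= max_distance
        for own in CORPORATE_DOMAINS
    )


def triage(from_header):
    """Return the warnings a mail gateway could attach to a message."""
    display, address = parseaddr(from_header)
    domain = address.rpartition("@")[2].lower()
    warnings = []
    if domain not in CORPORATE_DOMAINS:
        warnings.append("EXTERNAL")                # tip 3: mark outside mail
        if is_lookalike(domain):
            warnings.append("LOOKALIKE_DOMAIN")    # tip 4: similar domain
        if display.strip().lower() in EXECUTIVES:
            warnings.append("EXEC_NAME_FROM_OUTSIDE")
    return warnings


# Constructed sample From headers, not taken from any real incident.
SAMPLES = [
    "Dana Whitfield <dana.whitfield@northwind.example>",
    "Dana Whitfield <dana.whitfield@northvvind.example>",
    "Dana Whitfield <dwhitfield.ceo@mail-service.example>",
    "Billing <invoices@supplier.example>",
    "it-support@northwnid.example",
]

if __name__ == "__main__":
    for header in SAMPLES:
        print(f"{header:55} {triage(header)}")
```

A message carrying any of the last two warnings together with a payment request is a natural trigger for the multiple-signature review in the final tip.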

Cyber crime is one of the fastest growing businesses on the global landscape. Law enforcement and the legislators are struggling to catch up with the new and evolving types and styles of cyber theft and extortion. Until that happens, it is up to individuals and companies to read, learn and be aware of potential threats coming at you in cyber space.


Posted: 29/12/2016 22:53:37 by Network Critical with 0 comments