
Phishing: Understanding Your Cyber Adversaries

Nearly two years ago, an infamous incident occurred where stolen pictures of celebrities flooded the internet. Originally, it was thought that this was due to an iCloud vulnerability that allowed a brute force attack. But it now turns out it was because of a simple social engineering phishing hack.

Phishing usually involves sending mass emails that masquerade as legitimate communications, coming from a trustworthy source like a big bank or credit card company. The phisher seeks to trick the recipient into clicking on a link or opening an attachment that downloads malware onto the victim’s computer. The malware can then be used for criminal activity including theft of sensitive data or money. While phishers may send thousands of emails, all they need are a few or even one individual to fall for their trick to get into the IT system. It’s easy to forget that security threats aren’t always the work of sophisticated technology geniuses with malevolent intent. As in the case of the celebrity photos, the method was relatively simple. However, it still caused reputational damage.

Cyber attacks don’t appear out of nowhere. At the beginning and right through development and attack, humans are involved. Recently, we profiled half a dozen types of attackers. We call them the “Unusual Suspects.” An attack might start with the Professional working in the digital shadows seeking to make the most money possible from the damage they cause. Then you’ve got the Mules and Getaways who are on the front line, and will be the first to get caught when the law comes knocking. There are also Activists and Nation State Actors who are looking to change the world or steal information on behalf of their country’s government. And then there’s the Insider leaking sensitive information accidentally or on purpose with malicious intent.

[Image: BAE Systems, "The Unusual Suspects"]

These are just some of the personas BAE Systems recently identified as key threats to businesses; without them, cybercrime can’t exist.

Wising up to phishing attacks

In the IT space, one of the most common ways cyber criminals target employees of a company is through phishing. In the aforementioned celebrity photos case, court documents said Ryan Collins, 36, of Pennsylvania, hacked more than 100 people. According to reports in the press he used email names like ‘e-mail.protection318@icloud.com’ and asked for password details.

With these credentials, the hacker was able to go through email accounts looking for photos and videos, managing to get into around 50 iCloud accounts and 72 Gmail accounts mostly belonging to celebrities. It’s quite easy to imagine the damage hackers could cause if they got hold of corporate emails – think of the damage the 2014 Sony hack inflicted.

You can’t patch a human

Employees will always be a weak spot, and clever social engineering is leading to more examples of how this weakness can be exploited. The effects can be devastating. For example: a company that collects credit card data from its customers is at risk of a major data breach from a single employee clicking on an email leading to a website laced with malware. The financial and/or reputational damage and the related fines or compensation claims that result could be significant.

At its core, combating social engineering is a human problem that requires human solutions. In certain cases victims may violate policies, but it may often be the case that the rules or training were not clear enough for the employee to know they were doing something that could have serious consequences. And because humans are behind social engineering attacks, they are capable of evolving, matching the way the business world is using technology.

To mitigate social engineering attacks, there needs to be security awareness and a security culture from top to bottom. This might mean ongoing training for employees to understand the threats, as well as the right policies and procedures in place. This helps employees understand the risk from social engineering and what role they have in preventing it. Remember, this all has to be done in tandem with putting the right technology in place.

Defeating the Unusual Suspects

Defending against cyber threats is all well and good, but what about catching these Unusual Suspects? This is difficult, because they use sophisticated tactics to escape detection: they are located all over the world, use secure software to remain anonymous, and often route communications through multiple countries to avoid being caught.

Fortunately, this is a case where human fallibility is a good thing: criminals will make mistakes and leave digital fingerprints that sophisticated analytics and forensic analysis can pick up. Finally, don’t underestimate the power of human ingenuity. Thanks to the efforts of security professionals, we’re finally getting to a point where the investigation of online crime is slowly being demystified and defenses are being put in place to mitigate the threat.

Gaining Cyber Confidence With a CISO

Businesses aren’t the only ones struggling to ramp up budget allocations to fortify against cyberrisk. In his new $4.1 trillion budget proposal, President Obama has asked for $19 billion for cybersecurity efforts, a 35% increase from last year.

The president directed his administration to “implement a Cybersecurity National Action Plan (CNAP) that takes near-term actions and puts in place a long-term strategy to enhance cybersecurity awareness and protections, protect privacy, maintain public safety as well as economic and national security, and empower Americans to take better control of their digital security.” In addition to a cybersecurity awareness campaign targeting both consumers and businesses, the plan calls for government-wide risk assessments, a nation-wide push for a range of better consumer data security measures, and a range of initiatives to attract more and better cybersecurity personnel. Some of these new employees will offer cybersecurity training to more than 1.4 million small businesses, and the Department of Homeland Security is expected to double the number of cybersecurity advisors available to assist private sector organizations with risk assessments and the implementation of best practices.

Obama’s plan also takes a page from the private sector, creating the position of Federal Chief Information Security Officer to drive cybersecurity policy, planning and implementation across the federal government.

Many organizations have begun to see concrete value from adding CISOs to the C-suite. According to a recent study from ThreatTrack Security, companies with a CISO are more confident about the technology they use to combat malware (83% versus 63% at organizations without one). This is particularly notable as only 20% of those surveyed said their defenses against hackers have improved in the past year—about half of those who said the same in 2013.

“Perhaps CISOs have a better handle on what solutions to implement or are better equipped and positioned in the organization to ensure their team has the solutions they need to defend the organization,” the report said.

Organizations with a CISO also feel more confident about their ability to address cyberrisk. When asked if they felt able to personally guarantee the security of customers’ data, 71% of respondents from companies with a CISO said yes, while only 29% could say the same without someone in this role. CISOs are also making a huge impact on breach preparation and incident response. When it comes to having an incident response team or security operations center to identify and respond to cyberattacks, 94% of respondents at organizations with a CISO had these resources in place, compared to just 49% without one. Concerningly, however, the overall number was 80%, 6% lower than in 2013.

When asked how defending their organization against cyberthreats had changed over the last year, 45% of respondents said nothing had changed, while 35% recognized that it has gotten harder to fight cyberrisks.

ThreatTrack Security found CISOs have also boosted corporate compliance with regard to cybercrime, with only 11% of companies failing to report breaches to customers, partners or other stakeholders, compared to 57% in 2013.

Cyber Insurance Purchasing Up, But Breaches Felt in Prices and Limits

NEW YORK—At yesterday’s Advisen Cyber Insights Conference, Zurich and Advisen released the fifth annual Advisen Cyber Survey of U.S. risk managers, finding a 9% acceleration in cyber liability insurance purchasing from 2014 to 2015. The firm has seen a 26% increase in the number of respondents who have coverage since the first survey in 2011.

Companies are taking cyberliability more seriously, Zurich reports, with the number of organizations developing data breach response plans up 10% from last year. What’s more, companies appear to be better recognizing the sheer amount of value at risk, with two-thirds of respondents saying they have either increased their policy limits or are considering doing so. While Zurich found that more organizations view information security as an organizational challenge rather than the purview of the IT department alone, and respondents said that boards and executive management are taking cyberrisk more seriously, those who have not yet obtained cyber coverage say it is because their superiors still do not see the need. There is also still a considerable difference in take-up rates between large corporations and small and mid-sized businesses, with Catherine Mulligan, senior vice president and national underwriting manager of specialty E&O, telling the audience there is an approximate 20-point spread between the groups.

“This year’s cyber survey shows that demand for coverage and higher limits has increased tremendously and we at Zurich have seen double digit growth year over year,” said Bryan Salvatore, president of specialty products for Zurich North America. “That is why we are heavily invested in identifying risks and delivering solutions and why we are committed to staying at the forefront of this issue.”

Marsh has also seen considerable growth in cyber liability insurance purchasing among its clients. According to Marsh’s new midyear cyber benchmarking report, the number of U.S.-based Marsh clients purchasing standalone cyber insurance increased 32% in the first half of 2015, up from 26% growth during the same period in 2014. By sector, the education industry showed the biggest growth, with 155% more clients purchasing the coverage, followed by power and utilities with a 100% increase and manufacturing with a 76% increase. The healthcare sector remains Marsh’s largest buyer of cyber coverage, with 41% of all clients in this industry purchasing it by the end of the first half of 2015.

[Chart: Cyber liability insurance growth rates]

Sessions throughout the conference made clear that insurers—and the industry at large—are still struggling with what is also risk managers’ biggest challenge: data. Completely evaluating the true value at risk with cyber liability continues to elude both sides, although many new approaches and consultancy services are emerging. Further, the dearth of actuarial data not only compounds the challenges of the cyberrisk assessment process, but also makes it hard for the industry to set pricing and limits with confidence.

“It is hard for insurers to be prudent with cyber as risk managers often do not fully understand how to measure their exposure,” Mulligan said.

“Actuarial data is the Holy Grail of the cyberinsurance market: we’re all searching for it and it’s just not there,” said Bob Parisi, cyber product leader at Marsh, who moderated a session on the struggle to quantify and model cyberrisk.

In addition to the actuarial uncertainty, the considerable number of large losses over the past few years is continuing to push up the cost of cyber, forming what Willis executive vice president Peter Foster described as a “hot” market that will have to cool and solidify with time. Parisi chose to describe the market as “brittle” after absorbing several hundred million dollars in losses, and a range of insurers and brokers reported that premiums have increased dramatically as a result. The Marsh study found that price increases across industries averaged 19%, with 32% increases among retailers, the most frequently breached sector over the past few years.

[Chart: Cyber insurance limits purchased]

While these breaches and better estimates of the real cost of cyber incidents have helped many companies realize they may be underinsuring for cyber liability, the move to correct this is getting more difficult. Insurers have said repeatedly that there is plenty of capacity in the cyberinsurance market and many buyers have increased the limits purchased, but higher limits of liability are increasingly hard to come by, and none really exist in excess of $100 million. Particularly for businesses that have yet to implement serious efforts to address information security, rate increases appear sure to continue, and simply buying more coverage will not only be unsustainable, but may not even be possible as insurers give more thought to the capacity they are willing to commit to these risks.

“There is just not enough capacity to extend $50 to $100 million limits to every account,” said Greg Vernaci, AIG’s head of cyber in the United States and Canada. “We are looking to reward those companies with a robust information security posture who go beyond and take a multifaceted approach to managing cyberrisk.”

Automation: The Key to More Effective Cyberrisk Management

[Image: Cybersecurity automation]

In a perfect cybersecurity world, people would only have access to the data they need, and only when they need it. However, IT budgets are tighter than ever and, in most organizations, manually updating new and existing employees’ access levels on a consistent basis is a time-consuming productivity-killer. As a result, there’s a good chance an employee may accidentally have access to a group of files that they should not. As one can imagine, security that is loosely managed across the enterprise is a breeding ground for malware.

The velocity of cyberattacks has accelerated as well. It is easier than ever for cyber criminals to access exploits, malware, phishing tools, and other resources to automate the creation and execution of an attack. Digitization, Internet connectivity, and smart device growth are creating more vectors for attackers to gain an entry point into an organization’s network, and this trend only gets worse as you think about the Internet of Things, which could have concrete impact on machines from production equipment to planes and cars.

One way IT departments can help mitigate the cyberrisk of employee access overload is through automating security policies and processes such as the monitoring, detection and remediation of threats. In the past, organizations have spent a lot on prevention technologies: disparate point solutions such as anti-virus software and firewalls that try to act before an attack occurs. Prevention is important but not 100% effective. And how could technology used for prevention stop a cyber-attacker that has already infiltrated the network? If prevention were the end-all, be-all in security tools, we wouldn’t be reading about cyberattacks on a daily basis. As more companies realize this, spending is shifting toward detection and response.

To help determine cyberrisk—or better yet, safely manage your cyberrisk—you must look at the threat (which is ever growing due to constant attacks and advanced techniques), vulnerability (how open your data is to cyberattacks), and consequence (the amount of time threats are doing damage in your network). Or, more simply put: risk = threat × vulnerability × consequence (time).

To manage your cyberrisk, you need to optimize at least one of the aforementioned variables. Unfortunately, threat is the one variable that cannot be optimized because hackers will never stop attacking and are creating malware at an escalating rate. In fact, a G DATA study showed that 6 million new malware strains were found by researchers in 2014—almost double the number of new strains found the previous year. Instead, what organizations can focus on is investing in the right solutions that target the remaining two variables: vulnerability and consequence.

  • Step One: Organizations must make sure they know their environments well (such as endpoints, network, and access points) and know where their sensitive information lives. It’s always a good idea to rank systems and information in terms of criticality, value and importance to the business.
  • Step Two: Organizations must gain increased visibility into potential threat activity occurring in the environment. As is often said, there are two types of companies: those that have been attacked and those that have been attacked and don’t know it. A way to increase visibility is through the deployment of behavior-based technology on the network, like sandboxes. Organizations are now shifting their focus to the endpoint. Today’s attacks require endpoint and network visibility, including correlation of this activity. The challenge with visibility is that it can be overwhelming.
  • Step Three: There needs to be some process or mechanism to determine which alerts matter and which ones should be prioritized. In order to gain increased visibility into environments and detect today’s threats, organizations clearly need to deploy more contemporary detection solutions and advanced threat analytics.
  • Step Four: Invest more in response and shift the mindset to continuous response. If attacks are continuous and we are continuously monitoring, then the next logical step is to respond continuously. Historically, response has been episodic or event-driven (“I’ve been attacked – Do something!”). This mindset needs to shift to continuous response (“I’m getting attacked all the time – Do something!”). A key ingredient to enable continuous incident response will be the increasing use of automation. Why? Automation is required to keep up with attackers who are leveraging automation to attack. It’s also required to address a key challenge that large and small companies face: the significant cybersecurity skills shortage.

Advanced threat analytics should be important to any organization that takes its security posture seriously. The majority of threats being faced today are getting more advanced by the minute. If an organization relies solely on legacy, signature-based detection, its defenses will be easily breached. It’s important for teams to understand that the cyber defense and response capabilities of an organization must constantly evolve to match the evolving threat landscape. This includes both automatic detection and remediation. Automatic remediation dramatically reduces the time that malware can exist on a network and also reduces the amount of time spent investigating the issue at hand. Automated security defenses give IT teams a forensic view of every packet that moves through the network and allow them to spot anomalies and threats before they have a chance to wreak havoc. And since these tools are automated and work at machine speed, they can deal with a high volume of threats without requiring human intervention, taking some of the load off overburdened security teams and ultimately freeing them to act decisively and quickly, before network damage is done.