Special Report: Cyber Risk and Security
From Facebook to The Washington Post to Target – 2013 showed us that no matter what, personal data is at risk, more so than ever before.
In 2013, just some of the major cybersecurity breaches included:
- Twitter, Pinterest, Facebook were hacked, and user email addresses and passwords were obtained.
- Nearly 40 million Target customers’ credit and debit card numbers were stolen in the middle of the shopping season.
- The New York Times and Wall Street Journal computer networks were hacked in January.
- In October, Adobe reported that 3 million customers’ credit card information was stolen.
- The U.S. Department of Homeland Security revealed that Social Security numbers, birth dates and names were exposed in an error in the software it uses to process employees’ background checks.
- The Federal Reserve Bank website was hacked by Anonymous.
The Business Costs
As the number of cyber attacks increases, the cost, frequency and time to resolve them increase as well.
Conducted by the Ponemon Institute and sponsored by HP Enterprise Security Products, the 2013 Cost of Cyber Crime Study found that the average annualized cost of cybercrime incurred by a benchmark sample of U.S. organizations was $11.56 million, representing a 78-percent increase since the initial study was conducted four years ago. The results also revealed that the time it takes to resolve a cyberattack has increased by nearly 130 percent during this same period, with the average cost incurred to resolve a single attack totalling more than $1 million.
The sophistication of cyberattacks has grown sharply in recent years, as adversaries both specialize and share intelligence in order to obtain sensitive data and disrupt critical enterprise functions. According to the 2013 Cost of Cyber Crime Study, security intelligence tools such as security information and event management (SIEM), network intelligence systems and big data analytics can significantly help to mitigate data threats and reduce the cost of cybercrime.
The study also found:
- The average annualized cost of cybercrime incurred per organization was $11.56 million, with a range of $1.3 million to $58 million. This is an increase of 26 percent, or $2.6 million, over the average cost reported in 2012.
- Organizations experienced an average of 122 successful attacks per week, up from 102 attacks per week in 2012.
- The average time to resolve a cyberattack was 32 days, with an average cost incurred during this period of $1,035,769, or $32,469 per day – a 55-percent increase over 2012’s estimated average cost of $591,780 for a 24-day period.
- Information theft continues to represent the highest external costs, with business disruption a close second. On an annual basis, information loss accounts for 43 percent of total external costs, down two percent from 2012. Business disruption or lost productivity accounts for 36 percent of external costs, an increase of 18 percent from 2012.
- Organizations using security intelligence technologies were more efficient in detecting and containing cyberattacks, experiencing an average cost savings of nearly $4 million per year, and a 21-percent return on investment (ROI) over other technology categories.
- Deployment of enterprise security governance practices including investing in adequate resources, appointing a high-level security leader, and employing certified or expert staff can reduce cybercrime costs and enable organizations to save an estimated average of $1.5 million per year.
Survival of the Fittest
Given the level of risk to a business, cyber crime has been named the greatest global threat to an enterprise’s survival, says a study by Ernst & Young.
Under cyber-attack, EY’s 16th annual Global Information Security Survey 2013, released in October 2013, tracked the level of awareness and action by companies in response to cyber threats and canvassed the opinion of more than 1,900 senior executives globally. The results show that even as companies continue to invest heavily to protect themselves against cyber attacks, the number of security breaches is rising, and it is no longer a question of if, but when, a company will be the target of an attack.
Thirty-one percent of respondents reported that the number of security incidents within their organization had increased by at least five percent over 12 months. Many have realized the extent and depth of the threat posed to them, and information security is now ‘owned’ at the highest level within 70 percent of the organizations surveyed.
Paul van Kessel, EY Global Risk Leader, said “The survey shows that organizations are moving in the right direction, but more still needs to be done – urgently. There are promising signs that the issue is now gaining traction at the highest levels. In 2012, none of the information security professionals surveyed reported to senior executives – in 2013 this jumped to 35 percent.”
Despite half of the respondents planning to increase their budget by five percent or more in the next 12 months, 65 percent cited an insufficient budget as their number one challenge to operating at the levels the business expects; and among organizations with revenues of $10 million or less this figure rises to 71 percent.
Of the budgets planned for 2014, the survey said that 14 percent is earmarked for security innovation and emerging technologies. As current technologies become further entrenched in an organization’s network and culture, organizations need to be aware of how employees use the devices, both in the workplace and in their personal lives, the survey said. This is especially true when it comes to social media, which respondents identified as an area where they still feel unsure of their capability to address risks.
According to the survey, “Organizations need to be more forward-looking. Moreover, if organizations are putting all their energy into addressing current technology issues, how will they protect themselves against technologies that are just around the corner or are about to appear on the horizon? If organizations still don’t have a high level of confidence after four years of mobile device use in the workplace, how will they face the challenge of managing and defending against personal and hosted clouds for example?”
Although information security is focusing on the right priorities, in many instances, the function doesn’t have the skilled resources or executive awareness and support needed to address them.
In particular, the gap is widening between supply and demand, creating a sellers’ market, with 50 percent of respondents citing a lack of skilled resources as a barrier to value creation. Similarly, where only 20 percent of previous survey participants indicated a lack of executive awareness or support, 31 percent now cite it as an issue.
Van Kessel concluded: “Organizations must undertake more proactive thinking, with tone-from-the-top support. Greater emphasis on improving employee awareness, increasing budgets and devoting more resources to innovating security solutions is needed. The pace of technology evolution will only accelerate – as will the cyber risks, and not considering risks until they arise gives cyber attackers the advantage, jeopardizing an organization’s survival.”
Securing Mobile Devices: Five Guiding Principles
The need to be extremely mobile in today’s work environment, taking data wherever we go, has led us to ask how exactly a company ensures that sensitive data is safeguarded. Answering this is a constant priority for many organizations, especially now, when mobile devices have become an absolute necessity in the workforce and contain more personal and confidential information than ever before.
We’re living in an age where we’ve become accustomed to communicating instantly and accessing data from our fingertips, but we’ve yet to fully understand the true complexity of mobile security and how vulnerable businesses are without the proper safeguards in place.
Here are a few principles to help guide the implementation of smart, secure solutions.
1. Secure through Policy: Governments should help influence industry-wide mobile security standards. Adherence to these standards provides the assurance that the information can be trusted and suitable for use by some of the most security-conscious organizations in the world. This is the cornerstone in developing the necessary trust and confidence in the online economy. As more and more workers merge their private and business lives on their mobile devices, this principle becomes essential to their safety and privacy.
2. Secure through Encryption: The mobile technology industry should ensure that security is a key element in how they develop products so that customers can rely upon the mobile platform of their choice to untether their business.
3. Secure through Promotion: Company leaders need to ensure employees are educated on the importance of mobile safety and the risks involved to both business and personal data. Educational campaigns should encourage employees to be diligent in protecting personal mobile devices and should offer mobile safety tips, including using strong passcodes and changing them frequently, using the lock function on mobile devices, and being mindful of private credentials when using public Wi-Fi connections.
4. Secure through Separation: Companies and even government agencies are increasingly allowing their employees to use their personal smartphones for work-related communications and, as a result, consumers are carrying sensitive personal and business data with them everywhere they go. To increase security and prevent accidental data loss, it is critical that organizations provide users with solutions that keep their work and personal spaces separate, such as containerization.
5. Secure through Future Planning: Policymakers, enterprises and consumers alike all have a stake in mobile security. Sharing knowledge and best practices is vital to ensure we keep up with the latest security solutions, which is why public-private partnerships composed of experts across multiple sectors should be formed to discuss security issues. Having worked on these issues for many years, it’s clear that everyone could benefit from a more streamlined and collaborative approach to data security.
About the Author:
Mike K. Brown is Vice President for Security Product Management and Research, BlackBerry.
Collaboration In Depth
Knowing that there is no single cybersecurity silver bullet, we advise our customers on the concept of security in depth – a multi-layered approach to cyber defense that employs various solutions to provide the most comprehensive protection against today’s online threats.
Equally important in today’s enterprise is the concept of collaboration in depth, through which CSOs are increasingly sharing advanced cyber-defense solutions with their CIOs and IT departments. By sharing technology, CSOs are breaking down institutional silos, freeing their teams to focus on the most critical threats and making their organizations’ security their top priority.
Take a customizable malware analysis sandbox for example. Designed for identifying new malware, analyzing its behavior and developing countermeasures to remediate those threats, this technology has mostly been the exclusive domain of highly skilled malware researchers. As these solutions have evolved and become easier to use, we are seeing their application extend beyond CSOs and their teams to become an increasingly valuable tool for IT departments, where the majority of frontline network security responsibilities still reside.
When Malware Strikes, Where Do You Start?
Consider the security challenges facing an enterprise IT department supporting thousands or even tens of thousands of employees doing business on endpoints in multiple geographies. You’re talking about dozens or more different system configurations, operating systems, language packs, different combinations of multiple versions of third-party applications, custom applications built in-house and more. Now imagine that IT discovers malware slipping past your antivirus and other defenses. Users are complaining, productivity is slowing and your data is at risk.
Which Systems Globally are at Risk?
A customizable malware analysis sandbox can be deployed by IT to address these situations more efficiently and effectively, enabling them to do more and know more before calling your team for support. First, users customize their sandboxes to replicate every endpoint configuration they manage, including the OS version and service packs, and whichever versions of third-party applications like Adobe Reader, Java or the browser they are using. Then, by submitting the malware to the sandbox, it is executed across all those system configurations, identifying which system profiles are vulnerable. In minutes, an IT department will know which systems need to be addressed immediately.
All of this can easily be accomplished by most IT departments with no advanced cybersecurity skills on staff. Moreover, they will more quickly identify serious threats for CSOs and their teams to address.
Be Proactive and Get Prepared
Another way IT departments are utilizing sandboxes is to quantify their risk when new malware starts making headlines. Before they even have reports of infection, teams obtain samples of the latest malware scare and submit files to their sandbox to test across all their endpoint profiles. In minutes they will know what percentage of their endpoints are vulnerable to a new malware strain, enabling them to push out patches, alert local team members, update perimeter defenses and take other preventative measures.
Are We Ready To Patch?
Another security challenge IT departments contend with is when to apply patches. Many teams are still reluctant to apply patches as soon as they are issued, instead preferring to see how the broader user-base reacts and what issues they report. From a security standpoint, CSOs know that patching is critical. Again, a malware analysis sandbox is proving to be a valuable tool to help IT departments feel more confident about deploying patches without impacting security or productivity.
Making the Upgrade Argument
IT budgets aren’t what they used to be. Forget about the old upgrade cycle; it’s long gone. IT professionals are squeezing every last drop of value out of existing hardware and software.
A sandbox can help IT make a strong ROI argument for upgrades that also ties with a topic increasingly on the mind of senior management and board members: data breaches. Your senior leadership is concerned about liability, fines and damaging headlines. By executing malware in your sandbox across your entire application stack, you can quantify your risk profile and make a compelling argument that it’s finally time to upgrade that OS or long overdue to retire that old version of Microsoft Office, no matter how resistant users are to change.
Strong collaboration between CSOs and CIOs is key to strengthening enterprise cybersecurity, which is why it is encouraging to see more and more of these teams sharing technologies and deploying them in innovative new ways to solve everyday security challenges.
About the Author:
Julian Waits, Sr., is president and CEO of ThreatTrack Security Inc.
Cyber Espionage and Insurance Coverage
In the United States alone, it is estimated that the cost of “[c]yber-espionage and other malicious cyber crimes . . . [is] between $24 billion and $120 billion annually.” In 2008, the U.S. Department of Defense’s classified security networks were significantly compromised by foreign cyber-espionage. Indeed, in June 2008, “150 computers in the $1.75 billion computer network at the Department of Homeland Security were quietly penetrated with programs that sent an unknown quantity of information to a Chinese-language Web site.” In 2010, “[t]he reported hacking of Google . . . targeted not only access to dozens of Gmail user accounts of Chinese human rights activists, but also Google’s Intellectual Property.” In 2012, the average company in the Ponemon benchmark sample experienced 1.8 successful cyber-attacks per week, at an average annualized cost of $8.9 million. So the question arises: are the cyber-activities of foreign countries against the United States “cyber-warfare”? If the answer is yes, do the “war” and “terrorism” exclusions of a cyber liability policy apply to bar coverage?
What Does a Cyber Liability Insurance Policy Cover?
A cyber liability policy covers e-business; the Internet; computer networks; the use of a computer; privacy issues; computer virus transmission; and other means by which compromised data is passed to a third party. Broadly speaking, a cyber liability policy affords first-party coverage (property and theft) and third-party coverage (privacy and data security).
First-party liability is for disclosure notification costs, crisis management expenses, business interruption expenses, damage resulting from theft, and damage resulting from threats (including the cost of professional negotiators and ransom). Third-party liability is for lawsuits that seek damages resulting from unauthorized access to or dissemination of an individual’s private information, intellectual property infringement, and reputation injury (including suits alleging libel or slander). Damages incurred as a result of war are excluded from coverage under a cyber liability policy. Typically, a “war” exclusion precludes coverage for damage arising from “insurrections,” “riots,” “civil commotion,” “hostilities” and “acts of war.” These terms, however, are undefined in a cyber liability insurance policy.
What Is Cyber-Espionage, Cyber-Activity and Cyberwar?
Cyber-espionage is defined as a“[n]etwork penetration to learn how to steal information, prepare the network for theft, or commit theft.” A cyber-attack and cyber-warfare, however, are defined more broadly. A cyber-attack is “any action taken to undermine the function of a computer network for a political or national security purpose.” The U.S. Army's DCSINT Handbook No. 1.02 defines “cyber-attack” as “[t]he premeditated use of disruptive activities, or the threat thereof, against computers and/or networks, with the intention to cause harm or to further social, ideological, religious, political or similar objectives. Or to intimidate any person in furtherance of such objectives.” “Cyberwar is defined as the use of computers to disrupt the activities of an enemy country, especially the deliberate attacking of communication systems.”
Is a State-Sponsored Cyber-Espionage Attack Excluded Under a Cyber Liability Insurance Policy?
In Pan American World Airways v. Aetna Casualty & Surety Co., the Second Circuit defined the scope of a “war” exclusion in an insurance policy. The Court held that the hijacking at issue did not constitute a warlike act for purposes of the war exclusion clause. In reaching this holding, the Court first noted that the terms in the policy’s exclusionary provision all related to violent acts, and therefore for any action, state-sponsored or otherwise, to fit within the exclusion, it too must be violent in nature. Although the hijacking in Pan American was violent, because it was not state-sponsored it could not fit within the exclusionary provision at issue.
The “war” and “terrorism” exclusions in a typical cyber liability policy are similar to the one found in Pan American. The war exclusion at issue in Pan American excluded from coverage all damage resulting from:
1. Capture, seizure, arrest, restraint or detention or the consequences thereof or of any attempt thereat, or any taking of the property insured or damage to or destruction thereof by any Government or governmental authority or agent (whether secret or otherwise) or by any military, naval or usurped power, whether any of the foregoing be done by way of requisition or otherwise and whether in time of peace or war and whether lawful or unlawful (this subdivision 1. shall not apply, however, to any such action by a foreign government or foreign governmental authority following the forceful diversion to a foreign country by any person not in lawful possession or custody of such insured aircraft and who is not an agent or representative, secret or otherwise, of any foreign government or governmental authority);
2. War, invasion, civil war, revolution, rebellion, insurrection or warlike operations, whether there be a declaration of war or not [hereinafter “clause 2”];
3. Strikes, riots, civil commotion [hereinafter “clause 3”].
To the extent violence is a necessary component of establishing a warlike action, it is unlikely cyber-espionage will fit within the war exclusion provision of a typical cyber liability policy. By definition, cyber-espionage amounts to, at most, theft and spying. Moreover, in the field of international diplomacy, espionage in all forms has long been recognized as an acceptable and legal form of information gathering.
Others, however, opine that some cyber-activities can constitute acts of war. In 2009, President Obama declared that “our digital infrastructure – the networks and computers we depend on every day – will be treated as they should be: as a national strategic asset…” President Obama goes on to state, “In one of the most serious cyber incidents to date against our military networks, several thousand computers were infected last year by malicious software – malware. And while no sensitive information was compromised, our troops and defense personnel had to give up those external memory devices – thumb drives – changing the way they used their computers every day. And last year we had a glimpse of the future face of war. As Russian tanks rolled into Georgia, [cyber-attacks] crippled Georgian government websites. The terrorists that sowed so much death and destruction in Mumbai relied not only on guns and grenades but also on GPS and phone using voice-over-the-Internet. For all these reasons, it’s now clear this cyber threat is one of the most serious economic and national security challenges we face as a nation.”
Since President Obama’s 2009 declaration, references to cyber-espionage and cyber-attacks as “cyber-warfare” have become popular rhetoric. One commentator has noted that, in light of the damage that can be inflicted via cyber-attacks, “[t]he question today is not whether a cyber-attack can constitute an armed attack – it can – but ‘whether a cyber-attack with a specified effect constitutes a use of force.’” Another view is that even cyber-exploitation (as distinct from cyber-espionage) can, in certain circumstances, constitute an act of war. Based on the commentary over “cyber-warfare,” more severe cyber-attacks could arguably rise to the level of an act of war, and may be excluded from coverage.
Is A Non-State-Sponsored Cyber-Terrorism Attack Excluded Under A Cyber Liability Insurance Policy?
The question of whether a claim arising out of non-state-sponsored cyber terrorism is excluded from coverage under the “war exclusion” of a cyber liability policy is much more straightforward. Because terrorist activities – under most circumstances – do not constitute acts of war, they fall outside the ambit of the “war exclusion.” However, precisely because of this, many policies now explicitly exclude terrorism as well. In this instance, the issue confronting an insured is whether cyber-activity causing either first- or third-party damage constitutes terrorism.
The Terrorism Risk Insurance Program Act (as amended) may apply to cyber-terrorism. “The Act has two separate arms: the mandatory participation arm and the compensation arm.” The participation arm requires certain insurance providers to offer coverage that includes damage from terrorist activities, and the compensation arm requires the federal government to pay claims against the insurer after certain deductible thresholds are met. Because the Terrorism Risk Insurance Program Act prohibits insurers from excluding claims arising out of terrorism, if the Act applies to a cyber liability policy, then arguably the “terrorism exclusion” may be struck from the policies that contain it. In such a case, claims arising from cyber-terrorism could be covered even under policies that contain a terrorism exclusion.
Ultimately, the “war” and “terrorism” exclusions in a cyber liability policy may preclude coverage for a cyber-espionage or cyber-activity attack. It appears that coverage turns on the intent of the attacker and the definition of war and terrorism. As one commentator has noted, “[t]he difficulty of attaining coverage for cyber losses stems not from exclusions to coverage . . . but from the absence of initial coverage in the basic agreement.” I leave you with one final thought, does a cyber liability policy afford coverage to a hacker that is part of a terrorist organization? The answer remains to be seen.
About the Author:
Alba Alessandro is a partner with the law firm Hodgson Russ LLP where she concentrates her practice on insurance coverage matters, with a focus on directors and officers liability. Prior to joining Hodgson Russ, Alessandro worked with several of the country’s leading insurance defense firms.
Defeating Hackers with Stronger Passwords
As the threat of hacking grows, internal IT teams and technology manufacturers are deploying sophisticated new solutions to thwart cyber thieves. But the user password is still the frontline security measure that stands between an organization’s vital business data and hackers, and unfortunately, user passwords are often the weakest link. Hackers exploit them to steal sensitive information, including client data and competitive intelligence.
One way hackers gain access to company data files is to identify a remote entry point that still has a default password in place (often just the word “password”). That’s easy to fix by changing it. But if the password is changed to an all-lowercase word that appears in the dictionary, it’s not much more secure than “password”: a cracking program tries every word in a dictionary, and a simple all-lowercase word falls in seconds.
Another way hackers gain access is to study employees’ social media pages and try to guess passwords based on the information they find there. This is why it’s always a bad idea to use children’s or pets’ names or the names of favorite sports teams as passwords. Social media pages are also a treasure trove for hackers who are looking for answers to security questions, like a mother’s maiden name, the city where the user was born, etc.
To create a strong password, use at least eight characters (longer is better, since each additional character multiplies the number of guesses an attacker must make), and combine upper- and lowercase letters, numbers and symbols. The challenge is to create a password that has all of these elements and is still simple enough for a user to recall. Here are a couple of techniques users can employ to create a hard-to-guess, easy-to-remember password:
- Use numbers and symbols that look like letters. For example, “Football” is easy to remember, but it’s not a strong password. “F00tba!!” contains upper- and lowercase letters, numbers and symbols and is just as easy to remember. One caveat: password-cracking tools apply exactly these substitutions (o to 0, l to !, a to @) automatically to every word in their dictionaries, so a substituted dictionary word is a floor, not a ceiling; pair it with extra length or a second word.
- Use the first letter of each word of a phrase as a password. The expression “It’s always darkest before the dawn” could translate to “I@dbtd.” It’s hard to guess but easy for a user to remember. At six characters it is still too short on its own, so add a number or a special character or two (or use a longer phrase) to bring it to at least eight.
These are just a couple of ways users can create passwords that are difficult to crack but easy to remember. Another technique is to use password management software. With a password manager, users gain access to all of their password-protected applications and sites with one strong master password they use at login. The manager generates a long, random, unique password for each site or application, so a breach at one site does not expose the others, and it can be used to change them periodically to reduce exposure further.
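To show why the look-alike-substitution advice above needs a length caveat, here is an added example (not from the original article or from Siber Systems) of how a rule-based cracker derives “F00tba!!” from a dictionary word in a few thousand guesses, while a random 16-character password is out of reach. The wordlist, the substitution rules, the suffix list and the use of an unsalted SHA-256 hash as the target are all constructed for the example; real crackers carry millions of words and far richer rule sets, and real systems should use a slow, salted hash.

```python
import hashlib
import itertools
import math
import string

# Constructed wordlist standing in for a real cracking dictionary
# (real ones hold millions of leaked passwords and common words).
WORDLIST = ["football", "password", "dragon", "sunshine", "welcome", "baseball"]

# Look-alike substitutions of the kind the article recommends. Cracking tools
# apply exactly these mechanically via rule files, so they add little strength.
LEET = {"a": "@4", "e": "3", "i": "1!", "l": "1!", "o": "0", "s": "$5", "t": "7"}

# Short suffixes users commonly append "to add a number or symbol".
SUFFIXES = ["", "1", "!", "12", "123", "2013", "!!"]


def mangle(word):
    """Yield the candidates a rule-based cracker derives from one dictionary word:
    three case variants x every substitution combination x common suffixes."""
    for base in (word, word.capitalize(), word.upper()):
        options = []
        for ch in base:
            options.append([ch] + list(LEET.get(ch.lower(), "")))
        for combo in itertools.product(*options):
            stem = "".join(combo)
            for suffix in SUFFIXES:
                yield stem + suffix


def sha256_hex(text):
    return hashlib.sha256(text.encode()).hexdigest()


def crack(target_hash, wordlist=WORDLIST):
    """Dictionary + rules attack against an unsalted SHA-256 hash (constructed
    target). Returns (recovered_password_or_None, number_of_guesses_made)."""
    guesses = 0
    for word in wordlist:
        for candidate in mangle(word):
            guesses += 1
            if sha256_hex(candidate) == target_hash:
                return candidate, guesses
    return None, guesses


def nominal_bits(password):
    """log2 of the search space if the password were drawn uniformly at random
    from the character classes it uses. This is the figure the 'mix of classes'
    advice implicitly counts on; it overstates strength for mangled words."""
    alphabet = 0
    if any(c.islower() for c in password):
        alphabet += 26
    if any(c.isupper() for c in password):
        alphabet += 26
    if any(c.isdigit() for c in password):
        alphabet += 10
    if any(c in string.punctuation for c in password):
        alphabet += len(string.punctuation)
    return len(password) * math.log2(alphabet) if alphabet else 0.0


if __name__ == "__main__":
    for pw in ("F00tba!!", "I@dbtd", "x7Qp#2vLm9!Rt4Wz"):
        found, n = crack(sha256_hex(pw))
        print(f"{pw:18} nominal {nominal_bits(pw):5.1f} bits  "
              f"cracked={found is not None} after {n} guesses")
```

“F00tba!!” scores about 52 nominal bits yet is recovered after a few thousand guesses, because the attacker only has to guess which word and which rule; the 16-character random string scores over 100 bits and is never found. Length and unpredictability, not character-class mixing on its own, are what the cracker’s rule set cannot shortcut.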
By taking these simple steps – changing default passwords and using one of these techniques to create difficult-to-guess but easy-to-remember passwords – businesses can close off one of the most common points of entry. They’ll also have greater assurance that their vital company data is safe from prying eyes.
About the Author:
Bill Carey is Vice President of Marketing & Business Development at Siber Systems Inc.
Provides Mobile Authentication
Onyx is a software-based authentication solution that uses a device’s camera to capture and identify a user's unique fingerprint. A download and install enables touchless fingerprint access on just about any mobile device. If a finger is dirty or it has a scratch, Onyx will still capture the fingerprint. It is compatible with both Android and iOS.
Securely Connects Analog Audio Devices to Computers
For Internet-connected computers located inside high-security zones where classified calls and meetings take place, using audio devices can cause a security breach if they are not properly protected. Such computers are often used with headphones, speakers or microphones to enable conference calls. These Internet-connected computers can be compromised by hackers to remotely enable their microphones or headsets, using them to “listen” in to the surrounding environment. This Secure Headset Adapter is designed to connect analog audio devices to computers in a secure environment. Among its security features, the adapter uses an audio diode to assure unidirectional audio flow, preventing the headphones from being used as a microphone.
Enhances Ability to Identify Online Fraud
Reducing fraud is an ongoing process, especially in today’s environment of online crime, and it can be difficult to keep up with the quick pace of fraud trends and criminal activity. This device reputation database has been enhanced with several new features to help enterprise security executives get ahead of fraud trends and reduce risk to the enterprise.
Through this system, you can add sophisticated rule combinations to leverage users’ current and past device behavior intelligence to stop fraud. For example, if a customer fails multiple log-ins on an unfamiliar device, that would send a red flag signal through the system that a fraudster could be attempting to break into that customer’s account from an unknown computer. But, as no two enterprises are completely alike, users have the ability to set their own red flags – checking for PCs masquerading as mobile devices, new device attempts to access an existing account, counting transactions that occur at specific customer touch points (login and account creation), or different considerations for IP addresses and associated geolocation information. Combined rules are also a possibility – such as more closely reviewing transactions that originate from outside the U.S. and are accessing an existing account from a new device – and they help to home in on specific threats.
Find out more at www.iovation.com
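As an added example, not iovation’s code, here is rule logic of the kind the blurb above describes, run over a constructed event stream: failed logins from an unfamiliar device, a PC masquerading as a mobile browser, a new device on an existing account, the combined “foreign IP plus new device” rule, and account-creation velocity per device. The field names, thresholds, weights and home country are assumptions for the example.

```python
from collections import defaultdict

HOME_COUNTRY = "US"       # assumed: logins from elsewhere get extra scrutiny
FAILURE_THRESHOLD = 3     # failed logins from one unfamiliar device before flagging
CREATE_THRESHOLD = 3      # accounts created from one device before flagging


def event(account, device, kind, country="US", ua_mobile=False, desktop_traits=True):
    """Constructed event record. `ua_mobile` is what the User-Agent claims;
    `desktop_traits` is what the device fingerprint (screen, fonts, plugins) shows."""
    return {"account": account, "device": device, "kind": kind, "country": country,
            "ua_mobile": ua_mobile, "desktop_traits": desktop_traits}


# Constructed sample stream in arrival order (not real customer data).
SAMPLE_EVENTS = [
    event("alice", "dev-A1", "login_success"),
    event("alice", "dev-Z9", "login_failure", "RO", ua_mobile=True),
    event("alice", "dev-Z9", "login_failure", "RO", ua_mobile=True),
    event("alice", "dev-Z9", "login_failure", "RO", ua_mobile=True),
    event("alice", "dev-Z9", "login_success", "RO", ua_mobile=True),
    event("bob", "dev-B2", "login_success"),
    event("bob", "dev-B3", "login_success", ua_mobile=True, desktop_traits=False),
    event("new1", "dev-Z9", "account_create", "RO"),
    event("new2", "dev-Z9", "account_create", "RO"),
    event("new3", "dev-Z9", "account_create", "RO"),
]


class DeviceReputation:
    """Keeps per-account device history and scores each event against the rules."""

    def __init__(self):
        self.known = defaultdict(set)      # account -> devices with a prior successful login
        self.failures = defaultdict(int)   # (account, device) -> failed logins so far
        self.creations = defaultdict(int)  # device -> accounts created from it
        self.alerts = []

    def evaluate(self, ev):
        acct, dev, kind = ev["account"], ev["device"], ev["kind"]
        familiar = dev in self.known[acct]
        fired = []   # (rule name, weight)

        # Rule: browser claims to be mobile but the fingerprint looks like a PC.
        if ev["ua_mobile"] and ev["desktop_traits"]:
            fired.append(("pc_masquerading_as_mobile", 30))

        # Rule: repeated failed logins from a device this account has never used.
        if kind == "login_failure" and not familiar:
            self.failures[(acct, dev)] += 1
            if self.failures[(acct, dev)] >= FAILURE_THRESHOLD:
                fired.append(("repeated_failures_unfamiliar_device", 50))

        if kind == "login_success":
            # Rule: existing account reached from a new device (first device is baseline).
            if not familiar and self.known[acct]:
                fired.append(("new_device_existing_account", 20))
                # Combined rule: new device AND foreign IP on an existing account.
                if ev["country"] != HOME_COUNTRY:
                    fired.append(("foreign_ip_new_device_existing_account", 40))
            self.known[acct].add(dev)
            self.failures.pop((acct, dev), None)

        # Rule: one device churning out new accounts (touch point: account creation).
        if kind == "account_create":
            self.creations[dev] += 1
            if self.creations[dev] >= CREATE_THRESHOLD:
                fired.append(("account_creation_velocity", 40))

        score = sum(w for _, w in fired)
        if fired:
            self.alerts.append({"account": acct, "device": dev, "score": score,
                                "rules": [name for name, _ in fired]})
        return score


def run(events):
    """Score a stream of events; returns the alerts raised, in arrival order."""
    rep = DeviceReputation()
    for ev in events:
        rep.evaluate(ev)
    return rep.alerts


if __name__ == "__main__":
    for alert in run(SAMPLE_EVENTS):
        print(alert)
```

The highest score lands on the successful login to alice’s account from dev-Z9: it fires the masquerading rule, the new-device rule and the combined foreign-IP rule at once, which is the kind of stacked signal that justifies stepping up authentication or holding the transaction for review rather than acting on any single rule.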
Monitors Social Media for Brand-Damaging or Threatening Content
There are 70 billion Facebook posts every month and an average of 190 million tweets every day. This is a new avenue of communication for customers and threat actors alike, and it would behoove enterprise security executives to monitor those discussions. But instead of getting bogged down in the billions of tweets and posts, this social media monitoring module can track how many times a brand name was mentioned on social media or generate alarms based on potentially hazardous content. Geo-fence parameters can also be set for a building, a neighborhood, a city or a county, so that a school system could monitor the district for keywords related to bullying or words such as “bomb” or “gun.” Each keyword or combination of words can be escalated according to the type of alarm and how it should be handled.
The module can also add value on the marketing side of the enterprise by monitoring brand-related activity and relevant trends, listening to customers, monitoring the enterprise’s online reputation and keeping track of competitors. The software also lets companies act immediately and respond to online customer complaints before they escalate.
Find out more at www.boldgroup.com
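As an added example, not the Bold Group module’s own code, here is the kind of keyword-plus-geofence escalation the blurb above describes: a post is tokenized, matched against a keyword table and keyword combinations, checked against circular geofences with a haversine distance, and raised to a full alarm only when it falls inside a fence (outside a fence, or with no location, it is logged at “watch”). The fence, keyword table, brand name and sample posts are all constructed for the example.

```python
import math
import re

# Constructed configuration: fence name -> (lat, lon, radius_km). A district
# would load real school/campus boundaries here; circles keep the example short.
GEOFENCES = {"Central High": (40.7100, -74.0060, 1.0)}

# Keyword -> alarm level when the post is inside a fence.
KEYWORDS = {"bomb": "critical", "gun": "critical", "bully": "high",
            "bullying": "high", "fight": "high"}
# Word combinations escalated beyond the single-keyword level.
COMBINATIONS = {frozenset({"fight", "knife"}): "critical"}
BRAND = "ExampleCorp"   # assumed brand name being tracked
LEVELS = {"none": 0, "watch": 1, "high": 2, "critical": 3}

# Constructed sample posts (not real social media data); lat/lon absent = no geotag.
SAMPLE_POSTS = [
    {"text": "Love the new ExampleCorp phone!"},
    {"text": "@ExampleCorp support is useless, worst company ever"},
    {"text": "gonna bring a gun to school tomorrow", "lat": 40.7128, "lon": -74.0060},
    {"text": "that game was a bomb lol", "lat": 40.7500, "lon": -74.0060},
    {"text": "the bully in 3rd period started a fight with a knife",
     "lat": 40.7090, "lon": -74.0100},
    {"text": "Bullying is never ok, stand up for each other"},
]


def haversine_km(lat1, lon1, lat2, lon2):
    """Great-circle distance in km between two points (spherical Earth, R=6371 km)."""
    p1, p2 = math.radians(lat1), math.radians(lat2)
    a = (math.sin((p2 - p1) / 2) ** 2
         + math.cos(p1) * math.cos(p2) * math.sin(math.radians(lon2 - lon1) / 2) ** 2)
    return 2 * 6371.0 * math.asin(math.sqrt(a))


def fences_containing(lat, lon):
    """Names of every fence whose radius covers the point; [] when no geotag."""
    if lat is None or lon is None:
        return []
    return [name for name, (flat, flon, r) in GEOFENCES.items()
            if haversine_km(lat, lon, flat, flon) <= r]


def classify(post):
    """Return the alarm level, matched keywords, enclosing fences and brand flag."""
    tokens = set(re.findall(r"[a-z]+", post["text"].lower()))
    hits = sorted(w for w in KEYWORDS if w in tokens)
    level = "none"
    for w in hits:
        if LEVELS[KEYWORDS[w]] > LEVELS[level]:
            level = KEYWORDS[w]
    for combo, combo_level in COMBINATIONS.items():
        if combo <= tokens and LEVELS[combo_level] > LEVELS[level]:
            level = combo_level
    fences = fences_containing(post.get("lat"), post.get("lon"))
    if level != "none" and not fences:
        level = "watch"   # keyword seen, but not inside any monitored area
    return {"level": level, "keywords": hits, "fences": fences,
            "brand": BRAND.lower() in tokens}


def summarize(posts):
    """Brand-mention count for marketing, plus alarms and watch items for security."""
    results = [classify(p) for p in posts]
    alarms = [(r["level"], p["text"]) for p, r in zip(posts, results)
              if LEVELS[r["level"]] >= LEVELS["high"]]
    return {"brand_mentions": sum(r["brand"] for r in results),
            "alarms": alarms,
            "watch": sum(r["level"] == "watch" for r in results)}


if __name__ == "__main__":
    for post in SAMPLE_POSTS:
        print(classify(post), "<-", post["text"])
    print(summarize(SAMPLE_POSTS))
```

Note how the same word “bomb” is a watch item a few kilometres away from the fence but would be critical inside it, and how the fight/knife combination escalates a post that neither keyword alone would have raised to critical. In production the tokenizer would need to handle slang, misspellings and non-English text, and a human reviewer should sit between “critical” and any notification to authorities.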