Monthly Archives: July 2013

Wherefore art thou, cybersecurity insurance?

Uncertain coverage (image: commons.wikimedia.org/wiki/File%3AForgotten_umbrella.jpg)

Developing a market for cybersecurity insurance is more difficult than it may seem.  With a rise in business losses stemming from malicious activities and adverse events in the cyber world, creating a market for cybersecurity insurance where losses could be mitigated would seem to be a no-brainer.  However, developing, maturing, and establishing trust in a cybersecurity insurance market is slow in coming.

What it’s supposed to do

Ostensibly, implementation of a mature cybersecurity insurance market can provide protection and mitigation for such events as:

  • data breach
  • network damage
  • cyber extortion
  • brand damage
  • financial loss
  • other

The Department of Homeland Security quotes the Department of Commerce in describing cybersecurity insurance as an “effective, market-driven way of increasing cybersecurity.”  The idea is that cybersecurity insurance mitigates the damages suffered from a cyber event and also enhances cybersecurity in general by motivating better information risk management and security via premium discounts for good practices.

Implementation and chicken and egg challenges

Despite the seemingly obvious benefits, cybersecurity insurance has yet to undergo wholesale adoption.  DHS and the May 2013 Cyber Risk Culture Roundtable Readout Report hosted by the National Protection & Programs Directorate (NPPD) offer some reasons for lack of adoption to date:

  • Cost — An added cost that companies must deal with plus the perception of cybersecurity insurance as a luxury item
  • Uncertainty — Potential customers wonder whether carriers will actually pay out on cyber event claims.  There is little current precedent for such claims and payouts, hence the chicken and egg problem
  • High risk appetites — Particularly in technology fields where there is a lot of entrepreneurship, the tolerance for risk is high
  • Market/services maturity — Awareness and incentives structures within the cybersecurity insurance industry are not ubiquitous
  • Lack of clarity/precedent/data on likelihood of an adverse cyber event
  • Confusion/misunderstanding on exactly what is covered with cybersecurity insurance

At the cybersecurity framework hearing held by the Senate Commerce, Science, and Transportation Committee on July 25, 2013, Patrick Gallagher, Director of the U.S. Department of Commerce’s National Institute of Standards and Technology (NIST), also suggested that the cybersecurity insurance market was not yet sufficiently mature to handle large-scale, catastrophic cyber events.  Dr. Gallagher stated that there was not yet a robust actuarial and monetized basis for such large-scale coverage.

Further, at the same hearing, the CEO of RSA, Art Coviello, suggested that developing an actuarial basis for adverse cyber events was particularly difficult because the computing environment is changing so rapidly and because of the vast amount of data being generated that needs some form of analysis in order to determine appropriate coverage.

As much as I want to encourage and contribute to the rapid development of a mature cybersecurity insurance market, I too have concerns about how policies are written, how cyber events are described, and how much work is required to get an actual payout on a claim.  To get consumer buy-in in the short term, insurance providers might have to ‘go long’ with claims and payouts to establish trust and confidence amongst consumers.

 

Would you purchase cybersecurity insurance? What sorts of events would you like protection from? Data breach? Data loss or theft? What changes/implementations would make purchasing cybersecurity insurance more appealing to you?

Force Protection & SMB Information Risk Management

The term “force protection” entered the American military vernacular in the late 70’s and 80’s in response to several events.  One of the key drivers, though not the only driver, was the activities of the Red Army Faction or “Baader Meinhof Group”.  This group was responsible for several bombings, assassinations, & kidnappings over three decades.  As US bases and US military personnel were frequently the targets of these attacks (as well as attacks from other groups), the need to develop specific plans to protect ‘the rear’ began to be articulated. In effect, ‘the rear’ was no longer the rear.

Military organizations have always been aware of the concept of ‘protecting the rear’ or ‘covering your flank.’  However, the asymmetric, unpredictable aspects of these attacks put the military in the position of having to explicitly define a process for protection of assets that were not traditionally in harm’s way. Further, by naming and mandating the process, it was clear that some percentage of resources originally intended for forward operations would need to be diverted to support force protection. This was a shift in thinking.

I believe a similar thing could be occurring with managing information risk and security in small to medium-sized businesses (SMB’s).  Relatively suddenly, these businesses are finding themselves in hostile territory and if they want to stay in business, then they must dedicate some operational resources — whether marketing, production, R&D, revenue, etc — to support these protective and risk-lowering activities.

Early Marine Corps doctrine on force protection

I found a Marine Corps publication, “AntiTerrorism/Force Protection Campaign Plan” from 1998 that presents some operational concepts that could be helpful analogies to the issue of information risk and security for SMB’s.

The publication provides some definition of force protection:

In its purest sense, force protection is an overarching concept. It includes those procedural, training, equipment and leadership principles necessary to ensure … safety and well-being … In essence, force protection is an inherent function of [leadership] and as such should be an integral part of the way we do business on a daily basis.

Similarity in threat analysis

It goes on to describe analysis of the threat as considering a stool with three legs — Does the enemy have

  • motivation
  • means
  • opportunity

We can apply similar analysis to SMB information risk.

  • Does ‘the enemy’ (criminals or nation-state actors) have motivation to attack or compromise an SMB’s information assets?  Yes, certainly.  A successful attack provides, 1) potential revenue, 2) an attack point for attacks on other, possibly larger, more lucrative businesses
  • Do they have the means? Yes. They have readily available computers, pre-built networks for attacks, often anonymity, and sometimes protection from their parent state (country)
  • Do they have the opportunity? Yes. There are many poorly protected and non-resilient SMB computer networks available for attack.

| Marine Corps operational doctrine on force protection (from 1998) | Potential analogies in SMB information risk management |
| --- | --- |
| “Force protection is an operational aspect of every mission …” | For example, resources are shifted away from marketing, R&D, production, etc. to support SMB’s information infrastructure |
| Work to “eliminate the belief [by the enemy] that opportunity [for attack] exists” | Employ basic measures such as anti-virus, firewalls, managed/standardized computers, and awareness education to create an unappealing risk/value proposition for potential attackers |
| “The value of alarms and drills…[Leaders] at every level should develop recognizable alarms for potential emergencies and critical incidents.” | Rehearse disaster recovery and business continuity plans. Practice activities such as data recovery tests. |

The US military found itself in a position of having to develop and evolve a practice to address a fairly sudden new threat that was also evolving, as well as unconventional, and unpredictable. Similarly, to remain relevant and to maximize their respective opportunities for success, I believe that SMB’s need to, in some manner, introduce information risk and security management into their daily activities as well.

Do you think there is currently motivation, means, and opportunity to attack your business?

You want fries with that?

— Cybercriminals are starting to provide kits, aka “kitz”, of prepackaged, ready-to-go, vetted, and integrated personal data in convenient prepackaged documents.

— This creates a value-add to stolen data by correlating, combining, cleaning, providing quality control services of personal information, and implementing this in a single authoritative document, aka “fullz”

— This allows criminals to deliver a “turnkey identity fraud service” per eWeek.  

— “fullz” on a person might include verified health information, social security numbers, financial account information to include bank login credentials, and driver’s license data.

— Currently, a full dossier on a person sells for approximately $500.  This price will surely decrease as competition increases and operations become more automated and efficient. 

Creating attacks by daisy-chaining trusted cloud services such as Dropbox

Cloud services and social media services are often touted as a way for Small to Medium-sized Businesses (SMB’s) to manage their IT needs, information risk, and information security needs.  While there is real potential for SMB’s in this space, it is not without risk.  As an example, CyberSquared has documented attackers’ increasing use of trusted cloud services such as Dropbox & WordPress to manage aspects of an attack.

Sophisticated, Chained Multi-component Attacks

A recent attack had these sophisticated components:

  • A Word document with embedded malicious content that would attempt to activate upon opening.
  • The content of the Word document was relevant to the recipients of the attack.  In this case it appears to be a policy document for the Association of Southeast Asian Nations (ASEAN). That is, it’s a document that targeted recipients would likely be interested in opening.
  • There was also evidence that the Word document was a product/artifact of an earlier attack. That is, data/documents/information collected/stolen from earlier attacks are used as components and tools for future attacks.
  • The document was put in a Dropbox account created quickly and at no charge by the attacker.
  • The attacker then emailed the Dropbox account info to the targeted recipients.

(image via cybersquared.com)

  • Now for some extra sneakiness — note that the file says that it’s a zipped (compressed) file with the .zip extension. Upon opening, researchers saw that it used a fake Adobe pdf icon to cover up the fact that it was actually a Word document (that had the malicious code).
  • Once a user received this Dropbox link and opened the compressed-faux-pdf-actual-malicious-Word-doc file, the next phase would start.  From here the malicious code would then contact a WordPress site to get Command & Control information so that it could get specific instructions to further its attack.
  • Note IP address and port information embedded in an otherwise seemingly innocuous post.

(image via cybersquared.com)
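
The disguise described above (a download whose name and icon say one thing while its bytes say another) is something a mail or download gateway can check for. The following is an added example, not code from the original post or from CyberSquared: it compares each file's claimed extension with its leading bytes, including files inside a zip. The file names and sample archive are constructed, and treating the Word document as a legacy OLE2 `.doc` is an assumption.

```python
import io
import zipfile

# Leading "magic" bytes of the content types relevant to the lure described above.
MAGIC = [
    (b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1", "ole2"),  # legacy Office (.doc/.xls/.ppt)
    (b"%PDF-", "pdf"),
    (b"PK\x03\x04", "zip"),  # plain zip, also OOXML (.docx) containers
    (b"MZ", "pe"),           # Windows executable
]
# Content kinds each claimed extension may legitimately hold.
EXPECTED = {".pdf": {"pdf"}, ".doc": {"ole2"}, ".docx": {"zip"},
            ".zip": {"zip"}, ".exe": {"pe"}}


def sniff(head):
    """Classify content by its first bytes, ignoring the file name."""
    for magic, kind in MAGIC:
        if head.startswith(magic):
            return kind
    return "unknown"


def mismatch(name, head):
    """Return (name, claimed_ext, actual_kind) if content contradicts the extension."""
    dot = name.rfind(".")
    ext = name[dot:].lower() if dot != -1 else ""
    kind = sniff(head)
    if ext in EXPECTED and kind not in EXPECTED[ext]:
        return (name, ext, kind)
    return None


def audit_download(filename, data):
    """Check a downloaded file and, if it is a zip, every member inside it."""
    findings = [m for m in [mismatch(filename, data[:8])] if m]
    if sniff(data[:8]) != "zip":
        return findings
    try:
        with zipfile.ZipFile(io.BytesIO(data)) as zf:
            for info in zf.infolist():
                if info.is_dir():
                    continue
                label = f"{filename}!{info.filename}"
                try:
                    with zf.open(info) as fh:
                        head = fh.read(8)
                except RuntimeError:  # encrypted member: content cannot be inspected
                    findings.append((label, "", "encrypted"))
                    continue
                m = mismatch(label, head)
                if m:
                    findings.append(m)
    except zipfile.BadZipFile:
        findings.append((filename, "", "corrupt-zip"))
    return findings


def build_sample():
    """Constructed sample: a zip with one genuine PDF header and one OLE2 file named .pdf."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("agenda.pdf", b"%PDF-1.4\n% constructed\n")
        zf.writestr("policy_brief.pdf", b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1" + b"\0" * 56)
    return buf.getvalue()
```

Calling `audit_download("lure.zip", build_sample())` reports only the member whose bytes are an OLE2 document despite its `.pdf` name; the genuine PDF passes.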

Advantages of a Trusted Public Service to Attackers

  • Attackers can hide behind a trusted brand name such as Dropbox, WordPress, or Twitter
  • Ease of attacker anonymity stems from ease of account set up
  • Attackers able to use cloud service infrastructure to target victims, eg using Dropbox email component to reach out
  • Malicious content easily bypasses old school detection mechanisms

This is some pretty sneaky stuff embedded into some trusted services that often market directly to SMB’s.  I’m not saying don’t use them — they do offer huge convenience and direct cost savings.  However, it is critical to recognize that they don’t offer a slam-dunk solution for security.  Indeed, no solution offers this. Like everything else, reflection on risk needs to occur to ensure an SMB has the best chance for good decisions.

 

University of Washington adds new certificate for IT Audit

University of Washington Professional & Continuing Education adds IT Audit Certificate program.

Demand for IT Audit skills and services is rapidly growing because of:

  • increasing regulatory requirements
  • increasing interconnectivity between businesses & the need to establish transparency & evidence of compliance between parties (eg, Amazon’s partner program)
  • rising demand for information risk management, regardless of business size, and audit’s growing role as a baseline in risk programs

UW’s IT Audit Certificate program provides training, recognition of accomplishment, and a professional network for IT/Information Management professionals as well as finance and administration professionals seeking to expand their skill sets in IT audit.

More here.

Industrial Control System Attackers & Attackees

ICS attacks by business sector
(image ICS-CERT)

— ICS-CERT responds to over 200 Industrial Control System (ICS) incidents between October 2012 and May 2013.
— Highest percentage in energy sector — 53%
— Critical Manufacturing sector follows — 17%

 

 

ICS attacks by source country
(image TrendMicro)

— TrendMicro research emulates Industrial Control System with honeypots
— Only takes 18 hours for first honeypot to be attacked
— Over 28 days, 39 attacks from 14 countries
— Of 39 attacks, 12 were unique and considered ‘targeted’
— Attackers demonstrated experience & expertise with ModBus industrial control protocol

 

Avoiding a Tragedy of the Commons

So maybe SMB Information Risk & Security doesn’t have to be a Tragedy of the Commons.

Admittedly, at initial glance it appears that it has to be. So many SMB’s have so few resources — they rarely have security expertise, typically have very little IT expertise, and probably zero information risk management expertise. Again, the reasons for this are not difficult to see. Their resources are limited and many of the traditional enterprise approaches to risk and security simply don’t scale down cost-effectively. 

What’s one more fish?
(Image by Earth’sbuddy [CC-BY-SA-3.0] via Wikimedia Commons)

This is why risk and security for SMB’s can appear to be a Tragedy of the Commons. As discussed a couple of posts ago, a Tragedy of the Commons as introduced by Hardin in 1968 covers such scenarios as overfishing a portion of the ocean or overgrazing a pasture. Each individual actor, whether fisher getting one more fish or farmer putting one more cow on the pasture, contributes to the demise of the shared resource for all in the long-term while acting on self-interest in the short-term.

Similarly, it was suggested in the post that the Internet is a shared resource for SMB’s. When an individual business is attacked, 1) the business can suffer itself, and/or 2) the business is used as an attack platform on other businesses, which diminishes, i.e. depletes, the utility of the resource. However, in the short-term, the SMB has a hard time justifying risk management and security investment on its own behalf because it requires internal resources bound for marketing, R&D, production and similar.

Solution to Prisoner’s Dilemma Approach

The Tragedy of the Commons idea introduced by Hardin is similar to the Prisoner’s Dilemma, where it is assumed that there is no (or little) communication between actors – prisoners, in this case. While working independently and integrating previous and existing research, Elinor Ostrom, 2009 Nobel Prize Winner for Economic Sciences (shared with Oliver Williamson), showed that there were many examples of successful sharing of a common pool resource (CPR). She asked the question, “Are rational individuals helplessly trapped in dilemmas?” To answer this, she studied irrigation systems in Nepal, forests around the world, fisheries, police and government systems, as well as studies in her own laboratory.

Among other things, she clearly pointed out that there was indeed communication between the actors that were successfully sharing a Common Pool Resource. Further, a key component amongst actors in successful common sharing was trust.

Polycentric Governance Success

Following are a number of her observations from her Prize Lecture entitled “Beyond Markets and States: Polycentric Governance of Complex Economic Systems”. I am not suggesting that these observations directly map into the Common Pool Resource problem of SMB’s sharing the Internet. However, I do believe that they are worthy of reflection in this context and can serve as the basis for further discussion. (That said, I think the title itself may hold clues to the SMB Tragedy of the Commons problem.)

  • panaceas are potentially dysfunctional
  • small to medium-sized cities are more effective monitors of performance & costs
  • dissatisfied citizens (group members) can ‘vote with their feet’ and move to another group
  • large, incorporated communities can change contracts with external providers, but urban, less structured, districts have no voice
  • Re police in metropolitan areas, large number of direct service producers (e.g. patrol) more efficient while small number of indirect service producers (e.g. dispatch, crime lab analysis) more efficient — that is, most efficient was mix of large and small
  • complexity is not the same as chaos and it is often worth the investment to better understand the complexity
  • groups that did not communicate were more likely to overuse the shared resource
  • 5 types of property rights discovered, not just one (access, withdrawal, management, exclusion, & alienation rights)

Successful shared resource scenarios tended to have these traits:

  • boundaries of users & resource are clear
  • congruence between benefits & costs
  • actors had procedures for making their own rules
  • regular monitoring of resource and actors
  • graduated sanctions (against rule violators)
  • conflict resolution mechanisms
  • minimal recognition of rights by government
  • nested enterprises
  • users/actors themselves are active monitors of resource consumption (i.e. not a 3rd party)

Other observations:

  • users monitoring resource themselves more important than type of resource ownership
  • stronger when local communities have strong rule-making autonomy and incentives to monitor
  • behavioral theorists now looking at actors/individuals where individual is boundedly rational, but can learn
  • learning to trust others is central to cooperation
  • healthy resources have actors/users with long-term interests in the resource and invest in monitoring and building trust

What are parallels between these observations and secure-SMBs-on-the-Internet-Tragedy-of-the-Commons issue? Should government intervene? (these observations don’t make a strong case for it) Should trade groups organize rules? Should small, geographically similar SMB’s develop their own working groups somehow? Should SMB’s across the globe of similar size organize and develop membership rules re Internet participation? Are there other natural alignments amongst SMBs?

How do we increase the safety and security and lower the risk profile of SMB’s on the Internet?