Cyber Insurance Part V

by Mark Rasch,

Managing Principal, Cybersecurity

You get a call at 2AM from your sysadmin with the four worst words you can hear from a sysadmin.  “Oh, by the way…” You have had a breach.  A big one.  You assemble your internal team.  You put into place your data breach, forensics and investigation plan.

Because you had planned ahead for this eventuality, and had a Rapid Response Retainer program from Verizon, you call in their team of investigators, researchers and analysts.  You bring in your legal team (in house and outside counsel.) You coordinate your activities with relevant law enforcement agencies.  You bring in your HR and crisis communications team.  You prepare press releases for your CIO or CISO or CEO or whomever, depending on the scope and scale of the breach.  You retain and bring in a data breach notification team to send out the tens of thousands of data breach notification letters or emails.  You retain a company to provide credit freeze or credit monitoring for affected customers.  You obtain documents and records from the relevant ISPs to track down the bad guys.  You monitor the dark web to see whether any purloined information shows up on the black market.  You prepare for potential class action lawsuits by shareholders, customers, business partners, credit card issuers, or third party merchants.  You prepare for litigation with the FTC or state consumer protection regulators.  You prepare your international response; all the things that you prepared for when you retained Verizon’s rapid response team – except one.

One of the things you did (and it is looking pretty smart right now) was to purchase cyber insurance.  Not general cyber insurance, mind you.  But data breach insurance.  Exactly what you need.  You’ve been paying premiums for a couple of years, and now that investment has paid off.  Maybe.   Data breach and cyber insurance policies are frequently written in a way that creates ambiguities about which breach costs are covered and which are not.  Exclusions for things like criminal activities of insiders may be used to limit coverage when the breach occurs as a result of an employee’s conduct with respect to phishing, and “first party” coverage may limit payments only to your customers, and not to their banks, credit card companies, card brands, or other merchants who are impacted by stolen credit cards.  If medical records are breached, you may have a conflict between your breach insurance policy and your publicity policy (that’s your general liability policy that covers breach of privacy or publicity), especially if they are issued by different carriers.  But none of these policies provide any coverage if you don’t notify your insurer.

Insurance policies typically contain at least two duties of the insured as a condition of coverage.  A duty to promptly notify of the claim and a duty to cooperate with the insurer with respect to the claim.  Policies typically require that the insurer “promptly be notified, in writing, of any casualty loss, third-party liability claim, or occurrence that could give rise to a liability claim.”  Seems simple, no?  No.  What does “in writing” mean?  Mail?  E-Mail? Text message? Does prompt oral notification suffice for notice?  And what is an “occurrence that could give rise to a liability claim?”  A breach?  A potential breach?  An investigation of a potential breach?  Oh, and of course, what is “promptly?”  It’s so much better to get these terms worked out (at least informally) before a claim than litigated afterwards.  All of the costs you incurred before notifying the insurer may end up being for naught if you don’t notify.

The duty to cooperate extends the duty to notify and generally would require the insured to keep the insurance company apprised of all material facts concerning the loss or underlying claim, and to respond fairly to all reasonable insurer requests for information and documentation.  Many data breach insurers may insist that you use their data breach investigators, or their counsel, or their forensics teams, or at least teams that have been approved by them as a condition of coverage.   If you want to continue to use the team that you know and trust, the one that you have retained in advance, the one with knowledge and awareness of your policies and procedures, networks and devices, then tell your breach insurers that you intend to use your own team and that you have a Rapid Response Retainer service, and get them to buy in.  In fact, since such a retainer service can help limit the cost and impact of a breach, your breach insurer is not only likely to let you use your own team, but may reduce your premiums or increase your coverage for having the foresight to have planned for potential breaches.  It’s worth a conversation.  ‘Cause everyone loves talking about insurance, amirite?

Hacktivist Attack – the Dark Shadow

by John Grim

RISK Team/Verizon

The Data Breach Digest—authored and published by the Verizon RISK Team earlier this year—slices through the FUD, the Fear, Uncertainty, and Doubt, that’s so prevalent in the world of cyber security. In doing so, the Data Breach Digest reveals what’s really happening in the world of cyber investigations. And more importantly, what you, the Incident Response stakeholder, should do when faced with a data breach.

We took a ‘RISK Team ride-a-long’ approach to telling our story, and selected 12 of the most prevalent scenarios and six of the most lethal scenarios we have seen in the past three years of our caseload. Each scenario narrative follows a common path:

  • ‘detection and validation’ – the state of the data breach prior to us getting involved
  • ‘response and investigation’ – us responding and working hand-in-hand with the victim
  • ‘remediation and recovery’ – our final feedback to the victim – expert, experienced feedback to get them back on their feet

For this month, we selected one of the six lethal scenarios to follow up on:  Scenario #8 of the Data Breach Digest, ‘Hacktivist Attack—the Dark Shadow’, which detailed the breach of a critical infrastructure provider by a determined hacktivist seeking to punish or embarrass their target rather than seeking personal financial benefit. The associated scenario follow-up takes a ‘Key 5×5 Approach’ by providing five recommendations on mitigating and five recommendations on responding to hacktivist attacks.

Download the Data Breach Digest. Read about the Dark Shadow and the 17 other RISK Team-experienced scenarios, and use the lessons-learned to mitigate and respond to those most prevalent and most lethal data breaches.

Data Breach Digest Update: CMS Compromise

by John Grim
RISK Team/Verizon

The Data Breach Digest—released this past February by the Verizon RISK Team—has brought a fresh perspective to the security conversation. Its underlying premise was that ‘many data breach victims believe they are in isolation, dealing with sophisticated tactics and zero-day malware never seen before.’  The RISK Team has seen otherwise. To us, few breaches have been unique – there is tremendous commonality in real-world cyber-attacks.

Based on 18 actual cases that we’ve investigated, the Data Breach Digest makes security tangible and real to not only the technical Incident Response stakeholders, but all stakeholders who are involved in incident response. And, in doing so, it encourages everyone to become an important link within the security chain.

One of the cases we investigated involved actual pirates hacking a global shipping company’s content management system (CMS) to steal the freight records and target their theft of valuables. This Update provides recommendations on how you can mitigate the threat of a CMS attack and how you should respond if you are breached.

Download the Data Breach Digest.  Read it, learn from it, and use it to mitigate and respond to those most prevalent and lethal data breaches that we – the RISK Team – have come across.


Making the Most of Limited Security Resources

Author: Joan Ross, Managing Principal, Cybersecurity

“If your enemy has no ships, building submarines may not be the best use of your limited resources”, a CIO at a recent Verizon 2016 Data Breach Investigations Report (DBIR) session conveyed.  Accountable for building and maintaining major infrastructure, he and the chief information security officer were actively strategizing together as to how to best utilize and stretch their limited security resources for the year.  Knowing the threats to your industry is the first step in evolving the most effective security strategies, obtaining priority budget, and educating all personnel within your organization.

While the extent of security breach data represented in this year’s report is sobering (for example, detection of security breaches by the affected organization itself has greatly decreased), there is encouraging information on how to get ahead of these attacks. Eighteen of the most common attacks are detailed within the Verizon 2016 Data Breach Digest.

Empirical evidence shows that in 82% of security breaches, evidence leading up to the breach was present in the logs.  Thus, one of the most significant activities security teams can do as part of their rapid response practice is gathering the last 90 days of logs from critical and non-critical systems.

There should be standard operating procedures and training established for the team in gathering log data, for two reasons.  First, it’s critical to rehearse incident response activities before an actual breach, and to practice collecting evidentiary data quickly (within 24 hours) while following proper chain of custody handling.  This rehearsal gets valuable data rapidly into the hands of the responding experts when an actual breach may be occurring, so that known attack patterns can be more accurately identified and defended against.

Secondly, and just as important, if you take the additional step of getting the data from the rehearsal into the hands of trusted experts with the right tools, the early behaviors and reputations associated with increased attacks can be ascertained to help prevent a serious attack.  This puts valuable digital intelligence into the hands of your security team, executives and board of directors as to where potentially malicious traffic and connectivity is following known patterns.  While security information and event management systems (SIEMs) may detect perhaps up to 15% of potentially malicious activity, being proactive in your review by hunting for known malicious patterns and behaviors is increasingly useful in getting ahead of the other 85% of more sophisticated attacks.
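The two steps above (collect the last 90 days of logs under chain-of-custody handling, then hunt through them for known malicious patterns) can be rehearsed with a small script. The following is an added example, not code from the Verizon RISK Team or the DBIR: the log lines, the "now" timestamp, the indicator list and the failure threshold are all constructed placeholders, and a real hunt would load current threat intelligence instead.

```python
import hashlib
import re
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample syslog-style lines (not from any real case). Each line is
# "<ISO-8601 UTC timestamp> <program> <message>". The first line is older than
# 90 days and should fall outside the collection window.
SAMPLE_LOG = """\
2016-04-20T09:00:00Z web GET /index.html src=192.0.2.10 status=200
2016-06-02T01:00:01Z sshd auth failure user=admin src=198.51.100.23
2016-06-02T01:00:03Z sshd auth failure user=admin src=198.51.100.23
2016-06-02T01:00:05Z sshd auth failure user=admin src=198.51.100.23
2016-06-02T01:00:07Z sshd auth failure user=admin src=198.51.100.23
2016-06-02T01:00:09Z sshd auth failure user=admin src=198.51.100.23
2016-06-02T01:00:12Z sshd auth success user=admin src=198.51.100.23
2016-07-10T14:22:41Z web GET /wp-login.php src=203.0.113.7 status=200
2016-07-11T08:05:00Z sshd auth failure user=jdoe src=192.0.2.55
2016-07-12T10:00:00Z web GET /about.html src=192.0.2.10 status=200
"""

# Constructed indicator list (placeholder address, not real threat intel).
KNOWN_BAD_IPS = {"203.0.113.7"}

# Constructed "now" so the example is reproducible offline.
NOW = datetime(2016, 7, 30, tzinfo=timezone.utc)

LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2}T\d{2}:\d{2}:\d{2}Z) (?P<prog>\S+) (?P<msg>.*)$")


def parse_line(line):
    """Return (timestamp, program, message) or None for unparseable lines."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%dT%H:%M:%SZ")
    return ts.replace(tzinfo=timezone.utc), m.group("prog"), m.group("msg")


def collect_recent(raw, now=NOW, days=90):
    """Keep only lines whose timestamp falls inside the last `days` days."""
    cutoff = now - timedelta(days=days)
    kept = []
    for line in raw.splitlines():
        parsed = parse_line(line)
        if parsed and parsed[0] >= cutoff:
            kept.append(line)
    return kept


def custody_record(lines, collector, collected_at=NOW):
    """Chain-of-custody manifest: a SHA-256 over the collected lines, so any
    later alteration of the evidence can be detected by rehashing."""
    blob = "\n".join(lines).encode("utf-8")
    return {
        "sha256": hashlib.sha256(blob).hexdigest(),
        "line_count": len(lines),
        "collected_by": collector,
        "collected_at": collected_at.isoformat(),
    }


def hunt(lines, bad_ips=KNOWN_BAD_IPS, fail_threshold=5):
    """Flag known-bad source addresses and repeated authentication failures."""
    findings = []
    failures = Counter()
    for line in lines:
        parsed = parse_line(line)
        if not parsed:
            continue
        ts, prog, msg = parsed
        src_match = re.search(r"\bsrc=(\S+)", msg)
        src = src_match.group(1) if src_match else None
        if src in bad_ips:
            findings.append({"kind": "known_bad_ip", "src": src, "at": ts.isoformat()})
        if prog == "sshd" and "auth failure" in msg:
            user = re.search(r"\buser=(\S+)", msg)
            failures[(user.group(1) if user else "?", src)] += 1
    for (user, src), count in failures.items():
        if count >= fail_threshold:
            findings.append({"kind": "brute_force", "user": user,
                             "src": src, "failures": count})
    return findings


def triage(raw, collector, now=NOW):
    """Run the 90-day collection, record custody, then hunt; return one report."""
    lines = collect_recent(raw, now)
    return {"custody": custody_record(lines, collector, now), "findings": hunt(lines)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_LOG, "analyst-1"), indent=2))
```

The custody record is computed before hunting so the hash covers exactly what was handed to the responders; anyone who later receives the evidence can recompute the SHA-256 and confirm nothing was added or dropped in transit.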

The best way to get ahead of security breaches is to familiarize your team with these patterns, and build your strategy based on relevant, empirical evidence for your organization.

Making the Move to Managed Security Services

Author: Joan Ross, Managing Principal, Cybersecurity

One of the hardest realities for chief information security officers (CISOs) to confront is what concrete protections can be achieved with the annual resources available to them.  Theirs is a vital function, albeit typically with a smaller staff and budget than other divisions.  One must constantly evaluate and protect against the ongoing concern that someone with malicious intent will breach or disrupt the organization’s operations, and obtain sensitive customer information and secret business intellectual property.  Being a CISO is not for the faint of heart.

Prioritizing relevant risk to their organization and determining appropriate treatment with their executive team is an ongoing process. When necessary security funding is not allocated, or resources are few, the CISO is in a difficult position.  Ultimately, they bear the responsibility of a breach, even should it occur through a business supplier on systems outside of their control.  There may be limited people and mitigating controls to provide quality information security assurance.

2016 is the year more CISOs are making an honest evaluation of their team’s core security competencies and annual funding.  While difficult to relinquish control, the realization is they have no control or insight if the security functions are not being fulfilled.  This is when the tough decision is made to move the most time-consuming and burdensome security activities to a quality managed security services provider (MSSP).

In hindsight, CISOs report that moving to an MSSP has been one of the best decisions for the organization, provided they select a strong MSSP.  They’re able to obtain more actionable security intelligence from experts at recognizing patterns and events, and it frees up their limited resources to devote their efforts to the evolving business security strategy and improvements.

Expanding access capabilities, burgeoning security devices, and the continual monitoring of threats and vulnerabilities take a toll, both professionally and financially. MSSPs are an acceptable option provided the CISO conducts the appropriate due diligence on the third-party provider.  This is where the experience, skill, certifications, reputation and investment in ongoing personnel training of the MSS provider matter; the selection criteria must weigh more than any cost efficiencies.

At a minimum, today’s CISO needs a rapid response retainer in place.  Established organizations are moving to contractually require these retainers of their critical business partners.  The reason for this is simple: preventing, detecting, containing and managing information security incidents requires trained professionals, reliable processes, chain of custody expertise, and forensics experts available at a moment’s notice.  With a retainer in place, organizations can report suspicious activity and have it qualified, or receive a recommended course of action, within minutes.  In seventy percent of the targeted breaches we analyzed, the incident spread to the secondary victim(s) within twenty-four hours once the attack was successful – a risk no CISO takes lightly in consideration of their organization, customers, and business partners.

Briefing the Board: Directing Security Evolvement

Author: Joan Ross, Managing Principal, Cybersecurity

If an organization’s CISO is not regularly updating the Board of Directors (BoD), there is an inherent disconnect in the security viability of the organization.  The function of the BoD is to act on the behalf of the best interests of shareholders and stakeholders in validating a well-managed company.

A CISO’s agenda for the BoD begins with three primary areas:

  1. What we know and have tested recently regarding security controls.
  2. What we don’t know or haven’t effectively evaluated at this time.
  3. Priorities for risk, budget, and evolving strategy based on a combination of #1, #2, current and planned business model, and current threat intelligence for your industry.

Verizon publishes the Data Breach Investigations Report (DBIR) on an annual basis for the greater good of the security community at no cost. This intelligence is heavily leveraged for the empirical research and investigation findings it provides, including trends in the common attack patterns.  Every security organization has it available to them to utilize as the basis for their BoD presentations and ongoing security awareness training for the organization.

CISOs convey that the most important graphic for them to begin their BoD presentation is the DBIR Incident Classification Patterns and percentages for their industry.  Annual budgets and periodic new budget needs can leverage the attack trends to justify requests.  While many security professionals may be aware of the proliferation of these patterns and methods, rarely is the BoD.  Today’s CISO educates their BoD as part of every briefing opportunity on how the organization remains potentially vulnerable.

The BoD is responsible for gaining an understanding of the routine occurrence of many of these data breaches and asking their organization the tough questions on risk reduction to prevent, detect, defend against and mitigate these intrusions.  Verizon’s Data Breach Digest illustrates twelve of the most common recurring attacks and methods, and six of the emerging, more sophisticated attack types to guard against.

With the publication of these reports, which are truly brief reads, there is no reason for top leadership, including the BoD, not to be aware of the risk, commonality and methods of the majority of security breaches in their industry.  The measure of a well-managed company is evolving to one where these attack risks are mitigated with BoD support.

What’s in your wallet?

Author: Mark Rasch, Managing Principal, Cybersecurity

When workers were tearing down the old Apollo Theater in Times Square, they discovered a cache of men’s wallets and women’s purses hidden in the attic.  Apparently in New York in the 1940’s and 1950’s, the Apollo was the epicenter for pickpockets – targeting tourists and residents alike.  The cache represented a time capsule of sorts, with photographs of sweethearts, friends and family members, stored fortune cookie fortunes, paycheck stubs, utility receipts, social security cards, and handwritten driver’s licenses.  Gone of course was any hint of cash – after all that was what the pickpockets were after.  Also conspicuously missing for 21st century mentalities are loyalty program cards, access cards, or credit cards (although Bank AmeriCard and Diner’s Club both existed back then).

I say this as my wallet gets thinner and thinner.  I keep a newly “secure” driver’s license with digital pictures, holograms and other security devices for identification.  And corporate and personal credit cards with a digital chip which occasionally gets scanned.  A box store membership card and a too infrequently used health club membership card.  And that’s it.  My kids, on the other hand, have bulging thick wallets filled with nothing – or nothing important.

When we think of the items in our wallet or purse, we should consider them to be tokens.  A driver’s license is a token issued by the state indicating that we passed a minimum competence examination to operate a motor vehicle in that jurisdiction.  A credit card is a token issued by a bank indicating that we have an account (a bank account if a debit card, a revolving credit account if a credit card) with that institution and allowing third party merchants to interact with that account.  Loyalty cards are similarly tokens for accounts which establish a relationship with a particular merchant or club.  Even the cash in your wallet is a token issued by the government with whatever value society decides to imbue on it.

Every one of these tokens will soon be obsolete – if they aren’t already.  This doesn’t mean that they will disappear.  We have invested billions in the infrastructure necessary to issue, read, and interact with these tokens.  A folded note will still be easier to read than a file stored on an Android phone.  A tangible physical object serves as a reminder of our loyalty to a particular institution.   But the functionality of these tokens has already been duplicated in things like Apple Pay and Wallet, Android Pay, and other electronic wallet substitutes.  Our family pictures are on our devices and/or in the cloud (sometimes without our knowledge).  Electronic substitutes exist for identity, relationship, affiliation, authority, and access control.  There are even electronic substitutes for cash (like Bitcoin) despite the fact that a Florida court recently ruled that laundering Bitcoin does not constitute “money laundering.”

This move from physical objects to their electronic substitutes is not without risk.  The Apollo Theater attendees knew (or soon realized) that they had been robbed.  The contents of my electronic “wallet” can be stolen without my knowledge.  The Times Square visitors knew (or should have known) that the Times Square of the 40’s through 50’s was a wretched hive of scum and villainy.  For electronic records there is no safe haven.  If someone stole a 1950s wallet, there was little chance of false personation and identity theft.  Since much of our modern interaction is virtual, if you steal my token, you steal my identity.  What’s worse, I can now get new credentials and new tokens in your name, and become you online.  And now new crimes of false personation, identity theft, identity fraud, and synthetic and virtual identity fraud exist that could not have been contemplated back then.

All of this is by way of saying that, in designing any token system – whether it’s a driver’s license, a financial instrument, an access card, or a user id and password – we must take particular care in determining how it will be used, and how it can be abused.  We misplace our trust in the token, rather than in the person presenting the token.  Multi-channel and multi-factor systems, sometimes with a biometric component, should be considered – but the privacy and anonymity implications of such systems should also be considered.  We must preserve the right and the ability for people to interact without a permanent record of their actions.

When we think of information security, we have to think not only of computers and networks, but of how people interact with them – in the virtual and physical world.  And you can take that sentiment and put it on a note and stick it in your wallet.  The movie playing at the Apollo Theater in the summer of 1958 was Ben-Hur.  Some things never change.

Hospitality Customizing the Perfect Guest Experience

Author: Joan Ross, Managing Principal, Cybersecurity

The hospitality industry is moving full-speed ahead in creating the ideal travel experience. Utilizing Internet of things (IoT) design and technology communication, the goal is to attain greater customer loyalty by tailoring the patron’s experience to their preferences as they arrive and travel through their extended establishments.

Since many hospitality vendors have various tiers of property brands, designing and enabling a secure entrance into customized experiences requires significant planning, expertise and is fraught with risk. Both the physical as well as the sensitive data protections of their guests are paramount to their brand reputation.

Technology is enabling a more comfortable and scalable travel era.  Imagine the business or vacation travel experience enabling your transport as it detects your plane has landed to minimize your wait time. The hotel check-in is a red-carpet luxury experience straight to your favorite room which is already at your preferred temperature. An easy touch-interface performs immediate digital concierge services such as obtaining reservations to the restaurant you desire, tickets to a particular show, or booking the perfect golf tee-time.

This custom capability evolution requires significant data protections that not all owner-operators will be able to comprehend or afford.  Since security breaches would negatively impact the entire brand, leading hospitality providers will move towards providing security-as-a-service for their owner-operators. This provides consistent levels of protection, similar to the Payment Card Industry Data Security Standard (PCI-DSS) for credit card transaction capabilities. The hospitality industry should move quickly and efficiently to lead the effort on customer experience IoT standardization and API integration.

The brand name leaders in this effort will provide governance and oversight to deliver reliable and cost-effective safeguards such as advanced automation, strong authentication, limited access, pseudo-anonymous profiles, encryption, and non-repudiation.  Without privacy and security, there is no perfect guest experience. Consistent governance and control implementation requirements across all tiers of property operations, especially smaller affiliated owner-operated properties, help clear the path for additional business revenue through global economies of scale, while providing protections consistent with the brand’s requirements for essential customer privacy and information security.

Information Security for SMB’s…Who Me?

By Mark Rasch
Security Evangelist
Verizon Enterprise Solutions
July 29, 2016

The biggest obstacle to building an effective information security program at many institutions – particularly small and medium sized businesses (SMB’s) – is not a lack of resources, a lack of knowledge, or a lack of technology.  Typically, the biggest obstacle is complacency.  When meeting with senior corporate or government officials (in non-regulated environments) you will often hear expressions of concepts like “we would never be a target of hackers,” or “we don’t have anything anyone would want” or “we’re too small for anyone to care about.”

While the security demands of SMB’s are different from large government agencies or multinational corporations, the vulnerabilities are potentially more severe.  SMB’s that suffer significant attacks may never recover – they may be forced to close up shop because of a ransomware attack, or because their clients and customers have lost faith and confidence in their ability to do their job or to protect their data.  That’s why attention must be paid.

The “we don’t have anything anyone would want” argument is easy to address.  Ask the question, “What would happen to my enterprise if the data I collected (including HR data, sales, costs, marketing, compliance, and strategy information) was no longer confidential?”  And, as we have learned from the recent DNC hack, there’s much more in your information systems than you think – and much more potential damage from its release than you think.  Company employees can be doxed, targeted, harassed and otherwise attacked as a result of (or as the goal of) a data breach.

So the first step is a comprehensive assessment.  But not the kind you’re likely thinking of.  It’s not sufficient to assess your technology – how many servers, how many computers, how many ports open, etc.  That’s a technology assessment.  What you want to do is to assess the business impact of a potential breach as well.  What are the critical systems AND the critical data in those systems – and why is it critical?  When DNC officials were sending routine emails discussing strategy and tactics they probably didn’t consider these emails (or the email system on which they resided or were transported) to be particularly critical.  And that points out another problem with how we typically prioritize security.  We look at securing the device – the container – the transport channel, rather than looking to secure the information in it.  We treat e-mail, for example, as a system that needs to be secured, documents as another system, stored files as another, and so on.  But e-mail is just a means for communicating.  There are sensitive e-mails and non-sensitive e-mails.  As a result, we either secure the trivial with a degree of security more reasonable for critical communications (a waste of resources) or secure the critical data at the level of the trivial security (vulnerability).  More often, we do a bit of both.  That’s why data classification and data segregation are also important; layers on layers of security. Even for SMB’s.

Security need not be prohibitively expensive.  Nor need it be unnecessarily complex.  But it should be done right to facilitate business.  And at the end of the day, isn’t that why you are in business in the first place?

Phishing license: training and awareness

by Wesley Hamrick
Analyst, Enterprise
Verizon Enterprise Solutions

The Verizon Data Breach Investigations Report (DBIR) has consistently shown that the number one threat to companies is malicious code injected via successful phishing attacks.  It’s number one in 2016.  It was number one in 2015.  It was number one in 2014.  And so on, and so on.  So if a company were to target one vector and one solution to fix above all others, it would be phishing.

Easier said than done.

Successful phishing attacks exploit vulnerabilities and weaknesses in hardware, software, people and processes.  At the outset, they use data acquired through other means to engage in social engineering attacks against authorized users.  They use “legitimate” channels of communication – email, text, etc. to further their objectives.  They can use stolen or compromised accounts or credentials, spoofed or faked email addresses, or other indications of validity to trick users into clicking on or otherwise taking action in response to the communication.

The fraudsters lie, cheat, steal, cajole, and hack to get in and to get the user to click a link, go to a website, install software, provide information or otherwise respond.  These attacks can be as simple as installing clickbait, or as targeted and sophisticated as spear phishing (email that appears to come from someone you know) or whale phishing (emails targeted at company executives). Just as the attacks are layered and sophisticated, the defenses need to be as well.

Many phishing defenses rely on technology.  They block email from known spammers or known “bad” email addresses.  They filter, block and quarantine communications from suspicious sites, or which contain suspicious content or links.  E-mail links are disabled by default, executables are not supposed to run on the clean system, and known bad IP addresses are not supposed to be resolved.

But much of that is in theory.  You see, phishing attacks are dynamic and ever-changing.  The goal of the phisher is to get in without being noticed.  The phisher takes into account these known technology defenses.  Phishing mail will originate from a trusted IP address and email account, with a compelling subject line, and the link will not self-execute.  The malware will approximate “normal” behavior to avoid detection.  The IP address may be spoofed, proxied or from an anonymous source.
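The two paragraphs above describe the layered technical controls (blocking known bad senders, filtering and quarantining suspicious links and attachments) and the catch that phishing mail often arrives from a trusted-looking sender. The following is an added example, not code from the DBIR or from Verizon, of a small mail scorer that layers those checks so that a message which passes the sender check can still be quarantined for a link whose visible text disagrees with its real destination. The blocklist domain, the sample addresses and the score weights are all constructed placeholders.

```python
import re
from email import message_from_string
from email.message import EmailMessage
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed policy data (placeholders, not a real blocklist).
BLOCKED_SENDER_DOMAINS = {"spam.example.net"}
EXECUTABLE_EXTENSIONS = {".exe", ".scr", ".js", ".vbs", ".bat"}
QUARANTINE_THRESHOLD = 6


class _LinkCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude eTLD+1: the last two labels (enough for the example's hosts)."""
    return ".".join(host.lower().split(".")[-2:])


def score_message(raw):
    """Score one RFC 822 message; a higher score means more phishing indicators."""
    msg = message_from_string(raw)
    score, reasons = 0, []
    m = re.search(r"@([\w.-]+)", msg.get("From", ""))
    if m and m.group(1).lower() in BLOCKED_SENDER_DOMAINS:
        score += 10
        reasons.append("sender domain is blocklisted")
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = _LinkCollector()
            collector.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            for href, text in collector.links:
                host = urlparse(href).hostname or ""
                # Visible text that looks like a URL but resolves elsewhere.
                shown = re.search(r"https?://([\w.-]+)", text)
                if shown and registered_domain(shown.group(1)) != registered_domain(host):
                    score += 6
                    reasons.append(f"link text shows {shown.group(1)} but points to {host}")
                if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", host):
                    score += 3
                    reasons.append(f"link points to a bare IP address {host}")
        name = part.get_filename()
        if name and any(name.lower().endswith(ext) for ext in EXECUTABLE_EXTENSIONS):
            score += 8
            reasons.append(f"executable attachment {name}")
    verdict = "quarantine" if score >= QUARANTINE_THRESHOLD else "deliver"
    return {"score": score, "verdict": verdict, "reasons": reasons}


def build_sample(sender, html, attachment=None):
    """Build a constructed test message (plain + HTML, optional attachment)."""
    msg = EmailMessage()
    msg["From"], msg["To"], msg["Subject"] = sender, "staff@corp.example.org", "Action required"
    msg.set_content("Please view this message in an HTML-capable client.")
    msg.add_alternative(html, subtype="html")
    if attachment:
        name, data = attachment
        msg.add_attachment(data, maintype="application", subtype="octet-stream", filename=name)
    return msg.as_string()


# Constructed samples: a clean notice, a trusted-looking sender with a
# mismatched link, and a blocklisted sender carrying an executable.
SAMPLES = {
    "benign": build_sample(
        "alerts@payroll.example.com",
        '<p><a href="https://payroll.example.com/login">Sign in</a></p>'),
    "lookalike_link": build_sample(
        "alerts@payroll.example.com",
        '<p><a href="http://198.51.100.45/login">https://payroll.example.com/login</a></p>'),
    "blocked_sender": build_sample(
        "promo@spam.example.net",
        "<p>See attached invoice.</p>", ("invoice.pdf.exe", b"MZ...")),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, score_message(raw))
```

The point of the second sample is the one the text makes: the sender check alone passes it, and only the link inspection catches the mismatch between what the user sees and where the click goes.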

At heart, phishing is a human problem, exacerbated by and potentially solved by humans.  Humans presented with phishing attacks are often easily deceived.  And the phishing attacks come back, and in greater numbers.  The problem is that users, who are the primary vehicle for phishing, are poorly trained.  By that, I mean that we “check the box” that the user sat through a 15 to 50 minute slide show or video extolling the harms of phishing, and then answered a few random multiple choice questions about the problem.  Even when effective, such training has a shelf life of maybe a few weeks.

Anti-phishing awareness is best when coupled with a bit of “light touch” testing.  A corporate-sponsored phishing attempt can redirect those who click links back to the training program as a refresher.  If it is not reinforced, it won’t be remembered.

Like everything else in security, it’s a matter of people, processes, technology, and policy.  But don’t forget the people because if you forget to teach the people security, they will forget to secure the network.