BreachExchange mailing list archives

Insurers’ Top 5 IT Security Threats (and What to Do About Them)


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Wed, 20 Aug 2014 19:53:52 -0600

http://www.insurancenetworking.com/news/data_management/insurers-top-5-it-security-threats-and-what-to-do-about-them-34742-1.html?pg=1

In the United States, the average cost of a data security breach increased
to $5.85 million this year from $5.4 million in 2013, according to “2014
Cost of Data Breach Study: Global Analysis,” conducted by the Ponemon
Institute and sponsored by IBM. While the organization’s bottom line
obviously suffers, breaches inevitably lead to diminishing trust and
reputational damage, especially for those in the financial services, health
care and pharmaceuticals industries, which lead all others in terms of the
resulting customer churn and the cost of damages.

Insurers are at risk, as they conduct more business electronically, move
core applications to the cloud and offer customers and agents self-service
access to data and systems. As more of that sensitive, personally
identifiable financial and health information is transmitted, it
potentially becomes more vulnerable to theft and vandalism.

While insurers have not recently been the victims of a high-profile cyber-crime,
retailer Target has offered many an object lesson on what not to do. Target
lost 40 million payment card numbers plus 70 million other pieces of
customer data through compromised point-of-sale systems late last year and
a seemingly lackadaisical response, illuminating the risks companies face
and the magnitude of the backlash from customers, regulators and
shareholders when they fail to protect systems and customer data.

“There have been plenty of instances where a CIO is no longer with the
company after a breach,” says Chris Burroughs, VP of IT architecture and
program management for Allianz Global Assistance, a travel and event
insurer. “But what happened to the Target CEO gets people’s attention,” she
adds, referring to the resignation of chairman Gregg Steinhafel, who had
been with the company for 35 years and CEO since 2008. “The CEO puts a lot of
trust in his CIO and his IT staff, so we are getting more recognition.”

Insurers of different types and sizes, including several that would speak
only on background, made it clear that the security threats insurers face,
and the solutions they are undertaking, are only partially technological.
Rather, insurers largely are trying to keep pace with technological change,
limit their vulnerabilities, create an IT culture that is attentive and
responsive to threats, educate end users, and align business and IT through
more risk-based conversations.

1. EVER-MORE SOPHISTICATED ATTACKS

Hackers are doing more than keeping pace with the rate of technological
change. Just as insurers are increasing the sophistication of their online
offerings, cyber-criminals are increasing the sophistication of their
attacks and adapting their strategies to penetrate them.

“I am astounded with the rate of change,” says Joseph Topale, VP of
infrastructure and chief information security officer for OneBeacon, a
specialty insurer with $1.09 billion in net written premium that sells
through independent agents. “The number of new technologies that they’re
attacking is a fascinating piece of this,” and for insurers, the challenge
is to exceed hackers’ levels of innovation given insurers’ finite
resources, he adds. “I’m not a technology business, so I can’t possibly be
inventing stuff. My innovation is centered around how to deploy
applications in a cost-effective manner.”

The nature of the attackers also is changing. “They’re the nation-state
attackers, they’re professional organized criminals,” says Mike Everley,
second VP of IT at Ameritas Life Insurance. “They deploy not only just
technology, they develop processes for attacking. And they educate people.
They run boot camps for hackers. They’re approaching it as a business,
using a business model. And it’s through people, processes and technology
that their effectiveness is growing and making it harder to defend against.”

While large-scale data breaches routinely make the news and motivate
corporations to harden their technological defenses, cyber-criminals
continue to adapt.

“There’s more innovation, unfortunately, on the part of the bad guys than
there is on the part of the good guys,” says Greg Bangs, VP and worldwide
product manager for crime, kidnap/ransom/extortion and workplace violence
expense insurance for Chubb, a global P&C insurer.

Bangs offers advancements in malicious software applications, commonly
known as malware, as an example. “CryptoLocker is amazing because, frankly,
the concept is so simple,” Bangs says. Typically the CryptoLocker virus
arrives by email as an attachment disguised as a PDF file. If users
open the file, the malware encrypts files on the computer using RSA public
key cryptography, with the private key stored only on the malware’s control
servers. Then the cyber-criminal demands payment, typically within 72
hours, Bangs explains. “The amount is usually small enough that it’s
manageable; they figure most people are just going to pay rather than go
through the headache of trying to deal with this.”

While the scale of CryptoLocker is relatively small, Bangs says his company
has seen attacks in which attackers have stolen personally identifiable
information from medical organizations, companies that process
pharmaceutical scripts or financial institutions, and demanded ransoms in
the millions of dollars. “The board of directors, who have a fiduciary duty
to protect this information and their clients’ information, could end up
getting sued. Not only would they have a loss in terms of the ransom amount
and all the expenses, but they’d have those reputational and legal issues
as well.”

Prevention is critical to managing escalating threats, and Bangs recommends
a combination of tried-and-true practices, such as automatic backups, virus
protection and user training. Software restriction policies, which can
block unauthorized executable files from running in specific parts of a
computer, also are effective, he says. “Make sure the board is aware of
these issues and what to do in case something happens. Ideally there’s a
team set up — somebody from legal, corporate security, IT, maybe a CEO or
COO — to discuss the issue and what to do about it.”
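As an added illustration of the software restriction policy Bangs recommends (this is not code from the article or from any of the insurers quoted), the PowerShell below writes a local Software Restriction Policy (SRP) path rule that disallows executables launched from the user's roaming and local AppData trees, the user-writable locations where email-delivered droppers of the CryptoLocker era typically unpacked. It assumes an elevated session on a Windows host whose Safer registry key is not already managed by a domain Group Policy, and that a log-off and log-on (or reboot) follows so the change is picked up.

```powershell
# Added example: block executables run from user-writable AppData paths with
# a local SRP path rule. Assumes an elevated PowerShell session and that no
# domain GPO overwrites HKLM\...\Safer (otherwise set the same rule in GPO).
$base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Safer\CodeIdentifiers'

# Default level stays Unrestricted (0x40000) so only the listed paths are
# blocked. TransparentEnabled=1 enforces on executables but not DLLs;
# PolicyScope=0 applies the rule to every user, local administrators included.
New-Item -Path $base -Force | Out-Null
New-ItemProperty -Path $base -Name DefaultLevel       -Value 0x40000 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $base -Name TransparentEnabled -Value 1       -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $base -Name PolicyScope        -Value 0       -PropertyType DWord -Force | Out-Null

# Security level 0 = Disallowed. Each path rule lives in its own GUID-named
# subkey under <level>\Paths with ItemData (the pattern) and SaferFlags (0).
$rules = @(
    @{ Path = '%AppData%\*.exe';        Note = 'Block executables in roaming AppData' },
    @{ Path = '%AppData%\*\*.exe';      Note = 'Block executables one level below roaming AppData' },
    @{ Path = '%LocalAppData%\*.exe';   Note = 'Block executables in local AppData' },
    @{ Path = '%LocalAppData%\*\*.exe'; Note = 'Block executables one level below local AppData' }
)
foreach ($rule in $rules) {
    $key = Join-Path "$base\0\Paths" ('{' + [guid]::NewGuid().ToString() + '}')
    New-Item -Path $key -Force | Out-Null
    New-ItemProperty -Path $key -Name ItemData    -Value $rule.Path -PropertyType ExpandString -Force | Out-Null
    New-ItemProperty -Path $key -Name SaferFlags  -Value 0          -PropertyType DWord        -Force | Out-Null
    New-ItemProperty -Path $key -Name Description -Value $rule.Note -PropertyType String       -Force | Out-Null
}

# Show what was written so the change can be reviewed before logging off.
Get-ChildItem "$base\0\Paths" | ForEach-Object { Get-ItemProperty $_.PSPath | Select-Object ItemData, Description }
```

To confirm the rule after logging back on, copy a harmless program such as notepad.exe into %AppData% and launch it: the launch should be refused, and SRP records the block in the Application event log (source SoftwareRestrictionPolicies). Any business application that legitimately runs from AppData needs its own allow (Unrestricted) path rule before this is rolled out widely.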

2. WEAK PERIMETER DEFENSES

The proliferation of cloud-based applications, tablets, phones and
self-service portals offers cyber-criminals many new ways to get through
insurers’ defenses, and the multitude of operating systems, releases,
hardware and app types creates an additional layer of complexity to
establishing effective defenses.

Insurers can’t rely on playing defense, Everley says. The question then
becomes, if something or someone breaches the defenses, whether that breach
can be detected and eradicated. “The way you go about it is similar to
managing internal controls, assuming you had good internal controls and
processes,” he says. “If you’re a company that just put a hard perimeter
around your network and then didn’t pay much attention to it, you’ll have a
lot of catching up to do to create good controls and processes for the
actual data.”

Everley uses the analogy of a street corner shell game to explain internal
data controls. “The guy moves the pea around under the shell, and you’ve
got to guess which shell the pea is under. The pea is the data. My job is
to follow the data. We can move it around, we can wrap it, we can call it
whatever you want. Then it doesn’t matter if you put it on this server,
that server or on the cloud. We deploy different mechanisms and tools, but
we think about it the same way.”

The move toward cloud computing for enterprise applications, however, can
leave companies especially vulnerable to attack, Topale says. “There are a
ton of cloud security experts out there, and they say secure cloud is by
definition an oxymoron,” he adds.

The issue is shared tenancy, which differentiates cloud from a private
hosted-computing infrastructure. “Those are service-oriented architectures
with very strict contractual obligations by the operators,” Topale says.
“That’s a way different attack surface than if I’m hosting my email system
in the cloud, for example.”

A particular vulnerability to shared-tenancy cloud-based systems is the
distributed denial-of-service (DDoS) attack. “I have two data-center
vendors, and both of them in the last 12 months have sent alerts out to us
that they were under denial-of-service attacks,” Burroughs says. Allianz’s
site wasn’t attacked, but access to the company’s data slowed as Allianz
suffered “collateral damage,” she says. “[The attack] was filling up these
shared Internet pipes coming into the data center,” she explains. “Even if
insurers are not being attacked, they need to be careful about who else is
on that Internet pipe with them.”

3. POOR USE OF SECURITY RESOURCES

Changing the security culture, through education and communication, is
critical to cyber-security. Burroughs says she has worked at other
companies where the relationships between applications developers,
infrastructure and security were not supportive. “The most difficult part
is establishing relationships so they don’t think of the security team as
holding up their project,” she says. And even having the most advanced
security technologies doesn’t mean that they are being deployed
effectively. At Target, for example, security systems reportedly were
installed but not monitored, and personnel were slow to react to the many
alerts that were triggered.

“You need web-application firewalls and network firewalls, but it’s about
the rhythm and the discipline more than it is the tools,” Burroughs says.
“Every company is doing the same things, but we have processes in place. On
a daily basis, we review the log files. On a weekly basis, we do the
anti-virus. We have checklists. And my security team has to fill out
tickets to say that they’ve done those things. We have accountability. It’s
about the discipline and using the outputs of all of those tools to tell
you where the vulnerabilities are. And, where you have gaps, making sure
you do something about them.”

Culture extends into planning and application development as well. Allianz
Assistance, which offers travel insurance online, now has additional
concerns related to taking credit card information online. Because of
Payment Card Industry (PCI) standards, developers at Allianz Assistance are
required to attend Open Web Application Security Project (OWASP) training
and then demonstrate that they have internalized that training, Burroughs
says. Deadlines for developers are frequently tight, and as a result
security sometimes is mistakenly treated as an afterthought.

“You have to change your culture so developers realize the impact of
writing insecure code,” Burroughs says. “We’re doing code reviews with the
developers and talking about security and disaster recovery on the front
end versus bolting it all on the back end.”

The weakest links are the end users, Burroughs says, who will share
passwords and post them on their monitors when the culture permits.
“Finding a way to engage the user community to be part of the solution,
it’s a full-time job. People think it’s an IT-only problem, but it’s not.
It’s the entire company.”

4. CARELESS END-USERS

OneBeacon recently retained a penetration testing company to explore the
company’s cyber-vulnerabilities, with a focus on employee awareness. “It
was a big shock to some people,” Topale says. “They were surprised that
they gave away information, to the point where I had to tell them their own
passwords before they believed that they actually had given them away.”

For the test, the penetration testing company was given the office phone
numbers of OneBeacon employees and briefed on the insurer’s internal
nomenclature. The testing company then devised a plausible scenario,
called each employee and frequently was able to talk the employee into
giving up passwords and other potentially sensitive information. “We call
our help desk Enterprise Support, so the script used ‘Enterprise Support,’
and that got people’s guard lowered. [Employees] didn’t ask questions, they
didn’t even look in their caller IDs, they didn’t look at anything.”

Topale says what was most revelatory was the pushback he got from the
users, most of whom denied having given up their credentials. “Most didn’t
know,” he says. “We had to literally describe the situation where they had
been called by a supposed IT person and were tricked into testing some new
system and had given up their ID and password.”

Of even greater concern to the company was that in a real-life scenario,
those compromised credentials would have remained valid for a period of
time. “That was the kicker,” Topale says. “The new thing is the bad guys
are trying to come in under the radar. If they have valid credentials, they
want to be very light touch with those things.” Many newer malware programs
are not designed to delete files, Topale explains, but rather to sit
quietly in the background and capture approved credentials, and then move
horizontally through the organization, collecting and transmitting
information until they are detected and removed.

OneBeacon has since increased internal education efforts on how to respond
to such inquiries and created a security steering committee comprised of
top-level managers, and it continues to conduct increasingly sophisticated
penetration tests.

Five years ago, a penetration test consisted of professionals trying to
hack into a website, Topale says. Today, a comprehensive test could include
a variety of internal, external and physical tests for vulnerabilities,
also called “indicators of compromise,” he adds. For example, a test could
exercise applications looking for vulnerabilities in the code. Or testers
could use valid credentials and behave as if they were committing an inside
job, or had stolen the credentials. Physical testing might entail sending
someone disguised as a service or delivery person to enter a physical
location.

“It’s never-ending,” Topale adds. “A new type of threat emerges, and you
have to shift resources and move in another direction.”

5. A GAP IN IT/BUSINESS ALIGNMENT

Since 2009, when Ameritas Life Insurance formed a dedicated security unit,
the company has shifted its security focus from governance to a risk-based
security model, Everley explains. At the time, Everley says the perception
among the business users was that firewalls and anti-malware applications
were just waiting for an attack. In actuality, the company is under
near-constant attack, he says, deflecting tens of thousands of spam and
malware-laden emails per day.

“The likelihood is approaching 100 percent that something is going to get
through,” Everley says. “But when you’re explaining it to the business,
they don’t care about the ones and zeros. They want to know what’s the
risk.” To explain the risks, and develop and mobilize security talent at
Ameritas, Everley last year put together a security focus forum comprised
of representatives from various departments. “We get together every other
week for an hour. I’ve come to understand that we have some opportunities
to improve. Then I translate that into business plans and conversations
with the executive team at Ameritas.”

Executives from the various business units discuss security matters from a
business perspective every other month, he says. “We talk about real
threats that have happened. I share metrics that show escalations. We’re
getting more attacks all the time, and I talk about where some of the gaps
are and the opportunities to improve. When we have the conversations about
money, they’re supportive. Nobody smiles and applauds, but neither do they
argue.”

Rather than deliver a lecture, Everley says IT should be able to offer a
cogent description of the technology and financial risks and the resources
required to address them. “It always comes down to money,” he says. “I’m
not going to capitalize on their fear, but certainly the time is ripe to
have the harder conversations.”

But the business also has to own responsibility for cyber-security, Everley
says. “The business owns the data, so they own the responsibility for its
care. And if they’re outsourcing, they should ask all kinds of questions
about how the provider is protecting it. Just because it’s not an internal
IT department doesn’t absolve them of asking the same questions.”



Insurers’ Top 5 Cyber Threats

1. Ever-More Sophisticated Attacks. The frequency and sophistication of
cyber-attacks are increasing.

2. Weak Perimeter Defenses. The increasing availability of systems and data
through mobile devices, customer self-service portals and shared services
increases the number of “attack surfaces” insurers have to protect.

3. Poor Use of Security Resources. Most businesses use essentially the same
tools to protect networks, systems and data, but tools are not solutions if
they are not used effectively.

4. Careless End-Users. Even well-intentioned end users are careless.

5. A Gap in IT/Business Alignment. Communicating with business partners in
terms of risk management and mitigation is a must.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss