Monday, Jan 11, 2016

The First Cyber Battle Of The Internet Of Things Era May Have Just Happened

The control center of California’s power grid in 2001. (John Decker / Bloomberg News)

Just two months ago I wrote about how the Internet of Things will fundamentally reshape the future of cyber warfare, evolving the cyber threat from simple website defacements, denial of service attacks, and data breaches, to affecting the physical world. Two weeks ago an hours-long power outage in Ukraine may have offered a preview of this new world, as hackers were claimed to have disabled a portion of the nation’s power grid.

On the evening of December 23rd, power was lost across multiple cities in Ivano-Frankivs’ka oblast in Western Ukraine, leaving nearly half the region in the dark for almost six hours. While it has not yet been proven that a cyber attack was responsible for the outage, key related malware was found on the computer systems of the affected power company. More troubling, the malware in question not only had the capability to create a remote backdoor that would have allowed power to be cut off, but also included tools designed to permanently delete files and disable the hard drives of the industrial control computer systems.

Just last year saw the first confirmed case of physical damage to a non-military target being caused by a cyber attack, when a German steel mill was “massively” damaged. The US Government is among many racing to develop offensive “lethal” cyber weapons designed to “trigger a nuclear plant meltdown; open a dam above a populated area, causing destruction; or disable air traffic control services, resulting in airplane crashes.”

While power was restored within a few hours due to the localized nature of the outage, one could imagine a far more devastating attack involving synchronized outages designed to overwhelm the grid’s ability to respond. Indeed, the fragility of the American power grid was starkly illuminated by the 2003 Northeast blackout in which a software bug caused a simple local power issue to cascade into an outage affecting 55 million people in 8 US states and Ontario. A series of strategic outages in the United States would affect not only the local regions, but could knock out the commercial cloud data centers powering much of the world’s commerce.

If proven that a cyber attack was indeed the cause of last month’s power outage in Ukraine, it represents the first glimmers of tomorrow’s “cyber first strike weapon.”

Kalev Leetaru

Tuesday, Jan 5, 2016

Cyber Risk Insurance: Preparing To Obtain Coverage With Standards and Frameworks

Cyber attacks are getting bigger, costlier, and more frequent. They are gaining more and more media attention with each strike. The Lloyd’s Risk Index 2013, a global biennial survey of board-level and top-level executives, identified cyber risk as the third-highest risk that faces businesses. However, while a proactive defense against cyber risks is the first step in corporate risk management, government agencies and trade groups have also begun to devise post-attack protections for consumers and the companies that serve them.

The Rise of Cyber Risk Insurance

Organizations are increasingly acquiring insurance coverage to mitigate some of the financial burden of cyber attacks. The reinsurance company Swiss Re predicts “that by 2025, cybercoverage will be in every retail, commercial and industrial insurance policy.” Before acquiring any type of coverage, though, you should determine appropriate standards for data protection. Fault, which can negate coverage, stems from negligence. Insurers define negligence according to what they consider a reasonable effort to protect one’s assets. One of the foundational aspects of cyber risk management is having a set of security standards that organizations and courts can reference if negligence ever comes into question. Further, secure practices increase the likelihood of acquiring coverage, because high-risk organizations pose a financial burden to insurers.

As more companies brace against cyberthreats, common standards are emerging across enterprises in every industry. To respond to the mounting threat, the Obama administration accelerated standardization in 2013 with Executive Order 13636, Improving Critical Infrastructure Cybersecurity, which required “the Secretary of Commerce to direct the Director of the National Institute of Standards and Technology [NIST] to lead the development of a framework to reduce cyber risks to critical infrastructure.” A year after this directive was signed, NIST issued its first Cybersecurity Framework (CSF), a model for reasonable information security practices and a starting point for acquiring cyber risk insurance.

Apart from the government’s response, independent standards organizations have long established guidelines for organizational cybersecurity, especially where client data is of paramount importance. The International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) jointly published sets of guidelines and created accreditation processes to further vet risk management strategies. On the most basic level, ISO certification, which requires compliance with ISO/IEC 27001 and 27002, signals to insurers that a company is responsible and, thus, eligible for coverage. Financial institutions, which require even more secure policies, are having industry-specific cybersecurity standards developed for them, but in the meantime they require ISO 27001 certification and CSF compliance of their vendors as a best practice.

Like the ISO/IEC financial standards in development, other industries are having guidelines developed by their own organizations. In the electric systems industry, there is the North American Electric Reliability Corporation (NERC), whose most widely recognized standard is NERC 1300. The insurance industry recently adopted “Principles for Effective Cybersecurity,” standards created by the cybersecurity task force of the National Association of Insurance Commissioners (NAIC). Cybersecurity standards are evolving and are, to some extent, industry-specific. When acquiring cybersecurity insurance, it is important to remember that an insurer’s duty to provide coverage will depend on your company’s ability to meet the appropriate standard of care. You should familiarize yourself with the standards in your industry as well as the guidelines required by your insurers.

Given the near-certainty that a breach will occur, even with the best cybersecurity policies and practices, post-breach loss management is and will be essential. In addition to the increase in cybersecurity standards, Congress is contemplating mandating cybersecurity insurance requirements in order to mitigate risks to companies and consumers. Breaches are occurring at a highly accelerated pace, and governments and industries are promoting, and in some cases requiring, cyber insurance. It is incumbent upon you to familiarize yourself with the cyber insurance market and decide how to integrate such policies into your enterprise risk management programs.

By Lisa M. Brownlee

Tuesday, Jan 5, 2016

Insurers Look to Tighten Cybersecurity Before Innovation

Underlying all 2016 trends is perhaps one of the largest focus areas for insurers: data security.

Several high-profile insurance data breaches in 2015, including the Anthem and Premera healthcare hacks, served as a giant wake-up call to the insurance industry — as hackers plucked the personal information of millions of consumers and forced the insurance industry to up the ante on its cybersecurity practices. As insurers explore technologies that collect more data and customer information than ever, they have no choice but to step up, says Gil Bishop, CISO of Amica.

“Ensuring the privacy and confidentiality of customer information in a rapidly evolving mobile insurance marketplace is challenging,” he says. “Issues range from how to sufficiently authenticate the user of a mobile device, to how to effectively provide end-to-end protection for payment and other sensitive transactions. Finding the appropriate balance between usability and security is critical.”

Besides severe effects on reputation and consumer satisfaction, big money is at stake: According to the Ponemon Institute’s Cost of Breach Study from May 2015, a breach can cost upward of $154 per record, and an average $3.79 million in damage overall.

The industry has been active in beginning to tackle the issue: Since the National Association of Insurance Commissioners created the Cybersecurity Taskforce at the end of 2014, recognition of the growing cybersecurity threat to insurers and the need for increased oversight has increased. The Cybersecurity Taskforce adopted 12 cybersecurity principles this year designed to provide guidance to insurers and regulators, and is also evaluating a new draft of a Cybersecurity Bill of Rights that specifies the rights of insurance consumers. 

Insurers have realized that not only do they have a responsibility to monitor their activities, but they need to make sure that basic housekeeping is being carried out, says Steve Durbin, a former Gartner analyst and managing director of the Information Security Forum. “You may not be able to detect the malware, but you should be able to spot unusual activity; you may not be able to protect every piece of data, but you should have implemented encryption.”

In a state filled with banks and insurers, it’s no surprise that New York regulators are currently considering a variety of cybersecurity requirements for banks and insurers. In a letter to other regulators, New York financial services superintendent Anthony Albanese said his agency has surveyed more than 150 banks and 43 insurers since 2013 and has concluded that “robust regulation” is needed.

On the other side of the coin, Durbin says there is the risk of becoming so focused on compliance that resilience and monitoring a rapidly emerging and evolving threat landscape gets lost in the mix. “Regulations are, by their very nature, retrospective in their context,” he explains, “whereas in cyberspace we need to be constantly looking forward and anticipating challenges through increased co-operation, increased sharing of intelligence and sound risk management.”

The good news is, insurers are in a unique position to address cybersecurity, according to James Ruotolo, director of products and marketing for security intelligence solutions at SAS, as many are beginning to offer cybersecurity coverage or see claims related to data breaches on business interruption, directors and officers or liability policies. “This can give insurers a unique perspective and the ability to see trends and patterns emerge,” he says. “While they certainly need to secure their own organizations, insurers have an important risk management and loss control role to play in addressing cybersecurity.” 

There is no doubt, however, that there will be a similar spate of breaches announced in the coming year, especially since many of these crimes occur months before the discovery or announcement, often by a third party, says Mitch Wein, VP of research and consulting at Novarica. “There is always a lag time between the breach and the detection and response,” he explains. “The idea is to shorten this time period since it can never be eliminated fully.” Many insurers have not yet fully deployed the comprehensive NIST Security framework which would reduce the time from breach to detection and response, he adds. 

But, according to the Novarica IT Security 2016 Update, 10-20% of insurers are planning to evaluate and pilot these security frameworks in 2016, says Wein. And budgets are blooming: According to Novarica’s US Insurer IT Budgets and Projects 2016, a survey of 104 insurers indicated that about 10% of their 2016 budget would be going to security, covering hardware, software, and processes such as firewalls, intrusion detection, encryption, framework adoption, and audits.

And risks of breaches are not affecting the insurance industry’s willingness to innovate, adds Wein.

“Insurers are innovating more, not less,” he says, including moving to digital, data-driven initiatives including collecting data from IoT-enabled devices and sensors, and mobile enablement of key processes: “The risk to insurers is increasing as they become more dependent on technology, however, they must innovate to survive,” he says.

Monday, Nov 23, 2015

This infographic shows every submarine operated by the nations of Europe and the Mediterranean

Modern submarines are used for a wide variety of tasks: (attacking or) protecting aircraft carriers (as in the case of U.S. Navy subs included in Carrier Strike Groups), defending territorial waters, attacking enemy warships or merchant ships, running a blockade, gathering intelligence (directly or by means of drones), inserting special forces, as well as launching ballistic or cruise missiles (in some cases with targeting guidance provided by tactical jets) in a conventional or nuclear land attack scenario.

All the most advanced navies operate a submarine force for one or more of the above mentioned missions, and in case you were wondering about the type/class and number of nuclear and conventional subs in service with European and Mediterranean nations, the infographic prepared by @Naval_Graphics is what you were looking for.

The chart also shows the strength of the Russian Northern, Baltic and Black Sea Fleets. Interestingly, at least one Borei-class strategic nuclear submarine is assigned to the European theater.

Borei class submarines will form the backbone for Russian Naval strategic nuclear forces by 2025-2030, replacing several other types of submarines, including the larger Typhoons. Each submarine of the Borei class will be able to carry 16 Bulava intercontinental ballistic missiles, each one with a range up to 11,000 km and able to carry nuclear warheads.

Russian subs often operate near the territorial waters of northern European nations, like Sweden and the UK, with Maritime Patrol Aircraft struggling to locate and track them.

In the recent past there have been concerns that Russian Navy subs could attack key internet communications in future war scenarios, following unusual naval activity near the locations of undersea cables.
Tuesday, Oct 27, 2015

Cybersecurity Information (Over)Sharing Act?
The U.S. Senate is preparing to vote on cybersecurity legislation that proponents say is sorely needed to better help companies and the government share information about the latest Internet threats. Critics of the bill and its many proposed amendments charge that it will do little, if anything, to address the very real problem of flawed cybersecurity while creating conditions that are ripe for privacy abuses. What follows is a breakdown of the arguments on both sides, and a personal analysis that seeks to add some important context to the debate.

Up for consideration by the full Senate this week is the Cybersecurity Information Sharing Act (CISA), a bill designed to shield companies from private lawsuits and antitrust laws if they seek help or cooperate with one another to fight cybercrime. The Wall Street Journal and The Washington Post each recently published editorials in support of the bill.

“The idea behind the legislation is simple: Let private businesses share information with each other, and with the government, to better fight an escalating and constantly evolving cyber threat,” the WSJ said in an editorial published today (paywall). “This shared data might be the footprint of hackers that the government has seen but private companies haven’t. Or it might include more advanced technology that private companies have developed as a defense.”

“Since hackers can strike fast, real-time cooperation is essential,” the WSJ continued. “A crucial provision would shield companies from private lawsuits and antitrust laws if they seek help or cooperate with one another. Democrats had long resisted this legal safe harbor at the behest of plaintiffs lawyers who view corporate victims of cyber attack as another source of plunder.”

The Post’s editorial dismisses “alarmist claims [that] have been made by privacy advocates who describe it as a ‘surveillance’ bill”:

“The notion that there is a binary choice between privacy and security is false. We need both privacy protection and cybersecurity, and the Senate legislation is one step toward breaking the logjam on security,” the Post concluded. “Sponsors have added privacy protections that would scrub out personal information before it is shared. They have made the legislation voluntary, so if companies are really concerned, they can stay away. A broad coalition of business groups, including the U.S. Chamber of Commerce, has backed the legislation, saying that cybertheft and disruption are ‘advancing in scope and complexity.’”

But critics of CISA say the devil is in the details, or rather in the raft of amendments that may be added to the bill before it’s passed. The Center for Democracy & Technology (CDT), a nonprofit technology policy group based in Washington, D.C., has published a comprehensive breakdown of the proposed amendments and their potential impacts.

CDT says despite some changes made to assuage privacy concerns, neither CISA as written nor any of its many proposed amendments address the fundamental weaknesses of the legislation. According to CDT, “the bill requires that any Internet user information volunteered by a company to the Department of Homeland Security for cybersecurity purposes be shared immediately with the National Security Agency (NSA), other elements of the Intelligence Community, with the FBI/DOJ, and many other Federal agencies – a requirement that will discourage company participation in the voluntary information sharing scheme envisioned in the bill.”

CDT warns that CISA risks turning the cybersecurity program it creates into a backdoor wiretap by authorizing sharing and use of CTIs (cyber threat indicators) for a broad array of law enforcement purposes that have nothing to do with cybersecurity. Moreover, CDT says, CISA will likely introduce unintended consequences:

“It trumps all law in authorizing companies to share user Internet communications and data that qualify as ‘cyber threat indicators,’ [and] does nothing to address conduct of the NSA that actually undermines cybersecurity, including the stockpiling of zero day vulnerabilities.”

ANALYSIS

On the surface, efforts to increase information sharing about the latest cyber threats seem like a no-brainer. We read constantly about breaches at major corporations in which the attackers were found to have been inside of the victim’s network for months or years on end before the organization discovered that it was breached (or, more likely, they were notified by law enforcement officials or third-party security firms).

If only there were an easier way, we are told, for companies to share so-called “indicators of compromise” — Internet addresses or malicious software samples known to be favored by specific cybercriminal groups, for example — such breaches and the resulting leakage of consumer data and corporate secrets could be detected and stanched far more quickly.

In practice, however, there are already plenty of efforts — some public, some subscription-based — to collect and disseminate this threat data. From where I sit, the biggest impediment to detecting and responding to breaches in a more timely manner comes from a fundamental lack of appreciation — from an organization’s leadership on down — for how much is riding on all the technology that drives virtually every aspect of the modern business enterprise today. While many business leaders fail to appreciate the value and criticality of all their IT assets, I guarantee you today’s cybercrooks know all too well how much these assets are worth. And this yawning gap in awareness and understanding is evident in the sheer number of breaches announced each week.

Far too many organizations have trouble seeing the value of investing in cybersecurity until it is too late. Even then, breached entities will often seek out shiny new technologies or products that they perceive will help detect and prevent the next breach, while overlooking the value of investing in talented cybersecurity professionals to help them make sense of what all this technology is already trying to tell them about the integrity and health of their network and computing devices.

One of the more stunning examples of this comes from a depressingly static finding in the annual data breach reports published by Verizon Enterprise, a company that helps victims of cybercrime respond to and clean up after major data breaches. Every year, Verizon produces an in-depth report that tries to pull lessons out of dozens of incidents it has responded to in the previous year. It also polls dozens of law enforcement agencies worldwide for their takeaways from investigating cybercrime incidents.

The depressingly static stat is that in a great many of these breaches, the information that could have tipped companies off to a breach much sooner was already collected by the breached organization’s various cybersecurity tools; the trouble was, the organization lacked the human resources needed to make sense of all this information.

We all want the enormous benefits that technology and the Internet can bring, but all too often we are unwilling to face just how dependent we have become on technology. We embrace and extoll these benefits, but we routinely fail to appreciate how these tools can be used against us. We want the benefits of it all, but we’re reluctant to put in the difficult and very often unsexy work required to make sure we can continue to make those benefits work for us.

The most frustrating aspect of a legislative approach to fixing this problem is that it may be virtually impossible to measure whether a bill like CISA will in fact lead to more information sharing that helps companies prevent or quash data breaches. Meanwhile, history is littered with examples of well-intentioned laws that produce unintended (if not unforeseen) consequences.

Having read through the proposed CISA bill and its myriad amendments, I’m left with an impression perhaps best voiced in a letter sent earlier this week to the bill’s sponsors by nearly two dozen academics. The coalition of professors charged that CISA is an example of the classic “let’s do something law” from a Congress that is under intense pressure to respond to a seemingly never-ending parade of breaches across the public and private sectors.

Rather than encouraging companies to increase their own cybersecurity standards, the professors wrote, “CISA ignores that goal and offloads responsibility to a generalized public-private secret information sharing network.”

“CISA creates new law in the wrong places,” the letter concluded. “For example, as the attached letter indicates, security threat information sharing is already quite robust. Instead, what are most needed are more robust and meaningful private efforts to prevent intrusions into networks and leaks out of them, and CISA does nothing to move us in that direction.”

By Brian Krebs 

Further reading: Independent national security journalist Marcy Wheeler’s take at EmptyWheel.net.