Ara Trembly

Ara Trembly is founder of The Tech Consultant and The Rogue Guru Blog. He can be reached at riskletters@lrp.com.

Column: Technology

Can We Trust Driverless Vehicles?

By: Ara Trembly | September 15, 2014 • 3 min read

Several years ago, I read a story about a man who purchased a brand new mobile home. One day, while driving along, he decided he needed a cup of coffee, so he set the mobile home on cruise control and walked back to make said coffee.

Needless to say, the vehicle ran off the road and crashed. It turns out this story wasn’t true, but it does reinforce the idea that technology left alone in a moving vehicle may not be a good idea.

That brings us to the subject of the proposed driverless car, a topic on which I have opined previously.

A recent article in the Wall Street Journal notes that, “Between now and 2016, an increasing number of car makers will offer ‘traffic jam assist’ systems that take over braking, steering and acceleration for vehicles inching along in low-speed traffic. It is a far cry from Google Inc.’s vision for a car that can drive itself in all conditions, but auto makers and suppliers have long taken the view that quantum leaps typically take place one mile at a time.”

At first, this seems like a very appealing concept. I was recently stuck in a monster traffic jam on Interstate 95 in South Carolina, and I certainly could have saved a great deal of effort and aggravation over the hour or so that we crawled along if my car simply took over all the stops and starts while I grabbed a nap.

But I also remember that during this mind-numbing event there were several times when people, including children, got out of their cars to walk around on the roadway.

Would my “traffic jam assist” recognize that potential hazard? And would the software alert me when the road was clear again? One wonders.

Auto industry executives, the Journal says, intend to offer systems that can robotically pilot a car at speeds up to 40 miles per hour within the next five years or so.

“Meanwhile, federal safety regulators say they are still conducting research on the potential safety and benefits of autonomous technology.”

Well done, regulators. Any technology that substitutes itself for the alertness and judgment needed from a human driver is risky by definition.

Ask yourself how many times your own computer fails to work quickly — or just quits working, necessitating a reboot or some other fix. Most of us have come to accept these glitches as a fact of life, but motoring down the road at 40 mph (and I’m sure it will be faster as time goes on), there would be no time for a reboot.

As I noted in my previous writings on this subject, accidents involving the inevitable failure (even if it is only occasional) of such technology could be a nightmare for insurers who need to assign risk and pay claims.

Certainly, technology that automatically brakes before my car can smash into anything is a potential lifesaver. The real danger is from technology that allows or encourages human drivers to stop paying attention, because the human brain understands things about risk that a computer chip may not.

Common sense and true concern for the safety of drivers demand that we strike a balance between technology that reduces risk and gadgets that actually increase the danger by removing responsibility and accountability.

Column: Technology

How Are We Doing?

By: Ara Trembly | September 2, 2014 • 2 min read

Famed former New York City Mayor Ed Koch was noted for, among other things, frequently asking the Big Apple’s citizens for an informal report on his job performance as the city’s executive. “How am I doing?” Koch would ask at press conferences and, in his case, the answers were often positive.

We would all do well to adopt the same approach when it comes to the cyber security of our enterprises, as well as the enterprises of our service providers and trading partners.

So when it comes to safeguarding the precious data of our companies and our customers, just how are we doing overall?

According to HP’s 2013 Cyber Risk report, there is both good and bad news.

The good news is that the total number of publicly disclosed cyber vulnerabilities remained at roughly the same levels seen in the previous three years, with the volume decreasing about 6 percent from 2012.

The really good news is that “high-severity vulnerabilities continued their multi-year decline in volume, reflecting vendors’ use of newer security technologies.”

This is truly significant, because any kind of positive news on the cyber security front is as scarce as hen’s teeth. Still, we cannot afford to get too comfortable.

The bad news? HP reported that, “As organizations scramble to meld their mobile and desktop workflows … the hybrid development frameworks available don’t sufficiently address a number of issues already well known to desktop developers.”

The most pressing issue identified in the report is “missing or weak encryption in native mobile applications, thus carrying potentially high risks for related hybrid mobile applications.” HP Security Research found that nearly 46 percent of iOS and Android applications analyzed use encryption improperly.

It’s great that so-called “high-severity” vulnerabilities are down, but we can’t ignore the possibility and probability that cyber criminals are simply choosing to settle for less chaos (and a reduced chance of being caught) in exchange for easier access to systems and highly valuable data.

It goes without saying that more obvious targets tend to be better protected, but that leaves plenty of room for less obvious targets, such as insurance enterprises, as well as brokers, agents, third-party suppliers and countless small businesses.

In addition, the HP report noted, “Plenty of vulnerabilities already known on traditional platforms can be equally effective on mobile devices using the same attack techniques, vectors, and targets. Worse, users tend to trust their handy mobile devices more than they trust their desktops, making certain techniques (social engineering attacks, for instance) far more effective.”

There can be little doubt that mobile devices are being pushed at both business and personal users as the most convenient and “coolest” way to go, so this challenge is likely to grow more difficult over time.

Further, said HP, “As the line between mobile and desktop usage blurs, and as users become more accustomed to having access to sensitive data on any platform they please, such [security] issues will rise in importance. In the meantime, organization defenders face the difficult task of socializing best security practices among their people, while waiting for the development community to hold up its end.”

Coming back, then, to our question of “How are we doing?” the answer is something like “slightly better, but not nearly good enough.”

In fact, it appears that the threats are simply changing their appearance and methods, keeping many of us off balance. This is something we cannot allow.

Column: Technology

Keeping Up With the Bad Guys

By: Ara Trembly | August 4, 2014 • 3 min read

It is no exaggeration to say that keeping up with the creation of new cyber threats is a huge challenge for carriers, brokers, agents, and everyone else who depends on Internet connectivity to move confidential data.

Many of us do the best we can, but no one really expects the insurance industry to be on the cutting edge of cyber-attack prevention.

Instead, we depend on the folks who provide us with the platforms and applications we utilize to build into their products the protection that might otherwise not be found.

So when I read an Internet posting from IDG News Service about Microsoft apparently being behind on patching a dangerous threat, it made me wonder how much of a chance the rest of us have against the cyber criminals of the world.

According to IDG, Microsoft said recently that it plans eventually to patch a vulnerability in Internet Explorer 8 that it has known about for seven months, but it didn’t say when.

A security research group within Hewlett-Packard called the Zero Day Initiative (ZDI) released details of the flaw on May 21 after giving Microsoft months to address it.

“The group withholds details of vulnerabilities to prevent tipping off hackers but eventually publicizes its findings even if a flaw isn’t fixed,” the posting noted.

Microsoft said it had not detected attacks that used the vulnerability, and did not give a reason for the long delay, but said in a statement that some patches take longer to engineer and that the patches must be tested against a large number of programs and configurations, according to IDG.

To exploit the flaw, the posting added, an attacker would have to convince a user to click a link to a malicious website. If the attack were successful, a hacker would have the same rights as the victim on the computer and could run arbitrary code.

It is worth noting that this is the way many attacks are launched, and that the ploys that sometimes fool users — phony urgent “notices” from a bank, the government, UPS, PayPal, or Microsoft itself — are successful enough that the crooks keep using them.

While most of us won’t click on a link that promises a surprise inheritance from a king in Nigeria, many of us will be tempted to click a link about an errant UPS package, for example, especially if we have recently sent such a package.

My purpose here is not to berate Microsoft, however. As the provider of a highly popular computing platform, Microsoft is a likely target for those who seek to commit online crimes. Given this reality, it is surprising that Microsoft is able to issue the number of patches that it does.

No, the lesson here is a simple one. We cannot and should not depend on our technology vendors to close all the loopholes associated with their products — at least not in the next 10 seconds.

Certainly, we want our vendors to produce products that are safe and secure, but we cannot expect them to do the impossible.

The unfortunate fact is that cyber crime syndicates recruit some of the brightest talent in the technology universe, because the rewards are great and the risk of getting caught — at least at this time — is minimal.

The best we can do is to keep all our employees aware of scams — new and old — that might get them to click on a dangerous link. Communication is essential.
