Ara Trembly

Ara Trembly is founder of The Tech Consultant and The Rogue Guru Blog. He can be reached at riskletters@lrp.com.

Column: Technology

Mind Games

By: Ara Trembly | December 10, 2014 • 2 min read

It is fair to say we have reached a stage in the evolution of technology in which hacking is an accepted fact of life in our business and personal spheres.

That is not to say we underestimate the damage that hacking attacks can do to insurance enterprises and to our organizations overall, but the prevailing attitude seems to be that the cyber bad guys are smarter than we are.

Our efforts to stop them may be partially successful, but in the end — just as a thief who really wants to steal your locked car will find a way to do it — a hacker who really wants to break in will eventually be able to do so.

To take this a bit further, since many of us feel we will lose the battle to hackers at some point, perhaps we are a bit less careful in our efforts to secure the data that is the lifeblood of our organizations. This idea was suggested to me by a recent article I read in “Dark Reading,” a data security publication.

In that piece, author Garret Grajek, CTO and COO for SecureAuth Corp., suggested that what is often missed in cyber attacks is the vulnerability created by what he refers to as “sloppy authentication.”

According to TechTarget.com, “Authentication is the process of determining whether someone or something is, in fact, who or what it is declared to be. In private and public computer networks (including the Internet), authentication is commonly done through the use of logon passwords. Knowledge of the password is assumed to guarantee that the user is authentic.”

We are all used to passwords as a security tool, but it is also useful to realize that passwords can easily be stolen — or guessed, if not adequately deployed.

“Hackers like it when the authentication deployment and security experts build sloppy authentication,” Grajek said. “The sloppiness generates vulnerabilities and thus the vector(s) for attack.”

And while many of us believe that hackers spend hours developing complicated algorithms to crack our systems, he called that idea a myth. “None of the major notable hacks, such as Living Social, Target, SnapChat, or Heartbleed, have provided any truth to these misconceptions,” he noted.

Instead, he said, “hackers attack the enterprise, rather than the algorithm.”

What does this mean? This is simply another way of saying that careless human efforts in the authentication building and securing process can lead to compromised systems and stolen data. Yes, some hackers are very clever — and sometimes they are a step ahead of those of us who would wish to stop them.

In fact, many of them are clever enough to realize that they need not spend countless hours devising mysterious break-in algorithms when they can instead count on the inevitable sloppiness of someone to leave a virtual door open for them. And one reason they can count on such carelessness is the defeated attitude of many who feel that a break-in is inevitable and thus are not vigilant in providing safeguards.

This battle is more psychological than it is technological. Grajek suggested that automated systems that involve less human involvement are the answer, and perhaps there is some merit in this idea.

In the end, however, it is also useful to remember that locking one’s car really does discourage theft, especially if others leave their vehicles unlocked.

FDA Medical Device Guidance

By: Ara Trembly | November 3, 2014 • 2 min read

The Food and Drug Administration has released “long-awaited” guidelines on the cyber security of medical devices.

Obviously, this is a concern for health and life insurers, but it is also relevant to other areas of coverage, such as automobile or any insurance that pays medical claims.

“There is no such thing as a threat-proof medical device,” said Suzanne Schwartz, director of emergency preparedness at the FDA’s Center for Devices and Radiological Health, in an article in “USA Today” on the release of the guidelines.

“It is important for medical device manufacturers to remain vigilant about cyber-security and to appropriately protect patients from those risks.”

Important indeed. One would think that such statements would be followed by some specific safety requirements, or at least by substantive recommendations.

Instead, the article noted, “The agency is recommending that manufacturers consider cyber security risks as they design and develop medical devices.”

And which particular risks might those be? It seems there is again no specificity.

Once having “considered” those risks, however, the FDA says companies should give the FDA information about the potential risks they found, as well as what controls they put in place to mitigate them.

While this is a nice idea, it ignores certain realities in the world of technology development in general and cyber security in particular.

First, many device manufacturers and software vendors only learn of vulnerabilities in their products after said products have been hacked.

Yes, it would be fair to say that manufacturers and vendors should do a better job of testing in order to ferret out potential problems, but it is also fair to say that the ways to crack a product’s code are many and that not all of those ways are likely to be anticipated.

And at some point in the product development process, the testing phase must come to an end — unless the vendor is oblivious to the possibilities for profitably marketing a given product.

“Many devices are poorly secured and do not require a lot to hack. If there is sufficient incentive to do so, it will happen, causing harm to patients,” said Shel Sharma, director of product marketing for Cyphort, a threat-detection company, in the published piece.

But why would anyone want to hack into a medical device, implanted or otherwise? One obvious reason might indeed be to do harm to that individual. If an implant suddenly overheats and loses functionality, who is to say it wasn’t an accident, as opposed to attempted murder?

More ominous, however, is the idea that devices of various kinds must, by design, interface with broader medical systems that contain much more data — including confidential data on health and things like Social Security numbers. It might also be that a compromised device would provide a gateway to an entire enterprise, allowing for mischief and significant data loss, and the liability that would accompany same.

And liability is precisely the point for insurers of nearly any stripe. Of course, this whole risk scenario may represent a new area of insurance coverage to be marketed by our carriers.

Even in that case, however, insurers hardly want device makers to make things easy for criminals, because the carriers must then pay the claims. The FDA held a national workshop on medical devices and cyber security in October. Let’s hope the risks and the solutions that emerge from that gathering are more clearly defined.

Beware the Internet of Things

By: Ara Trembly | October 15, 2014 • 3 min read

In case you missed it, the technology world is all about “the next big thing.” We are all breathlessly awaiting the next technology pronouncement that will — pundits like me say — be essential to your enterprise or to your larger organization. And it goes without saying that anyone who doesn’t buy in to said pronouncement will be left whimpering in the proverbial dust by their far more tech-savvy competitors.

Let us then consider one of the hottest new technology concepts—and ruminate on how this concept will affect the insurance industry. Behold, the Internet of Things (IoT)! According to Techopedia, “The Internet of Things (IoT) is a computing concept that describes a future where everyday physical objects will be connected to the Internet and be able to identify themselves to other devices. The term is closely identified with RFID as the method of communication, although it also may include other sensor technologies, wireless technologies or QR codes.”

Why is this so important? “The IoT is significant because an object that can represent itself digitally becomes something greater than the object by itself,” says Techopedia. “No longer does the object relate just to you, but is now connected to surrounding objects and database data. When many objects act in unison, they are known as having ‘ambient intelligence.’”

Admittedly, this still sounds rather academic and esoteric, but the people at Cisco make a very telling comment on their web site. According to Cisco, “The Internet of Things (IoT) is the network of physical objects accessed through the Internet, as defined by technology analysts and visionaries. These objects contain embedded technology to interact with internal states or the external environment. In other words, when objects can sense and communicate, it changes how and where decisions are made, and who makes them.” (Italics mine)

Now we begin to see the importance of this technology in general and for the insurance sector in particular. Anything that impacts on our decision-making process is certainly significant. But just what kinds of “objects” are we talking about?

“The IoT is connecting new places–such as manufacturing floors, energy grids, healthcare facilities, and transportation systems–to the Internet,” Cisco explains.

“When an object can represent itself digitally, it can be controlled from anywhere. This connectivity means more data, gathered from more places, with more ways to increase efficiency and improve safety and security.”

It also means many more ways for criminals to interfere with operations and/or steal confidential information. It’s one thing to have the appliances in our homes communicating with each other to automatically provide appropriate lighting, temperature control, food preparation, video monitoring of our premises, etc., but it is quite another to have, say, an entire city’s power grid exposed to multiple points of hacking. And what about all that confidential data that sits on healthcare systems?

The IoT is clearly a two-edged sword. It will (or should) allow far more automation of manufacturing and transportation systems, which should result in higher efficiency and (insurers take note) greater safety. Unfortunately, every “object” or device now becomes a point of access—offering an opportunity for mischief, or perhaps more serious crime. In a strange, antediluvian way, the very fact that most of today’s electronic devices are not connected through the Internet provides a layer of data security that can and will be lost as literally anything that runs on electric power becomes an Internet object.

Beware the IoT.