Keeping Up With the Bad Guys
It is no exaggeration to say that keeping up with the creation of new cyber threats is a huge challenge for carriers, brokers, agents, and everyone else who depends on Internet connectivity to move confidential data.
Many of us do the best we can, but no one really expects the insurance industry to be on the cutting edge of cyber-attack prevention.
Instead, we depend on the folks who provide us with the platforms and applications we utilize to build into their products the protection that might otherwise not be found.
So when I read an Internet posting from IDG News Service about Microsoft apparently being behind on patching a dangerous threat, it made me wonder how much of a chance the rest of us have against the cyber criminals of the world.
According to IDG, Microsoft said recently that it plans eventually to patch a vulnerability in Internet Explorer 8 that it has known about for seven months, but it didn’t say when.
A security research group within Hewlett-Packard called the Zero Day Initiative (ZDI) released details of the flaw on May 21 after giving Microsoft months to address it.
“The group withholds details of vulnerabilities to prevent tipping off hackers but eventually publicizes its findings even if a flaw isn’t fixed,” the posting noted.
Microsoft said it had not detected attacks that used the vulnerability, and did not give a reason for the long delay, but said in a statement that some patches take longer to engineer and that the patches must be tested against a large number of programs and configurations, according to IDG.
To exploit the flaw, the posting added, an attacker would have to convince a user to click a link to a malicious website. If the attack were successful, a hacker would have the same rights as the victim on the computer and could run arbitrary code.
It is worth noting that this is the way many attacks are launched, and that the ploys that sometimes fool users — phony urgent “notices” from a bank, the government, UPS, PayPal, or Microsoft itself — are successful enough that the crooks keep using them.
While most of us won’t click on a link that promises a surprise inheritance from a king in Nigeria, many of us will be tempted to click a link about an errant UPS package, for example, especially if we have recently sent such a package.
My purpose here is not to berate Microsoft, however. As the provider of a highly popular computing platform, Microsoft is a likely target for those who seek to commit online crimes. Given this reality, it is surprising that Microsoft is able to issue the number of patches that it does.
No, the lesson here is a simple one. We cannot and should not depend on our technology vendors to close all the loopholes associated with their products — at least not in the next 10 seconds.
Certainly, we want our vendors to produce products that are safe and secure, but we cannot expect them to do the impossible.
The unfortunate fact is that cyber crime syndicates recruit some of the brightest talent in the technology universe, because the rewards are great and the risk of getting caught — at least at this time — is minimal.
The best we can do is to keep all our employees aware of scams — new and old — that might get them to click on a dangerous link. Communication is essential.
Erase Any Trace
The security of confidential data is obviously one of the most important technology issues faced by insurers in this day and age. Fortunately, technology providers offer a variety of ways to help safeguard data from unauthorized intrusion.
Unfortunately, data may also reside in places that are not protected because they are incidental (portable drives), discarded as being archaic (old media or drives from old laptop or desktop PCs), or — worse yet — forgotten.
When most of us think about data loss vulnerability, we think about holes in our firewalls, network problems like Heartbleed (the well-publicized bug that allows attackers to steal passwords, credit card data, Social Security numbers, etc.), or the human frailties that may give rise to social engineering scams. While these are certainly important, it is also vital to give some thought to all of the places where potentially valuable data might be stored within our enterprises and within our walls.
One way to address this challenge might be to begin with an inventory of hardware and storage devices on your premises. This would probably involve contacts with virtually all employees, and a thorough investigation into where virtually any company data has been stored. Once you find the devices, it’s a sure bet that some of them will be old, outdated, or otherwise rarely used.
You could then take the time to wipe the data from the drive of each and every storage device (multiple times if you want to make sure it can’t be recovered), or you could take a more draconian approach — just destroy the drives and/or media.
Of course, taking the time and effort to find and destroy every piece of data storage media and hardware within your walls could be a challenge in itself. Some technology vendors, however, will be more than happy to help in this process.
Data Security Inc. of Lincoln, Neb., for example, markets a line of devices designed to destroy both solid-state storage media and hard drives. You can even choose between a manually operated destroyer (uses no electricity) and an automated electric-powered option. The end result is always the same: The unwanted drives and media are crushed beyond any danger of recovery.
Another option to completely erase data-bearing media is degaussing. Degaussing, said Data Security, is the process of reducing or eliminating an unwanted magnetic field (or data) stored on tape and disk media such as computer and laptop hard drives, diskettes, reels, cassettes and cartridge tapes.
“When exposed to the powerful magnetic field of a degausser, the magnetic data on a tape or hard disk is neutralized, or erased.” Degaussing is the guaranteed form of hard drive erasure. As such, it serves as the standard method of data destruction, the company claimed.
They added that once a hard drive has been degaussed, it can be recycled for its precious metals, thereby helping to pay for the process (the cost of a degausser may be $2,000 or more, but the units may also be rented).
“Recycling companies are often willing to purchase degaussed/damaged hard drives. Complete hard drives provide a higher recycling value than shredded hard drives,” the company said.
Insurance data has value to both our customers and to crooks who steal this information and resell it on the black market. Destroying or degaussing unused media and drives may seem extreme, but it does close significant cracks through which valuable data could fall into the wrong hands.
Read more of Ara’s columns on technology here.
Following the Federal Example
I was thinking about the risks we face in the world of commerce and that led me to take a look at the National Terror Alert Response Center on the Homeland Security news website. As noted on that site, “The National Terror Alert Response Network promotes homeland security emergency preparedness through awareness, education, community involvement and partnerships between individuals, groups and organizations.” In doing so, the site provides information on terrorist-related incidents and activities in the United States and abroad.
The part of the site that really caught my eye was a list of “Preparedness Guides” for a variety of situations directly or marginally related to terrorism.
The topics include: biological attack, chemical attack, hijacking, explosive attack, emergency evacuation plans, water in an emergency, food storage programs, first aid, emergency communications, gas mask FAQs, and more.
Here, we have the federal government at least trying to raise awareness and offer practical advice for some very scary scenarios. The government site caused me to wonder if we couldn’t do the same thing for our own organizations and enterprises when it comes to cyber crime, social engineering and other activities that pose dangers.
If the feds can create a color-coded risk level profile for the nation, maybe it’s time we created and monitored such a profile for our own companies. The reason that many attacks succeed is that we are unaware that they are actually attacks. And some of the approaches are disarmingly simple.
For example, in one scam, the bad guys simply left thumb drives in the lavatories of a major company. Naturally, when the drives were discovered by employees, they plugged them into their computers — their network-connected computers.
The drives, as you might suspect, contained malware that enabled the crooks to temporarily roam at will inside the network (from outside) and to steal passwords and other valuable information. Yet, it all started innocently enough with someone being curious about a “lost” thumb drive.
This could happen in your company or in mine. But if we spread the word about such possibilities within our own gates, we’re much less likely to be surprised by digital soldiers climbing out of the virtual Trojan horse. If we issue a weekly, or at least monthly, alert about reported hacking and social engineering attempts, it seems logical that many of us would think twice before plugging an unknown drive into our network-connected devices.
A rash of such incidents — or other crimes — could result in raising the risk profile in our organizations. This profile could easily be forwarded to every employee and every other connected entity on a daily basis as an aid to awareness.
Every person who connects with our networks is, by default, also standing guard over that network’s integrity. If we can all learn about what kinds of threats to expect and how those threats present, our enterprises and our organizations will be that much safer from those who wish to do us harm.
The final piece, of course, is to emulate the Homeland Security site by offering advice on what to do when a threat is detected. In one simple example, a directive and reminder to avoid clicking on any links from questionable sources would go far toward reducing the amount of cyber crime perpetrated against ourselves and our organizations.