Keeping Up With the Bad Guys

August 4, 2014

Ara Trembly is founder of The Tech Consultant and The Rogue Guru Blog. He can be reached at [email protected].

It is no exaggeration to say that keeping up with the creation of new cyber threats is a huge challenge for carriers, brokers, agents, and everyone else who depends on Internet connectivity to move confidential data.

Many of us do the best we can, but no one really expects the insurance industry to be on the cutting edge of cyber-attack prevention.

Instead, we depend on the folks who provide our platforms and applications to build into their products the protection that might otherwise not be found.

So when I read an Internet posting from IDG News Service about Microsoft apparently being behind on patching a dangerous threat, it made me wonder how much of a chance the rest of us have against the cyber criminals of the world.

According to IDG, Microsoft said recently that it plans eventually to patch a vulnerability in Internet Explorer 8 that it has known about for seven months, but it didn’t say when.

A security research group within Hewlett-Packard called the Zero Day Initiative (ZDI) released details of the flaw on May 21 after giving Microsoft months to address it.

“The group withholds details of vulnerabilities to prevent tipping off hackers but eventually publicizes its findings even if a flaw isn’t fixed,” the posting noted.

Microsoft said it had not detected attacks that used the vulnerability, and did not give a reason for the long delay, but said in a statement that some patches take longer to engineer and that the patches must be tested against a large number of programs and configurations, according to IDG.

To exploit the flaw, the posting added, an attacker would have to convince a user to click a link to a malicious website. If the attack were successful, a hacker would have the same rights as the victim on the computer and could run arbitrary code.

It is worth noting that this is the way many attacks are launched, and that the ploys that sometimes fool users — phony urgent “notices” from a bank, the government, UPS, PayPal, or Microsoft itself — are successful enough that the crooks keep using them.

While most of us won’t click on a link that promises a surprise inheritance from a king in Nigeria, many of us will be tempted to click a link about an errant UPS package, for example, especially if we have recently sent such a package.

My purpose here is not to berate Microsoft, however. As the provider of a highly popular computing platform, Microsoft is a likely target for those who seek to commit online crimes. Given this reality, it is surprising that Microsoft is able to issue the number of patches that it does.

No, the lesson here is a simple one. We cannot and should not depend on our technology vendors to close all the loopholes associated with their products — at least not in the next 10 seconds.

Certainly, we want our vendors to produce products that are safe and secure, but we cannot expect them to do the impossible.

The unfortunate fact is that cyber crime syndicates recruit some of the brightest talent in the technology universe, because the rewards are great and the risk of getting caught — at least at this time — is minimal.

The best we can do is to keep all our employees aware of scams — new and old — that might get them to click on a dangerous link. Communication is essential.
