In what preliminary reports are indicating could be one of the biggest breaches of 2016, the Friend Finder’s Network (FFN) and the six properties operating under its domain, including Adult Friends Finder, have been breached. The breach was triggered by a local file inclusion (LFI) vulnerability and resulted in over 412 million users being compromised. Most passwords were stored as SHA-1 hashes, which are too weak to thwart modern attackers. Experts are saying that this breach could be worse than the one that occurred at MySpace earlier this year. Consequently, the FFN breach is likely to cause a domino effect of smaller breaches resulting from password reuse and spear-phishing. The breach at FFN indicates a growing need for data systems to update and modernize security as the cyber landscape continues to grow and evolve.
Over the past several weeks, we have seen a spike in Distributed Denial of Service (DDoS) attacks across the globe. Kaspersky Lab, an international cybersecurity provider based in Moscow, has confirmed that five of Russia’s largest banks, including Sberbank, have been experiencing persistent DDoS attacks over the past several days. At the peak of the DDoS attacks, Kaspersky Lab recorded over 660,000 requests per second. Experts believe that the hackers have carried out these attacks through a botnet of hacked Internet of Things (IoT) devices, similar to the recent DDoS attack on Dynamic Network Services Inc. (Dyn) in the United States. While the origins of the attacks are unknown, some speculate that they have originated from anger about Russian involvement in the U.S. elections. In response to the attacks, the Online Trust Alliance (OTA) has produced a framework for a kite mark standard in securing IoT devices. While this DDoS attack on Russian banks was just one of 68 in total this year, experts say it is one of the largest they have ever seen.
A group of researchers from Indiana University Bloomington, University of California Santa Barbara and the Georgia Institute of Technology discovered more than 600 cloud repositories that contained malware and other potentially unwanted programs (PUP). According to Liao et al.’s report, up to 10 percent of the 140,000 sites and 20 major cloud platforms researched, including those of Google, Amazon and Groupon, contained compromised content. The researchers also found several hundred malicious “buckets,” which actively dump malware into these repositories. Threat actors have utilized a variety of common attacks, including fake antivirus software, phishing and drive-by downloads. Liao et al.’s findings are an indication of the growing difficulty in securing big data repositories and the possible vulnerability of these cloud platforms.
President Obama’s Commission on Enhancing National Cybersecurity will hold its final public meeting this month, which will prepare policy recommendations for the transition to the new Trump administration. President Obama created the Commission to improve the nation’s cybersecurity posture with both short and long-term strategies in mind, including an industry-government partnership on voluntary standards. The presidential group has also been working hard to finish the Cybersecurity National Action Plan (CNAP) which includes a government-coordinated response plan for significant cyber-attacks.
President Obama has been vocal about his pledge of a peaceful transition, something he credits the Bush administration with mastering in his first days in office. They “could have not been more professional or gracious” in assisting the Obama team during the transition. While President-elect Trump has promised to undo many of Obama’s major policies, both the President and President-elect have stressed the need for better cybersecurity practices and more funding for the federal government regarding cyber. As a result, the White House hopes it can help “guide the incoming Trump administration on advancing cybersecurity policies that build on the progress of an industry-government partnership on voluntary standards, while going further to address emerging and evolving threats,” according to a recent Inside Cybersecurity article. The Commission on Enhancing National Cybersecurity will hold a call-in meeting on November 21 asking for public input and will address their progress on developing policy recommendations for the transition.
The recent distributed denial of service (DDoS) attack on internet service provider Dynamic Network Services Inc. (Dyn), which disabled the websites for major corporations such as Twitter, Spotify, Netflix, Amazon, Tumblr, Reddit, The New York Times and many others, not only serves as a wake-up call for organizations of all sizes, but a warning as well, according to the FBI. The agency has warned private companies that cyber-attacks through thousands of connected devices, known as the Internet of Things (IoT), will only increase in number. “The exploitation of the IoT to conduct small-to-large scale attacks on the private industry will very likely continue,” explained the FBI in an October 26 bulletin to private organizations.
Further, an FBI spokeswoman explained, “In furtherance of public-private partnerships, the FBI routinely advises private industry of various cyber threat indicators observed during the course of our investigations. This data is provided in order to help systems administrators guard against the actions of persistent cybercriminals.” The reason this threat will remain, the FBI explained, is that the source code used in the attack, known as Mirai, is publicly available. Anyone with technical skills can set up their own “botnet” of hacked IoT devices to overload websites with tens of thousands of IP addresses. Director of National Intelligence James Clapper said Russia is not believed to be the culprit, as the attacks do not appear to be government-based.
Los Angeles, a target for movie stars and warm weather, is also one of the world’s largest targets for cyber-attacks. Being the second largest city in the nation, L.A.’s massive data responsibilities create enormous security challenges. “We receive a massive amount of automated cyber-attacks every month, about 100 million,” said Ted Ross, the city’s CIO. To combat this issue, Ross reports that the city has made significant improvements to its cybersecurity in the last two years, such as the construction of a $1.8 million Integrated Security Operations Center which consolidates threat intelligence. Consolidation has helped to speed up threat response and coordination. L.A. is sharing its findings with the FBI, Homeland Security, and the Secret Service in an effort to unify with other governments and cyber professionals. The issue of ransomware remains at the top of the list of L.A.’s worries, but the city does feel confident in the security behind its internet of things infrastructure.
Ransomware attacks are on the rise across the country, with hackers reportedly extracting $209 million in ransom payments in the first three months of 2016. Madison County fell victim to a ransomware attack on Saturday, shutting down nearly all county services. Following the attack, commissioners gathered in an emergency session to discuss their options. Although the full implications of the attack remain unknown, and no personal information appears to have been released, the commissioners issued a unanimous vote to pay the ransom, but they are still hoping to find a way to fight back. “We’re following the directions of our insurance carrier,” said Madison County Commissioner, John Richwine. While he did not reveal the amount paid to the cybercriminals, Richwine explained that it was not as much as one might think, and is covered by the county’s cyber insurance policy with Travelers after a deductible is paid.
According to Symantec’s 2016 Internet Security Threat Report, 43 percent of phishing attempts targeted small businesses in 2015. Despite this figure, only five percent of small and medium-sized enterprises (SMEs) are believed to have a cyber insurance policy in place. While businesses of all sizes are aware of the potential impact cyber-risk has on the organization, decision makers choose not to purchase cyber insurance for a variety of reasons. To help small businesses make the decision to purchase cyber insurance, a PropertyCasualty360 article explains there are a number of things a broker can do to help SMEs offset that risk.
IBM’s 2016 Cost of Data Breach Study puts the average cost of a data breach at about $4 million, with the average stolen record costing about $221. With the increasing number of cyber-threats in the United States, a cyber-attack falling on your organization is almost inevitable. Compared to the potential loss following a data breach, the decision to purchase cyber insurance may ultimately be the reason an organization is still functioning. Not to mention, cyber liability insurance is not nearly as expensive as many perceive – relative to other lines of insurance, basic cyber liability coverage is actually fairly inexpensive. Brokers must also explain to SMEs that data on the cloud does not guarantee safety. Cloud providers often have hold-harmless agreements, meaning the provider is exempt from any liability accusations if all or any data is lost from a data breach. Lastly, while data breaches making headlines usually involve large corporations or government entities, cyber-attacks are happening on SMEs every day, in every city. Small business owners must understand they are just as likely, if not more likely, to be the target of an attack, primarily due to inadequate cybersecurity practices. Cyber insurance can not only help mitigate the risk on the back-end, but it can also ramp up cybersecurity practices on the front-end due to employee training opportunities and mandatory cybersecurity requirements. While it is important that organizations of all sizes strive to protect their data and stop a breach before it occurs, a cyber liability policy can, at the very least, help hedge the costs of a data breach if one were to occur.
Although cyber insurance is generally written via manuscript policies, which are thus unique in nature, cyber policies are becoming more robust and encompassing. However, one particular exclusion exists in the overwhelming majority of cyber insurance policies: cyber-attacks involving nation state hackers. While government-affiliated cybercriminals have been at the crux of recent cyber-talk, cyber insurance policies often “explicitly exclude acts of war and ‘warlike operations.’” Many policies “also exclude acts of broadly defined foreign enemies, government actors and terrorism,” said Robert Morgus, a policy analyst in New America’s International Security Program. This begs the question – who, then, is responsible for attributing the cyber-attack following a cyber insurance claim?
A recent CyberScoop article suggests that carriers will likely avoid taking the insured to court over attribution regarding a cyber-attack. “Generally speaking, liability exclusion details are difficult to study because most cyber insurance contracts are confidential in nature,” Morgus explained. “Legal experts say there has yet to be a case where the insurance company or a breach victim have specifically challenged the attribution of an attack in court.” Nonetheless, exclusions regarding “acts of war,” from “nation state hackers” are common and in order to attribute the attack to the cybercriminal(s), the insurer will ultimately have to bear the costs of a digital forensic investigation. As a result, it is believed that carriers will continue to avoid such a potentially messy legal battle over attribution.
Insurance Attorney Scott Godes warns businesses to make sure they’re covered in the gray areas – referring to the rift between cyber policies and traditional crime coverage. However, some insurance companies, such as Willis Towers Watson, are looking to fill those gaps. Willis recently announced its CyFi plan – short for cyber insurance and fidelity. The new plan is intended to fill the gap and will serve excess over the crime policy and cyber policy, and will also be available to industries outside of the financial field. Godes notes that the new CyFi plan goes further than any other to date, and makes several recommendations of things to look for when buying policies.