Posts Tagged ‘cyber attacks’

What’s Next After ‘Massive Disruption’ From Latest Cyber-Attack? A View From The Trenches

As the cyber-attack continues to spread around the globe causing massive disruption and damage for universities, hospitals, automakers and many other businesses including FedEx, only one thing is certain: It won’t be the last.

That’s because the cyber criminals are running a multibillion-dollar enterprise with the help of ultra-sophisticated tools, said Yuri Frayman, co-founder and CEO of Aventura-based cybersecurity company Zenedge. The company, which launched in 2014 after two years of development, helps companies worldwide protect their web applications and networks against cyber-attacks with its proprietary technology.

“If this was not a wake-up call to the corporate world, I don’t know what needs to happen next,” said Frayman, offering his view from the trenches. “About 220,000 companies have been hit, and this is just what we know. We are seeing a massive disruption in the network operations across the globe.”

A screenshot of the warning screen from a purported ransomware attack, as captured by a computer user in Taiwan, is seen on laptop in Beijing on Saturday. Thousands of companies were hit with a huge ransomware attack over the weekend that locked up computers and held users’ files for ransom in hospitals, companies and government agencies. (PHOTO CREDIT: Mark Schiefelbein AP)

None of the firms his company protects have reported any disruptions from the so-called “WannaCry” ransomware virus, he said. But as the attack has unfolded, Zenedge has been talking with industry security specialists around the globe about how they are mitigating the damage and seeking to stabilize large infrastructure companies.

What really worries Frayman is what comes next in this attack, and ones to follow. Companies such as FedEx will throw everything at this problem in the next three or four days at an unbelievable cost, said Frayman, who has himself been expecting a FedEx delivery for the past two days. But less-sophisticated firms may may not even know a virus lurks in their system.

 “A second problem is the massive shortage of cyber-security experts. The enemies are hackers who are years ahead, Frayman said.  “Telecommuting also creates risk. Ninety-eight percent of the world population doesn’t know if their home has been hacked. If I have your home, I can hack your corporate environment. Many people around the world work from home, and that is another black hole that is ready to explode.

The solution – beyond turning off the internet – is commitment to vigilance. Generally, the largest financial services companies are very proactive, appropriating the proper budget, staff and training and putting key processes in place. But take a step outside of that and you will see across the board that corporations have not taken this seriously. Hiring a chief security officer is not enough. It’s not about buying cyber insurance and hiring a couple of people – it’s about discipline. Having a dedicated staff and/or vendors whose single task is to secure and protect the company is key. So is continual staff training. You can’t just be clicking anymore…. Hackers are using very sophisticated tools to mimic regular emails you get every single day. If you click on one that downloads a virus, it eventually could discover the system administration credentials. Once the hackers know those, they can do whatever they want.”

Zenedge currently has about 250 clients spanning the financial, ecommerce, gaming, healthcare and manufacturing industries worldwide and also protects large internet service providers, said Frayman, who previously helped lead and sell four other companies. Zenedge raised $6.2 million in September to finance its global expansion; in total, it has raised $13.7 million in venture capital funding.

“Every single attack, every single malware, we take it apart, and we train our algorithyms to be able to pick up the behavior of an attacker,” Frayman said. “If you train a computer to think like a human, then you can protect as many customers as we do without a need for a human interaction.”


Source: Miami Herald

Insurers Forced To Grapple With Cyber-Attacks That Spill Over Into Physical Damage

As hackers wreak havoc with depressing regularity, the insurance industry finds itself forced to contemplate a whole new set of risks.

They range from the theft of millions of credit-card numbers from American retailers to the disabling of the power grid, as happened in Ukraine last December. The dedicated “cyber-insurance” policies that companies offer against data breaches have become relatively routine. But the risks they insure under other policies are also affected by cyber-risks—and they are still struggling to understand this so-called “silent” cyber-exposure.

Insurance that protects firms who suffer data breaches has been on offer for around 15 years. It is much harder to put a precise value on, for example, stolen health records than on a property or car. Insurers sidestep the problem by covering only the direct costs that a company incurs from a hack. Typically, these include hiring a specialized forensics firm to work out exactly what was stolen, notifying affected customers (which 47 American states currently require), short-term business interruption and fines.

The industry will be shaken up by new EU data-protection rules, which come into force in 2018 and will impose stricter notification requirements and stiffer fines for data breaches than firms have so far faced in America. Partly because of this, the market for cyber-insurance, which represented only $2.5bn in global premium revenue in 2014 (90% of which came from American companies), is expected to treble by 2020, according to PwC, a consultancy. That would still leave it tiny in comparison with, say, the $670bn global motor-insurance market.

Data breaches are, however, for the most part a manageable nuisance rather than a disaster. Despite the hundreds that take place annually, only 90 since 2010 have been reported by American companies to regulators as having had a “material” impact on their business.

The bigger concern is the “silent” exposure: cyber-attacks that cause physical damage or bodily injury and can end up triggering other policies, such as life, home or commercial-property insurance. Often, such policies, though not designed with cyber-risks in mind, do not specifically exclude them either. In some cases the difference may be minor; a burglar who enters a house by hacking a “smart” lock will not necessarily steal more than one who breaks a window. But cases such as the massive damage caused to a steelworks in Germany in 2014 by hackers who messed with a blast furnace, or the hacking of the Ukrainian power grid (blamed by many on Russia), give insurers pause. They have added urgency to efforts to understand, measure and calibrate their exposures to these new threats.

With real-world precedents still too rare to form the basis of any reliable estimates, the industry has turned to using hypothetical scenarios. At the end of last year, for the first time, Lloyd’s of London, an insurance market that specialises in niche and emerging risks, asked its syndicates (groups of insurers and brokers) to come up with “plausible but extreme” cyber-attack scenarios, and report back their estimated total exposure, in what is to be an annual requirement. The exercise follows a cyber-scenario report in May 2015 from the management of Lloyd’s itself on a hypothetical hacker-caused blackout of the entire power grid of the American north-east. It estimated this would cause direct losses to business revenues of $222bn, and a total dent in GDP of over $1trn over five years.

Many insurers are turning to outside expertise. Matt Webb of Hiscox, a specialist insurer, describes an “arms race” between analytics firms such as RMS and Symantec, offering their long-standing modelling prowess (RMS is already well-trusted on hurricane modelling, for example) to help insurers understand their cyber-liabilities.

But even if exposures are better understood, limiting them may prove tricky. Kevin Kalinich of Aon, an insurance-broker, points to the near-impossibility of drawing a line, for example, between cyber-war or cyberterrorism and “normal” hacking. Cyber-crime knows no geographical bounds, unlike, say, a Florida hurricane. Mr Webb reckons that insurance policies will at a minimum need explicitly to recognise that cyber-risks are covered or to exclude them—just as many policies already include exemptions for terrorism or war.

Although insurers are already helping companies with more humdrum data breaches, the industry still lacks a clearly formulated response to a larger-scale cyber-calamity. Inga Beale, CEO of Lloyd’s, is optimistic that the market, thanks to its exacting modelling exercises and its unique risk-sharing structure, is better equipped than most. But only a devastating, real-life cyber-attack would test how effective its preparations have been.


Source: Economist