Just How Bad Are We Doing With Cyber Security? Lets look at the past week…

So just how bad is ransomware and cyber security in general? To get an impression, lets look at the past week. Just over the past 7 days, there have been over a dozen major ransomware attacks, though a few have not been well reported in the news media. The fact is, we have fallen for a kind of creeping normality. It’s not normal and it should not be considered a routine thing to see this happen.

Starbucks Impacted By Cyber Attack
Stop & Shop Hit By Cyber Incident – May Result In Bare Shelves
Supply Chain Management Vendor Blue Yonder Succumbs to Ransomware
The City of Odessa, TX Experiences a Cyber Incident
Weeks Later, Problems Persist At Hannaford Supermarkets
Wirral University Teaching Hospital Experiences Major Cyber Incident
Retailers Struggle After Attack on Supply Chain Provider Blue Yonder
RRCA Accounts Management Falls Victim to Play Ransomware Attack
Aspen Healthcare Services Announces Data Breach
Zyxel Firewalls Targeted in Recent Ransomware Attacks
Fintech Giant Finastra Investigates Data Breach

Continue reading

How The Failure Of Cyber Security Cost Harris the Election

Many do not realize this, but Donald Trump largely won the election because of cyber security failings by the current administration. Don’t believe me? Cyber security losses are a huge factor in inflation and have caused a massive economic problem, which has decimated healthcare and cost billions to government agencies, all while financing Hamas and the war in Ukraine.

These macroscopic problems may not seem to be linked to cyber security losses, but they are. While politicians like to pretend it is a minor, specialized issue, the fact is that cyber losses are now decimating business and hurting the monetary supply. They are a huge factor in why American businesses are failing and why it is harder than ever to compete. The pain that Americans feel at the gas pump, when they get their pay check, pay for insurance and the problems in the world are not 100% caused by poor management of cyber risks, but that is part of it.

The biggest problem, as I have stated before, is that we simply cannot improve things until the insurance sector cleans up its act. The moral crisis we now are seeing is caused primarily by the insurance sector, which has made the decision that it is fine to lose money on cyber security and it’s fine to raise rates. They’ve created a monster, and that monster can’t be kept at bay until regulators wise up and recognize that insurance must be held accountable for the disgusting and despicable conduct of cyber security underwriters.

Continue reading

Why is Ransom Paid? Panic, Perverse Incentives and Bluffs. 

It is rarely in the best interest of the victim to pay ransom! Although the narrative often is “Because they have no choice” or “It is to protect people from the leak.” This is a complete myth, and it tends to be advanced by those who have paid ransom before, as a way of covering their terrible and avoidable behavior. Nobody owns this untrue narrative more than the insurance underwriters who normalized this behavior.

The problem with something like ransomware is that most companies are willing to pay ransom, and as long as this remains true it will be a persistent problem and only get worse.  Ransomware has become so entrenched and is so easy and cheap to pull off, it will not subside until it becomes substantially difficult to succeed in a ransomware attack and make money doing so.  Unfortunately, there have been no efforts to reduce ransom payments.

It is important to never forget exactly what is paid for, with money American companies pay
(Source)

When ransomware gangs lock down a system, they are frequently the first people the victims hear from and they will do their best to instill fear, create panic and make the situation seem much worse than it is.  They will often claim that they will soon delete the data or raise their price for restoration.  Paying for data restoration is never necessary, if even the most basic of precautions have been taken to back up data, but that is often not the cast and 80% of organizations facing ransomware do not have adequate backups.   The situation is common, though always avoidable, and at least half of ransom payments are motivated primarily by the need to release systems and have data returned, not to avoid it leaking.

In many cases, companies have felt it was more reliable or faster to pay ransom, and with gangs so skilled at instilling fear and manipulating American companies, it is not uncommon.  In some cases insurers have even insisted that victims pay ransom against their will.  HSB is one of the few that still does this, forcing victims to pay ransom even if they felt it was not necessary, simply because the insurance company felt it was cheaper or safer to do so. However, the practice has never gone away completely from most insurers. Because the claims staff frequently receive kickbacks, they will tell organizations they are best off paying, even when they are not.

Unfortunately, it is not cheaper or safer to do so, and this is especially true if you do have backed up data.  The restored data is 100% assured to be contaminated with malware and backdoors and the incident response will be far worse off. Paying ransom almost doubles the average cost of cleaning up an incident in the end.  It also dramatically increases the chances of future attacks.

Continue reading

An Underwriters’ Guide to Cyber Risk: Managing 3rd Party Risk – Part 2

Understanding and Preventing Zero Day And Other Software Supply Chain Attacks

This is the second post in the series, intended to help better understand how third party risks can be managed, and addressing the problem of misinformation from high raking sources. Because of the pervasiveness of the myth that third party risks are unmanageable, primarily due to the insistence by insurance executives that “Well I don’t understand it, and therefore it can’t be done.” But because of this toxic insistence, it is necessary to break things down and provide detailed supporting information.

In this post, we will look at zero days and unpatched vulnerabilities as a type of exposure to third party risk. Zero days are similar to supply chain attacks, and many of the same methods for controlling zero days apply to supply chain attacks as well. MOVEit is an example of a zero day attack, which caused massive damage to the US and global economy. It illustrates exactly how these attacks work.

In some ways, it was the kind of systemic attack that insurers are constantly complaining about. However, it also illustrates all the ways the damage could have been prevented. MOVEit was bad, but it was also tragic, because so much of the loss could have been prevented, if we had our act together on this.

Continue reading

An Underwriters’ Guide to Cyber Risk: Managing 3rd Party Risk – Part 1

Due to the length of this detailed topic, it will be broken into multiple parts. One of the reasons this post is so long is the extreme entrenchment of incorrect views, and therefore, a need to provide detailed explanations of why they are wrong.

As written about earlier, Warren Buffet is one of the worst out there when it comes to spreading misinformation and unnecessary alarm about cyber security risks. He’s not the only one, however. There seems to be an incessant and rather insane cry of “Well, there are third party risks and they could be systemic. Lets throw our hands up in the air and say there is nothing we can do.”

Of course, this is not the case, in the finite and artificial world of cyber security, no risk is insurmountable and all can be understood. Third party risks come from the fact that so many organizations are dependent on various third parties, such as vendors and contractors. Even clients and customers can be a third party risk, because some organizations rely on a relatively limited number of clients.

In this video-accompanied post, I will do my best to provide detailed information to refute this dangerous and deeply entrenched idea.

Lets be clear on something, this is not new or unique to cyber:
There is nothing new or novel about this concept at all. Some policyholders have always been dependent on a limited number of vendors or service providers. Even in the years before cyber security, a major failing of the power grid, as happened in 2003 and 1977, can cause widespread loss across a large area. A single storm can impact a huge area, or a bad hurricane season can bring devastating storms to a large area. That’s what a systemic risk is.

However, in cyber security, all systemic risks can easily be detected ahead of time, if we care to look. They’re artificial, based on the relationships we choose to have and the artificial, man-made, engineered systems we use with the human-created, anthropogenic, artificial, man-made, ARTIFICIAL RISKS. And therefore finite and easy to understand. It’s always easy to know your risks, when they are in engineered systems you own, right?

Continue reading

Cyber Insurance Applications Revealed

The moral failing of insurance that pays ransom regularly, makes no attempt not to, affirmatively disengages leaders and funds terrorism should be obvious, but many argue with me, stating that insurers are doing the best they can, have incomplete data, or that they are improving.

Unfortunately, they’re not. There have been a few small measures taken, mostly just in terms of wording changes. Not a dime has been invested in enforcement or compliance management.

To show how negligent these insurance companies have been, it’s important to take a look at the applications they have for cyber insurance. These applications represent all that these companies have, in terms of policy controls. It’s abundantly clear that no adult with any idea how any of this works wrote these. There is never any other enforcement. Even large clients do not receive independent assessments or audits. These “requirements” are not generally enforceable, do not create a call to action and, just plain won’t ever work. Money will continue to be lost until even the most minimal efforts to do otherwise are made.

Cyber insurance is considered a loss center (for some reason) and for this reason it gets zero investment and the underwriters who end up on this line are typically the lowest achievers. That’s truly the opposite of what is needed here.

These applications seem to be current, although some have not been updated in years. I do not think it is at all unreasonable to say that those who were responsible for writing the loss controls, for an insurance that paid extortion, to foreign hostile parties, should face some kind of criminal charges. This is not normal. This is not okay. It should not be normalized to have such clueless people, when professionals are avaliable.

Check out this PDF to get an idea of just how bad this situation is.

BREAKDOWN OF CYBER INSURANCE APPLICATIONS

HSB Total Cyber Insurance Application
AIG’S CYBER UNDERWRITING APPLICATION
Travelers CyberRisk Applications and Forms
Chubb Cyber And Privacy Insurance
Beazley Cyber Application
The Hartford CyberChoice Premier Application
FailSafe Cyber / Information Risk Supplement Application

How To Underwrite Cyber Insurance Properly

Because the artificial risk of cyber-attacks Is So controllable, Cyber Insurance can be a reliable cash cow, but it we must rethink what cyber risk is and what role cyber insurance plays. Doing so unlocks the door to billions of dollars in potential profits. Currently, nobody in the entire insurance sector knows how to do this and nobody does it properly.

The term for what we are living through is moral crisis.

Last year, the world lost hundreds of billions of dollars to cyber attacks and trillions were lost to the total economic impact of these attacks.  The biggest problem is ransomware, but business email compromise, leading to fund transfer fraud and other types of account interception and social engineering fraud are also costing the economy billions.  Every week, we hear about more police forces, hospitals, schools and critical institutions being attacked.  Ransom is frequently paid.  Lives have even been lost.  It’s no longer possible to rely on your doctor, lawyer, police force or fire department to be there for you and not leak your private information.

And then we have cyber insurance, which keeps paying ransom and racking up losses, insisting that “cyber is just inherently high loss” or “cyber incidents are like earthquakes: unpredictable and unstoppable.”  We see top ranking executives, even the likes of Warren Buffet saying that it is expected that cyber insurance will lose money.  It will because cyber risks are just big risks and we don’t know how to control them.  Also, we don’t have enough data, and perhaps in a few years we will be able to figure out how to price it.

As an expert in cyber security, ransomware especially, with an education in cyber security and over 20 years of experience, I cannot stress this enough: THIS IS INSANE!

Cybercrimes are just that: crimes.  Like all crimes, they are human created and can be stopped. Cyber security is not some oddball unfigured-out kind of thing.  It’s just bad guys breaking into our systems because we do not institute strong enough controls.  The idea that cyber criminals are so much smarter than our best engineers is absurd.  It’s the year 2024 and the US has the best technology in the world.  None of this needs to happen.  We could shut this down in a day, if there were proper experts involved.

There has been a massive misunderstanding of the nature of cyber risk by the insurance sector, and in doing so we have entrenches a monster which is sapping hundreds of billions of dollars out of the legitimate economy and is funding terrorism.  The history of cyber insurance is a comedy of errors.  There’s a reason no legitimate cyber risk experts should not have been consulted from day one, but there was a belief that cyber was simply a shiny object that could be monetized to appeal to the digital age. Insurers have been trying to sell cyber insurance without investing a dime in understanding it. They’ve simply broken something they don’t understand and now consider it a lost cause. This is absurd.

The truth is simple: If not for the fact that cyber insurance has come along and decided to encourage bad behavior, while funding crime, we would not have the ransomware problem we do. Our hospitals would be safe. Our schools would be safe. Our emergency services would not be targeted. The problem cannot currently be solved, because insurance companies stubbornly insist that they don’t want to, but are fine paying out ransoms.

Continue reading

What We Lack In Cyber Security

The severe moral and ethical failure of the insurance sector, when it comes to cyber security, must be understood in the context of the greater economic issues that it has created. Insurance is a very important foundation to risk management in the private sector. It’s well known that, in the absence of loss control and underwriting standards, insurance can become a subsidy for behavior badly. This is a classic moral hazard, which is made worse by the fact that cyber insurance underwriters have standardized the payment of ransom, endangering all of society and creating massive economic problems.

But there is actually more to it than that. Because of the affirmative disconnection by insurance leaders, who are hell bent on not discussing this sore subject, we have seen a massive divesture of the safety systems we need to keep society running smoothly. Insurance, as an economic force, provides some necessary services and incentives, which it currently does not.

Unfortunately: I can say with 100% confidence, that until the insurance sector gets their act together and starts making money, rather than losing it, we simply will be unable to make substantive progress in cyber security. Effectively, insurance underwriters have broken all economic incentives toward having better cyber security. This is not a minor thing. It’s exactly why we have the problems we do.

A good example is technical approvals. Without the ability to have independent authorities to test and approve individual technologies, it’s impossible to fully enforce good standards. This is vita and it’s unresolvable to not have technical level approvals or products and processes. At present, every organization is left to its own devices to develop its own standards and nothing can truly be mandated.

So why do they do this, when it loses them money? It seems to be a stubborn refusal to spend on cyber controls, because the geriatric idiots who run these pathetic companies are convinced that it’s too new-fangled to bother with. Also, if they decided to stop losing billions, it might cost them hundreds of thousands of dollars. Yes, of course, it’s stupid. It’s a classic case of intimidation by a seemingly new risk, wanting to save face and fear of anyone finding out how bad you’ve been doing at your job.

You see a lot of that in cyber security. Cyber security professionals are pretty used to walking into a client who has just made some terrible mistakes and needs some help getting their reputation back together. We see that more than almost any other area, and we are very empathetic to it. The fact that insurance companies have made such an extraordinary effort to exclude legitimate subject matter experts should tell you something.

One thing that should be kept in mind is that the insurance sector in general, has absolutely lost its way. That goes far beyond cyber security. Insurance has been taken over by purely finical people, who have no idea at all how risk management works and are absolutely opposed to spending a time on loss control or risk analysis. It’s sad because the loss of the ethical compass of the insurance sector has caused far greater problems. It’s why car fatalities have gone up and why nobody is pushing for better fire protection for California.

In case anyone has missed this: It would be substantially cheaper to pay for loss control than to continue to pay out losses, and it would boost profits significantly to reign in these losses.

The depravity of cyber underwriters, their extreme level of greed and their cowardly refusal to ever engage with a single person who understands the risk really underlies just how immoral and truly unethical these people are. They are not only hurting their companies, but endangering the very communities they live in. They’ve thrown their country, their investors, their policyholders all under the bus.

In future posts, there will be greater deconstruction of the terrible history of cyber insurance and how it has caused all these problems for society. The history is well understood. AIG started selling cyber insurance in 1999, without any qualifications. They were warned about this, but it was cheaper not to bother. The addiction to a quick profit, even at the cost of long term losses, seems to be pervasive these days. That sent the industry down a very dangerous path. Today, not a single cyber insurance underwriter knows a thing about the actual field of cyber security. No, I’m not kidding.

There is truly no place for cowards in risk management.

Things We Need to Fix The Cyber Problem

(But do not because of the severe lack of insurance buy in)

Continue reading

Warren Buffet Is Dangerously Wrong About Cyber Risk

The unfortunate thing is that how Berkshire Hathaway decides it wants to handle the issue of cyber risk ends up impacting far more than Berkshire Hathaway. Buffet is so admired and Berkshire Hathaway such a giant player in risk and insurance, that his words impact everyone’s security.

Warren Buffet may be old, but he continues to be held in the highest of esteem by investors. He certainly has a great track record. Buffet is also admired because of his openness and candid discussion of his methods and stock picks. He’s always sworn by a long term investing strategy, which values not only growth but stability. His disciplined approach has been the key to great success.

For this reason, when he speaks, the investing and business world listen. He’s been called the Oracle Of Ohama. When his Berkshire Hathaway group holds its annual shareholders meeting, some investing companies take the day off and gather to watch the whole thing with the enthusiasm and fanfare of the Superbowl.

When Warren Buffet speaks, the financial world listens. The insurance world also listens, because Berkshire Hathaway has become one of the biggest players in insurance. The group recently purchased a large portion of Chubb, one of the largest providers of cyber risk coverage.

This is a problem, because when someone so influential speaks about something so important, they had better be correct, and in this case, he is dead wrong. I do not mean to criticize Mr. Buffet personally, of course, but it’s important to bring attention to this. As an expert in this area, I find his comments to be absolutely terrifying.

The reason it’s so terrifying is the impact that these comments, and others like it, from other business leaders, has caused to national security and the global economy. Insurance vital to how a capitalist economy self regulates and how risk is properly priced. Insurance is the bedrock of how risks are treated in the economy.

The unfortunate thing is that this very ignorance is at the root of the stagnation of cyber defenses, the layoffs of so many in the sector, the divestment of resources and the acceptance of such dire levels of loss. It’s terrible to think that anyone so followed could be actively telling people that cyber security is a mystery nobody has figured out. If that were the case, it would be pointless to spend on it and hire experts.

Shortly after this meeting, a large number of cyber security professionals were laid off.

Continue reading

Understanding the Core Problem in Cyber Security

From a technical standpoint, in terms of why bad things happen in IT systems, it’s pretty straight forward: We don’t do a good job of controlling access to accounts and we do not monitor accounts for problems. That’s 90% of the problem. It’s account access control. The reason for this is passwords do not work and efforts to standardize and mandate better access control have been poorly supported.

While cyber security may seem very complicated, this is really just because it is so unfamiliar and has been wrapped in mystery.  It is no more complex or perplexing than any other type of security, but it is a relatively small specialty and so there are really only a small number of subject matter experts who have any kind of clear-headed thinking on this one.

For the most part, the problem we have in cyber security is access control.  Specifically, we do not have great authentication of remote access control.  That’s it.  That’s the problem.  In most circumstances, most than 90%, in fact, it comes down to not being able to authenticate that a connection is legitimately who it says it is.  So, for example, the CEO’s email is being read by a foreign hacker, who stole the CEO’s password.

That might sound like it would not be an insurmountable challenge.  I mean, after all, how hard is it to make sure the CEO is who he says he is and not a foreign agent?  Surely, we could track the geolocation or the context or use his approved hardware.  And you would be correct, it is not insurmountable.  In fact, we can close all the holes in access control if we decide to.

Continue reading