Category Archives: Uncategorized

Could Drones Over New Jersey Be a Case of Mass Hysteria?

Posted on by
Reply

It’s far from certain, and there are a few cases that appear to be legitimate drone sightings, but a large number also appear to be civilian aircraft or other mistakes. At least some, thought perhaps not all reports are a case of panic.

If you have not been living under a rock, you are probably aware that people around New Jersey, and now elsewhere are up in arms over reported sightings of drones. Drone sightings are not at all unusual in the year 2024, but these include reports of drones over sensitive military facilities and critical infrastructure, such as reservoirs and power plants. These reports started coming in around November 13th and have gotten more and more extreme as time has gone on.

At present, a number of elected officials, such as mayors, the governor and police chiefs have voices concern. A great deal of drama is now under way, while officials are demanding answers from the FBI, military or others. Many are calling for the drones to be shot down.

The problem is we still don’t actually have any answers as to what is happening and the reports are fragmented and inconsistent. With time, confusion has only increased and primary evidence of documentation has been lacking.

Now similar reports are being made across the Northeast. At first it was claimed that the drones were “spreading to New York.” Now they claim to have been seen across the Northeast and the US in general.

Here is what seems to have been reported:

  • It has been reported that the drones are only out at night, reportedly appearing at dusk and not being seen during the day.
  • Many of the drones have lights on them, in some cases the lights are strobes or other standard hazard and navigational lights.
  • There have been reports of bright lights and drones that are highly visible and not trying to be stealthy.
  • The drones have been reported over restricted areas, such as Trump-owned property, military installations and airports.
  • Air traffic, including a medical helicopter have had to be diverted due to concerns over drone collisions.
  • Their origin, flight paths and landing locations remains elusive.
  • There are unconfirmed reports of drones switching off lights or otherwise trying to hide when pursued.
  • Many have claimed that the drones are enormous in size, frequently described as the size of an SUV or larger.
  • Reports imply the same drones remain in the sky for hours and travel great distances.

It should be noted that such large and capable drones do exist and are available for purchase. The reports of drones “The size of an SUV” or “8 feet in diameter,” if true, do imply that these are not consumer drones, but rather larger, higher capacity drones. Such drones do exist and are used in agriculture, surveying and other professional pursuits. It’s also possible that a large experimental drone could be constructed by hobbyists, as parts and supplies to build large drones do exist.

Continue reading

An Underwriters Guide to Cyber Risk: Managing 3rd Party Risk – Part 3

Posted on by
Reply

Due to the length of this detailed topic, it will be broken into multiple parts. Previous portions here:

An Underwriters’ Guide to Cyber Risk: Managing 3rd Party Risk – Part 1
An Underwriters’ Guide to Cyber Risk: Managing 3rd Party Risk – Part 2

Technical Approvals in Cybersecurity: A Missing Pillar of Risk Management

In traditional industries, technical approval processes are a vital part of ensuring safety and reliability. For example, companies often pay to have their devices tested and approved by organizations like UL, which rigorously test products to ensure safety and reliability. Safety-critical devices—such as fire alarms, fire pumps, and safety doors—require approval before being used by insured parties, giving insurers the confidence that these devices will perform when needed.

Cybersecurity, however, lacks a similar robust system of technical approvals. Without an established process, standards in cybersecurity are often vague and difficult to enforce. For instance, many standards simply state that an organization must have a “firewall” or use “industry-standard encryption.” These requirements are difficult to enforce because they are vague—what exactly qualifies as an acceptable firewall, and who verifies it? There are many products that could meet these requirements on paper, but without an approval process, there is no consistent or provable standard of quality.

Technical approvals are ultimately an absolutely necessary step to establishing universally high standards. This is what will, eventually, end the problem of high levels of third party risk forever. It is an unavoidable part of standardizing risk management in technology and reign in losses. It will, unfortunately, be difficult to make great progress in cyber security until such time as a robust system of independent testing and approval is established. This will create the “ecosystem of trust” that is necessary to enforce security.

A Well-Established and Necessary Process
It is unusual that cybersecurity proceeds without technical approval, but this reflects an outdated mindset in IT, where buyers assume all risk without warranties or guarantees. Technical approval is a well-established process in many industries, providing independent verification that a product meets specific standards and ensuring accountability. It is no longer the 1980’s, and software and IT products are no longer specialty products or experimental, but this mentality still persists.

Continue reading

Just How Bad Are We Doing With Cyber Security? Lets look at the past week…

Posted on by
Reply

So just how bad is ransomware and cyber security in general? To get an impression, lets look at the past week. Just over the past 7 days, there have been over a dozen major ransomware attacks, though a few have not been well reported in the news media. The fact is, we have fallen for a kind of creeping normality. It’s not normal and it should not be considered a routine thing to see this happen.

Starbucks Impacted By Cyber Attack
Stop & Shop Hit By Cyber Incident – May Result In Bare Shelves
Supply Chain Management Vendor Blue Yonder Succumbs to Ransomware
The City of Odessa, TX Experiences a Cyber Incident
Weeks Later, Problems Persist At Hannaford Supermarkets
Wirral University Teaching Hospital Experiences Major Cyber Incident
Retailers Struggle After Attack on Supply Chain Provider Blue Yonder
RRCA Accounts Management Falls Victim to Play Ransomware Attack
Aspen Healthcare Services Announces Data Breach
Zyxel Firewalls Targeted in Recent Ransomware Attacks
Fintech Giant Finastra Investigates Data Breach

Continue reading

An Underwriters’ Guide to Cyber Risk: Managing 3rd Party Risk – Part 2

Posted on by
1

Understanding and Preventing Zero Day And Other Software Supply Chain Attacks

This is the second post in the series, intended to help better understand how third party risks can be managed, and addressing the problem of misinformation from high raking sources. Because of the pervasiveness of the myth that third party risks are unmanageable, primarily due to the insistence by insurance executives that “Well I don’t understand it, and therefore it can’t be done.” But because of this toxic insistence, it is necessary to break things down and provide detailed supporting information.

In this post, we will look at zero days and unpatched vulnerabilities as a type of exposure to third party risk. Zero days are similar to supply chain attacks, and many of the same methods for controlling zero days apply to supply chain attacks as well. MOVEit is an example of a zero day attack, which caused massive damage to the US and global economy. It illustrates exactly how these attacks work.

In some ways, it was the kind of systemic attack that insurers are constantly complaining about. However, it also illustrates all the ways the damage could have been prevented. MOVEit was bad, but it was also tragic, because so much of the loss could have been prevented, if we had our act together on this.

Continue reading

How To Underwrite Cyber Insurance Properly

Posted on by
Reply

Because the artificial risk of cyber-attacks Is So controllable, Cyber Insurance can be a reliable cash cow, but it we must rethink what cyber risk is and what role cyber insurance plays. Doing so unlocks the door to billions of dollars in potential profits. Currently, nobody in the entire insurance sector knows how to do this and nobody does it properly.

The term for what we are living through is moral crisis.

Last year, the world lost hundreds of billions of dollars to cyber attacks and trillions were lost to the total economic impact of these attacks.  The biggest problem is ransomware, but business email compromise, leading to fund transfer fraud and other types of account interception and social engineering fraud are also costing the economy billions.  Every week, we hear about more police forces, hospitals, schools and critical institutions being attacked.  Ransom is frequently paid.  Lives have even been lost.  It’s no longer possible to rely on your doctor, lawyer, police force or fire department to be there for you and not leak your private information.

And then we have cyber insurance, which keeps paying ransom and racking up losses, insisting that “cyber is just inherently high loss” or “cyber incidents are like earthquakes: unpredictable and unstoppable.”  We see top ranking executives, even the likes of Warren Buffet saying that it is expected that cyber insurance will lose money.  It will because cyber risks are just big risks and we don’t know how to control them.  Also, we don’t have enough data, and perhaps in a few years we will be able to figure out how to price it.

As an expert in cyber security, ransomware especially, with an education in cyber security and over 20 years of experience, I cannot stress this enough: THIS IS INSANE!

Cybercrimes are just that: crimes.  Like all crimes, they are human created and can be stopped. Cyber security is not some oddball unfigured-out kind of thing.  It’s just bad guys breaking into our systems because we do not institute strong enough controls.  The idea that cyber criminals are so much smarter than our best engineers is absurd.  It’s the year 2024 and the US has the best technology in the world.  None of this needs to happen.  We could shut this down in a day, if there were proper experts involved.

There has been a massive misunderstanding of the nature of cyber risk by the insurance sector, and in doing so we have entrenches a monster which is sapping hundreds of billions of dollars out of the legitimate economy and is funding terrorism.  The history of cyber insurance is a comedy of errors.  There’s a reason no legitimate cyber risk experts should not have been consulted from day one, but there was a belief that cyber was simply a shiny object that could be monetized to appeal to the digital age. Insurers have been trying to sell cyber insurance without investing a dime in understanding it. They’ve simply broken something they don’t understand and now consider it a lost cause. This is absurd.

The truth is simple: If not for the fact that cyber insurance has come along and decided to encourage bad behavior, while funding crime, we would not have the ransomware problem we do. Our hospitals would be safe. Our schools would be safe. Our emergency services would not be targeted. The problem cannot currently be solved, because insurance companies stubbornly insist that they don’t want to, but are fine paying out ransoms.

Continue reading

The Perfect Analogy for How We Manage Cyber Risk…

Posted on by
Reply

It has been over a year since one of the most bizarre freak accidents to capture the world’s attention. I am, of course, speaking of the Titan submersible, operated by the company Oceangate. The company had been operating the submersible for a few years, and it had already gone through a hull replacement, with the previous carbon fiber hull being replaced due to concerns over fatigue. This should tell you something, because most submersibles use materials with a great enough factor of safety and high enough confidence that dangerous levels of material fatigue are just not an issue.

At the time this happened, I, personally, knew very little about the operation. I had heard of a new private venture, which had been taking paying customers to the titanic. To be perfectly honest, that kind of thing isn’t all that interesting to me. Of all the shipwrecks in the world, few have been more thoroughly documented or more constantly bombarded by tourists and other activity. Sure, it still holds some level of scientific and historical interest. It is, after all, one of few liners of the era that still exists in any form. The only others that are still around are also sunk, such as the Britannic and Lusitania.

It would be one thing to lay a single plaque on the Titanic as a tribute to the tragedy, but it seems every single expedition feels the need to leave their mark and explain why they are the best and most poetic at memorializing the ship. At some point, it starts to look like litter.

Continue reading

Warren Buffet Is Dangerously Wrong About Cyber Risk

Posted on by
Reply

The unfortunate thing is that how Berkshire Hathaway decides it wants to handle the issue of cyber risk ends up impacting far more than Berkshire Hathaway. Buffet is so admired and Berkshire Hathaway such a giant player in risk and insurance, that his words impact everyone’s security.

Warren Buffet may be old, but he continues to be held in the highest of esteem by investors. He certainly has a great track record. Buffet is also admired because of his openness and candid discussion of his methods and stock picks. He’s always sworn by a long term investing strategy, which values not only growth but stability. His disciplined approach has been the key to great success.

For this reason, when he speaks, the investing and business world listen. He’s been called the Oracle Of Ohama. When his Berkshire Hathaway group holds its annual shareholders meeting, some investing companies take the day off and gather to watch the whole thing with the enthusiasm and fanfare of the Superbowl.

When Warren Buffet speaks, the financial world listens. The insurance world also listens, because Berkshire Hathaway has become one of the biggest players in insurance. The group recently purchased a large portion of Chubb, one of the largest providers of cyber risk coverage.

This is a problem, because when someone so influential speaks about something so important, they had better be correct, and in this case, he is dead wrong. I do not mean to criticize Mr. Buffet personally, of course, but it’s important to bring attention to this. As an expert in this area, I find his comments to be absolutely terrifying.

The reason it’s so terrifying is the impact that these comments, and others like it, from other business leaders, has caused to national security and the global economy. Insurance vital to how a capitalist economy self regulates and how risk is properly priced. Insurance is the bedrock of how risks are treated in the economy.

The unfortunate thing is that this very ignorance is at the root of the stagnation of cyber defenses, the layoffs of so many in the sector, the divestment of resources and the acceptance of such dire levels of loss. It’s terrible to think that anyone so followed could be actively telling people that cyber security is a mystery nobody has figured out. If that were the case, it would be pointless to spend on it and hire experts.

Shortly after this meeting, a large number of cyber security professionals were laid off.

Continue reading

A Plea For Sanity

Posted on by
Reply

Hi and welcome to my new blog. If you’re reading this shortly after it was posted, than this site probably does not look like much. It will need a few days to spruce up with some better content and formatting.

But there is an important reason for creating this site: The world seems to have completely lost its mind when it comes to cybersecurity and risk management in general. We never used to have the kinds of losses due to systems being hacked that we have now. In the age of ransomware and rampant fraud, we are seeing one hospital after another, one school, one municipality after another being hit by viscous international terrorist.

Somehow we have normalized this. If it were 1999 and a hospital were shut down by savage criminals, looking to collect extortion money and willing to hurt anyone and divulge data, we would be shocked and appalled, as well we should. We would have had FEMA and the National Guard setting up temporary medical facilities. There would have been a massive response. Arguably, it should never have been dismissed as a minor thing, and just an inevitable thing.

Yet, over the past year almost nobody has noticed that the hospitals in Brooklyn were all closed for over a month, that half the hospitals in Connecticut have been disrupted. Municipalities and emergency services are being disrupted left and right. The amount of money collected by these gangs of thugs has made them unstoppable.

But what is so insane about this? Isn’t it just inevitable that which such smart hackers out there, we’d have no way to defend ourselves?

Continue reading