Thin Red Line between Cyber-Insurance and Privacy-Insurance

Often I have been asked to explain cyber-insurance and why an organization needs it when it comes to electronic activities, and at the same time I have often heard customers asking what the difference is between cyber-insurance and privacy-act (insurance).

Therefore, I thought I’d put this down as a post explaining the thin red line between the two.

Both cover technology services and products. The policies are intended to cover both liability and property losses that may result when a business engages in various electronic activities, e.g. selling on the internet or collecting data within its internal electronic network.

Notably, but not exclusively, both cyber and privacy policies cover a business’s liability for a data breach in which the personal information of the firm’s customers, such as a SIN or credit card number, is exposed or stolen by a hacker or other criminal who has gained access to the firm’s electronic network. The policies cover a variety of expenses associated with data breaches, including notification costs, credit monitoring, costs to defend claims by state regulators, fines and penalties, and losses resulting from identity theft.

Cyber and privacy insurance is therefore often confused with technology errors and omissions (tech E&O) insurance. In contrast to cyber and privacy insurance, tech E&O coverage is intended to protect providers of technology products and services, such as computer software and hardware manufacturers and firms that store corporate data on an off-site basis.

Before anyone gets confused, here is what errors and omissions (tech E&O) means.

Errors and omissions insurance (E&O) is a type of professional liability insurance that protects companies and their workers or individuals against claims made by clients for inadequate work or negligent actions.

Errors and omissions insurance often covers both court costs and any settlements up to the amount specified by the insurance contract.

Now Cyber Insurance 101:

What do AMX, HomeDepot, North Dakota Uni Sys and Target have in common? They are all part of the 342 data breaches, exposing 9,015,970 personal records, that occurred up to June 10, 2014, according to the non-profit Identity Theft Resource Center (ITRC).

Cyber coverage can mean different things to different people, but it is mainly a mix of four components: errors and omissions, media liability, network security and privacy.

Before I continue, I would suggest downloading and reading the IBM data breach report of 2016 at (https://www.ibm.com/security/data-breach/)

Anyhow, what interests me the most is how network security and privacy coverage compares with cyber insurance: each includes first-party coverage, which applies to the direct costs of responding to a privacy breach or security failure, and a cyber insurance policy typically covers the first party as well as third parties.

Another good document that I was able to find, and which I have not finished reading yet, is (www.gop.it/doc_pubblicazioni/633_2f188sb06d_ita.pdf)

A few other abstracts that I was able to gather from different authorities, for a better understanding, are as follows

Sources

http://www.investopedia.com/terms/e/errors-omissions-insurance.asp

https://wsandco.com/cyber-liability/cyber-basics/

www.idtheftcenter.org

www.cio.com/article/3065655/cyber-attacks-espionage/what-is-cyber-insurance-and-why-you-need-it.html

Microsoft RCE Flaw

On May 8th, 2017, Google Project Zero researcher Tavis Ormandy tweeted about a weakness discovered in the Windows platform.

http://www.networkworld.com/article/3195145/security/google-project-zero-researchers-find-crazy-bad-windows-rce-that-is-wormable.html

Roughly 8 hours after this tweet from the researcher, Microsoft responded to all of its Enterprise Customers with a lengthy email like the one below. I know this because our Cyber Team, which I am part of, also received it, and even though I had read the tweet 8 hours earlier, we were still scrambling to find the impact radius of this flaw.

First, before we dive into it, let me explain what an RCE vulnerability is. RCE stands for Remote Code Execution, and this RCE was discovered in the Microsoft Malware Protection Engine, which runs by default on Microsoft’s newer operating systems.

MS email alerts to Enterprise Customers.

—————————-

What is the purpose of this alert?

This alert is to notify you that Microsoft has released Security Advisory 4022344 – Security Update for Microsoft Malware Protection Engine – on May 8, 2017, to inform customers about an important update to the Microsoft Malware Protection Engine.

Summary

Microsoft is releasing this security advisory to inform customers that an update to the Microsoft Malware Protection Engine addresses a security vulnerability that was reported to Microsoft.

The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.

The Microsoft Malware Protection Engine ships with several Microsoft antimalware products. See the Affected Software section below for a list of affected products.

Affected Software

This security advisory applies to the following software:

  • Microsoft Forefront Endpoint Protection 2010
  • Microsoft Forefront Security for SharePoint Service Pack 3
  • Microsoft System Center Endpoint Protection
  • Microsoft Security Essentials
  • Windows Defender for Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703
  • Windows Defender for Windows RT 8.1
  • Windows Defender for Windows 7, and Windows Server 2008 R2
  • Windows Intune Endpoint Protection

Microsoft Malware Protection Engine Version Details

Last version of the Microsoft Malware Protection Engine affected by this vulnerability:  1.1.13701.0

First version of the Microsoft Malware Protection Engine with this vulnerability addressed: Version 1.1.13704.0

If your version of the Microsoft Malware Protection Engine is equal to or greater than 1.1.13704.0, then you are not affected by this vulnerability and do not need to take any further action.

For more information on how to verify the engine version number that your software is currently using, see the section, “Verifying Update Installation”, in Microsoft Knowledge Base Article 2510781.

Update Deployment

Updates to the Microsoft Malware Protection Engine are installed along with the updated malware definitions for the affected products. Administrators of enterprise installations should follow their established internal processes to ensure that the definition and engine updates are approved in their update management software, and that clients consume the updates accordingly.

Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release. The exact time frame depends on the software used, Internet connection, and infrastructure configuration.

Recommendations

We encourage you to review Microsoft Security Advisory 4022344 for an overview of the issue, details on affected components, suggested actions, answers to frequently asked questions (FAQ), and links to additional resources.

———————————-
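The version rule from the advisory above, applied to a host inventory, as an added example that is not part of the Microsoft alert or of the original post. The computer names, engine values in the sample inventory and the function name `Get-EngineExposure` are constructed for illustration; `Get-MpComputerStatus` is only available where the Defender PowerShell module is installed, so other affected products need their engine version collected another way.

```powershell
# Added example. Threshold: first fixed engine version quoted in the advisory.
$FirstFixedEngine = [version]'1.1.13704.0'

function Get-EngineExposure {
    # Classifies one engine version string against the advisory threshold.
    param([string]$EngineVersion)

    $parsed = $null
    if (-not [version]::TryParse($EngineVersion, [ref]$parsed)) {
        return 'Unknown'      # empty or malformed value: needs manual review
    }
    # [version] compares each field as a number. A plain string comparison
    # would rank '1.1.9506.0' above '1.1.13704.0' and report it as patched.
    if ($parsed -lt $FirstFixedEngine) { return 'Vulnerable' }
    return 'Patched'
}

# Constructed sample inventory (hypothetical hosts and values), standing in
# for an export from whatever management tool holds engine versions.
$inventory = @(
    [pscustomobject]@{ ComputerName = 'WS-001';  Engine = '1.1.13701.0' }
    [pscustomobject]@{ ComputerName = 'WS-002';  Engine = '1.1.13704.0' }
    [pscustomobject]@{ ComputerName = 'SRV-010'; Engine = '1.1.9506.0'  }
    [pscustomobject]@{ ComputerName = 'SRV-011'; Engine = ''            }
)

$inventory | ForEach-Object {
    [pscustomobject]@{
        ComputerName = $_.ComputerName
        Engine       = $_.Engine
        Exposure     = Get-EngineExposure -EngineVersion $_.Engine
    }
} | Sort-Object Exposure -Descending | Format-Table -AutoSize

# On a host with the Defender module, read the local engine version directly
# and classify it the same way.
if (Get-Command Get-MpComputerStatus -ErrorAction SilentlyContinue) {
    $local = (Get-MpComputerStatus).AMEngineVersion
    '{0}: engine {1} is {2}' -f $env:COMPUTERNAME, $local, (Get-EngineExposure $local)
}
```

Hosts reported as `Unknown` belong in the same follow-up queue as `Vulnerable` ones until their engine version is confirmed.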

Coming back to this RCE flaw in the Malware Protection Engine and how exploiting the vulnerability works from the attacker’s point of view.

For it to work, the attacker needs to get a specially crafted file to the user, for example by tricking end users into visiting a website that hosts the file, similar to a phishing attack (it can also be a file share location).

This crafted file causes the Microsoft Malware Protection Engine, which is part of Windows Defender and Security Essentials, to scan it automatically, and the scan causes the code to execute (RCE), thus hijacking the LocalSystem account and taking control of the system.

Microsoft has released a TechNet security publication explaining more about it: ‘https://technet.microsoft.com/en-us/library/security/4022344.aspx#ID0E3AAC’

Security researcher at Microsoft, Tal Be’ery, doing a PoC using the code developed by the Google Project Zero team:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5

70 Banks Infected by LAZARUS MALWARE (15 in US), the one which hacked Bangladesh Bank

A researcher at badcyber.com released an article that detailed a series of attacks directed at Polish financial institutions. The article states that ‘this is by far the most serious information security incident we have seen in Poland’. It also claims that 20 commercial banks had been confirmed as victims.

You can read the entire article at badcyber.com

In brief, the preliminary investigation suggests that the starting point for the infection could have been located on a web server of the Polish financial sector regulatory body, the Polish Financial Supervision Authority (www.knf.gov.pl). It would be really ironic if the website of the key institution responsible for assuring a proper security level in the banking sector was the root cause of this hack.

How to Protect your HOME from CYBER CRIMINALS

How to Protect Your Home from Cyber Criminals – Smart Home and IoT

Smart technology has the potential to streamline your life: getting out of bed in the morning with the shades opening automatically, having freshly brewed hot coffee in the kitchen, and at night having your home security system turned on with the driveway lights dimmed to conserve energy. The Internet of Things (IoT) is full of promise. Convenience, safety and energy efficiency are all perks of a smart home, and the possibilities are only growing as the technology advances. With all the hype around the power of smart technology, it’s easy to assume that a home automation system with security applications will itself be secure. Unfortunately, that’s not always the case.

The data collected by IoT devices nowadays holds a wealth of sensitive information related to location, activity, individual personality, health, etc. When it comes to home automation, the security of your personal IoT can’t be overlooked. If you are unfamiliar with the term, IoT refers to the growing network of interconnected objects and devices that use the Internet to communicate and store information.

As for what these devices are in your own home, the answer is literally anything you have plugged in to your home Wi-Fi or that uses your home Wi-Fi to function, e.g. a smart TV, smart home cameras, smart thermostats, or something as simple as your child’s toy, e.g. a teddy bear.

Before I continue, let’s go back to August 2013. You may have read the news that made headlines on CNNtech, ‘Your TV might be watching you’; if you didn’t, let me give you a synopsis. Basically, hackers found a way to get into home TVs, which in this case were Samsung Smart TVs built in 2012, and they did this through a vulnerability they discovered in the firmware. This firmware vulnerability, which is also known inside the IT world as a ‘bug’, enabled hackers to remotely turn on the TV’s built-in camera without leaving any trace of it on the screen. Samsung reacted quickly, though, and fixed the problem by releasing a new software update.

Another one that created a lot of noise in the cyber world was the teddy bear hack. Spiral Toys, the company behind the CloudPets ‘smart’ teddy bears, exposed 800,000 customers by storing the data on an open-source MongoDB database. Among the data were the customers’ emails and passwords.

This isn’t the first time such a device has raised alarms. Authorities in Germany called on parents to destroy internet-connected dolls that could potentially be hacked. Toymaker VTech was also hacked in late 2016, losing the personal data of millions of parents and children, including selfies and private messages. And believe it or not, these breaches certainly won’t be the last we see, and security measures within the Internet of Things have a great deal of catching up to do to defend against online prying eyes.

Now, let’s talk about how you can really protect your home, and I don’t mean physically but from cyber criminals. I am sure that after reading the above there will be a lot of questions coming to your mind, and I bet one of them is: why don’t I simply stop using smart devices in my home? Well, to be honest, I thought of that too, but I don’t think it is something we can afford to do, i.e. unplug the wires.

Thus, what we need to understand is what cyber criminals want. If we can commit to some standards on how we use this valuable data or keep it inside our home, then I believe it’s somewhat safer to say you are protected.

Cyber criminals look for Social Security and credit card numbers, bank account information, email addresses, home addresses, birth dates and anything else that belongs to you. With this loot they can lure you into a trap using social engineering (tricking you into believing they are legit), take over your existing accounts, or open new ones to make fraudulent charges.

Below are 10 ways to keep the cyber gangs at bay:

  1. Encrypt your home wireless network with WPA-PSK instead of WEP.
  2. If your child uses a computer, make sure you create a separate account with restricted privileges on that computer instead of using the default one, which has administrative privileges.
  3. If you have smart devices connected to your home Wi-Fi or wired network, make sure you have logged into them and changed the default password to something strong, and please try NOT to use the same password on all of them.
  4. Keep the anti-virus up to date on all home computers.
  5. If your kids or you yourself like using Chrome or Firefox instead of Internet Explorer and Safari, which are the default Internet browsers in Windows and Mac, then try installing ad blocker plugins.
  6. If you have your own router instead of your service provider’s default one, make sure its firmware is always up to date. Keep an eye on the Internet for any potential security leaks on the model you are using, and if you see one, change your router or contact the manufacturer for updates.
  7. Make sure the built-in firewall on your home computers is always turned on, especially for public (external) networks.
  8. If you have a NAS or any other storage connected to your home network containing family photos or documents, please make sure access is restricted to the devices that need it; access rules should not be wide open to the world.
  9. If you are a Facebook, Twitter or Instagram person, try not to post your location ‘Check-In’ on the spot; rather, delay that information if you really have to post it. Ideally, one should avoid it.

Most importantly, for number 10, please talk to your children about cyber security. Simple education can change the perception of the topic, and living in this ultra-fast world of changing technology, our children need to understand the consequences of posting personal information. Read an article and discuss it at the dinner table.