Thin Red line between Cyber-Insurance and Privacy-Insurance

Often I have been asked to explain cyber-insurance and why an organization needs it when it engages in electronic activities, and at the same time I have often heard customers asking what the difference is between cyber-insurance and privacy (insurance).

Therefore, I thought I would put this down as a post explaining the thin red line between the two.

Both cover technology services and products. The policies are intended to cover both liability and property losses that may result when a business engages in various electronic activities, e.g. selling on the internet or collecting data within its internal electronic network.

Notably, but not exclusively, both Cyber and Privacy policies cover a business's liability for a data breach in which the firm's customers' personal information, such as a SIN or credit card number, is exposed or stolen by a hacker or other criminal who has gained access to the firm's electronic network. The policy covers a variety of expenses associated with data breaches, including notification costs, credit monitoring, the cost to defend claims by state regulators, fines and penalties, and also losses resulting from identity theft.

For that reason, Cyber and Privacy Insurance is often confused with technology errors and omissions (tech E&O). In contrast to cyber and privacy insurance, tech E&O coverage is intended to protect providers of technology products and services, such as computer software and hardware manufacturers and firms that store corporate data on an off-site basis.

Before anyone gets confused about what Errors and Omissions (Tech E&O) means here:

Errors and omissions insurance (E&O) is a type of professional liability insurance that protects companies and their workers or individuals against claims made by clients for inadequate work or negligent actions.

Errors and omissions insurance often covers both court costs and any settlements up to the amount specified by the insurance contract.

Now Cyber Insurance 101:

What do AMX, HomeDepot, North Dakota Uni Sys and Target have in common? They are all part of the 342 data breaches, exposing 9,015,970 personal records, that had occurred up to June 10, 2014, according to the non-profit Identity Theft Resource Center (ITRC).

Cyber coverage can mean different things to different people, but mainly cyber coverage is a mix of these four components: Errors and Omissions, Media Liability, Network Security, and Privacy.

Before I continue, I would suggest downloading and reading the IBM Data Breach report of 2016 at (https://www.ibm.com/security/data-breach/).

Anyhow, what interests me the most is how Network Security and Privacy coverage compares with cyber insurance: each covers first-party losses, applied to the direct costs of responding to a privacy breach or security failure, and the same is the case with cyber insurance, where the policy typically covers first-party as well as third-party losses.

Another good document which I was able to find, and which I still have not finished reading yet, is (www.gop.it/doc_pubblicazioni/633_2f188sb06d_ita.pdf).

A few other abstracts which I was able to gather from different authorities, for a little better understanding, are as follows:

Sources

http://www.investopedia.com/terms/e/errors-omissions-insurance.asp

https://wsandco.com/cyber-liability/cyber-basics/

www.idtheftcenter.org

www.cio.com/article/3065655/cyber-attacks-espionage/what-is-cyber-insurance-and-why-you-need-it.html

Microsoft RCE Flaw

On May 8th 2017, Google Project Zero researcher Tavis Ormandy tweeted about the discovery of a weakness in the Windows platform.

http://www.networkworld.com/article/3195145/security/google-project-zero-researchers-find-crazy-bad-windows-rce-that-is-wormable.html

Roughly 8 hours after this tweet from the researcher, Microsoft responded to all of its Enterprise Customers with a lengthy email like the one below. I know this because our Cyber Team, which I am part of, also received it, and even though I had read the tweet 8 hours earlier, we were still scrambling to find the impact radius of this flaw.

First, before we dive into it, let me tell you what an RCE vulnerability is. RCE stands for Remote Code Execution, and this RCE was discovered in the MS Malware Protection Engine, which by default runs on newer Microsoft operating systems.

MS email alert to Enterprise Customers:

—————————-

What is the purpose of this alert?

This alert is to notify you that Microsoft has released Security Advisory 4022344 – Security Update for Microsoft Malware Protection Engine – on May 8, 2017, to inform customers about an important update to the Microsoft Malware Protection Engine.

Summary

Microsoft is releasing this security advisory to inform customers that an update to the Microsoft Malware Protection Engine addresses a security vulnerability that was reported to Microsoft.

The update addresses a vulnerability that could allow remote code execution if the Microsoft Malware Protection Engine scans a specially crafted file. An attacker who successfully exploited this vulnerability could execute arbitrary code in the security context of the LocalSystem account and take control of the system.

The Microsoft Malware Protection Engine ships with several Microsoft antimalware products. See the Affected Software section below for a list of affected products.

Affected Software

This security advisory applies to the following software:

  • Microsoft Forefront Endpoint Protection 2010
  • Microsoft Forefront Security for SharePoint Service Pack 3
  • Microsoft System Center Endpoint Protection
  • Microsoft Security Essentials
  • Windows Defender for Windows 8.1, Windows Server 2012, Windows Server 2012 R2, Windows 10, Windows 10 1511, Windows 10 1607, Windows Server 2016, Windows 10 1703
  • Windows Defender for Windows RT 8.1
  • Windows Defender for Windows 7, and Windows Server 2008 R2
  • Windows Intune Endpoint Protection

Microsoft Malware Protection Engine Version Details

Last version of the Microsoft Malware Protection Engine affected by this vulnerability:  1.1.13701.0

First version of the Microsoft Malware Protection Engine with this vulnerability addressed: Version 1.1.13704.0

If your version of the Microsoft Malware Protection Engine is equal to or greater than 1.1.13704.0, then you are not affected by this vulnerability and do not need to take any further action.

For more information on how to verify the engine version number that your software is currently using, see the section, “Verifying Update Installation”, in Microsoft Knowledge Base Article 2510781.

Update Deployment

Updates to the Microsoft Malware Protection Engine are installed along with the updated malware definitions for the affected products. Administrators of enterprise installations should follow their established internal processes to ensure that the definition and engine updates are approved in their update management software, and that clients consume the updates accordingly.

Typically, no action is required of enterprise administrators or end users to install updates for the Microsoft Malware Protection Engine, because the built-in mechanism for the automatic detection and deployment of updates will apply the update within 48 hours of release. The exact time frame depends on the software used, Internet connection, and infrastructure configuration.

Recommendations

We encourage you to review Microsoft Security Advisory 4022344 for an overview of the issue, details on affected components, suggested actions, answers to frequently asked questions (FAQ), and links to additional resources.

———————————-
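A fleet-wide check against the engine version thresholds quoted in the advisory above, as an added example that is not part of Microsoft's alert or the original post. It assumes the Defender PowerShell module's Get-MpComputerStatus cmdlet (Windows 8.1 / Server 2012 R2 and later) is available for local reads; for older products (Security Essentials, Forefront) pass the engine version read via the KB 2510781 procedure with -EngineVersion. Host names and versions in the inventory are constructed.

```powershell
# Added example: decide whether a Microsoft Malware Protection Engine version is
# still exposed to the flaw in Security Advisory 4022344, using the thresholds
# quoted there (last affected 1.1.13701.0, first fixed 1.1.13704.0).
function Test-MpEngineVulnerable {
    [CmdletBinding()]
    param(
        # Engine version such as '1.1.13701.0'; read locally when omitted (assumes Defender module).
        [string]$EngineVersion,
        [string]$ComputerName = $env:COMPUTERNAME
    )

    if (-not $EngineVersion) {
        $EngineVersion = (Get-MpComputerStatus).AMEngineVersion
    }

    # Cast to [version] so each dotted component is compared numerically.
    # A plain string comparison would wrongly rank '1.1.9999.0' above '1.1.13704.0'.
    try {
        $current = [version]$EngineVersion
    } catch {
        throw "Unparseable engine version '$EngineVersion' on $ComputerName"
    }
    $firstFixed = [version]'1.1.13704.0'
    $vulnerable = $current -lt $firstFixed

    [pscustomobject]@{
        ComputerName  = $ComputerName
        EngineVersion = $current.ToString()
        Vulnerable    = $vulnerable
        Action        = if ($vulnerable) { 'Force definition/engine update, then re-check' }
                        else             { 'No action required (advisory 4022344)' }
    }
}

# Constructed inventory (not real hosts), e.g. collected with the KB 2510781 check.
$inventory = @(
    @{ Host = 'ws-example-01'; Engine = '1.1.13701.0' },   # last affected build
    @{ Host = 'ws-example-02'; Engine = '1.1.13704.0' },   # first fixed build
    @{ Host = 'ws-example-03'; Engine = '1.1.9999.0'  }    # affected; a string compare would miss it
)

$results = foreach ($h in $inventory) {
    Test-MpEngineVulnerable -EngineVersion $h.Engine -ComputerName $h.Host
}
$results | Format-Table -AutoSize
```

Run it with no -EngineVersion on a Windows 10 / Server 2016 host to check the local engine directly.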

Coming back to this RCE flaw in the Malware Protection Engine, and how exploiting the vulnerability works out from the attacker's point of view.

Well, for it to work, the attacker needs to get a specially crafted file to the user, which can be done by tricking end-users into visiting a website hosting the file (similar to a phishing attack) or by placing it on a file share location.

What this crafted file does is cause the MS Malware Protection Engine, which is part of Windows Defender and Security Essentials, to scan the file automatically, and that scan triggers the code execution (RCE), hijacking the LocalSystem account and taking control of the system.

Microsoft has released a TechNet security publication explaining more about it: https://technet.microsoft.com/en-us/library/security/4022344.aspx#ID0E3AAC

Tal Be'ery, a security researcher at Microsoft, demonstrated a PoC using the code developed by the Google Project Zero team:

https://bugs.chromium.org/p/project-zero/issues/detail?id=1252&desc=5