CyberheistNews Vol 7 #22 [Heads-Up] Cyber Insurance Does Not Pay out for Human Error

The WanaCry ransomworm has really made insurance companies take notice. Customers have started to file damage claims; however, it is still a bit early to see the insurance industry's full exposure to this recent malware pandemic. For insurers, the main threat from WanaCry is not any one individual company that gets infected but rather the aggregated risk of many policyholders being hit at once.

The estimated total financial damage caused by WanaCry in just the initial 4 days exceeds a billion dollars, given the massive downtime it caused for large organizations worldwide.

Cyber-security policies are a fast-growing new insurance market; pundits predict 5 billion dollars in premiums by 2020. Organizations buy policies so that, in the event of a data breach or ransomware infection, they can file a claim and get help to recover costs and remediate the damage.

But... How About Pre-existing Conditions?

"The Wanna-Cry worm is one of the most significant and virulent forms of malware ever seen and therefore the insurance industry is taking notice," Pascal Millaire, vice-president and general manager for cyber-insurance at Symantec, told eWEEK.

"Insurers underwriting cyber-risk can handle ten losses or a hundred losses, but when there is a major systemic event that can lead to thousands or tens of thousands of simultaneous claims," Millaire said. "At that point there are solvency issues that can threaten the future of an insurer."

So insurers try to limit their risk, similar to medical insurance, where the issue of pre-existing conditions has seen a lot of controversy.

Three Things to Be Aware of in the Fine Print

There are three issues you need to be aware of when you buy a cyber security policy, or when you review your existing policy:
  • Is a known vulnerability that you have not patched a pre-existing condition?
  • Should an un-patched system be covered under a clause for errors and omissions?
  • When an employee falls for a phishing attack and infects the network that way, is that covered?

"Different policies will respond in different ways on what is covered and what is not," Millaire said. This means you need to have your legal department look into this carefully.

WanaCry was an exception: it exploited a Microsoft vulnerability for which a patch was already available, and it spread like a worm, as opposed to the 95% of ransomware that spreads through email and social engineering. Cyber insurance normally does not pay out when employee error was the cause of the infection.

Looking specifically at WanaCry, Millaire said that it's too early to tell at this point whether WanaCry will have an impact on cyber-insurance premiums in the months ahead. I strongly suggest, though, that if your organization is now looking into buying cyber-insurance, you get quotes from several sources and very carefully analyze what is covered in which scenario.

Stepping employees through new-school security awareness training, where they are trained with frequent simulated phishing attacks, is an extremely effective way to bring down the risk of ransomware infections.

Now is the time to inoculate your employees against ransomware attacks. Get a quote for your organization and find out how affordable this is. You simply have got to start training and phishing your users ASAP. If you don't, the bad guys will, because your filters never catch all of it. Get a quote and you will be pleasantly surprised. Get a quote now:

Symantec: "Email Becomes the Weapon of Choice"

Symantec's 2017 Internet Security Threat Report (ISTR) details how simple tactics and innovative cyber criminals led to unprecedented outcomes in global threat activity. The report covers many areas, such as international bank heists, disrupted elections, and state-sponsored attacks. However, one thing stood out, and that is the following paragraph:

Email Becomes the Weapon of Choice

Email posed a dangerous and efficient threat to users: one in 131 emails contained malware, the highest rate in five years. And Business Email Compromise (BEC) scams, relying on spear-phishing emails, targeted over 400 businesses every day, draining 3 billion dollars over the last three years.

A combination of PowerShell, a common scripting language installed on PCs, and Microsoft Office files was an effective weapon. Cyber criminals used the two to leave a lighter footprint and hide in plain sight. Last year, 95 percent of PowerShell files seen by Symantec in the wild were malicious.

Which was followed by:

USA is an Easy Mark for Ransomware Scammers

64 percent of Americans cave in to digital extortion. Ransomware escalated across the globe as a profit center for criminals. Symantec identified 100 new malware families released into the wild, more than triple the amount seen previously, and a 36 percent increase in ransomware attacks worldwide.

The United States was the biggest – and softest – target. Symantec found 64 percent of Americans are willing to pay a ransom, compared to 34 percent globally. And the average ransom spiked 266 percent, with criminals demanding an average of 1,077 dollars per victim.

I suggest you grab a copy of this report. It is excellent ammo if you need to get more IT security budget:

Scam of the Week: Tech Support Exploits WanaCry Ransomware Fears

We all know about the infamous WanaCry ransomworm, which caused an estimated 1 billion dollars in damage worldwide, targeting mainly un-patched Windows 7 machines. As expected, the bad guys are now exploiting the mass media coverage and have come up with tech support scams that prey on people's fears of getting infected with WanaCry.

We also know that Eastern European organized cyber crime uses the UK as its beta test site before unleashing attacks on America. So here is your heads-up: this may very well happen to machines in your office in the coming few weeks.

The UK's cybercrime reporting center, Action Fraud, recently released a warning regarding scams that exploit WanaCry fears.

The bad guys use a pop-up window that appears from nowhere, refuses to close, and looks like a message from Microsoft. It says that the user's workstation has been infected with WanaCry, and the user is prompted to call the number flashed on the screen.

After the user calls the number, they are urged to give the scammer remote access to the machine. Once granted, these scam artists run the Windows Malicious Software Removal Tool, which anyone can download for nothing from Microsoft, and then demand a whopping £320 (roughly 415 dollars) as payment.

I suggest you send the following to your employees, friends, and family. You're welcome to copy, paste, and/or edit:

"Bad guys are now trying to trick computer users into believing they are infected with the WanaCry ransomware. A popup arrives on your screen from nowhere, and you cannot get rid of it. The popup claims it is from Microsoft, that your computer is infected, and that you need to call tech support.

But when you call the number you get a scammer on the phone who will try to charge you 400 dollars to run a Microsoft malicious software removal tool that anyone can download for nothing. Remember that Microsoft’s error and warning messages on your PC will never include a phone number. Also, Microsoft will never proactively reach out to you to provide unsolicited PC or technical support. Any communication they have with you must be initiated by you."

Keep those users on their toes with security top of mind.

It can't be all doom and gloom. Here is something that was fun!

The Second Annual Cyber Investing Summit met last week at the New York Stock Exchange, and Kevin and I did the keynote, the first time in 5 years that Kevin and I made it on stage together, which was a lot of fun. We showed how easy it is to clone a prox card, to send someone a phishing attack with a malicious PDF and last but not least, we showed the real WanaCry ransomware in action!

The Cyberwire wrote: "The discussions brought to the fore the irreducibly human dimensions of cybersecurity. The opening keynote, an engaging performance by Kevin Mitnick (once notorious, and now famous hacker, and KnowBe4's Chief Hacking Officer) demonstrated the importance of misdirection to successful attacks of all kinds.

"In the mid-day keynote, former US Secretary of Homeland Security Michael Chertoff presented a broad overview of the threat landscape, highlighting the increasing convergence of criminals and nation-state intelligence services, and calling for development of international norms of cyber conflict.

He specifically advocated that the global financial system be placed off-limits in cyber conflict, and that recommendation was not prompted merely by the Summit's Wall Street venue."

After lunch, it was time for the pitch panel, where a team of cyber security experts gave me the third degree... more like pointed softball questions. But the highlight of the day was the party on the actual NYSE trading floor, where we were shown where it all has been happening for 225 years! Here is yours truly holding the actual gavel and some other action shots:

NEW: Download The "Weak Password Test" Utility

How weak are your users' passwords? Are your users' passwords... P@ssw0rd?

Verizon's recent Data Breach Report showed that 81% of hacking-related breaches used either stolen and/or weak passwords. Employees are the weakest link in your network security, using weak passwords and falling for phishing and social engineering attacks.

KnowBe4’s complimentary Weak Password Test (WPT) checks your Active Directory for several different types of weak-password-related threats.

WPT gives you a quick look at the effectiveness of your password policies and any failures, so that you can take action. WPT tests against 10 types of weak-password-related threats, for example: Weak, Duplicate, Empty, and Never Expires, plus 6 more.

Here's how Weak Password Test works:
  • Reports on the accounts that are affected
  • Tests against 10 types of weak password related threats
  • Does not show/report on the actual passwords of accounts
  • Just download the installer and run it
  • Results in a few minutes!

This will take you 5 minutes and may give you some insights you never expected! Download Now:

Warm Regards,
Stu Sjouwerman

Quotes of the Week
"Just as a candle cannot burn without fire, men cannot live without a spiritual life."
- Gautama Buddha - Philosopher (563 - 483 BC)

"Begin at once to live, and count each separate day as a separate life."
- Seneca - Philosopher and Playwright (4 BC – 65 AD)

"Why is cyber security so hard? One reason, what is often a human problem is trying to be solved by mainly highly technical people" - Lance Spitzner, from SANS Securing The Human

Thanks for reading CyberheistNews

Security News

Wall Street Journal: "All IT Jobs Are Cybersecurity Jobs Now"

The WSJ focuses more and more on the fact that cybersecurity is a priority for organizations. I have subscribed to the WSJ for 25 years and like monitoring it, as their editors write for business people, not technical folk like us.

They said: "The rise of cyberthreats means that the people once assigned to setting up computers and email servers must now treat security as top priority.

"Despite all the money we’ve spent — Gartner estimates 81.6 billion dollars on cybersecurity in 2016 — things are, on the whole, getting worse, says Chris Bronk, associate director of the Center for Information Security Research and Education at the University of Houston. “Some individual companies are doing better,” adds Dr. Bronk. “But as an entire society, we’re not doing better yet.”

The solution is resource management, with a focus on cybersecurity. Dr. Bronk lays it out like this:

1. Retrain IT staff on security—or replace them. In today’s world of ever-multiplying threats and dependence on connected assets, all IT staff must now be cybersecurity staff first. “The good news is that you don’t need that dedicated person to run your email server anymore—they can run security,” says Dr. Bronk.

2. Push everything to the cloud. It used to be the job of IT personnel was to build and maintain the tools employees need. Now, pretty much anything can be done better with a cloud-based service. “I mean, even the CIA uses Amazon’s web services,” says Dr. Bronk. “If there’s a best of breed, why not use it? If you want a safe car, go buy a Volvo.”

3. New IT investment will need baked-in security. Data from the Bureau of Labor Statistics indicates jobs in IT security are one of the fastest-growing categories in tech, up 33% in the past four years alone. That’s probably due to companies simply catching up on investing in cybersecurity after years of under-investment, says Mr. Gardiner."

I suggest you send this link to your C-level managers in case they did not see it!

Does Third-Party Security Awareness Training Work?

CSO has a good article where a Rapid7 security analyst describes the company’s direction with in-house vs. outsourcing training.

Being a security company, Rapid7 has to take a special interest in making sure its 1,000 employees do not succumb to phishing and the like. At a recent CSO50 conference, speakers discussed their security awareness training. Katie Ledoux, senior security analyst at Rapid7, was asked about the effectiveness of third parties conducting the training. In a follow-up Q&A, Managing Editor Ryan Francis discusses with Ledoux how Rapid7 approaches security awareness training.

Q: "What is the overall purpose of third party security awareness training programs? How might they help security teams?

A: Employees are part of our company’s attack surface, and it’s our responsibility to make sure they have the knowledge and tools necessary to defend themselves and the organization against threats. This might include training on subjects like phishing, mobile security, physical security, password security, etc. In short, these programs empower employees to act as an extension of the security team, spotting and reporting threats."

The whole article is here. It is interesting to see how an IT security company handles its own security awareness, and how they say that for practically anyone else, working with a third party is the way to go:

LinkedIn Interview: Security Pro Stu Sjouwerman, CEO of KnowBe4 Talks Threats

I was interviewed by Laura Didio, an experienced high-tech analyst and writer covering the IoT, data analytics, and security. We discussed the WanaCry ransomware attack, the bigger cybercrime landscape, how threats have evolved over the last 20 years, cyber insurance, and proactive measures. Read it here:

How a Fake Cyber Statistic Raced Through Washington

Nextgov wrote: "It’s the kind of figure that can make your jaw drop, the kind that forces lawmakers and public officials to get off their duffs and do something, that drives home the way cyber insecurity is ravaging small businesspeople across the nation.

"The statistic, typically attributed to the National Cyber Security Alliance, is that 60 percent of small businesses that suffer a cyberattack will go out of business within six months. But it’s completely erroneous, not based on any existing study, according to an exhaustive Nextgov search.

"In each case, the figure was attributed, at best, to a now-removed NCSA InfoGraphic that included the statistic credited to the antivirus firm Symantec but did not link to any study.

To be clear, there is no public study that has determined how many small businesses are forced to shut their doors following a cyberattack. In fact, there is very little information about the economic impact of data breaches and other cyber incidents on small businesses generally." Full article here:

Other Interesting News Items This Week

Some interesting Q1 stats from Kaspersky, mostly on mobile threats:

Target Agrees to Pay 18.5 Million dollars to End Data-Breach Probes:

Russian Hackers Made 'Tainted Leaks' a Thing — Phishing to Propaganda:

Here is a worldwide cybercrime heatmap from Europol. You can click on a region to get more information:

Hackers Hide Cyberattacks in Social Media Posts:

Cyberheist 'Fave' Links
This Week's Links We Like, Tips, Hints and Fun Stuff

Copyright © 2014-2017 KnowBe4, Inc. All rights reserved.