Monthly Archives: July 2017

Almost four times more budget is being spent on property-related risks vs. cyber risk

Larry Ponemon

This unique cyber study found a serious disconnect in risk management. What’s interesting is that the majority of companies cover plant, property and equipment losses, insuring an average of 59 percent and self-insuring 28 percent. Cyber is almost the opposite, as companies are insuring an average of 15 percent and self-insuring 59 percent.

The purpose of this research is to compare the relative insurance protection of certain tangible versus intangible assets. How do cyber asset values and potential losses compare to tangible asset values and potential losses from an organization’s other perils, such as fires and weather?

The probability of any particular building burning down is significantly lower than one percent (1%). However, most organizations spend much more on fire-insurance premiums than on cyber insurance despite stating in their publicly disclosed documents that a majority of the organization’s value is attributed to intangible assets. One recent concrete example is the sale of Yahoo!: Verizon recently reduced the purchase price by $350 million because of the severity of cyber incidents in 2013 and 2014.

Acceleration in the scope, scale and economic impact of technology multiplied by the concomitant data revolution, which places unprecedented amounts of information in the hands of consumers and businesses alike, and the proliferation of technology-enabled business models, force organizations to examine the benefits and consequences of emerging technologies.

This financial-statement quantification study demonstrates that organizations recognize the growing value of technology and data assets relative to historical tangible assets, yet a disconnect remains in how cost-benefit analysis guides resource allocation. In particular, a disproportionate amount is spent on insuring tangible assets compared to cyber assets, given their respective financial statement impact and potential expected losses.

Quantitative models are being developed that evaluate the return on investment of various cyber risk management IT security and process solutions, which can incorporate cost-benefit analysis for different levels of insurance. As such, organizations are driven toward a holistic capital expenditure discussion spanning functional teams rather than being segmented in traditional silos. The goal of these models is to identify and protect critical assets by aligning macro-level risk tolerance more consistently.

How do organizations qualify and quantify the corresponding impact of financial statement exposure? Our goal is to compare the financial statement impact of tangible property and network risk exposures. A better understanding of the relative financial statement impact will assist organizations in allocating resources and determining the appropriate amount of risk transfer (insurance) resources to allocate to the mitigation of the financial statement impact of network risk exposures.

Network risk exposures can broadly include breach of privacy and security of personally identifiable information, stealing an organization’s intellectual property, confiscating online bank accounts, creating and distributing viruses on computers, posting confidential business information on the Internet, robotic malfunctions and disrupting a country’s critical national infrastructure.

We surveyed 709 individuals in North America involved in their company’s cyber risk management as well as enterprise risk management activities. Most respondents are either in finance, treasury and accounting (34 percent of respondents) or risk management (27 percent of respondents). Other respondents are in corporate compliance/audit (13 percent of respondents) and general management (12 percent of respondents).

All respondents are familiar with the cyber risks facing their company. In the context of this research, cyber risk means any risk of financial loss, disruption or damage to the reputation of an organization from some sort of failure of its information technology systems.

Despite the greater average potential loss to information assets ($1,020 million) compared to Property, Plant & Equipment (PP&E) ($843 million), the latter has much higher insurance coverage (62 percent vs. 16 percent).

Following are some of the key takeaways from this research:

  • Information assets are underinsured against theft or destruction based on the value, probable maximum loss (PML) and likelihood of an incident.
  • Disclosure of a material loss of PP&E and disclosure of information assets differ. Forty-five percent of respondents say their company would disclose the loss of PP&E in its financial statements as a footnote disclosure. However, 34 percent of respondents say a material loss to information assets does not require disclosure.
  • Despite the risk, companies are reluctant to purchase cyber insurance coverage. Sixty-four percent of respondents believe their company’s exposure to cyber risk will increase over the next 24 months. However, only 30 percent of respondents say their company has cyber insurance coverage.
  • Fifty-six percent of companies represented in this study experienced a material or significantly disruptive security exploit or data breach one or more times during the past two years, with an average economic impact of $4.4 million.
  • Eighty-nine percent of respondents believe cyber liability is one of the top 10 business risks for their company.




What’s really scary about Petya ‘ransomware’ attack? It might not be ransomware

Bob Sullivan

The recent “ransomware” computer virus outbreak is over, but the speculation is just beginning. And it begins with those quotes around the term ransomware.


In late June, organizations in 64 countries around the globe, according to Microsoft, found themselves beating back a virus that’s been variously named Petya, GoldenEye, or even “NotPetya.” Infected computers suffered devastating attacks that disabled the machines and made files useless — encrypted, with instructions for paying a ransom, in typical ransomware fashion.

But there was something very atypical about this attack. The program itself was very sophisticated — far more sophisticated than WannaCry, last month’s most famous virus attack. Petya stole login credentials. It spread itself in multiple ways, meaning many folks who thought they were patched against Petya were not safe from it. Microsoft’s analysis of the malware shows how much effort was put into the crafting of the program.

But the ransom payout mechanism was as fragile as a single email address. That was disabled almost immediately, meaning victims couldn’t contact the virus writers to save their files.

That makes no sense. So much work on the software, so little work on the ‘revenue’ side — unless Petya wasn’t really about stealing money. Plenty of security experts have alighted on this theory.

Kaspersky Lab was most assertive in its analysis: it refused to call the malware ransomware, saying it was designed only to destroy data, not to raise money.

“This malware campaign was not designed as a ransomware attack for financial gain. Instead, it appears it was designed as a wiper pretending to be ransomware,” Kaspersky wrote on its site.

Other analysts came to much the same conclusion.

“The attackers behind the NotPetya had to know that they were making it very difficult for anyone to actually get their files back. Specifically, they provided just a single email address for victims to contact, to provide proof of payment,” said security firm SecureWorks in an email to me.

“Rather than being motivated by financial gain, these attackers created a disruptive attack masquerading as a ransomware campaign, and based on our investigation, it has been determined that (is) more likely,” SecureWorks said on its blog post about the attack. “While we recognize the possibility that this was a traditional ransomware campaign with some elements of poor execution, based on what we currently know… it is more likely that those apparent mistakes reflect elements of the campaign that were not important to the actor’s ultimate goal.”

So if the attack wasn’t about money, what was it about? Disruption, certainly. But why?

It’s dangerous to speculate on attribution because it’s so easy to leave false flags during an attack. But the virus got its start in Ukraine, and infected the most machines there, experts agree. That’s certainly fodder for speculation.

“We saw the first infections in Ukraine, where more than 12,500 machines encountered the threat. We then observed infections in another 64 countries, including Belgium, Brazil, Germany, Russia, and the United States,” wrote Microsoft in its analysis.

There’s been rampant speculation that the attack actually began with infection of tax software used in Ukraine called MEDoc.  Criminals infected an automated update with the malware, which then was pushed out to unsuspecting victims, several outlets reported.

In its report, Microsoft said it had evidence that such a “supply chain attack” was indeed to blame.

“Microsoft now has evidence that a few active infections of the ransomware initially started from the legitimate MEDoc updater process,” it said.

Other circumstantial evidence suggests the attack targeted Ukraine. SecureWorks points out that the outbreak happened on the day before Ukrainian Constitution Day, which was Wednesday. It’s easy to raise the possibility that a nation-state or even rogue actors within it who are resentful of Ukrainian independence might seek to disrupt the nation on that day.

But, in the world of digital evidence, it’s hard to be conclusive about such attribution. The New York Times quoted an expert who said the I.P. address used in the attack was in Iran, and who then pointed out that a hacker could have merely made it look like the attack came from Iran. This reminds me of a line from a 1980s TV comedy about a faux murder: “The killer is either a member of the family, or not a member of the family.” By now, Internet users should be used to the idea that things often aren’t what they seem.

More important, the Petya attack is clear evidence that ransomware-style attacks are getting more sophisticated and more dangerous. Virus writers are learning from each other, and developing nastier payloads and better spreading mechanisms. Pay attention now. If you have escaped WannaCry and Petya, consider yourself lucky. There is a high likelihood that a future ransomware attack will hit you. There’s only one way to be ready: back up. Make a copy of all the business files and photographs you care about and store them, physically, somewhere else.

For technologists, perhaps the biggest fear of all is the notion of the supply chain attack, raised by Microsoft recently. All computer users are now groomed to accept regular updates — ironically for security reasons — from software firms. If hackers learn to reliably infiltrate this update process, they will have found a powerful new attack vector.

Here’s a to-do list for network administrators from BeyondTrust:

  • Remove administrator rights from end users
  • Implement application control for only trusted applications
  • Perform vulnerability assessment and install security patches promptly
  • Train team members on how to identify phishing emails
  • Disable application (specifically MS Office) macros
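As an added example of the last item on that list (not from BeyondTrust or the original post), the PowerShell below enforces and then audits the Office macro policy for the current user; it assumes Office 2016/2019/Microsoft 365, whose policy keys live under the "16.0" registry path, and that in a domain the same values would normally be delivered by Group Policy.

```powershell
# Added example: enforce the Office macro hardening recommended above
# for the current user. Assumes Office 2016/2019/Microsoft 365 (registry
# version key "16.0"); in a domain the same values are normally pushed
# through Group Policy rather than a script.
$OfficeVersion = '16.0'
$Apps = 'Word', 'Excel', 'PowerPoint'

# VBAWarnings: 1 = enable all macros (the weak setting), 2 = disable with
# notification, 3 = disable all except digitally signed, 4 = disable all
# without notification.
$MacroPolicy = 4

function Set-OfficeMacroPolicy {
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        New-ItemProperty -Path $key -Name 'VBAWarnings' -PropertyType DWord `
            -Value $MacroPolicy -Force | Out-Null
        # Block macros in files carrying the Mark-of-the-Web (downloaded or
        # received as e-mail attachments), regardless of the setting above.
        New-ItemProperty -Path $key -Name 'blockcontentexecutionfrominternet' `
            -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

function Test-OfficeMacroPolicy {
    # Returns one row per application so the result can be logged or audited.
    foreach ($app in $Apps) {
        $key = "HKCU:\Software\Policies\Microsoft\Office\$OfficeVersion\$app\Security"
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        [pscustomobject]@{
            Application         = $app
            VBAWarnings         = $props.VBAWarnings
            BlockInternetMacros = $props.blockcontentexecutionfrominternet
            # Treat "signed only" or "disabled" plus the internet block as compliant.
            Compliant           = ($props.VBAWarnings -ge 3) -and
                                  ($props.blockcontentexecutionfrominternet -eq 1)
        }
    }
}

Set-OfficeMacroPolicy
Test-OfficeMacroPolicy | Format-Table -AutoSize
```

Running `Test-OfficeMacroPolicy` on its own, before `Set-OfficeMacroPolicy`, shows which applications are still at the weak or unset value.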