STE WILLIAMS

Adware, Trojans Hit Education Sector Hard

Students continue to be weak links for schools and universities, according to data from security firm Malwarebytes.

The education sector continues to suffer from malware because of tight budgets, a shortfall in necessary security workers, and a lack of security awareness among students, according to new analysis published by security firm Malwarebytes.

Schools and universities were the top targets of Trojan horse programs, such as Emotet and Trickbot, for all of 2018 and the first half of 2019, Malwarebytes’ data shows. Almost three of every 10 devices owned by educational institutions encountered malware in the past 18 months, while a third of student-owned systems were actually infected with a Trojan, according to Malwarebytes.

“Most schools don’t have the funding for large-scale cybersecurity initiatives,” says Wendy Zamora, editor-in-chief at Malwarebytes Labs. “A lot of these schools may have one cybersecurity individual for the entire district — one person for possibly thousands of endpoints.”

While other industries, such as manufacturing and retail, were also affected by Trojan horse programs, which more than doubled in 2018 overall, the education sector saw Trojans account for more than 11% of all compromises. In addition, the education sector was the industry most affected by adware, which accounted for 43% of all threats seen by educational organizations in the first half of 2019, Malwarebytes stated in its report.

“Over the last 10 years, schools have been implementing technology in the classroom, trying to keep up with the consumer side in technology, but they’ve got legacy systems. They’ve got hardware that’s probably not been updated in 10 years,” Zamora says. “So if people do not have the proper security solutions in place to stop these more sophisticated attacks, then they run the risk of a massive infection.”

1,400 Infections in a Day
The East Irondequoit Central School District, in Monroe County, New York, provides an example of the risk schools face. The district had equipped faculty and students with 3,400 iPads and Windows laptops, but the lack of security made the connected devices a fertile ground for malware. The Emotet Trojan infected one administrator’s system and then spread using hidden admin shares on the other systems, according to Malwarebytes. Within 24 hours, more than 1,400 systems were infected.

The company helped East Irondequoit clean the Emotet compromises off the systems — a task requiring almost three weeks of work, the firm said.

The report is not the first time security professionals have issued a warning to the education sector. Last year, education claimed the dubious honor of last place in the rankings of industries’ cybersecurity practices, according to security-ratings firm SecurityScorecard.

In 2016, security scanning and ratings firm BitSight found that 13% of the higher-education sector had been infected with ransomware, the highest rate across all industries. BitSight warned that the sharing mindset at schools and universities leads to more cybersecurity risk.

“Those in the education field naturally have an ‘information-sharing’ mentality, which lends to a high rate of peer-to-peer file sharing,” the company stated in a blog post. “Universities and higher ed institutions encourage collaboration — but as a result, you often see students and faculty engaging in file-sharing activity on the school’s primary network.”

Malwarebytes gathered the data when the infected students’ systems attempted to connect to the network of schools using its software, Zamora says.

Trio of Trojans
The top three Trojans affecting students are Emotet, Trickbot, and Trace, which represented nearly half of all Trojans detected, according to Malwarebytes. Emotet is a Trojan that, since last summer, has evolved into an attack-for-hire service that other criminals can use to spread another piece of malicious software.

For that reason, Trickbot is often installed after Emotet infects a system, Malwarebytes’ Zamora says. Ransomware often follows as well.

“When we look at the trending attack vectors, there is a classic triple threat — where Emotet comes in, drops Trickbot, and often times drops Ryuk ransomware,” she says. “So when we stop Trojans, we may have stopped something that could have become a ransomware attack.”

Schools and higher education need to start focusing on securing their own systems as well as on students who may know little about cybersecurity, Zamora says.

“There are many districts of schools that are using some rather outdated hardware and software,” she says. “We still see WannaCry infections out there because people haven’t patched.”


Article source: https://www.darkreading.com/adware-trojans-hit-education-sector-hard/d/d-id/1335533?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

NSA Researchers Talk Development, Release of Ghidra SRE Tool

NSA researchers took the Black Hat stage to share details of how they developed and released the software reverse-engineering framework.

The National Security Agency released its classified Ghidra software reverse-engineering (SRE) tool as open source to the cybersecurity community on April 4. NSA researchers Brian Knighton and Chris Delikat shared how Ghidra was built and the process of releasing it at Black Hat 2019.

Ghidra is a framework developed by the NSA’s Research Directorate for the agency’s cybersecurity mission. It’s designed to analyze malicious code to give security pros a better understanding of potential vulnerabilities in their networks and systems. To do this, it comes with software analysis tools to research code on Windows, macOS, and Linux, and capabilities including disassembly, assembly, decompilation, graphing, and scripting, among others.

“Ghidra has been an ongoing project in research for many years now,” said Delikat, researcher and cyber team lead for the NSA, in their Black Hat briefing. The tool has been in development for roughly 20 years, he added, and it’s meant to be a foundation to support future research. The NSA publicly released Ghidra in March at RSA ahead of its open source debut in April.

Why use SRE? Organizations may find a binary on their network and want to analyze it for vulnerabilities so they can defend themselves, Delikat continued. If there’s a binary on your network you didn’t put there, you’ll want to figure out what it’s doing and where it came from. Back in 2000, when development began, there weren’t any tools to do these things, he noted. Now, as software grows and the possibility of vulnerabilities increases, the agency wanted to give organizations a framework to explore potential malware on progressively larger networks.

The goal was to bring three key features — scaling, teaming, and extendability — into a single body of work, said Knighton, Ghidra developer and IoT vulnerability researcher at the NSA.

Delikat and Knighton elaborated on some of the details and design decisions involved with building Ghidra. It’s a project-based framework, meaning instead of bringing in a single binary to investigate, researchers can create a project and include all the binaries they want to analyze. A “Project Window” provides a view where a binary can be annotated and marked up.

A file system browser, introduced after Ghidra was created, lets researchers drill down into firmware bundles, Delikat continued. Its script manager can be used to automate tasks and find functions. Researchers can write scripts in Java or Python, which was added after Ghidra was open sourced. If someone else wanted to add Ruby, he noted, they’d be able to do that.

Developers chose Java for the tool because of its popularity in the early 2000s, said Knighton. They tried C++ but the language didn’t give a platform-independent GUI from the start. If they were building today, they’d still use Java, he said, but would likely do things differently.

Government policies pushed Ghidra over the finish line. Delikat pointed to Executive Order 13691, “Promoting Private Sector Cybersecurity Information Sharing,” which was issued on February 13, 2015, and recognizes that organizations engaged in sharing information related to security risks and incidents have an “invaluable role” in national cybersecurity. The EO encourages the development of organizations to share data, establishes mechanisms to improve their capabilities, and aims to make it easier for them to voluntarily partner with the government.

“Using the same tool across different groups is really going to improve the ability to share,” Delikat said. Open sourcing Ghidra was a slow process: The NSA did a prepublication review in which two people reviewed each line of code. “Think about any internal software project you’ve got in-house for a decade or more,” he added. “Now all of a sudden, you want to make it open source so everyone can download it. … This was a moonshot for us.”

The next version of Ghidra, 9.1, will be coming out soon and bring additional processor modules, support for data type bit fields, and support for SysCalls and a Sleigh editor. In the future, they hope to bring Android OAT/ART support, a debugger, and external engagement.

“Part of what we’re trying to leverage by getting the tool into the open source community is the creativity,” said Knighton.


Kelly Sheridan is the Staff Editor at Dark Reading, where she focuses on cybersecurity news and analysis. She is a business technology journalist who previously reported for InformationWeek, where she covered Microsoft, and Insurance Technology, where she covered financial …

Article source: https://www.darkreading.com/endpoint/nsa-researchers-talk-development-release-of-ghidra-sre-tool/d/d-id/1335536?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

Facebook got humans to listen in on some Messenger voice chats

Facebook has been collecting some voice chats on Messenger and paying contractors to listen to and transcribe them, Bloomberg reported on Tuesday after hearing from rattled contractors who thought that lack of user notification was unethical.

This is past tense: on Tuesday, Facebook said it knocked it off “more than a week ago” following the scrutiny that Apple and Google have gotten over doing the same thing. Bloomberg quoted a statement in which Facebook confirmed that yes, it had been transcribing users’ audio, but that it’s “paused” the practice:

Much like Apple and Google, we paused human review of audio more than a week ago.

Facebook didn’t say if or when it might resume. The company did say, however, that the eavesdropping was opt-in: only users who chose the option in Messenger would have had their voice chats transcribed. The purpose was to vet Facebook’s artificial intelligence’s (AI’s) ability to correctly interpret the voice messages, which, Facebook says, were anonymized.

They’re all doing it – or at least, they were

Facebook is far from the only tech giant to get its human employees to listen in on voice snippets in order to fine-tune their AI and voice recognition technologies: Google, Apple, Microsoft and Amazon have all been doing it.

In April, Bloomberg reported that Amazon employs thousands of people around the world to work on improving its Alexa digital assistant, which powers its line of Echo speakers. Amazon has confirmed that it keeps these recordings indefinitely instead of deleting the data.

It’s sometimes mundane work. It’s sometimes disturbing: contractors and employees have reported hearing what they interpret as sexual assault, children screaming for help, and other recordings that users would be very unlikely to willingly share.

In July, whistleblowing Google contractors who’d read the news about Amazon reached out to report that it was doing the same thing. Then it was Apple’s turn: the Guardian ran a story revealing that contractors “regularly hear” all sorts of things Apple customers would probably rather they didn’t, including sexual encounters, business deals, and patient-doctor chats.

The vendors have said that the recordings are to some extent anonymized. It’s just done to improve Siri’s accuracy, Apple said. But according to the whistleblower who spoke to the Guardian, in some cases, the recordings that accompany the user data showed location, contact details, and app data.

As far as Microsoft goes, Motherboard reported last week that it got its hands on documents, screenshots, and audio that it says show that humans listen to Skype calls made using the app’s translation function.

Google and Apple suspended contractor access to voice recordings after the media reports. In the aftermath of those reports, Amazon said it will let users opt out of human review of Alexa recordings, though users have to actually go in and, periodically, delete those recordings themselves.

“This conspiracy theory” about eavesdropping

Post-Cambridge Analytica, when Facebook CEO Mark Zuckerberg got invited to Capitol Hill to chat with Congress about his company’s handling of user data, he directly denied the widely held notion that Facebook listens in on users to show them ads or tweak their news feeds.

That’s just nutty, he told US Senator Gary Peters in April 2018:

You’re talking about this conspiracy theory that gets passed around that we listen to what’s going on on your microphone and use that for ads. We don’t do that.

Facebook later clarified that it…

…only accesses users’ microphone if the user has given our app permission and if they are actively using a specific feature that requires audio (like voice messaging features).

But as Bloomberg reports, some contractors feel that Facebook’s failure to disclose the fact that third parties may review their audio is unethical. One of Bloomberg’s sources was TaskUs, which performs these transcription services for Facebook. The company confirmed that Facebook asked it to pause the work over a week ago.

Unfortunately, perfecting automatic voice recognition is actually an important job for social media platforms like Facebook, which have a dizzying volume of content to pore over in order to determine what’s possibly in violation of its policies. Facebook and other platforms have been getting sharp attention for whatever role they’ve played in election tampering, child exploitation, hate speech or terrorism, for example. How do they block what they can’t decipher?

But while it’s vital to weed out violative content, it’s also incumbent on Facebook to ensure that users actually know exactly what’s happening with their communications – as in, who’s listening in, and why.

Unsurprisingly, the news has caught the attention of those whose job it is to determine how well Facebook is protecting user data.

The regulator’s ears prick up

Ireland’s Data Protection Commission (DPC), which regulates Facebook in the European Union, said on Wednesday that it’s going to have a chat with the company to suss out just how all this jibes with General Data Protection Regulation (GDPR) rules.

From a statement the DPC sent to Reuters:

Further to our ongoing engagement with Google, Apple and Microsoft in relation to the processing of personal data in the context of the manual transcription of audio recordings, we are now seeking detailed information from Facebook on the processing in question and how Facebook believes that such processing of data is compliant with their GDPR obligations.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/ygMZYoeBESk/

Hacking forum spills rival’s 321,000 member database

When users of hacking forums turn on each other, expect things to get messy quickly.

The latest site to find itself on the receiving end of this phenomenon is Cracked.to, which last Friday reportedly found its database of 321,000 members and 749,161 unique email addresses leaked on rival site RaidForums.

We can say that with confidence because by Monday the compromised accounts had become another statistic on the Have I Been Pwned (HIBP) breach database – the industry’s go-to for news of such incidents.

That dated the breach to 21 July, with the stolen data also including things anyone frequenting a forum of this type would rather not be out in the open such as “IP addresses, passwords, private messages, usernames.”

As Ars Technica points out, this isn’t likely to be as serious a data breach as it would be for a more mainstream website.

IP addresses will likely be anonymised using Tor with account email addresses that probably won’t identify the users behind them – this is a cagey hacking forum after all.

As for password security, according to the site’s breach warning, it appears that months before the breach an admin at Cracked.to realised the danger of using weak hashing:

We have changed the hashing algorithm of passwords from myBB default (MD5) to something more advanced a few months ago, which makes it almost impossible to decrypt your passwords.

Doxing schadenfreude

More of a problem, however, is the leaking of private messages, which might identify at least some users.

The culprit? Apparently, an inside job carried out by an “old person of my trust”, said a current forum admin. Naturally:

There will be consequences for the forum that is responsible for distributing the backup and for the person that leaked it.

On the former point of revenge, they might need to join a queue. In May, data from 112,988 users of rival forum OGusers also appeared on RaidForums.

Security writer Brian Krebs argued that this “comeuppance” would probably prove to be an excellent resource for law enforcement to trawl through for evidence of crimes and perhaps the names behind them.

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/xvjD6W7zzTE/

‘NULL’ license plate gets security researcher $12K in tickets

A vanity plate reading “NULL” sounded good to security researcher/hacker “Droogie,” at least in theory: maybe it would make his plate invisible to Automatic License Plate Reader (ALPR) systems?!

Maybe entering the characters – NULL is the marker used in Structured Query Language (SQL) databases to indicate that a data value doesn’t exist – would just return error messages when his plate was spotted during one of his traffic violations…?

That’s not what happened, he told an audience at the recent Defcon security conference. Instead, $12,000 in traffic violation fines happened.

Forbes quoted Droogie as he reminisced about his initial expectations:

[I thought,] ‘I’m gonna be invisible’. Instead, I got all the tickets.

As the Guardian reports, every single speeding ticket earned by cars that lacked valid license plates wound up getting assigned to Droogie’s car – turning it into a veritable NULL bucket.

I’m not paying those, Droogie told Defconners. An unsympathetic Los Angeles police department had initially told him that the only solution was to change his license plate.

But why should he? He didn’t do anything wrong. He had checked with California’s Division of Motor Vehicles (DMV), found that the “NULL” vanity plate was surprisingly available, and registered it without any problem – “no bugs or anything.”

He said that it left him without any “high expectations of the DMV website.” At any rate, Droogie got his plate and set off to figure out if it would render him “invisible” to citations:

What happens when a police officer does a search for my plate ‘NULL’, would it not return any data? If they file a citation, would it cause an issue?

Fortunately for Droogie, the $12,000 worth of issues it caused were eventually scrapped by police.

The episode is giving rise to links to the XKCD Little Bobby Tables cartoon about sanitizing database input, but as a commenter on Ars Technica’s coverage pointed out, this one about the guy with the all-1s license plate was a whole lot more prescient.
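As an added illustration (not from the article, and not how any DMV or court system is known to work), the script below reproduces the failure mode the story describes: a data pipeline that spells a missing plate as the text "NULL" ends up attributing every plateless citation to the one car actually registered as NULL, while keeping SQL NULL distinct from the string attributes only the genuine ticket. The CITATIONS rows, export_rows and import_rows are constructed for this example.

```python
import csv
import io
import sqlite3

# Constructed sample data (not real records): three citations whose plate
# could not be read (None) and one issued to a car whose vanity plate is the
# literal text "NULL", plus an ordinary plate for contrast.
CITATIONS = [
    (1, None, "speeding"),
    (2, None, "red light"),
    (3, "NULL", "parking"),
    (4, "ABC1234", "speeding"),
]


def export_rows(rows, null_token):
    """Write citations as CSV, rendering a missing plate as null_token."""
    buf = io.StringIO()
    writer = csv.writer(buf)
    writer.writerow(["id", "plate", "offence"])
    for cid, plate, offence in rows:
        writer.writerow([cid, null_token if plate is None else plate, offence])
    return buf.getvalue()


def import_rows(csv_text, null_token=None):
    """Load the CSV into an in-memory SQLite table.

    If null_token is given, a plate field equal to it is stored as SQL NULL;
    otherwise every field is stored verbatim as text.
    """
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE citation (id INTEGER PRIMARY KEY, plate TEXT, offence TEXT)"
    )
    for row in csv.DictReader(io.StringIO(csv_text)):
        plate = row["plate"]
        if null_token is not None and plate == null_token:
            plate = None
        conn.execute(
            "INSERT INTO citation VALUES (?, ?, ?)",
            (int(row["id"]), plate, row["offence"]),
        )
    conn.commit()
    return conn


def tickets_for_plate(conn, plate):
    """Citations attributed to one registered plate. The plate is passed as a
    bound parameter, so its text is data and never part of the SQL."""
    rows = conn.execute(
        "SELECT id FROM citation WHERE plate = ? ORDER BY id", (plate,)
    ).fetchall()
    return [cid for (cid,) in rows]


def unidentified_tickets(conn):
    """Citations with no plate at all. SQL NULL never compares equal to
    anything, so these require IS NULL and can never match a real plate."""
    rows = conn.execute(
        "SELECT id FROM citation WHERE plate IS NULL ORDER BY id"
    ).fetchall()
    return [cid for (cid,) in rows]


def attribute_buggy():
    # Exporter spells missing plates as "NULL"; the importer stores every field
    # verbatim. The unreadable plates now collide with the real NULL plate.
    conn = import_rows(export_rows(CITATIONS, "NULL"))
    return tickets_for_plate(conn, "NULL")


def attribute_fixed():
    # Exporter writes an empty field, which no issued plate can equal, and the
    # importer turns it back into SQL NULL. Returns (ticketed, unidentified).
    conn = import_rows(export_rows(CITATIONS, ""), null_token="")
    return tickets_for_plate(conn, "NULL"), unidentified_tickets(conn)


if __name__ == "__main__":
    print("buggy pipeline, tickets on plate NULL:", attribute_buggy())
    print("fixed pipeline, (tickets on NULL, unidentified):", attribute_fixed())
```

The defender's check is the importer: any sentinel used for a missing value must be one that no legitimate value can equal, and it must be mapped back to a real NULL before anything is matched against it.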

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/0V6dSt5YHpQ/

Serious flaws in six printer brands discovered, fixed

There are many ways to compromise company data, but IT teams often overlook one of the most serious: the humble printer. It sits in the corner, happily humming away as it churns out sensitive company documents, but it’s a small computer with the ability to spit out hard copy. These things have an increasingly large attack surface and are often connected to the internet, awaiting remote commands.

Researchers at security company NCC Group took a closer look at printer security and discovered serious flaws in six popular printer brands that could allow attackers to take over accounts or comb through company documents. The opportunities for printer pwnage are many and varied – the researchers found several classes of bugs that recurred across many of these devices.

Buffer overflows were a common problem – especially critical because they could allow for remote code execution (RCE). These flaws would often show up in the printers’ Internet Printing Protocol (IPP) service, which lets clients submit and query print jobs.

IPP is an IP-based protocol that can run locally or over the internet. These overflows were also common in the Line Printer Daemon (LPD) protocol, an older service also used to accept and control print jobs remotely. A maliciously crafted network packet is often enough to take control.

Another serious bug was the lack of an account lockout, enabling attackers to figure out local account credentials by brute-forcing the device, which is where you automatically try password after password until you get lucky. Lexmark, Ricoh, and Xerox printers contained this flaw.

Most modern printers feature HTML and JavaScript-based administrative interfaces, making cross-site scripting (XSS) bugs a common occurrence in the NCC Group tests. These could enable an attacker to hijack the administrator’s session in the printer’s web application. Cross-site request forgery (CSRF) attacks could allow attackers to inject code into these interfaces, and in some cases take over an account.

Some Brother printers had a critical heap overflow bug in their IPP implementation, and a stack buffer overflow flaw in their cookie-handling code. Both of these were RCE bugs. NCC Group found multiple vulnerabilities in several HP printers, including cross-site scripting and buffer overflow flaws.

Kyocera printers had buffer overflows in their web servers, IPP services, and LPD services, along with a critical broken access control bug allowing unauthorised access to printer configuration settings, including user details and some passwords.

The printers also had several other less severe bugs, including XSS and CSRF flaws, and a path traversal vulnerability that allowed attackers to check for the existence of files on the printer and then retrieve them.

The researchers found six classes of vulnerability across dozens of Lexmark printer models. The most serious was a set of overflow bugs that allowed specially crafted requests to the printer’s web server to execute arbitrary code on the system, closely followed by the account lockout flaw.

The rest of the Lexmark bugs ranged from a denial-of-service vulnerability in SNMP through information disclosure bugs to XSS flaws. The information disclosure bugs could leak sensitive operational and configuration data to an unauthenticated user, they warned.

Four Ricoh printers shared several bugs, including critical buffer overflows in the IPP service, the HTTP cookie header and parameter parsing, and LPD service. An information disclosure bug led to the disclosure of operating system memory.

Ricoh devices also featured several flaws unique to that brand in the NCC Group tests. Their design exposed a hardware serial connector to attackers with physical access to the machines, which could give them full control of the printers. The company also hardcoded FTP credentials into some of its printers’ firmware, allowing attackers to read information on the device’s FTP folders.

Xerox printers suffered from critical buffer overflows in their implementations of Google Cloud Print and IPP, and in their web servers. These could all lead to remote code execution or denial of service attacks. They also exhibited XSS and CSRF bugs.

The vendors have all patched these vulnerabilities, so make sure you have the latest updates. This news highlights the importance of auditing and hardening this part of your IT ecosystem. When was the last time you patched your printer firmware and checked its configuration?

Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/nskUwQnmN2Q/

S2 Ep4: iPhone holes, Android malware and romance scams – Naked Security Podcast

Episode 4 of the Naked Security Podcast is now live!

This week host Anna Brading is joined by Paul Ducklin and Matt Boddy. They discuss how iPhone vulnerabilities have changed Apple’s attitude towards cybersecurity researchers [3’50”], the latest twist in romance scams where crooks are recruiting money mules via dating sites [12’43”], and malware in preinstalled apps on Android [26’09”].

As usual, we answer your questions on the show [39’43”] – this week: advice on how to get started in the cybersecurity industry, tips for securing your online life, and the thorny issue of whether mobile phones are making cybersecurity better or worse.

Do you have a question for next week? Simply comment below or ask us on social media.

Listen now and share your thoughts with us!


Article source: http://feedproxy.google.com/~r/nakedsecurity/~3/SYnPcoueNsg/

Bomb-hoaxing DoSer who targeted police in revenge was caught after Twitter taunts

A young man who DoSed two British police forces’ websites has been sentenced to 16 months in a young offenders’ institution.

Liam Reece Watts was jailed at Chester Crown Court earlier this week after DoSing Cheshire Police and Greater Manchester Police’s public-facing websites as revenge for being convicted of carrying out a bomb hoax just days after the Manchester Arena mass murder.

Both forces’ websites went down for around a day during each denial-of-service attack.

Watts, who was 19 at the time of his misdeeds, was caught after directly taunting police through Twitter using the handle Synic. Cheshire Police traced his account and arrested him at home on 26 March and Watts pleaded guilty a month later to two charges under the Computer Misuse Act.

One of his tweets reportedly said: “@Cheshirepolice want to send me to prison for a bomb hoax I never did, here you f****** go, here is what I’m guilty of.”

A SYN flood is a type of DoS attack that consists of overloading a target server by bombarding it with SYN requests. Watts’ Twitter alias may have been a reference to this mischief.

CPS prosecutor Chris Taylor told Judge Patrick Thompson at Watts’ sentencing hearing on Monday that the perpetrator had also been convicted of a Computer Misuse Act offence back in 2016 after DoSing his college. The Press Association newswire reported (via ITV News) that Watts’ lawyer, Patrick Williamson, said his client suffered from ADHD and “alcohol-related neurodevelopment disorder”.

Watts also has a criminal conviction for attempted robbery, as well as the bomb hoax, which was carried out in Warrington, Cheshire.

Ursula Doyle, a specialist prosecutor working for the CPS’s Merseyside branch, said: “Watts appears to have been motivated by revenge for a previous conviction, but in fact the people who were primarily inconvenienced were the thousands of members of the public who use the websites to contact police, or access the websites for help: that service was temporarily disabled.”

20-year-old Watts, of Stratford Road, Chorley, Lancashire, pleaded guilty to two charges brought under section 3(2)(b) of the Computer Misuse Act 1990, having set out to “prevent or hinder access to any program or data held in any computer”. He was sentenced to 16 months in a young offenders’ institution, handed a five-year restraining order to stop him from deleting his browsing history and to allow police to trawl through it on demand, and forfeited his computers for destruction. He was also handed a victim surcharge tax of £140.

Detective Sergeant Chris Maddocks of Cheshire Police’s cybercrime unit said in a statement that he hoped the sentence “will act as a warning to anyone who would engage in this type of behaviour online”.


Article source: http://go.theregister.com/feed/www.theregister.co.uk/2019/08/15/liam_watts_dos_cheshire_greater_manchester_police_jailed/

5 Things to Know About Cyber Insurance

More businesses are recognizing the need for cyber insurance as part of an overall security strategy. Here are some key points to consider when evaluating, purchasing, and relying on a policy.

After years of trying, Risk Based Security CISO Jake Kouns finally managed to get cyber insurance the attention he thinks it deserves. He had been submitting ideas for insurance-related talks for the annual Black Hat USA event since 2012 – and had been rejected four times. But at last week’s Black Hat in Las Vegas, he led one of the sessions during a dedicated micro summit about cyber insurance.

Interest and attitudes around cyber insurance have changed, according to Kouns, as more security managers and businesses of all sizes recognize the need for it as part of an overall security strategy. Though PWC estimates only about 30% of companies have cyber-risk insurance or cyber liability insurance coverage, the market continues to grow. According to a recent report by A.M. Best, direct premiums written for both standalone and packaged cyber policies grew about 12% in 2018, from $1.8 billion to $2 billion. While this is a bit slower than the past two years, the $2 billion figure is more than double what was written in 2015.

In his session, “Integration of Cyber Insurance Into A Risk Management Program,” Kouns walked attendees through some of the best practices and caveats for investing in a policy. Here are some key takeaways for CISOs to consider when evaluating, purchasing, and relying on cyber insurance.

1. If Your Organization Doesn’t Already Have Cyber Insurance, It Will
Organizations are increasingly investing in cyber insurance simply because they have no choice, Kouns said. Clients are insisting their partners have insurance for compliance purposes and regulatory requirements. More and more, having cyber insurance is part of contractual requirements, he said.

Kouns also stressed that for smaller organizations that have not put a strong security program in place, cyber insurance is critical and makes financial sense.

“Typical costs for cyber insurance are currently extremely reasonable,” Kouns said. “If you’re a CISO and you have a breach, what do you want to say? ‘Whoops, sorry?’ Or, ‘We have a partner, let’s file a claim.’”

2. Insurance Coverage Is Not a Substitution for a Security Program
Just as you wouldn’t drive recklessly simply because you have auto insurance, cyber insurance should not serve as a reason to scale back investment in security strategy and tools. Under no circumstances should a business purchase cyber insurance and assume it is covered without putting the time and investment into a solid security program, Kouns said.

“My concern is this is what some people hear and do. We call this a moral hazard,” he said. “Effective security programs cost money.”

While cyber insurance may reimburse costs, it cannot mitigate the reputational damage incurred by a breach or a security incident. Insurance will not reinstate trust from clients and customers post-breach.

3. Security Should Get Involved Early in the Insurance Process
While the conversation about insurance is often being led in other financial divisions of a company, such as at the CFO level, the security department should be involved at the outset to help evaluate policies and coverage levels, Kouns said.

“Read the policy, give your input,” he said. “Help to fill out the application. I have not seen enough IT security involved in the insurance process. A broker will say, ‘Don’t worry about talking to your IT staff. I’ll fill it out for you.’ That’s bad.”

Security staff or the CISO will understand the technical language and definitions in a way that others who are less tech-savvy and risk-informed cannot. Security is also better qualified to spot important exclusions that may be slipped into the policy and can advise accordingly. To ensure the policy has the right inclusions for your organization’s specific needs, security must be consulted at each step of the evaluation and purchasing process.

4. Ensure the Requirements of a Policy Are Fulfilled So Your Coverage Won’t Be Nullified
You’ve got a policy and now you’re covered, right? Think again. You are obligated to fulfill, and to have in place, a number of requirements in order for that policy to cover you in the event of a breach or other security incident.

This brings us back to the importance of security’s involvement in the process and a thorough understanding of both the coverage and the policy details. What does your organization need to have in place that it may be overlooking? If the policy requires it, you will be out of luck on coverage in the event of a breach if you haven’t made the proper accommodations.

5. Some Elements of Your Incident Response Plan May Need to Change
Kouns stressed that certain steps in an incident response plan may need to be adjusted once a cyber insurance policy is in place. This includes your breach reporting timeline because, as Kouns pointed out, almost all policies have requirements about timely reporting.

Second, it is critical to develop your incident response plan before you have to use it, and to test it. While many organizations have an incident response plan in theory, a considerable number have never actually put it to the test. Are you sure yours is up to the challenge if a breach occurs?


Image Source: Krolone via Adobe Stock


Joan Goodchild is a veteran journalist, editor, and writer who has been covering security for more than a decade. She has written for several publications and previously served as editor-in-chief for CSO Online. View Full Bio

Article source: https://www.darkreading.com/edge/theedge/5-things-to-know-about-cyber-insurance-/b/d-id/1335526?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple

7 Biggest Cloud Security Blind Spots

Cloud computing is a boon for innovation, yet security organizations find themselves running into obstacles.

Image Source:Adobe Stock (Sergey Nivens)


Cloud computing is evolving from a viable option for delivering IT services into the de facto standard. According to the “2019 Public Cloud Trends” report from the Enterprise Strategy Group (ESG), use of infrastructure-as-a-service environments has shot up over the past eight years, from 17% of organizations to 58%, and a full 39% of organizations report taking a cloud-first approach to all of their technology deployments.

It’s a boon for innovation, for sure, but security organizations continue to struggle to keep up with the constant changes in cloud technology, architecture, and use cases. Many of the biggest challenges they face have to do with visibility. In a recent report from the Cloud Security Alliance, three-quarters of companies with assets in the public cloud cited lack of visibility as a major challenge.

Here are some of the biggest cloud security blind spots that cause these visibility woes.


Ericka Chickowski specializes in coverage of information technology and business innovation. She has focused on information security for the better part of a decade and regularly writes about the security industry as a contributor to Dark Reading. View Full Bio

Article source: https://www.darkreading.com/cloud/7-biggest-cloud-security-blind-spots/d/d-id/1335493?_mc=rss_x_drr_edt_aud_dr_x_x-rss-simple