On Thursday the US National Institute of Standards and Technology (NIST) will publish the Cybersecurity Framework (Version 1.0), based on existing standards, guidelines, and practices, for reducing cybersecurity risk to critical infrastructure. The framework is the result of the Executive Order, Improving Critical Infrastructure Cybersecurity, issued by President Obama a year ago, and the hope was that it would lead to a more robust cyber insurance market with lower premiums, said NSS Labs’ Research Director Andrew Braunberg. “It will take a while for that to play out.”
With interest in enterprise security at an all-time high and the security industry’s annual Olympics’ equivalent, RSA Conference 2014, just two weeks away, cyber security insurance has been generating increasing interest. According to Braunberg, more transparency regarding cyber risk and cyber attacks is expected to drive greater adoption of cyber insurance as a means of demonstrating better corporate risk management.
NSS is traditionally a security testing house; it has been around for two decades and a year ago decided to expand its focus to mobility and GRC (governance, risk management and compliance), which is where insurance comes in, he said. “Cyber insurance is a topic people have been talking about for 10 years.”
Security insurance may be generating a lot of talk, but the current situation is “discouraging”, said Braunberg. As an example, none of the companies in the Fortune 1000 are coming close to the SEC guidelines regarding disclosures, he said, and growing threats and risks to companies’ assets and reputations make this an area of increasing concern.
The challenge is that cyber security is facing increasing pressure, according to NSS, which in December took a closer look at a growing privileged class of cyber criminals, governments and brokers that amass information on newly discovered vulnerabilities for as many as 151 days, on average, before the affected software vendors are notified of these weaknesses. According to NSS Research VP Dr. Stefan Frei in his report The Known Unknowns, third-party services offering subscriptions to zero-day (previously unknown) vulnerability information are breaking nation-states’ traditional monopoly on advanced cyber weapons.
The findings include:
- on any given day over the past 3 years, two vulnerability purchase programs alone gave their privileged subscribers early access to at least 58 vulnerabilities, on average, in Microsoft, Apple, Oracle or Adobe products;
- these vulnerabilities remained private for an average of 151 days before disclosure to vendors or the public;
- specialized vulnerability brokers’ fees are within more determined attackers’ budgets: for example, NSS found subscriptions delivering 25 zero-day vulnerabilities per year can be had for $2.5 million;
- attackers are outsourcing weaponry: jointly, a half dozen “boutique” exploit providers have the capacity to craft more than 100 exploits per year; and
- NSS’ research should be considered a “minimum estimate” of cyber weapons’ proliferation, since the activities of criminal gangs and of military and intelligence agencies around the world largely go undocumented.
Increasingly organizations are turning to cyber liability insurance as a hedge against these attacks. A recent Zurich survey found that more than 50% of risk managers said that their organizations are now purchasing Cyber Insurance policies, up almost 20% since 2011. Just over half (53%) of those not currently purchasing Cyber Liability insurance plan to do so in the next 3 years.
Another recent report paints a less rosy picture. While 85% of corporate executives named cyber attacks as their greatest risk in 2013, less than 20% of companies purchase cyber insurance.
NSS data puts the cyber security insurance adoption numbers somewhere in between, with approximately a third of large US businesses having anted up. It said not only should organizations view cyber security insurance as an important component of their overall risk strategy, they should also better leverage IT security teams when selecting insurance and explaining risk profiles.
Braunberg said there’s been some traction but insurance folks have a long way to go to assess risk. “We still believe the right combination of products can make you less vulnerable.”
Originally, insurance carriers came in and, based on a long history of data, determined what combination of products and factors would make you less susceptible to risk. In today’s environment, he said, any increased transparency in cyber risk is good news for cyber insurance.
The NIST framework should help, but there is still a long way to go, said Braunberg. “People talk this game but very few walk the walk.”
NSS will be releasing a new report at RSA that will reveal the extent to which evolving threats can effectively bypass layered security products and exploit common applications and other attack surfaces across mobile, cloud and other platforms. Last month it released its Network Intrusion Prevention Systems (IPS) Security Value Map and Comparative Analysis Reports, which evaluated 10 of the leading IPS products on the market for security effectiveness, performance, enterprise management capabilities and total cost of ownership.
The company also published a comprehensive summary of new and evolving financial malware threats in January. These included:
- cyber criminals have switched to using Yahoo! blog sites to communicate with botnet malware such as Taidoor. Using benign-looking blog pages – instead of traditional “command and control” (C2) servers – makes it harder for victims to uncover Taidoor’s presence on networks;
- updated malware threats are employing SSL to encrypt their communications with C2 servers to conceal the type of data they are stealing and the new instructions they receive; and
- there is a growing pattern of new financial malware Trojans first appearing in Europe, then spreading to U.S. banks and account holders.