275 7th Ave, 7th floor, New York, NY 10001 | dcullinanecpa@yahoo.com

Chelsea / Lower Manhattan

Daniel Cullinane CPA | p 848-250-9587

Around half of industry practitioners see the risk of silent cyber exposure – potential cyber-related losses due to silent coverage from insurance policies not specifically designed to cover cyber risk – as growing over the coming year, according to Willis Re.

Silent cyber exposure

In the Willis Re survey, respondents were asked to assess the extent to which, over the next 12 months, the cyber aspect of exposure would increase the likelihood of a covered loss.

Around half of respondents felt that the risk of a silent cyber loss from property or other liability was greater than 1 in 100, while close to a quarter considered the risk to be greater than 1 in 10, illustrating the degree of uncertainty surrounding potential exposure.

Examples of silent cyber exposure could include a cyber-attack on an industrial plant’s control system causing a boiler explosion, leading to extensive property damage and business interruption, or malware causing an elevator to fail, resulting in multiple casualties.

While a policy pay-out will depend on the specifics of individual wordings and occurrences, such examples illustrate how silent cyber events can push up loss ratios on policies not specifically meant to cover cyber risk.

Degree of concern

Anthony Dagostino, Head of Global Cyber Risk, Willis Towers Watson, said: “Buyers of insurance have to consider the exposure that they have in relation to the rising prominence of cyber-related incidents. The results of the survey have reinforced the need for a holistic cyber risk insurance strategy and tailored insurance policies to address the risk adequately.”

Mark Synnott, Global Cyber Practice Leader, Willis Re, added: “The degree of concern over silent cyber exposure has confirmed the importance of the existing support we are giving to clients to help them better manage their known and unknown cyber exposures.”

The results of the survey varied by industry group: IT/Utilities/Telecom and Financial Services were seen as higher risk, perhaps reflecting perceived threats to utility infrastructure.

Interestingly, however, although some of the most well-known silent cyber property losses to date have occurred in industrial settings, respondents did not foresee especially high risk for the Construction, Engineering and Industrial, Manufacturing and Natural Resources groupings, which were also seen as relatively low risk for other liability losses, perhaps indicating that as these industries accumulate less personal data from the public, they are seen as less exposed to other liabilities.

Implement a robust cybersecurity awareness training programme

Technical controls may not detect and contain all ransomware, or indeed all malware, especially given the rapidly evolving nature of these threats. In this event, the last line of defence is the end user who receives the email or browses the web. Therefore, it is essential that all users are properly empowered to identify security threats and deal with them accordingly.

You should review your current security awareness training programme to ensure that it is appropriately resourced and that it targets all users. Although technical controls can minimise the risk posed by various threats, the human factor needs to be constantly managed. If people are not made aware of the threats posed to their systems or data, of the reasons why certain policies and controls are in place, or how to react to a suspect security breach, then the risk of a security breach occurring increases significantly.

The security awareness programme should be tailored for the audience. For example, developers should have a different programme, focused on topics relevant to their role, from the programme aimed at the sales and marketing function.

Ensure anti-virus software is updated and all features enabled

You should ensure that all PCs have up to date anti-virus software installed and that they are regularly updated with the latest software updates, virus signatures, and security features. In addition, you should ensure that the anti-virus suite deployed on all PCs has all the anti-malware features implemented so that any unusual behaviour that may indicate an infection can be quickly identified.

Ensure all operating system and software patches are applied

You should ensure that all PCs have the latest operating system and software updates deployed and applied in a timely manner. You should investigate and implement a means to keep all PCs and laptops patched with the latest updates for all software applications installed on those computers.

Disable ActiveX in Office files

You should disable ActiveX content in the Microsoft Office Suite of applications. Many computer viruses use macros to take advantage of ActiveX and download malware onto the affected PC. This is particularly recommended for any organisation running devices with any Microsoft operating system earlier than Windows 10.

Block executable files from the %APPDATA% and %TEMP% paths

You should look at methods to block executable files from the %APPDATA% and %TEMP% paths on computers with the Microsoft Windows Operating System installed. These folders are often used by malicious software to download and execute the files associated with ransomware and other malicious software.

You could employ Software Restriction Policies to protect systems from infection from the use of unauthorised software. Exclude files of the following types:


Your PC should be configured to not allow executable files to be run from the following folders:


It is strongly recommended that all policies are comprehensively tested before being deployed into a live environment.

Deploy Windows AppLocker

On computers installed with Microsoft Windows, you should consider deploying AppLocker to manage which applications can be run.

AppLocker is a more advanced way than Software Restriction Policies of managing the applications users can access. It has several features that allow it to be centrally managed, to be tested more rigorously before deployment, and to create exceptions to the rules.

Deploy Microsoft EMET

The Microsoft Enhanced Mitigation Experience Toolkit (EMET) is a free security utility which helps prevent security vulnerabilities in software from being successfully exploited. It uses security mitigation technologies as special protections and obstacles that an exploit author must defeat to take advantage of any software vulnerabilities.

You should deploy EMET throughout your computer estate to reduce the likelihood of malicious software, or an attacker, exploiting a software vulnerability.

Disable macros in Office files

You should disable Macros in the Microsoft Office Suite of applications. Many computer viruses use Macros to download malware onto the affected PC.

Upgrade to the latest version of Windows

You should upgrade computers with Microsoft Windows installed on them to the latest version of the operating system. At the time of writing, Windows 10 Professional is now considered to be one of the most secure desktop operating systems.

Implement network segmentation

Consider segmenting your network to reduce the ability of computer worms, whether ransomware or otherwise, to spread rapidly from one system to another. This will give you the ability to cut off infected sections of the network and prevent the infection spreading further.

Run regular phishing tests

You should run regular phishing simulations against staff to determine how many would potentially fall victim to such an attack. A phishing simulation is a tool to send fake emails to staff with an attachment or link to determine how many staff would click on the attachment or link. As most ransomware attacks are the result of phishing emails, this type of testing, combined with an effective cybersecurity awareness programme, can be quite effective in conditioning staff not to trust all emails and to be cautious when dealing with emails.

You should aim to keep the click-through rate of staff responding to the phishing simulations consistently below 15%, which is considered the industry recognised norm.

Staff who consistently fail the phishing simulations should be given additional security awareness training and/or have additional technical controls and restrictions placed on their systems.

Improve visibility of security events

You should consider deploying a Security Information and Event Management (SIEM) solution to provide visibility into ongoing threats within your network. This SIEM solution could either be deployed internally, or if you do not have the required resources available, it could be outsourced to a Managed Security Service Provider that specialises in this area.

Implement an Intrusion Detection System/Intrusion Prevention System (IDS/IPS) solution

A properly configured IDS/IPS solution can be a very effective platform to detect and manage threats on a network. You should initiate a project to ensure the IDS/IPS is fully and properly deployed and that it is regularly reviewed.

Intrusion Detection/Intrusion Prevention models can be:

Signature-Based: This is where patterns, or signatures, of known attacks are downloaded by the system. Network traffic is compared against these patterns to identify potential attacks. A disadvantage for signature-based detection is that it cannot detect new attacks because it only compares attacks against known signatures.

Anomaly-Based: Intrusion Software first needs to learn the “normal” behaviour of your network and the types of traffic and network packets it usually handles. Then, it can be put into action when traffic is detected that is outside the normal state.

Rule-Based: Rule-based systems employ a set of rules or protocols defined as acceptable behaviour. The IDS analyses the behaviour of network traffic or application traffic and if it is deemed as normal behaviour it is allowed. If the traffic is outside the norm, then it is blocked.

Establish baseline network behaviour

You should ensure that you have full visibility of how your network traffic behaves under normal business conditions. This knowledge can then be used as a baseline to identify any unusual activity which should then be investigated to determine whether it is the result of a potential breach or an issue with the network.

Ensure User Access Control (UAC) is enabled on Windows

User Access Control is a security feature built into Windows Vista, 7, 8 and 10, which helps prevent unauthorised changes to a computer. Changes can be initiated by applications, viruses or other users. When UAC is enabled, it makes sure these changes are made only with approval from the person using the computer or by an administrator.

Enable the operating system to show file extensions

Attackers can trick users into running a file infected with a computer virus by appending a hidden extension to a filename. For example, a user receives a file called “Not Ransomware.jpg” but the file has a hidden extension of .EXE, thus making the actual filename “Not Ransomware.jpg.exe”. The user, thinking the file is a picture, opens the file, but because the file is an executable (.exe) file, the ransomware hidden in the file is launched. You should change the operating system to show Hidden File Extensions.
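The same check can be applied where attachments and downloads are filtered, before a user ever sees the file. The following is an added example, not part of the original page; the extension lists and the sample filenames are constructed for illustration and are not exhaustive.

```python
# Added example: extension lists and sample filenames are constructed assumptions.
EXECUTABLE_EXTS = {"exe", "scr", "com", "bat", "cmd", "pif", "js", "vbs", "wsf", "hta"}
DECOY_EXTS = {"jpg", "jpeg", "png", "gif", "pdf", "doc", "docx", "xls", "xlsx", "txt"}


def displayed_name(filename):
    """Approximate what the user sees when known file extensions are hidden."""
    stem, dot, _ext = filename.rpartition(".")
    return stem if dot and stem else filename


def is_disguised_executable(filename):
    """True when the real (last) extension is executable and the one before it is a decoy."""
    parts = [p.strip().lower() for p in filename.split(".")]
    if len(parts) < 3:
        return False  # zero or one extension: nothing hides behind a decoy
    return parts[-1] in EXECUTABLE_EXTS and parts[-2] in DECOY_EXTS


def triage(filenames):
    """Return (real name, name the user would see) for every disguised executable."""
    return [(f, displayed_name(f)) for f in filenames if is_disguised_executable(f)]


SAMPLE_ATTACHMENTS = [  # constructed sample input
    "Not Ransomware.jpg.exe",  # the case described in the text
    "holiday.jpg",             # genuine picture
    "setup.exe",               # executable, but not disguised
    "report.v2.pdf",           # two dots, harmless final extension
    "Invoice.PDF.scr",         # mixed case must still match
]

if __name__ == "__main__":
    for real, shown in triage(SAMPLE_ATTACHMENTS):
        print(f"BLOCK {real!r}: user would see {shown!r}")
```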

Disable AutoPlay

Windows’ AutoPlay feature begins reading from media as soon as it is inserted into a device. You should disable it when plugging in external media to reduce the chances of an attack infecting your device from that source. AutoPlay can also be disabled via Group Policy.

Implement User Behavioural Analytic (UBA) systems

In line with the Network Baselining recommendation, you should implement a User Behavioural Analytic (UBA) system to identify any unusual or suspicious user activity on the network. Many ransomware infections can be quickly identified by the high rate of file system access to network shares as the ransomware encrypts the targeted files. UBA technologies could detect such activity and enable you to proactively react to a ransomware infection.
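The rate-based signal described above can be sketched as a sliding-window count of file modifications per user. This is an added example, not part of the original page or of any UBA product; the log format, the 60-second window, the threshold of 30 and the sample events are all assumptions chosen for illustration.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta

WINDOW = timedelta(seconds=60)  # assumed sliding-window length
THRESHOLD = 30                  # assumed max modifications per user per window


def parse_event(line):
    """Parse 'ISO-timestamp user ACTION path' (a constructed log format)."""
    ts, user, action, path = line.split(" ", 3)
    return datetime.fromisoformat(ts), user, action, path


def detect_bursts(lines, window=WINDOW, threshold=THRESHOLD):
    """Return {user: time at which their write/rename rate first exceeded the threshold}."""
    recent = defaultdict(deque)  # user -> timestamps of recent modifications
    alerts = {}
    for line in lines:
        ts, user, action, _path = parse_event(line)
        if action not in ("WRITE", "RENAME"):
            continue             # only modifications count towards the rate
        q = recent[user]
        q.append(ts)
        while q and ts - q[0] > window:
            q.popleft()          # drop events that have left the window
        if len(q) > threshold and user not in alerts:
            alerts[user] = ts
    return alerts


def build_sample_log():
    """Constructed input: alice saves a file every 2 minutes, bob's host renames 3 files a second."""
    start = datetime(2024, 1, 8, 9, 0, 0)
    lines = []
    for i in range(10):
        t = start + timedelta(minutes=2 * i)
        lines.append(f"{t.isoformat()} alice WRITE \\\\fs01\\finance\\q{i}.xlsx")
    for i in range(120):
        t = start + timedelta(minutes=5, seconds=i / 3)
        lines.append(f"{t.isoformat()} bob RENAME \\\\fs01\\shared\\doc{i}.docx")
    return sorted(lines)         # ISO timestamps sort chronologically


if __name__ == "__main__":
    for user, when in detect_bursts(build_sample_log()).items():
        print(f"ALERT {user}: more than {THRESHOLD} modifications in {WINDOW} at {when}")
```

The threshold has to come from your own baseline of normal activity; backup jobs and bulk file moves will need exceptions.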

Implement ad blocking software at the network perimeter

Ransomware can be deployed via compromised adverts displayed on websites. This can result in a computer becoming infected with ransomware simply by visiting a website that is displaying the malicious advert.

To reduce the attack surface from this vector, you should consider implementing blocking software on your network’s firewall to prevent infections via infected advertising on websites.

Implement threat intelligence

You should subscribe to reliable threat intelligence services which would provide you with Indicators of Compromise (IoCs) and other data which could be used to identify malware threats within your network. These will regularly update you with details of malicious and suspicious URLs, domains, and IP addresses on the internet, to which you can then block access from your network.

Although several of these threat intelligence services are commercial and require a subscription, there are open source options available such as the Malware Information Sharing Project (MISP). This is a free threat sharing platform which enables organisations to share information on security incidents to help other organisations better protect themselves.

Ensure appropriate training for technical staff

You should develop a technical training programme to ensure that technical staff have the relevant training to enable them to confidently manage the various security platforms installed in your environment.

Deploy honeypots

You should deploy honeypots on your network to help you proactively detect an intrusion on your network, including intrusions relating to ransomware. A honeypot system is a decoy set up to look like a live system; any activity on it could be a strong indicator that the network is compromised.

Honeypots can be an effective tool if used correctly. However, caution is advised when working with honeypots to ensure they do not adversely impact your environment and cannot be compromised by attackers and used to attack other systems within your network, or indeed systems external to your organisation. ENISA has a very good paper on how best to deploy honeypots.

Implement appropriate rights/permissions for users

You should create and maintain users’ rights and permission sets within their network operating system. Users should only be issued the rights/permissions required for their job role. If they change role within the organisation, then their rights/permissions need to change accordingly.

Monitor Domain Name System (DNS) logs for unusual activity

The DNS servers have logs which contain records of all the domains and networks accessed by devices on your network. Regular monitoring of the DNS server logs could identify traffic being relayed to or from unusual hosts which may not be associated with normal business activity. This unusual traffic could indicate a malware infection.
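The DNS review described here combines naturally with the threat intelligence and baseline recommendations earlier on the page: each query is checked against known-bad domains first, then against the set of domains seen under normal conditions. This is an added example, not part of the original page; the log format, the domain names and the two-label base-domain rule are constructed assumptions.

```python
from collections import defaultdict


def base_domain(name):
    """Crude base domain: last two labels (assumption; ignores suffixes such as co.uk)."""
    labels = name.rstrip(".").lower().split(".")
    return ".".join(labels[-2:])


def matches_ioc(name, ioc_domains):
    """True if the name is an IoC domain or a subdomain of one."""
    name = name.rstrip(".").lower()
    return any(name == d or name.endswith("." + d) for d in ioc_domains)


def review_dns_log(lines, baseline, ioc_domains):
    """Return {client_ip: {"ioc": set, "new": set}} for queries worth investigating."""
    findings = defaultdict(lambda: {"ioc": set(), "new": set()})
    for line in lines:
        _ts, client, qname, _qtype = line.split()
        if matches_ioc(qname, ioc_domains):
            findings[client]["ioc"].add(qname.rstrip(".").lower())
        elif base_domain(qname) not in baseline:
            findings[client]["new"].add(base_domain(qname))
    return dict(findings)


# Constructed sample data using reserved .example and .test names.
BASELINE = {"corp.example", "vendor.example"}   # domains seen in normal business
IOC_DOMAINS = {"malware-c2.test"}               # placeholder for a threat-intel feed
SAMPLE_LOG = [
    "2024-01-08T09:00:01 10.0.0.5 mail.corp.example A",
    "2024-01-08T09:00:02 10.0.0.5 updates.vendor.example. A",
    "2024-01-08T09:00:07 10.0.0.9 a1b2.malware-c2.test A",
    "2024-01-08T09:00:09 10.0.0.9 MAIL.corp.example A",
    "2024-01-08T09:00:12 10.0.0.7 files.unknown-host.test AAAA",
]

if __name__ == "__main__":
    for client, hits in review_dns_log(SAMPLE_LOG, BASELINE, IOC_DOMAINS).items():
        print(client, "IoC:", sorted(hits["ioc"]), "not in baseline:", sorted(hits["new"]))
```

An IoC hit warrants immediate investigation of the client; a domain that is merely new is a lead to review, since the baseline will never be complete.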

Review security of mobile devices

You should note that ransomware is migrating towards mobile devices such as smartphones and tablets, and it would be prudent for you to review the security of mobile devices to include: