Getting paid for getting hacked

In the middle of February, Time Magazine ran a great article on Cyberinsurance or "Shock Absorbers", and I feel this future trend deserves a couple of comments, from the article :



"As companies grow more dependent on the Internet to conduct business, they have been driving the growing demand for cyber insurance. Written premiums have climbed from $100 million in 2003 to $200 million in 2005, according to Aon Financial Services Group. The need for cyberinsurance has only increased as hacker move away from general mischief to targeted crimes for profit. Insurers offer two basic types of cyber insurance: first-party coverage will help companies pay for recovery after an attack or even to pay the extortion for threatened attacks, while third-party coverage helps pay legal expenses if someone sues after a security breach. Demand for insurance is also driven by laws in over twenty states that require companies to notify consumers if a breach compromises their personal data. However, prevention is still the top priority for most companies, since loss of critical data to competitors would do damage beyond the payout of any policy."



Cyber insurance seems to be an exciting business with a lot of uncertainty compared to other industries with more detailed ROIs, as I feel the information security one is missing a reliable ROSI model. I once blogged about why we cannot measure the real cost of cybercrime, and commented the same issue with the "FBI's 2005 Computer Crime Survey - what's to consider?". Don't get me wrong, these are reliable sources for various market indicators, still the situation is, of course, even worse.


But how do you try to value security at the bottom line?



Bargaining with security, and negotiating its cost is projectable and easy to calculate, but whether security is actually in place or somehow improved, seems to be a second priority -- bad bargaining in the long-term, but marketable one in the short one.



Going back to the article, I hope there aren't any botnet herders reading this, especially the first-party coverage point. To a certain extend, that's a very pointless service, as it fuels the growth of DDoS extortion, as now it's the insurer having to pay for it, meaning there're a lot of revenue streams to be taken by the cybergang. While covering the expenses of extortion attempts is very marketable, it clearly highlights how immature the current state of the concept really is. Something else to consider, is that a lot of companies reasonably take advantage of MSSPs with the idea to forward risk/outsource their security to an experienced provider, and most importantly, budget with their security spending. And while the California's SB 1386 is important factor for growth of the service given the 20 states participating, with the number of stolen databases from both, commercial, educational and military organizations, insurers will start earning a lot of revenues that could have been perhaps spent in security R&D -- which I doubt they would spend them on, would they?



UPDATE:
The post has just appeared at Net-Security.org - "Getting paid for getting hacked", as well as LinuxSecurity.com - "Getting paid for getting hacked"



Related resources :

Cyber-Insurance Revisited
Economics and Security Resource Page
WEIS05 WorkShop on Economics and Information Security - papers and presentations
Valuing Security Products and Patches
The New Economics of Information Security
Safety at a Premium
Cyber Insurance and IT Security Investment Impact on Interdependent Risk
Valuing Security Products and Patches
Network Risks, Exposures and Solutions



Technorati tags :
Security, ROSI, Cyber Insurance, Economics Continue reading →

Security threats to consider when doing E-Banking

E-banking, and mobile commerce are inevitable part of our daily lifes, and would continue to get more popular. 

The bad thing is, that it's not just us, the end users benefiting from this fact, but also, the malicious attackers exploiting our naivety and lack of awareness on the threats to watch for. Candid Wuuest did an outstanding research on the insecurities of E-banking, and excellect job in comparing the different security measures next to one another. The slides will also provide you with a lot of useful info on the topic.

Further info on the topic an also be found at :

Why eBanking is Bad for your Bank Balance
Risk management principles for electronic banking

Technorati tags :
e-banking, electronic banking, E-commerce, security, information security

Continue reading →

The hidden internet economy

How much does phishing, spam and spyware for instance cost on businesses? Should we measure in cash, or hardly quantified long-term affects such as reputation damage, loss of confidence in the business, or the percentage of people that would think twice before doing any E-shopping at all?

These days, I believe that there’s a huge number of individuals with purchasing power that tend to avoid online purchases at all. That's the baby boomers I am talking about, who as a matter of fact are having more and more disposable income!

Published in December, 2005, a poll published by the CSIA estimated that almost 50% of all adults in the U.S avoid making purchases online because they are afraid that their personal information could be stolen. And while impulsive teens are excluded, and the poll's quality is taken for granted, to me it highlights an important fact that I have always believed in -- that there is a hidden Internet economy that could boom given more confidence is build in ensuring that, this huge number of individuals will start bringing even more online revenues to any of the dotcom darlings. Until then, stay tuned for yet another major security breach at a data aggregator :(

Technorati tags :
internet economy, dotcom, security, information security, CSIA

Continue reading →

How to secure the Internet

I recently wondered, are there any existing government practices towards securing the entire Internet?

So I went though the U.S National Strategy to Security Cyberspace, to find out what is the U.S up to given it stillmaintains "control" of the Internet. What is the Internet's biggest weakness? No, it's not a sophisticated term, its a common word called design.



A fact that is often neglected as the core of all problems, is that the Net's design by itself was primarily developed for reseach purposes. That is, universities and scientists exchanging data, users whose activities would definitely not result in the following :)



- infect the competing Ivy League universities with malware, and "borrow" as much intellectual property as possible

- Conduct DNS poisoning and redirect their competition's site to their own one

- Eavesdrop on their fellow researcher's communications



The Internet wasn't mean to be as secure as we wished it could be today. So, when it became public and turned into today's part of daily life, I feel this weakness started to remerge on a harge scale.



Perhaps the second biggest vulnerability is the ability to forge source addresses, and given you can spoof the origins of your packet no accountability for a great deal of today's threats is present. IPv6 isn't the panacea of security, and would never be though. There are as a matter of fact a lot of vulnerabilities related to mostly, implementation, and awareness on the possibilities. But the introduction of IPv6 over the Internet, still remains an ambition for goverments and organizations across the world. As a matter of the the U.S DoD indicated their troubles while migrating to IPv6, but they desperately need it. Though, I greatly feel the sooner the better.



The current Internet IP space is so easily mapped and datamined, that on most occasions,such transparence is mostly beneficial to malicious attackers. I believe that security threats can indeed have a national security impact, of course, given their sevirity and actual abuse. Today's information and knowledge driven societies are largely dependent on information and technology infrastructure for most of their needs. This has on the other hand boosted a tremendous technological growth. It eventually resulted in an increased world productivity, but the dependance can also affect real life situations on certain ocassions.



Can cyberspace indeed influence real-life situations and cause havoc?
Would someone wants to bring down the Internet, and how sound is this? What are the main driving factors behind the known weaknesses of the infrastructure, and how can their negative effects be prevented?



I greatly feel that the growth of E-governments, native Internet population, improved communication infrastructure, thus more bandwidth and opportunities,are crucial for the growth of a nation. The only weakness besides actual usability or utilization, is Security.



Going back to the report, it clearly highlights and takes into consideration both, soft and hard dollars.


That is, enemies conducting espionage over companies, universities, or mapping key government, industry networks, and easily reachable known targets to be used later on. Hit-lists for potential targets can be easily gathered in today's open source intelligence world.



On a worldwide basis, the implications to the entire Internet posed by insecure DNS servers, and by the insecurities of the DNS protocol can undermine the Internet in itself. What happens when all sites are actually there, but remain unreachable worldwide? The 2002 attacks on the root Internet servers indeed acted as a wake up to the international community on how fragile the current system really can be.



Some of the obstacles for a secure Internet from my point of view consist of :

- Plain text communications are the easiest, most common way malicious attackers can abuse a nation's communications, excluding the fact that the majority of communications remain unencrypted

- Lack of evolving compliance, threats change so fast, that everyone can barely keep up with them, and what used to be "secured" yesterday, is vulnerable today

- Less procedures and strategies, more actions, perfecting planning is futile, by the time you end you planning process you would have to change everything. My point is, empower those who are able to execute real actions towards improving security.

- The gap between government, private and academic sectors is resulting in a lack of integrated early warning systems, that would eventually benefit everyone

- Realization of a nationwide client-side sensor, I have also considered Symante's utilization of their 120M client based as the biggest, most sensitive honeypot ever.



To sum up my ideas, migration to the, at least though to be more secure Internet2 , would take years and cost billions of dollars on a worldwide basis, yet it's worth it!



Have an opinion? Share it!



Technorati tags :

cyberspace,security,information security,IPv6,Internet2 Continue reading →