Who is watching out for you? In today's world you need to understand a few more things...

Who is knocking on your virtual front door? It could be someone down the block or from the Bloc.

Yet another insurance premium to pay.

Dr. Richard Ford, Raytheon Websense

9-December-2015 2016 Cyber Security Predictions Report

Year end is time for prognostication. The Raytheon|Websense 2016 Cyber Security Prediction Report is available, and Securebuzz spoke about it with Dr. Richard Ford, Principal Engineering Fellow - Chief Scientist, Raytheon|Websense.

Now that US retailers are finally joining the rest of the world with chip-and-PIN credit card technology, mobile devices are becoming a standard means of payment. So criminals are targeting mobile devices.

While attacks on users’ phones are bad, they are not the worst issue, and not for the reason you might think.

“What we’ll see is collateral damage via connections to corporate networks; bleed-through, if you will,” Ford said. “I can pretty much authenticate if I have your phone. It’s a useful asset for attackers. If you can attack end-user devices, we’ll see that same kind of attack on smartphones. If an attacker can exploit your phone by texting you, he could potentially get access to lots of phones very quickly.”

As for the big targets, researchers expect attacks to spread beyond them as criminals look for new avenues.

Another worrisome prospect is how some gTLDs (generic top-level domains) are being commoditized by criminals. From the report: The number of gTLDs as of November 2015 exceeds 700 domains, and about 1,900 more are on the waiting list. As new top-level domains emerge, they will be rapidly colonized by attackers well before legitimate users. Taking advantage of domain confusion, criminals and nation-state attackers will create highly effective social engineering lures to steer unsuspecting users toward malware and data theft.
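The domain confusion the report describes is something a defender can look for in mail-gateway or proxy logs. The following is an added example, not code from the report or from Securebuzz: it scores observed hostnames against a list of protected brand names and flags those whose registrable label matches or nearly matches a brand but sits under a TLD the brand does not use, noting when that TLD is one of the newer gTLDs. The brand list, the TLD sets and the sample hostnames are all constructed for the example, and the TLD split is a simplification that treats the last label as the TLD rather than consulting a public-suffix list.

```python
"""Flag lookalike domains that ride on unexpected or new gTLDs.

Added example; not from the Raytheon|Websense report. All brand names,
TLD lists and hostnames below are constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional, Set

# Constructed: brands we protect, with the TLDs they legitimately use.
PROTECTED: Dict[str, Set[str]] = {
    "examplebank": {"com", "ca"},
    "securebuzz": {"com"},
}

# Constructed subset of TLDs that predate the post-2013 gTLD expansion.
LEGACY_TLDS: Set[str] = {"com", "net", "org", "ca", "uk", "de"}


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings; one edit catches most typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def split_domain(host: str):
    """Return (registrable_label, tld), ignoring subdomains.

    Simplification: the last label is taken as the TLD (no public-suffix list).
    """
    labels = host.lower().rstrip(".").split(".")
    if len(labels) < 2:
        return labels[0], ""
    return labels[-2], labels[-1]


@dataclass
class Verdict:
    host: str
    brand: str
    reason: str


def assess(host: str) -> Optional[Verdict]:
    """Return a Verdict if the host looks like a lure for a protected brand."""
    label, tld = split_domain(host)
    for brand, good_tlds in PROTECTED.items():
        if label == brand and tld in good_tlds:
            return None  # the brand's own domain
        if levenshtein(label, brand) > 1:
            continue  # not close enough to this brand to be confusing
        reason = "brand name on unexpected TLD" if label == brand else "typosquat of brand"
        if tld not in LEGACY_TLDS:
            reason += " (new gTLD)"
        return Verdict(host, brand, reason)
    return None


def triage(hosts: List[str]) -> List[Verdict]:
    """Run assess() over a batch of observed hostnames and keep the hits."""
    return [v for v in (assess(h) for h in hosts) if v is not None]


if __name__ == "__main__":
    # Constructed hostnames as they might appear in link-click or DNS logs.
    observed = [
        "login.examplebank.com",
        "examplebank.bank",
        "examp1ebank.com",
        "securebuzz.site",
        "unrelated.xyz",
    ]
    for verdict in triage(observed):
        print(f"{verdict.host}: {verdict.reason} [{verdict.brand}]")
```

Each hit names the brand it resembles and why, so an analyst can add the domain to a blocklist or a mail rewrite rule; the legacy-versus-new TLD tag simply reflects the report's point that newly created gTLDs are the ones attackers colonize first.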

“Sadly, attackers are the earliest adopters,” Ford said. “In some ways they’re the perfect example of the ecosystem in which we live. The possibility of adoption and exploitation by bad guys. I have to think carefully about how they can be abused in interesting and novel ways. It’s such a shame, because some of these are so exciting and we can’t leverage them as cleanly and as quickly as we might want to.”

The takeaway?
Keep your eyes wide open.

Perhaps the most interesting development is the conversation we’re going to be having about cyber insurance premiums.

“We think 2016 will be a very interesting year for the cyber insurance market,” said Ford. “People will realize it’s not a nice-to-have; it’s a must-have.”

With life insurance, if you’re of a certain age, a non-smoker, and carrying little extra weight, your premium is pulled from an existing actuarial table.

Think about car insurance: What’s your driving history?
How much do your car parts cost when shipped from Japan, Korea, or Germany?
If you live in Canada, does your insurer mandate you drive on snow tires during the winter? Or discount your premium if you do?

In cyber, the data assets a company holds can be as valuable, and as costly to lose, as physical products. The challenge is how to assess the level of risk for a policy.

“We can look at the encounter rate of different users and companies,” Ford said. “For example, User A might have encounters 10 times a month, and User B might encounter 5 times a month. We see those differences corporately – some corporations are in the crosshairs more than others.”

If, for example, you deploy a DLP (Data Loss Prevention) solution, in theory your remediation should kick in, and you’d expect your costs to be lower. Another company might be running DLP in a better, more efficient deployment. To write a policy, the insurer needs to recognize these differences.

“It must be done the same way as life or car insurance, and that hasn’t happened yet,” said Ford. “The switch towards evidence-based premiums is really interesting. Companies may have to share with insurers how their defenses really work. It’s going to be a very interesting few years. Absolutely fascinating with the intangibles. We’re going to have to figure it out, one way or another.”
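The two figures the passage above turns on, how often a user or a company encounters a threat per month and how much of that a control such as DLP actually remediates, can be pulled straight out of security telemetry. The following is an added example, not code from the report or from Securebuzz: it aggregates a constructed event log into per-user and per-company encounter rates over the observed window and a per-company remediation fraction, which is the kind of evidence an insurer would need to tell a well-run DLP deployment from a nominal one. The event tuples, field layout and company and user names are constructed for the example.

```python
"""Encounter rate and remediation rate from security telemetry.

Added example; not from the Raytheon|Websense report. The event log,
its field layout and all names below are constructed sample data.
"""
from collections import defaultdict
from datetime import date
from typing import Callable, Dict, Hashable, List, Tuple

# Constructed telemetry: (company, user, date of encounter, outcome)
Event = Tuple[str, str, date, str]
EVENTS: List[Event] = [
    ("acme",   "alice", date(2015, 10, 3),  "remediated"),
    ("acme",   "alice", date(2015, 10, 19), "remediated"),
    ("acme",   "alice", date(2015, 11, 2),  "missed"),
    ("acme",   "bob",   date(2015, 10, 8),  "remediated"),
    ("acme",   "bob",   date(2015, 11, 21), "remediated"),
    ("acme",   "bob",   date(2015, 11, 22), "remediated"),
    ("globex", "carol", date(2015, 10, 11), "missed"),
    ("globex", "carol", date(2015, 11, 5),  "missed"),
    ("globex", "carol", date(2015, 11, 6),  "remediated"),
    ("globex", "dave",  date(2015, 11, 14), "missed"),
]

KeyFn = Callable[[Event], Hashable]
by_company: KeyFn = lambda e: e[0]
by_user: KeyFn = lambda e: (e[0], e[1])


def months_observed(events: List[Event]) -> int:
    """Length of the observation window in distinct calendar months."""
    return len({(e[2].year, e[2].month) for e in events}) or 1


def encounter_rate(events: List[Event], key: KeyFn) -> Dict[Hashable, float]:
    """Mean encounters per month for each entity selected by `key`.

    The denominator is the whole observed window, so an entity that was
    quiet for a month is still rated over that month.
    """
    window = months_observed(events)
    counts: Dict[Hashable, int] = defaultdict(int)
    for e in events:
        counts[key(e)] += 1
    return {k: n / window for k, n in counts.items()}


def remediation_rate(events: List[Event], key: KeyFn) -> Dict[Hashable, float]:
    """Fraction of encounters per entity where the control actually fired."""
    totals: Dict[Hashable, int] = defaultdict(int)
    fixed: Dict[Hashable, int] = defaultdict(int)
    for e in events:
        totals[key(e)] += 1
        if e[3] == "remediated":
            fixed[key(e)] += 1
    return {k: fixed[k] / totals[k] for k in totals}


def risk_profile(events: List[Event]) -> Dict[str, Dict[Hashable, float]]:
    """The user-level and company-level view the passage contrasts."""
    return {
        "user_rate": encounter_rate(events, by_user),
        "company_rate": encounter_rate(events, by_company),
        "company_remediation": remediation_rate(events, by_company),
    }


if __name__ == "__main__":
    profile = risk_profile(EVENTS)
    for company, rate in sorted(profile["company_rate"].items()):
        rem = profile["company_remediation"][company]
        print(f"{company}: {rate:.1f} encounters/month, {rem:.0%} remediated")
    for (company, user), rate in sorted(profile["user_rate"].items()):
        print(f"  {company}/{user}: {rate:.1f} encounters/month")
```

On the constructed data both companies have users at the same individual rate, but acme sees more encounters in total and remediates most of them, while globex sees fewer and remediates a quarter; those are the differences an evidence-based premium would have to price rather than treating every DLP deployment alike.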

Buying cyber insurance is similar to the fire prevention measures we all take for granted. An insurer spreads risk across the aggregate of its policyholders. Ford hopes insurance premiums will drive improvements in cyber security.

“My job is to figure out how to enable you to do your business without worrying about security,” he said. “I’m an enabler, I’m not a ‘thou shalt not ___, because IT forbids it.’ And you’ll see that in how we try to protect people.”