Existing Remedies Are Not Keeping Up
The Commission on the Theft of American Intellectual Property recently released a report, The IP Commission Report. While the report’s focus is on international Intellectual Property theft, it offers a wealth of information that can be applied to protecting other types of sensitive data and in combating cyber theft. I highly recommend reading it, as you will not be disappointed.
This report tidbit should come as no surprise:
A network exists in order to share information with authorized users, and a targeted hacker, given enough time, will always be able to penetrate even the best network defenses.
The IP Commission Report Cyber Solutions
There are two types of hackers:
1. The “opportunistic hacker” uses the Internet to run probing attacks against many networks and then intrudes wherever he finds vulnerability, and
2. The “targeted hacker” seeks to take specific proprietary information in a specific network belonging to a specific government agency or private company.
As the report states, whereas some hackers target entities for individual ideological reasons, many others are sponsored by a government agency, often for direct military purposes–intelligence and reconnaissance–or to damage military networks. Other targeted hackers seek to intrude on behalf of a foreign corporate competitor into the network of a U.S. corporation, often to take specific information to gain a business advantage.
Vulnerability Mitigation Is Effective Only against Opportunistic Hackers
Almost all network security approaches to date have been based on the concept of vulnerability mitigation, which seeks to strengthen one’s existing network security by pursuing the newest and best software, network appliances, regular updates, updated firewalls, most recent patches to software weaknesses, and so forth. This places a high burden on network administrators due to an ever-expanding universe of security products.
Taking a Threat-based Deterrence against Targeted Hackers
Effective security concepts against targeted attacks must be based on the reality that a perfect defense against intrusion is impossible.
As a countermeasure, the report suggests:
Taking a threat-based deterrence against hackers. The security concept of threat-based deterrence is designed to introduce countermeasures against targeted hackers to the point that they decide it is no longer worth making the attacks in the first place. Effective threat-based deterrence tools and thinking are in their infancy, but their development is a very high priority both for the U.S. government and private companies.
An IP Commission Report Recommendation:
Encourage adherence to best-in-class vulnerability-mitigation measures by companies and governments in the face of an evolving cybersecurity environment.
As the report stated, despite their limited utility against skilled and persistent targeted hackers, computer security systems still need to maintain the most up-to-date vulnerability-mitigation measures, such as firewalls, password-protection systems, and other passive measures. And they should also install active systems that monitor activity on the network, detect anomalous behavior, and trigger intrusion alarms that initiate both network and physical actions immediately.
I liked the report’s suggestion of ensuring that organizations “stand watch” and be prepared to take action (explained below) based upon system warnings and to have a “man in the loop” to ensure that machine responses cannot be manipulated. While I do not claim to be a computer security expert, it seems to me that organizations need to have a “code red” panic alarm button that can be used in real time. As the report suggests, having such a system allows an organization to take real-time action to shut down free movement around the house, lock inside doors, and immobilize attackers once the alarms indicate that an intrusion has started. While this seems quite logical, these types of systems are still rare. For more information on this subject, refer to Chapter 13 of the IP Commission Report. And while I’m not advocating this approach, here’s an interesting read on how some organizations are responding in real time to their cyber attacks.
Cyber Insurance: Your “Code Red” Incident Response Plan
Once a hacker enters an organization’s network, a computer forensics investigation must be conducted to determine what type of data was exposed and whether the breach needs to be reported according to 46 U.S. privacy laws. This can be an overwhelming process. Why go it alone? Cyber insurance offers coverage for a computer forensics investigation, which can help reduce the man-hours it would take an organization to conduct one on its own, and also offers other coverages if the investigation deems that the breach needs to be reported. In that case, a privacy attorney will need to assist, breach notification letters will need to be mailed, and credit monitoring services can be offered to breach victims. Other coverage benefits are also available. However, you will need to check the policy wording, which is always advisable before purchasing a cyber/data breach insurance policy.
CYBER DATA RISK MANAGERS LLC is an independent insurance agency specializing in cyber security and data breach response insurance. We offer solutions that help you quickly respond to cyber events and data breaches as well as plan in advance for their occurrence. Given the ever-changing nature of information assurance and compliance, you don’t want to be caught unprepared.