Adam Stern | PIA.org
Forewarned is forearmed. Ah, if only that applied to hacking. After all, if you’re not warned, it’s tough to take up arms. A recent survey conducted by a national carrier found that of 1,000 business owners nearly half (45 percent) of those who experienced phishing, hacking or other forms of cyberattacks had no idea they had been victimized. As reported in Becker’s Hospital Review, 57 percent of respondents said they didn’t have staff dedicated to monitoring cyberattacks; 37 percent cited cost as an issue while 34 percent didn’t anticipate being targeted by an attack in any case.
Of course, those responsible for cyberassaults typically do not send around an advance team, heralding the arrival of a hack or a Distributed Denial of Service attack. The element of surprise is kind of the point. Insurance agencies are inherently vulnerable to data (and therefore identity) theft, given the volume of personally identifiable information upon— which the industry depends. PII can walk out the door in any number of ways— some innocent, others malign. Employees may inadvertently mishandle information while accessing a public network off-site or by opening an email from an unknown source. Clicking or replying can mean giving away the keys to the kingdom. Bad intent ranges from programmatic brute force hacks to more genteel (but just as pernicious) social hacking—seemingly innocent email and even phone solicitations that get the job done more discreetly. Insurance agencies need to determine role-based access to data (i.e., who gets access to what, and when) in their organizations. They also need to determine what to encrypt and when to do it. They also need to create technical and policy/procedural measures that demand codifying, testing and periodic retesting.
Overkill? Not these days. It’s a tough world out there, and getting tougher. In May, the ransomware worm WannaCry fueled a massive attack that paralyzed some 300,000 computers in 150 countries, disabling systems at public hospitals throughout the U.K. along with those connected to Telefonica, the Spanish telecom provider, among other victims. WannaCry wreaked havoc—but, tellingly, not at the public cloud providers like Microsoft Azure, Amazon’s AWS, IBM and Rackspace. Nor the smartly managed midsize public cloud providers, either. In this turn of events is a counterintuitive lesson about what was indeed a major hack. The experience of public cloud providers should put to rest the notion that the cloud isn’t safe. WannaCry makes a compelling argument that the cloud is the safest place to be in a cyberattack. Internal IT departments, fixated on their own in-house mixology, were affected greatly, raising the legitimate question of why some roll-your-own insurance agencies and other organizations devote precious resources—including, with WannaCry, Bitcoins—to those departments in the belief that the cloud is a snakepit.
A short time after WannaCry, a new strain of ransomware—a Petya-esque variant known as Petya/NotPetya—swiftly spread across the globe, affecting tens of thousands of computers. More powerful, professional and dangerous than that earlier attack, the Petyaesque ransomware uses the same EternalBlue exploit to target vulnerabilities in Microsoft’s operating system. However, unlike WannaCry, this ransomware instructs the user to reboot the computer and then locks up the entire system.
But, the takeaway needs to be that users aren’t defenseless, even in the wake of a nefarious perpetrator like Petya/NotPetya. The best antidote is patch management. It’s a sound practice to keep your systems and servers updated with patches— it’s the shortest path to peace of mind. Indeed, “patch management consciousness” needs to be part of an overarching mantra: Security is a process, not an event—a mindset, not a matter of checking boxes and moving on to the next step. Vigilance should be everyone’s default mode. Spam is no one’s friend; be wary of emails from unknown sources, which means not opening them. Every small- and mid-size business wins by placing strategic emphasis on security protections, with technologies like clustered firewalls and intrusion prevention/detection software.
In the cloud’s infancy, cloud-hosting providers touted scalability, initial cost savings and speed. However, the prospect of enhanced security in the cloud—indeed, that the better cloud deployments now mean that data is safer in the cloud than on a typical unsecured desktop—has altered the conversation. Organizations assessing cloud-service providers can now seek out those whose security controls mitigate the risks of moving to the cloud. Increasingly, businesses of all stripes are facing the challenge of dealing with outdated modes of storage and finding affordable, practical, secure solutions that meet their needs.
On the premise that the best defense is understanding the real nature of the offense or offenses (since cybersecurity addresses a multifront battleground), it’s useful to think in terms of concentric circles—broad steps your agency can take to maximize your safety. It also may help you match your level of protection to the class of threat your agency faces. Users need to be familiar with online threats and at least somewhat conversant with tools to arrest them; no single system can circumvent vulnerabilities that haven’t been patched. Still, there are things that you can and should do to maximize your safety, which include:
First line of defense: The first line should be a firewall supported by intrusion detection and prevention technology, along with anti-virus and anti-malware software, which is limited to blocking items downloaded over unencrypted protocols.
Second line of defense: The second line centers around the trained, educated user—someone sufficiently cognizant of threats who thinks before executing a link or downloading an attachment: a user, attuned to the real and present danger inherent in viruses and malware, and who acts accordingly.
Third line of defense: The third line is comprised of patch management and locally installed anti-virus and anti-malware software, working together to effectively block attacks. Proper implementation of third-line defense means fewer bugs and optimized performance.
Fourth line of defense: In the event that malware or ransomware hits the system, things can proceed without a hiccup—assuming the organization was savvy enough to install application-consistent snapshot technology, a rollback process that takes just minutes and restores the server to its exact state prior to the attack.
Remember: The human element remains the most important social engineering piece of this construct. It’s always best to stop a problem early, before it festers and productivity suffers; think smoke detectors versus sprinkler systems.
The point is to make yourself as safe as you possibly can be. Yes, you can bring your own software and, yes, you may well be safe, perhaps safer than you think. However, to be safer still, you need to do these things; you need to internalize the four lines of defense. That’s how you determine precisely what “safe” means in your environment.
What technology threatens (and sometimes manages) to take away it also can restore. Consider massive volumetric DDoS—a silent killer that says, “Pay me or I’ll shut everything down.” There’s no question that massive volumetric attacks are something new and especially troubling, and no single firewall can stop them. However, a new model for real-time DDoS mitigation has emerged, in the form of technology that automatically analyzes suspected DDoS activity and deploys routing commands to ensure that immediate action is taken when legitimate DDoS attacks are detected—all without any human intervention.
Your professional, independent insurance agency—that is, your data—is considerably safer in the cloud than parked on equipment under someone’s desk. Any cloud provider worth its salt brings to the task a phalanx of timetested tools, procedures and technologies that ensure continuous uptime, regular backups, data redundancy, data encryption, anti-virus/anti-malware deployment, multiple firewalls, intrusion prevention and round-the-clock monitoring. These measures (and counter-measures) represent a trend that affirms that users still have a high degree of control—if they have the wherewithal to claim it.
Stern is founder and CEO of Infinitely Virtual, which offers products and services based on virtual dedicated server and cloud computing technologies (infinitelyvirtual.com or @IV_CloudHosting). The company is based in Los Angeles.