You can't secure what you don't acknowledge.SM

Wednesday, October 8, 2014

What no one is saying about cyber insurance

I race cars for fun and sport and found out the hard way not long ago that if I wanted to increase my life insurance I was going to have to jump through numerous hoops and pay enormous premiums for a minimal increase in my existing coverage. I was thinking about this scenario compared to 'cyber insurance' and, wow, what a difference.

 Knowing what I know, there appear to be minimal barriers to entry for cyber insurance coverage. It's been that way since I first started hearing about it around 14 years ago. The premiums I've seen and heard of aren't outrageous either. Sure, there's an application process and perhaps another questionnaire or two. Maybe - just maybe - there'll be a request for more information such as recent vulnerability scan reports or perhaps a higher level audit that has to be performed.

Yet, unlike car racing where the risks are known (albeit they're much lower than the old days of racing given our safety equipment requirements, smarter rules, etc., yet my life insurance premiums are based on the mindset of the past, but I digress...), I'm confident that the true information security posture of any given organization that's being underwritten by cyber insurance has yet to be discovered.

You see, it's like most audits in the name of compliance: everything looks great on the surface. Ditto for those SOC 2 data center audits that everyone is proud to share.

Security policies in place? Check.
User training program (yearly email reminder and a poster in the breakroom) taking place? Check.
Passwords required? Check.
Anti-malware software in use? Check.

You've seen these.

Getting back to reality, I'm confident that not enough of the right questions are being asked and, more specifically, not enough technical security testing is being performed to reveal the true security posture of those being approved for cyber insurance coverage.

I was discussing this topic with a colleague recently and we came to the conclusion that there are two likely scenarios for these organizations being underwritten:
  1. The truth is not being told
  2. Bad information is being received and/or given
Low-hanging fruit security flaws are everywhere and it's virtually guaranteed that they can be found on any given network at any given time. Weak and blank passwords, no laptop encryption, no testing being performed on critical Web applications, under-secured wireless networks, PII scattered across numerous unprotected network shares, physical security controls open to the public, hundreds of missing third-party software patches on every computer, no proactive security audit logging and monitoring...You name it, it's there. Yet we continue on looking for that magic silver bullet to protect our information in the form of next-generation firewalls, DLP, cloud blah-blah-blah or whatever technology is being pushed on the industry at the moment.

I recently attended a cyber insurance event in Atlanta, and in talking to the insurance salesman, consultants, and others I met, everyone seemed to be on the same page: no one really knows the true security posture yet the cyber insurance policies continue to be underwritten. I don't know all the ins and outs of the cyber insurance industry but I've heard enough stories and I've seen enough security flaws that get overlooked to be confident in saying the cart's before the horse on this one. I suspect it won't last too long as the low-hanging fruit continues to rear its ugly head in both the breaches we know about and, most certainly, the ones we don't.

Don't get me wrong. Cyber insurance is great for a final fallback plan after you've done everything else - the proven basics that have been around for years and even decades. You're likely already doing some remarkable things with information security. Most of what you need to know about - and do with - security is already present in your environment. It could be that you find out that you don't need to buy anything or implement anything new to get to where you need to be - perhaps just a few tweaks here and there. Just don't use cyber insurance as an excuse for poor security decision-making as it will certainly come back to bite when you're least expecting it.

My trip to the 2014 ISC^2 Congress

Last week I had the opportunity to attend the ISC2 Congress in Atlanta. It was held in conjunction with that physical security organization. When I arrived to walk the show floor, it was nothing but physical security vendors - as far as the eye could see. After about 45 minutes (sans program guide), I discovered where the information security vendors where. There were about five of them and they were tucked away in the back off the beaten path.

That wasn't what I was expecting.

Then I thought, this isn't why I came to the show anyway. Sure, it's good to hear what the booth babes are waxing poetic about, and see the latest tech in action, but it's usually better to hear what other experts are saying in their presentations - that's how we learn the most, anyway. One presentation stood out - way out. It was Winn Schwartau's irreverent take on security awareness: "How to Make a Security Awareness Program Fail". I've had my strong opinions on that subject for years now and his thoughts/ideas helped solidify them. [Good to know Winn!]

If you've never seen this man present, you must. Winn made me - and the audience - laugh literally every 30 seconds for the entire presentation. It was the best IT/security related presentation I've ever seen...not too serious, not too unprofessional and not starting every sentence with "So..." (you've heard/seen the cussing and beer drinking at some of the shows in our field). It was perfectly delivered and I learned a ton. Most importantly I decided that I want to be as entertaining and informative a speaker as Winn when I grow up!


All in all, ISC2 Congress is a worthy show if you ever have a chance to attend in the future.