
Cybersecurity Threats – What You Need to Know as an Insurance Professional and as a Consumer...

Date post: 16-Dec-2015
Upload: claud-preston
Cybersecurity Threats – What You Need to Know as an Insurance Professional and as a Consumer Aurobindo Sundaram VP IS Assurance & Data Protection, Reed Elsevier Inc. November 2014
Transcript

Cybersecurity Threats – What You Need to Know as an Insurance Professional and as a Consumer

Aurobindo Sundaram
VP IS Assurance & Data Protection, Reed Elsevier Inc.

November 2014


Security Leaders Summit Southeast

Agenda

• A Primer on Attacks
• Global Target Trends
• Global Attack Trends and Attacker Profiles
  » Custom malware and targeted social engineering
  » Indirect attacks (e.g. through third parties)
• An Example Attack
• Why Should Insurance Companies Care?
• Risk Mitigation


Attacks ...

“Hacking”

• Basic MO is to get through your systems before you patch them (network, application, custom code).

• Defend by equal parts luck, technology, and diligent process.

• Expose as little as you can, detect/prevent obvious attacks, and deflect attacks.

Denial of Service

• Almost always nuisance value from security perspective, less so from a loss of revenue perspective.

• Consider denial of service protection services (if your firewalls/border routers/ISPs are not up to the task)

Solid infrastructure should make both of these straightforward (but not easy!) to deal with


Attacks ...

Phishing

• More sophisticated than ever

• Spear phishing - Targeting specific individuals (e.g. senior executives)

• Quickly adapt to clone changes on legitimate websites

• Some variants even pass through to legitimate website

Targeted Malware

• Integrated with hacking and phishing attacks to create enduring weaknesses in infrastructure

• Not just financial customers that are targeted – web of compromise continues to expand.

• Hard to detect; once infected, you’re toast.

User education is critical

Do newer tools (e.g. FireEye) help? Unclear.


Advanced Persistent Threats

… a group, such as a foreign government or organized crime, with the capability and intent to persistently and effectively target a specific entity

• Social activism (“hacktivism”)

• Threats targeting financial institutions (directly or indirectly)

• Threats targeting other firms housing personal information (Legal, Insurance, Retail, etc.)

• Threats targeting infrastructure

Tempting to say “If xxx can be hacked, what chance do I have?”

Detection and response capabilities are key


Global Target Trends

• Attempting to retrieve financial information on consumers (e.g. through hacks of credit card databases; cloning of cards; and evasion of fraud detection mechanisms).

• Attempting to retrieve personal information on consumers (HR, health, shopping, insurance/claims) to use in future perpetration of identity theft.

• Attempting to retrieve corporate secrets (attacking legal firms, investment banks, high technology firms) for national or individual gain.

• Attempting to compromise user systems and use them as DDoS bots against targets (usually multi-player gaming systems – Sony, XBox, LoL, etc.).


Attacker Profiles

• Generally resident in countries where Rule of Law is weak (Eastern Europe, West Africa, etc.)

• Use a complex set of intermediaries to avoid detection
  » Attacking systems (bots, etc.)
  » Accessories (J1 visas, etc.)

• Use advanced technology and stealth measures to avoid detection
  » Tor
  » Bitcoin
  » Custom malware
  » (Can spend weeks to months breaking into a corporation)

• But also use simple attack mechanisms
  » Guessing of passwords
  » Simple phishing attacks and other social engineering


An Example Attack

J1 Mule Operator
• Aka the mastermind. He orchestrates the entire crime and reaps most of its proceeds (along with co-conspirators).

J1 Mule
• Foreign citizens that come to the US on J1 (exchange visitor) visas and then carry back currency to their home country.

Runner
• A go-between to receive money from a J1 mule and pass it on to a sender.

Sender
• A participant who retrieves funds to send to a foreign Receiver.

Receiver
• A foreign agent who receives funds from the crime to deliver to the J1 Mule Operator.


An Example Attack

[Diagram of the example attack. Labels, in the order they appear: J1 Mule Operator; (1) Online Research User; Launch phishing email; With compromised ID, access wealthy victim’s information; (2) Personal Records; Runner; Senders; Receivers; (4) Impersonate victim; (3) Victim’s Banks; J1 Mules.]


An Example Criminal Enterprise Infrastructure


Why Should Insurance Companies Care?

• You access, store, or process significant sensitive personal information (SSNs, DOBs, bank account information from quotes, claims, etc.). You’re as tempting a target as a retail store, a public records company, a hospital...

• Some of you are also financial institutions or have links with them.

• You have thousands of agents and associates that access sensitive personal information, and any of them could be social engineered for their user credentials.


Risk Mitigation

How much risk do you want to mitigate and how much do you want to accept?

Perimeter Protections
• Firewalls with strict ingress/egress rules.
• Web hygiene checking (i.e. dynamic URL blocking).
• Intrusion detection/prevention systems.
• Penetration testing.

Host Protections
• Current anti-virus with updates (brand is not important).
• Patch management program.

Application Protections
• Authentication enhancements (e.g. strong passwords, multi-factor authentication).
• Web application security scans.

Other

• User need for access to services.

• Instrumentation and monitoring of outbound traffic (particularly web) – fraud detection, data leakage protection, correlation analysis.

• Logging and monitoring of network, application, and host traffic.

• User education (social engineering prevention, etc.).

• Document your Information Security Program.

Optional / Buy with care
• Specialized monitoring (e.g. botnet detectors).
• Denial of service protection devices.

* Use standards such as ISO 27002:2013 to determine the technical controls you need.


Contact Information

Presenter contact information

Aurobindo Sundaram, VP Information Assurance & Data Protection

[email protected]

+1-678-694-3663

