Entries Tagged "cybersecurity"
Cybersecurity Insurance
Good article about how difficult it is to insure an organization against Internet attacks, and how expensive the insurance is.
Companies like retailers, banks, and healthcare providers began seeking out cyberinsurance in the early 2000s, when states first passed data breach notification laws. But even with 20 years’ worth of experience and claims data in cyberinsurance, underwriters still struggle with how to model and quantify a unique type of risk.
“Typically in insurance we use the past as prediction for the future, and in cyber that’s very difficult to do because no two incidents are alike,” said Lori Bailey, global head of cyberrisk for the Zurich Insurance Group. Twenty years ago, policies dealt primarily with data breaches and third-party liability coverage, like the costs associated with breach class-action lawsuits or settlements. But more recent policies tend to accommodate first-party liability coverage, including costs like online extortion payments, renting temporary facilities during an attack, and lost business due to systems failures, cloud or web hosting provider outages, or even IT configuration errors.
In my new book—out in September—I write:
There are challenges to creating these new insurance products. There are two basic models for insurance. There’s the fire model, where individual houses catch on fire at a fairly steady rate, and the insurance industry can calculate premiums based on that rate. And there’s the flood model, where an infrequent large-scale event affects large numbers of people—but again at a fairly steady rate. Internet+ insurance is complicated because it follows neither of those models but instead has aspects of both: individuals are hacked at a steady (albeit increasing) rate, while class breaks and massive data breaches affect lots of people at once. Also, the constantly changing technology landscape makes it difficult to gather and analyze the historical data necessary to calculate premiums.
BoingBoing article.
DARPA Funding in AI-Assisted Cybersecurity
DARPA is launching a program aimed at vulnerability discovery via human-assisted AI. The new DARPA program is called CHESS (Computers and Humans Exploring Software Security), and they’re holding a proposers day in a week and a half.
This is the kind of thing that can dramatically change the offense/defense balance.
Dan Geer on the Dangers of Computer-Only Systems
A good warning, delivered in classic Dan Geer style.
Interesting Article on Marcus Hutchins
This is a good article on the complicated story of hacker Marcus Hutchins.
Election Security
I joined a letter supporting the Secure Elections Act (S. 2261):
The Secure Elections Act strikes a careful balance between state and federal action to secure American voting systems. The measure authorizes appropriation of grants to the states to take important and time-sensitive actions, including:
- Replacing insecure paperless voting systems with new equipment that will process a paper ballot;
- Implementing post-election audits of paper ballots or records to verify electronic tallies;
- Conducting “cyber hygiene” scans and “risk and vulnerability” assessments and supporting state efforts to remediate identified vulnerabilities.
The legislation would also create needed transparency and accountability in elections systems by establishing clear protocols for state and federal officials to communicate regarding security breaches and emerging threats.
Jumping Air Gaps
Nice profile of Mordechai Guri, who researches a variety of clever ways to steal data over air-gapped computers.
Guri and his fellow Ben-Gurion researchers have shown, for instance, that it’s possible to trick a fully offline computer into leaking data to another nearby device via the noise its internal fan generates, by changing air temperatures in patterns that the receiving computer can detect with thermal sensors, or even by blinking out a stream of information from a computer hard drive LED to the camera on a quadcopter drone hovering outside a nearby window. In new research published today, the Ben-Gurion team has even shown that they can pull data off a computer protected by not only an air gap, but also a Faraday cage designed to block all radio signals.
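To make the LED-to-camera channel in that passage concrete, here is an added simulation; it is not the Ben-Gurion team’s code or part of the original post. A sender modulates an LED with Manchester-coded bits behind a sync word and a length byte, and a receiver reconstructs the bytes from camera frames that arrive with timing jitter. The half-bit period, frame rate, jitter bound, idle time, and preamble are all assumed values chosen for the example, not figures from the research.

```python
"""Toy LED-to-camera covert channel (added example, not the researchers' code).

Models the idea in the quoted passage: a sender blinks an LED to carry bits,
and a camera that can see the LED recovers them from its frames. All timing
constants and the sync word are assumptions, not values from the research.
"""
import random
from typing import List, Optional

HALF_BIT_MS = 40    # LED holds each Manchester half-bit this long (assumed)
FRAME_MS = 10       # camera frame interval, i.e. 100 fps (assumed)
JITTER_MS = 2       # worst-case timing error of one frame (assumed)
IDLE_MS = 200       # LED dark before and after the burst (assumed)
PREAMBLE = [1, 0, 1, 0, 1, 0, 1, 1]   # sync word the receiver locks onto (assumed)


def _bits(data: bytes) -> List[int]:
    return [(b >> i) & 1 for b in data for i in range(7, -1, -1)]


def _to_halves(bits: List[int]) -> List[int]:
    """Manchester coding: 1 -> (on, off), 0 -> (off, on). Every bit carries a
    transition, so the receiver needs no clock shared with the sender."""
    out: List[int] = []
    for bit in bits:
        out.extend((1, 0) if bit else (0, 1))
    return out


def manchester_encode(payload: bytes) -> List[int]:
    """Sender: preamble, one length byte, then payload, as LED half-bit levels."""
    if len(payload) > 255:
        raise ValueError("single-byte length field")
    return _to_halves(PREAMBLE + _bits(bytes([len(payload)]) + payload))


def simulate_camera(levels: List[int], seed: int = 1) -> List[int]:
    """Receiver's raw view: LED brightness sampled once per frame, each frame
    landing up to JITTER_MS early or late. 0 = dark, 1 = lit."""
    rng = random.Random(seed)
    total_ms = IDLE_MS + len(levels) * HALF_BIT_MS + IDLE_MS
    frames: List[int] = []
    t = 0.0
    while t < total_ms:
        sample_t = t + rng.uniform(-JITTER_MS, JITTER_MS)
        idx = int((sample_t - IDLE_MS) // HALF_BIT_MS)
        frames.append(levels[idx] if 0 <= idx < len(levels) else 0)
        t += FRAME_MS
    return frames


def decode_frames(frames: List[int]) -> Optional[bytes]:
    """Receiver: run-length the frames, round each run to whole half-bits
    (+/-2 ms jitter on a 40 ms half-bit leaves 3..5 frames per run), find
    the preamble, then undo the Manchester pairing. Returns None on failure."""
    frames_per_half = HALF_BIT_MS / FRAME_MS
    halves: List[int] = []
    i = 0
    while i < len(frames):
        j = i
        while j < len(frames) and frames[j] == frames[i]:
            j += 1
        halves.extend([frames[i]] * max(1, round((j - i) / frames_per_half)))
        i = j

    sync = _to_halves(PREAMBLE)
    pos = -1
    for start in range(len(halves) - len(sync) + 1):
        if halves[start:start + len(sync)] == sync:
            pos = start + len(sync)
            break
    if pos < 0:
        return None

    def take_bits(n: int) -> Optional[List[int]]:
        nonlocal pos
        bits: List[int] = []
        for _ in range(n):
            pair = halves[pos:pos + 2]
            pos += 2
            if pair == [1, 0]:
                bits.append(1)
            elif pair == [0, 1]:
                bits.append(0)
            else:            # no transition: noise, or ran off the end
                return None
        return bits

    length_bits = take_bits(8)
    if length_bits is None:
        return None
    n = int("".join(map(str, length_bits)), 2)
    data_bits = take_bits(8 * n)
    if data_bits is None:
        return None
    return bytes(int("".join(map(str, data_bits[k:k + 8])), 2)
                 for k in range(0, 8 * n, 8))


if __name__ == "__main__":
    secret = b"air gap"
    frames = simulate_camera(manchester_encode(secret))
    print(len(frames), "frames ->", decode_frames(frames))
```

The two design choices worth noticing are the self-clocking modulation and the sync word: because the camera and the LED share no clock, the receiver recovers timing from the transitions inside the signal itself, and it needs a known preamble to tell where a burst starts among idle frames. The same structure applies to the thermal and acoustic variants in the passage, with the sensor and symbol period changed.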
Here’s a page with all the research results.
BoingBoing post.
Poor Security at the UK National Health Service
The Guardian is reporting that “every NHS trust assessed for cyber security vulnerabilities has failed to meet the standard required.”
This is the same NHS that was debilitated by WannaCry.
EDITED TO ADD (2/13): More news.
And don’t think that US hospitals are much better.
Susan Landau's New Book: Listening In
Susan Landau has written a terrific book on cybersecurity threats and why we need strong crypto. Listening In: Cybersecurity in an Insecure Age. It’s based in part on her 2016 Congressional testimony in the Apple/FBI case; it examines how the Digital Revolution has transformed society, and how law enforcement needs to—and can—adjust to the new realities. The book is accessible to techies and non-techies alike, and is strongly recommended.
And if you’ve already read it, give it a review on Amazon. Reviews sell books, and this one needs more of them.
Cybersecurity and the 2017 US National Security Strategy
Commentaries on the 2017 US national security strategy by Michael Sulmeyer and Ben Buchanan.