The growing need for Cyber Insurance

Cyber insurance is on the increase. With an increasing number of high-profile data breaches, not to mention the events we don’t hear about, insurance underwriters must set realistic premiums and policy terms and conditions if cyber insurance is to be beneficial to policyholders and profitable for the insurance industry.

With life insurance, many lifestyle choices influence insurance policies and their premiums, such as smoking and participating in dangerous sports. Demonstrating a healthy weight and the absence of any life-threatening or pre-existing conditions reduces the risk and reduces premiums. Similar processes have evolved with car insurance and the no-claims discount. For stereotypical high-risk drivers, telematics has become popular as a way to monitor driving patterns and set premiums accordingly. Members of the Institute of Advanced Motorists, who have passed their advanced driving test, can get car insurance at a reduced premium. A typical policy restriction on car theft is that a car must be locked when unattended: insurance companies will not pay out if a vehicle was left unlocked or, worse, with the key in the ignition. Likewise, home insurance policies require doors and windows to be locked, and locks to meet a specific standard, for the policy to be valid.

It stands to reason that similar standards and policies will evolve with cyber insurance. For a cyber insurance policy to pay out, policyholders will need to demonstrate that they have met an agreed standard of cyber defence. In much the same way that not leaving possessions visible in a car reduces the risk of vehicle theft and claims, having better security lowers the risk and matters more than relying on insurance to pay for any damage. Alongside the growing need for cyber insurance, there is an increasing need for specific advice that people can follow to reduce their exposure to risk: a minimum standard of cyber defence across the board.

Avoiding Ransomware

Ransomware is a frequently reported threat, and it may be only a matter of time before a significant attack takes place and impacts many individuals and businesses. Here are some basic behavioural changes to help protect yourself, your organisation, and your employer:

  • Email Threat Awareness – DO NOT open attachments or click on links unless you trust and can verify the source. Malicious websites and infected attachments can install ransomware and encrypt your data.
  • Patch Management – Keep your operating system and software applications up to date. Software vendors are continuously updating their software to remove identified vulnerabilities. If your software is no longer supported, consider switching to an alternative product.
  • Pirated Software – DO NOT download software from peer-to-peer file sharing sites, and avoid licence key generators and other software cracks. Threat actors alter versions of legitimate software to deploy malware. Also, as pirated software is unlicensed, security patches and further updates will not be available, leaving exploitable vulnerabilities in place. Worse still, so-called “security patches” from illegitimate sources may introduce additional malware.
  • Anti-malware – Keep all malware removal and protection software up to date. If a website popup claims your system is infected, it’s likely scareware designed to trick you into buying fake security software that may itself contain malware. Use a trusted brand.
  • Software Clutter Clearing – Uninstall software packages and browser plugins that are no longer required. Reducing software clutter lowers your attack surface.
  • Software Whitelisting – Allow only pre-approved applications to execute, while blocking everything else by default. This deny-by-default approach helps reduce malware, intrusions, and the use of unauthorised software.

Ransomware remains a persistent threat, but with simple, proactive habits and a security-first mindset, much of the risk can be avoided. By staying vigilant, keeping systems updated, and being cautious with unknown sources, you can significantly reduce the likelihood of becoming a victim.

Augmenting Strategic Plans with Tactical Solutions

Improving IT security and implementing governance controls is a high-priority concern for corporate decision-makers. With IT security requirements continually changing as new threats emerge, a strategic solution that only delivers results at some arbitrary point in the future is not always adequate when security threats exist in the here and now. Augmenting strategic delivery with tactical activity is a fundamental requirement that is often overlooked.

Several high-profile security breaches have been reported in the media and have been the cause of great concern, and rightly so. But to what extent are assurance statements made to demonstrate corrective action when, in practice, there is very little substance behind the words?

For example, an organisation might announce that a consulting company is undertaking a review, that the findings will be published, and that actions will be agreed based on the recommendations. This pending review might offer some protection in the event of a data breach: you could respond with “we know about the problems, and the matter is under investigation to mitigate the risks”. However, this does little in the short term to protect corporate systems and more to shield the organisation from accusations of ignorance and negligence.

Defining a set of tactical activities to reduce exposure to risk in the here and now, combined with a strategic review to address risk in the long term, will make a world of difference.

Securing the Network Boundary

Understanding your organisation’s network boundary is essential to being vigilant and maintaining a high level of security. Internet connectivity at home or in a single-site business can be straightforward. Still, as companies grow in size and complexity, it is easy to lose control by not understanding the boundary infrastructure, how it is maintained, and who is responsible for its maintenance. This blog is not a comprehensive guide to boundary security, but it covers essential aspects that, if implemented, will provide an improved level of protection and reduced exposure to risk. Where firewall management is outsourced, the same questions also act as a check on third-party suppliers.

Firewall Inventory

Maintaining an inventory of firewalls is an essential starting point for understanding the boundary and how it interacts with the outside world.

  • Do you have an inventory of all firewalls?
  • Does the inventory include the physical locations of each firewall?
  • Who are the manufacturers, and what are the models of each firewall?
  • What are the internal and external network addresses of each firewall?
  • Who is responsible for maintaining the accuracy of the inventory?

If you don’t know where all your firewalls are, then it follows that you cannot guarantee that strong passwords are applied, that firmware is up to date, or that firewall rules accurately reflect the requirements of the business. The inventory should also record the information covered in the sections below.

Firewall Passwords

Strong passwords and secure storage of passwords are essential to controlling access to firewalls and preventing unauthorised configuration changes.

  • Have all manufacturer default passwords been replaced with strong passwords?
  • Are you able to verify that strong passwords apply to all firewalls in the inventory?
  • How frequently are firewall passwords changed?
  • What password vault do you have in place to store firewall passwords?
  • Do all persons with knowledge of firewall passwords or access to the password vault have a legitimate business requirement to do so?

Firmware

Firmware is the low-level software embedded in the hardware itself. Hardware manufacturers often release new versions of the firmware during the usable life of the equipment.

  • What is the latest version of firmware for each firewall’s make and model?
  • What is the current version of firmware for each of the firewalls in the inventory?
  • Are you able to verify that each of the firewalls in your business has the latest firmware version?
  • When was firmware last updated on each of the firewalls in the inventory?
  • Who is responsible for checking firmware releases and performing updates?

New versions of firmware are often released specifically to mitigate security risks. Without a process to check for and apply the latest firmware, known vulnerabilities remain open to exploitation.

Firewall Rules

Firewall rules need documentation for each of the firewalls in the inventory. Rule documentation should include:

  • What is the business purpose of the rule?
  • Does the rule control inbound or outbound traffic?
  • What IP addresses and network ports are ‘allowed’ or ‘denied’?
  • Who approved and who created the firewall rule?

Firewall rules change over time as business requirements change, not to mention unauthorised changes to firewall rules. Documentation and an ongoing review process will ensure that the rules configured continue to reflect business requirements.

  • When was each firewall in the inventory last checked to ensure that all firewall rules fulfil a genuine business purpose?
  • How frequently are firewall rules checked?
  • Who is responsible for checking firewall rules?
  • Are firewall rules disabled or deleted when they no longer have a legitimate business purpose?

Firewall Management

Having effective processes in place to manage firewall configuration will reduce the risk of unauthorised changes.

  • Can the firewalls in the inventory be administered from outside the network?
  • Which network port is used to administer the firewalls from outside the network?
  • Is this different from the manufacturer’s default network port?
  • Are time restrictions applied to control the administration of firewall changes from outside the network?
  • When accessing the firewall to manage the configuration, is the connection made using HTTP or HTTPS?
  • Does your business use a ‘change management’ process to request, approve, and implement firewall configuration changes?
  • Who is responsible for approving firewall configuration changes?
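The checklist questions in the Firewall Inventory, Firmware, Firewall Rules and Firewall Management sections above can be turned into automated checks once the inventory is kept as structured data rather than in a spreadsheet nobody reads. The script below is an added example, not code from the original post: it defines a small inventory record for each firewall and its rules, then reports every item that would fail one of the questions above (missing inventory fields, default password still in use, firmware behind the vendor's latest release, remote administration over HTTP, rules with no documented purpose or approver, rules not reviewed within the assumed 90-day interval, and inbound rules that allow any source on any port). The vendor names, models, firmware versions, addresses, dates and review interval are all constructed for illustration.

```python
"""Firewall boundary audit over a constructed inventory (added example)."""
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import List, Optional

# Constructed vendor table: latest firmware per make/model. In practice this
# is refreshed from each manufacturer's release notes.
LATEST_FIRMWARE = {
    ("ExampleVendor", "FW-100"): "4.2.1",
    ("ExampleVendor", "FW-200"): "5.0.3",
}

# Assumed policy: every rule must be reviewed at least quarterly.
REVIEW_INTERVAL = timedelta(days=90)


@dataclass
class Rule:
    name: str
    direction: str                      # "inbound" or "outbound"
    action: str                         # "allow" or "deny"
    source: str                         # CIDR or "any"
    destination: str                    # CIDR or "any"
    ports: str                          # e.g. "443" or "any"
    purpose: str = ""                   # business purpose (required)
    approved_by: str = ""               # approver (required)
    created_by: str = ""
    last_reviewed: Optional[date] = None


@dataclass
class Firewall:
    name: str
    location: str
    vendor: str
    model: str
    firmware: str
    internal_ip: str
    external_ip: str
    owner: str                          # who maintains this entry
    default_password_changed: bool
    remote_admin_enabled: bool          # administrable from outside the network
    admin_scheme: str                   # "https" or "http"
    rules: List[Rule] = field(default_factory=list)


def version_tuple(version: str) -> tuple:
    """Turn '4.9.0' into (4, 9, 0) so versions compare numerically."""
    return tuple(int(part) for part in version.split("."))


def audit_firewall(fw: Firewall, today: date) -> List[str]:
    """Return one finding string per checklist question the firewall fails."""
    findings = []
    for attr in ("location", "internal_ip", "external_ip", "owner"):
        if not getattr(fw, attr):
            findings.append(f"{fw.name}: inventory field '{attr}' missing")
    if not fw.default_password_changed:
        findings.append(f"{fw.name}: manufacturer default password still in use")
    latest = LATEST_FIRMWARE.get((fw.vendor, fw.model))
    if latest is None:
        findings.append(f"{fw.name}: no known latest firmware for {fw.vendor} {fw.model}")
    elif version_tuple(fw.firmware) < version_tuple(latest):
        findings.append(f"{fw.name}: firmware {fw.firmware} behind latest {latest}")
    if fw.remote_admin_enabled and fw.admin_scheme != "https":
        findings.append(f"{fw.name}: remote administration over {fw.admin_scheme}, not HTTPS")
    for rule in fw.rules:
        tag = f"{fw.name}/{rule.name}"
        if not rule.purpose:
            findings.append(f"{tag}: no documented business purpose")
        if not rule.approved_by:
            findings.append(f"{tag}: no recorded approver")
        if rule.last_reviewed is None or today - rule.last_reviewed > REVIEW_INTERVAL:
            findings.append(f"{tag}: not reviewed in the last {REVIEW_INTERVAL.days} days")
        if (rule.action == "allow" and rule.direction == "inbound"
                and rule.source == "any" and rule.ports == "any"):
            findings.append(f"{tag}: inbound allow from any source on any port")
    return findings


def audit_inventory(firewalls: List[Firewall], today: date) -> List[str]:
    """Audit every firewall in the inventory and collect all findings."""
    findings = []
    for fw in firewalls:
        findings.extend(audit_firewall(fw, today))
    return findings


def sample_inventory() -> List[Firewall]:
    """Constructed inventory: one well-kept firewall and one neglected one."""
    hq = Firewall("hq-edge", "Head office", "ExampleVendor", "FW-100", "4.2.1",
                  "10.10.0.1", "203.0.113.1", "network-team", True, False, "https",
                  [Rule("web-in", "inbound", "allow", "any", "203.0.113.10", "443",
                        purpose="Public website", approved_by="CISO",
                        created_by="alice", last_reviewed=date(2024, 5, 1))])
    branch = Firewall("branch-fw", "", "ExampleVendor", "FW-200", "4.9.0",
                      "10.20.0.1", "198.51.100.7", "", False, True, "http",
                      [Rule("legacy-any", "inbound", "allow", "any", "10.20.0.0/24", "any")])
    return [hq, branch]


if __name__ == "__main__":
    for line in audit_inventory(sample_inventory(), date(2024, 6, 1)):
        print(line)
```

Running the script prints nine findings, all against `branch-fw`; `hq-edge` passes every check. The value of the exercise is less the code than the discipline it forces: each finding maps to a named owner and a question from the checklist, and a rule or firewall that cannot be described in these fields is itself a finding.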