Phish Tales

Governments and businesses are increasingly more vulnerable to cyber attacks that can cause damages disproportionate to the cost of launching the attack.

More to the point, the problem facing insurers is greater and even more complicated than assessing risk and crafting cyber risk policies and/or exclusions. The most vexing problem is in designing and implementing cyber risk resilience infrastructures for an insurer’s own corporate integrity and that of its clients that leaves many still scratching their heads.

The growing complexity of cyber systems and cyber threats has made it clear that the type and calibre of cyber breaches are increasingly more difficult to anticipate and, subsequently, prevent.

Insurers are aware that it is not feasible to prevent all possible attacks on infrastructure systems – be it their own or those of their clients. They are increasingly more aware as well that risk-based approaches to cyber threats do not necessarily create a cyber-resilient infrastructure.

Cyber resilience can be defined as an infrastructure’s ability to recover from or adjust to a breach. It would be the infrastructure system that provides the means within which an entity seeks to reduce potential damages while also enhancing its ability to recover from the attack.

NEW KIND OF ATTACK

To date, no other cyber breach reveals how frustratingly complex it has become to develop and implement cyber resilience management – both for insurers and the businesses they insure – as the cyber bank heist reported in the New York Times on February 14, 2015.

The attack reads like no spy novel before: So far, over US$1 billion has been stolen in about two years from banks worldwide. Shockingly, this attack is not over. The hackers continue to remove money despite the crime having been uncovered, leaving the financial institutions to adjust to this ongoing loss while determining how best to enhance a fast recovery from the attack.

Reports indicate that the heist was discovered late in 2013, when, in Kiev, an A.T.M. machine began dispensing money without the customer inserting a card or touching a button.

From the video footage, it appeared bank customers were taking “free” money. It was thought the A.T.M. had malfunctioned and these “customers” were simply at the right place at the right time.

As reported in the New York Times, the robbery seemed to start simply enough – a modern “bait and switch” referred to in the cyber world as “spear phishing.”

The criminals sent emails to targeted bank employees responsible for financial daily transfers and bookkeeping. These emails appeared to be sent from colleagues, but, when the emails were opened, unbeknownst to the reader, they would download the infectious Carbanak malware – a software containing a code used by the hackers to access the bank’s networking system.

The hackers were then able to search and find the employees responsible for administering cash transfer systems, or remotely connected A.T.M.s. But the heist does not stop there.

Once these employees were located, Sergey Golovanov of Kaspersky Lab, one of the organizations involved in the investigation, explained to the New York Times that the hackers then installed a “RAT” – remote access tool – to capture video and screenshots of the employees’ computers.

The purpose was to recreate a platform to mimic the actions taken by these employees. In doing so, the employees would remain unaware of having been hacked.

This infiltration allowed the hackers, through the exercise of patience and focus, to learn the unique systems of each bank. As such, they were able to see and record everything that happened on the screens of staff who service the cash transfer systems.

In this way, the hackers got to know every last detail of the bank clerks’ work and were able to mimic staff activity. This allowed the hackers to set up, entirely undetected, their own fake bank accounts to serve as destinations for transfers.

As stated by Golovanov on Kaspersky Lab’s website, “These bank heists were surprising because it made no difference to the criminals what software the banks were using. So, even if its software is unique, a bank cannot get complacent. The attackers didn’t even need to hack into the banks’ services: once they got into the network, they learned how to hide their malicious plot behind legitimate actions. It was a very slick and professional cyber robbery.”

CHANGE OF TARGET

The Carbanak attack evidenced the degree and variability of cyber-related threats that are beyond unauthorized access to sensitive data, such as credit card information, medical records and business trade secrets more commonly reported in the Sony Corporation and Target hacks.

The future of cyber risk will impact more directly on the operation of a business, resulting in a series of costs to do business, as well as on increasing concern, prompting the realization that the tools and expertise needed to assess that risk are still in their infancy.

Simply put, despite the sophisticated tools and skills in place within all of these banks, it could be argued that these very same systems effectively exploited vulnerabilities and allowed cyber hackers to manipulate them.

The Carbanak attack speaks to the very real issue of how a cyber loss is to be assessed on a real-time basis. When a cyber hack is still persisting despite its detection, how are the potential costs quantified? How is that business expected to determine its projected exposure following a cyber attack? If the loss for these financial institutions in the Carbanak heist is now estimated to be over US$1 billion, how much will it be when this hack is over?

Perhaps, the most frightening question is this: How will it be determined that the Carbanak hack has ended and the loss can be quantified and finalized?

There are no simple answers. But these types of cyber threats serve as a call to focus on resilience. Too often, cyber resilience leaves most with an unsatisfactory understanding, which is not surprising.

This area remains poorly understood, especially since risk is arguably a more studied concept by insurers than resiliency. Yet, insurers are well-positioned to rigorously develop the models and empirical data to quantitatively determine cyber resilience metrics. In doing so, they would serve a dual purpose: to develop more robust institutions, and to play a pivotal role in improving the resilience to cyber crimes within society.

SYSTEMIC APPROACH NEEDED

The goal of a cyber-resilient infrastructure is not a “one-size-fits-all” model. The sheer dynamic nature of cyber risk requires a systemic approach that is broken down by risk and contextualized by need.

A cyber resilience management platform must be a highly specialized system of management. It would serve to allow an insurer to manage its own internal exposures to cyber risk as well as delivering integrated approaches to identifying risks within various industries for which insurance products are developed.

Most particularly, the matrix of a cyber resilience framework would serve to determine and qualify the cyber protection needs of a particular business within an industry.

Despite the global importance, cyber resilience metrics is only at its early stages of development. The Carbanak attack demonstrates the level of collaboration required not only within an industry, but across various real-world networks comprised of technological, sociological, political and economic components.

Beyond that, these metrics require communication with an integrated whole of physical elements, communication devices, humans and environmental forces to form an entire system that must be flexible and in place prior to an attack.

The Carbanak heist, in particular, serves to show that the resilience of a system relies heavily on the effectiveness of cross-domain communication and co-ordination at each stage of the event managemen
t cycle.

In the end, it must be subject to review and reassessment as, otherwise, another hack is only a binary away.

Hughes Amys is a member of The ARC Group of Canada, a network of independent insurance law firms across Canada.