September 13, 2017 by Jason Contant, Online Editor
Cybercriminals will navigate away from their focus on data and start to target or threaten human life in the near future, cybersecurity expert Kevvie Fowler suggested in an interview with Canadian Underwriter.
“Moving forward the next five or ten years, I’m expecting a monumental shift where cybercriminals are going to skip the data – they’re not interested in data – they’re going to start to attack or start to focus on human life,” Fowler said.
While current ransomware cases typically involve encrypting a person’s hard drive, “what you are going to see are ransomware threats designed to specifically crash an airplane or to actually send lethal shocks via people’s pacemakers, etc.,” Fowler suggested. Another scenario could be shutting down power so people couldn’t receive air conditioning or hospital equipment wouldn’t work properly. “If you were to weaponize that into some form of malware, that could be a very, very serious threat organizations should have to look at,” Fowler said.
These sorts of attacks would result in a “cascading impact” that could include loss of life, and cyber policies would have to better align with the new threat landscape. Law enforcement, the public and private sectors, third party organizations and even individuals in the community could also potentially be involved, Fowler said, using the example of a ransomware attack that targets people’s pacemakers, with a demand for payment under the threat that 500 people will otherwise be killed.
“That ransom won’t be paid by one organization, it will be several people pooling together: people in the public sector, private sector, individuals in the community,” Fowler said. “So it will completely change the way we view cybersecurity, how these types of cases could be investigated and how organizations could proactively protect, how insurers can actually insure as well. When you start to get out of the data and focus more on life, how do your policies respond to that?” he asked.
Fowler reported that ransomware is a “massive issue globally,” but a lot of incidents aren’t reported. For insurers specifically, corporate data – information about employees – and product and portfolio data – sensitive information about corporations that could be lucrative to attackers – are major risks. Aggregators such as regulators have similar issues, Fowler added. “They have a lot of information about a lot of corporations all in one centralized area – that makes them a risk.”
In ransomware incidents, attackers exploit unpatched systems, vulnerabilities or weak configurations to gain access to a system. “Almost every single attack has some element of social engineering,” he reported, referring to the technique of manipulating people into divulging confidential information. “So whether it’s a ransomware email that comes in and someone is social engineered to click on a link, download a file or to navigate to a certain website, that’s the big issue that insurers are actually facing.”
The other aspect of human error is illustrated by, for example, an employee who loses an unencrypted USB key containing a lot of sensitive information. “Cases like that still happen, but it’s not as widespread of an issue as social engineering,” Fowler said.
Security awareness training can help mitigate some cyber risks. Fowler recommends that organizations “test employees and if employees don’t pass the test that they’re educated right there on the spot.” Companies should also use security awareness or social engineering training not just proactively, but also as a deterrent, because a lot of threats are actually being conducted by insiders, he reported. For example, during the 2015 Ashley Madison breach, attackers weren’t just trying to access user profiles; they were also using that access to lure victims into such actions as planting viruses or divulging usernames and passwords. “Information that is personal that they don’t want out there, people will actually conduct pretty heinous crimes just to try to keep their secrets safe,” Fowler told Canadian Underwriter.
Some organizations respond proactively to a breach by, for example, contacting affected employees who used a corporate email account before attackers can try to get those employees to do their bidding. The companies warn employees that cybercriminals may contact them and that they should not give them any information, and they explain the steps and controls the company has in place to detect people who divulge information, as well as the support services available to employees, Fowler said.
Other organizations are going out of their way to detect breaches. “So they are calling in third parties to actually come in and look at key systems, they look at the network traffic and they try and identify breaches that haven’t yet been discovered by the organization or by the insurer,” Fowler concluded. “The sooner you can find these things, the smaller the impact is and the more control you have over messaging and response.”
Kevvie Fowler will present at the RIMS Canada Conference, which runs from Sept. 24 to 27 in Toronto. The session, titled Cyber Extortion – TNG (The Next Generation), will discuss limitations of coverage, risk mitigation/loss prevention and how law enforcement views cyber crime.