Friday, December 25, 2015 - 03:16
Essential to understand

The insurance industry is the target of cyber attacks from a wide range of hostile operators, both internal and external, including current and former employees, organised crime and nation states.
“To understand the full extent of the threat, it’s essential to consider how threat actors perceive institutions, along with their assets, information and systems – not to mention their interconnectivity with other institutions. It’s also important to consider the actor’s broad motivations,” says Samuel Higgins, Security Analyst at MWR InfoSecurity.
Financial gain is only one of many motives for attacking insurance institutions. Often, the aim is to cause long-term reputational damage and hence undermine confidence, or to gather information on the organisation’s clients.
Different Types of Cyber Threat
Cyber threat can be broadly categorised as either Computer Network Attack (CNA), aiming for the disruption, degradation or destruction of information and systems; or Computer Network Exploitation (CNE), which focuses on accessing, stealing and exploiting information.
CNA is likely to be used by activists, either groups or individuals, who are taking direct action in protest against an organisation or its policies. However, CNE is demonstrably the primary tool used against the insurance industry.
In combination, these two threats challenge the confidentiality, integrity and availability of systems, information and assets. Cyber attacks can be highly specialised and bespoke; however, the majority of hostile actors opt simply for the most time and cost-effective methods of compromise.
A closer look at Computer Network Exploitation
“Social engineering is now a common aspect of CNE, whereby sophisticated attackers use highly targeted phishing attacks as opposed to attacks where emails are sent to thousands of random users,” he says.
Spear phishing is extremely effective, as specific details relating to the recipient’s work or personal life might be included, making the email far more believable.
Alternatively, the attacker might use watering holes, where websites regularly visited by targeted individuals are compromised and infected with malware for the targets to unwittingly download.
Such attacks often take place in distinct phases, with organised attackers having teams dedicated to each phase. The structure of many insurance company networks has led to a number of vulnerabilities of particular relevance to the industry: vulnerabilities that attackers actively exploit.
Companies that have grown through acquisitions and mergers, or where there is a diversity of companies within a group, often opt to connect to a group infrastructure for interoperability benefits. However, doing so could undermine cyber defences and increase the company’s attack surface, providing more routes by which an attacker can gain access to critical systems and assets.
Outsourcing IT systems management – and providing third parties with access to the company’s networks – creates additional challenges, as hostile insiders need not be permanent employees. In addition, cyber attacks via individuals often take place without that individual’s knowledge or complicity.
As a result of vulnerabilities in their own information security, contractors and other third parties known to have access could themselves be targeted by persistent threat actors who find direct compromise more challenging. For the insurance industry, this could mean clients being targeted to exploit their access through online or mobile client-accessible platforms, allowing attackers to gain illicit access to the insurance provider’s network and information.
How Can Organisations Protect Themselves?
Increasingly, organisations require defensive programmes designed to protect them against advanced, targeted attacks.
Higgins says that traditional information security controls have failed, because they have been implemented without understanding the attack paths and techniques of attacking groups – and, in many cases, the underpinning governance of IT has not supported these controls.
The root cause of unsuccessful defence lies in changing attack trends.
Whereas attacks predominantly used to target the perimeter infrastructure, relying on compromise of this infrastructure to provide a route into the internal network, modern attackers tend to target users on the internal networks. They then assume the business privileges of these users, before moving laterally within the network to target the organisation’s assets.
“Despite this altered trend, the vast majority of organisations still persist with defence spending that focuses on the perimeter, a strategy that fails to address the types of attack that directly target their key assets. Hence security teams often provide over-optimistic and unintentionally false reassurance to boards.”
Organisations that demonstrate the ability to successfully defend against targeted attacks tend to have the same characteristics. Generally:
• They have a good understanding of the motives of the attacking groups likely to target them
• They have undertaken an extensive programme to identify their information assets
• They have undertaken an extensive project to identify all the attack paths connected to these assets
• They have justified the cost of removing these attack paths, and/or consolidating the assets to reduce the attack surface area
• They have greatly augmented their attack monitoring and response, so that attacks can be efficiently curtailed in the early phases
Such is the persistence, resourcing and resolve of advanced attackers targeting the insurance industry, that a holistic approach – underpinned by an in-depth understanding of the threats – is essential.
“Only in this way can an organisation effectively limit its vulnerability, build and secure its resilience, and mitigate cyber attacks. Board-level and enterprise-wide management of cyber risk will help to avoid unnecessary risk-taking, while preventing inappropriate risk aversion in decision-making,” says Higgins.
After all, managing cyber risk is not about inhibiting business; on the contrary, when done properly and with the correct expertise, it ensures that institutions are best placed to manage cyber risk while driving forward innovation and success in a turbulent geopolitical environment.

Copyright © Insurance Times and Investments® Vol:28.12 1st December, 2015