No Surprise: Cyberinsurance is Not Improving Cybersecurity; Microsoft Investigating How Malicious Windows Drivers Got Through; More Google Play Security Around Developer Accounts

The important quote in this report is something I told insurers back in the early 2000’s when I was at Gartner: “The difficulties inherent in understanding cyber risk, which is anthropogenic and systemic, mean insurers and reinsurers are unable to accurately quantify its causes and effects.” OK, I didn’t use the term “anthropogenic” – I had to look that up: basically, it means “caused by humans.” My version: bad guys exploit vulnerabilities in people and software. There are no tables of material strengths for either people or software, thus human engineering and software engineering are oxymorons – they are not engineering disciplines and broad, rigid standards can’t be driven by insurance companies. The report’s number one recommendation is that “essential security hygiene” be mandated, in this case the UK Cyber Essentials which is similar to the CIS Critical Security Controls Implementation Group 1.

John Pescatore

Cyber insurance is too new to expect it to affect business. At this point, insurance companies are experimenting with the product and collecting data to refine their business. I hope insurance companies will bring the same data-driven approach they use for other insurance products to cyber security in the future.

Johannes Ullrich

Purchasing cyber insurance doesn’t alleviate the responsibility to implement cyber security. The past year, with ransomware payouts by insurers, has been the first time they are operating in the red, so I expect insurers to either stop or modify their coverage for ransomware, or raise the bar by developing a cybersecurity “clean bill of health” (aka minimum standards) before providing coverage, as well as monitoring breach and incident notifications to ensure their insured clients are maintaining a healthy cyber security posture.

Lee Neely

The scary part is that this malicious driver was apparently intended to cheat at online games. This wasn't a sophisticated state-sponsored or organized crime organization, but an individual managed to get Microsoft to sign a malicious driver to either play appearing to come from other countries or to reduce the network speeds of competitors.

Johannes Ullrich

So far, the good news is Microsoft does not believe a signing certificate was compromised. So, looks like an issue with the WHCP testing and certification process. Every software testing process has to continually be improved but app stores/driver testing etc. are highly effective in reducing the volume of malicious software and updates that cause any meaningful damage.

John Pescatore

The changes are being phased in; starting in August new accounts must specify account type and contact information, and 2FA will be required. Later this year all existing accounts must also set their type, update contact information, and enable 2FA. Google is also providing guidance on keeping your account in good-standing. This will help trace applications to known good sources; when coupled with Play Protect, the security and integrity of applications in the Play Store will increase as well.

Lee Neely

Another example of continual improvement around application testing and certification, and 2FA being mandated.

John Pescatore

How do you think you’d fare in a password spray attack? (Where a few common passwords are used to try to access a large number of accounts.) Make sure externally facing services use MFA, and where passwords are used integrate the password process with data breach checks to disallow common or compromised passwords. Make sure that you’re getting alerts from these sorts of activities. Then engage a team to attempt password compromise to verify your position.

Lee Neely

ALL input has to be validated. We have seen vulnerabilities in other communication protocols, not just NFC, where developers implemented the standard without considering non-standard transmissions. The best example is probably various 802.11 implementations that followed the standard and expected the SSID to be limited to 32 bytes, only to be "surprised" with malicious actors triggering buffer overflows by using longer SSID strings.

Johannes Ullrich

The net effect is that NFC interface can be used to trigger a buffer overflow, and indicates caution is needed when adding new interfaces to legacy systems. In this case, the exploit could be used to read mag-stripe data from cards but not an EMV card or chip PIN. As a user, it’s best to use the chip reader over the mag stripe reader when a choice is presented.

Lee Neely

Only allow WAN based administration of your VPN from trusted devices. Verify the security settings are as they should be. After applying the update from Zyxel, and someone logs in as admin, the VPN a security check will pop up to alert of any security misconfigurations. Even without a pop-up, double check things are as you expect.

Lee Neely

This flaw permits unauthenticated XSS attacks against a user of the web services interface on a vulnerable service. There are no published workarounds or mitigations other than updating your firmware here; make sure that you’re actually running an affected product, e.g. vulnerable release of the ASA software plus a vulnerable AnyConnect or WebVPN configuration.

Lee Neely

Patches have been out now for a couple of months. With a PoC available now, exploitation attempts are likely already underway.

Johannes Ullrich

It is a pretty broad definition, which is realistic. The Critical Software part of the EO is on a fast track – by July 11 NIST/NSA will publish minimum standards and requirements vendors need to meet in testing their source code. This can be a very good thing: while many major software vendors already will likely meet the requirements, many security software products and lots of open source tools likely do not.

John Pescatore

This definition is very broad, including operating systems and web browsers. Read the table as well as the definition, then turn to the FAQs to understand scope, definitions and applicability; such as embedded, Open Source and GOTS, all of which could be EO-critical. While initial focus is on-premise software, cloud based products and services are also in scope. Expect more information and guidance as we move forward with the EO implementation.

Lee Neely

Key lesson here, ransomware attacks cost far more than just the ransom. There are tremendous costs in the down and recovery time, having to rebuild both systems and networks to truly ensure the systems can be trusted again. What is frightening here is the potential cost in lives due to delayed care.

Lance Spitzner