What Does Climbing Mountains Have in Common with Cyber Security?

Carrauntoohil and the Hag's Tooth

Picture of Carrauntoohil and the Hag’s Tooth (the Reeks mountain range in County Kerry, Ireland)

Why am I writing about mountains? Well I have just come back from Ireland after climbing the highest peaks in both Northern Ireland (Slieve Donard) and the Republic of Ireland (Carrauntoohil) with my son.

Yes we climbed the infamous Devil’s Ladder on Carrauntoohil on Saturday the 31st of August, 2019 (it was more like the Devil’s Waterfall or Stream that day, as it had rained extensively for the last week).

The path to the base of the Devil’s Ladder – The bottom of the Devil’s Ladder – My Son about a quarter way up the Devil’s Ladder

So, this meant that we had to adapt our risk models, our strategy, our plans to conquer it and to get back down safely after summiting the mountain…

This may seem to be a silly analogy, but you’d be surprised how much they have in common:

In fact, they both require:

  • Extensive preparation, including testing that your plans/equipment/tools and your skills are relevant and fit for purpose, and that they work (as expected) before you need them for real.
  • The ability to be adaptable to changing conditions/threats/risks, etc.
  • Risk analysis/rating and to be able to classify risks as low (acceptable), neutral or high (unacceptable, or unwise).
  • Stamina (staying power), perseverance and digging deep (at times) to ensure success or when dealing with an incident (or potential incident) or the immediate workload.
  • Teamwork (in an ideal world) to be really successful; both mentally and physically. Also understand that you may need different perspectives (both in knowledge and risk) and skill sets.
  • That you need to have experts (or at least people with more knowledge than you) available if things go wrong; for small incidents you may be able to deal with it yourself, or with limited assistance, but when things go badly wrong you need ‘real expertise’ on call.
  • Suitable insurance; so that you have a way to offset risk and associated costs with an incident (just in case; worst case scenario).
  • That you understand you haven’t succeeded when you’re at the peak, but when you have returned to BaseCamp (normal business operations aka steady state).

Yes, we successfully summited the mountain which we did with nothing more than getting wet (several downpours, and even hail on the last push to the summit) and cold; it was about 20c at the bottom, but close to 0c at the top, when we were over 1,039m (3,409 feet) up, and a complete white-out, and my son slipped and twisted his ankle (slightly) when climbing up the Devil’s Ladder.

As it was a complete white-out  at the summit (well actually the top third of the mountain for most of the day), it can be easy to lose your way as visibility is very limited (a matter of a few meters at best), so veering off the path is easy and can be lethal, as there are cliffs around the summit on most sides of the mountain. I however had two GPS devices (with maps on and the route pre-planned) so that this was not an issue for us. I also had a compass and a paper map (as well as two smartphones with the 1:30,000 Harvey’s map on); so I had multiple backups in case one or more of the technical solutions failed!

Does this sound familiar to cyber security best practice?

Start of the Devil's LadderTop of the Devil's LadderAt the top (honest!)
Left to Right: Bottom of Devil’s Ladder – Top of Devil’s Ladder (looking down) – At the summit of Carrauntoohil
Please Note: The photos of the Devil’s Ladder do not show just how steep and technical it is in reality!
We also summited a second mountain in the Reeks range that day (Cnoc na Toinne), as we decided not to risk coming back down the Devil’s Ladder (the risk was high/unacceptable that day, going up was an acceptable risk), we decided to take the lower risk (but not risk free) route down via the second peak via the Zig-Zags*.

Most of the experienced hikers/climbers that day also decided against going down the Devil’s Ladder; like us deciding on a safer way down, either using the Zig Zags or the Heavenly Gates and/or Brother O’Shea’s Gully route instead!

As we were descending via this route, ironically a very experienced hill/fell/mountain walker just ahead of me tripped and almost fell over the edge, so this shows that things can still go wrong, even to the most experienced. Luckily that day, if he had fallen over the edge there were members of the Irish Mountain Rescue on the mountain (just below him, in fact), so help was at hand, had it been required, luckily he was fine, with just a few bruises to his body and his pride!

Why not broaden your risk appetite and knowledge, go on I know you want to, it will expand your knowledge and maybe get you out of your chair 😉

If you want to read more about our mountain climbing adventures (we have done all of the 5 highest peaks in the British Isles), you can find far more details on my other site, here: https://talkytoaster.me.uk/category/blog/

*The Zig-Zags is often described as the ‘easy route’ up and down the mountain, however that same week there had been two accidents where the victim underestimated or didn’t respect the path (which although easier is not without challenge and risk). One wrong or missed step can see you falling down the side of the mountain (with nothing to stop you) until you get near to the bottom. This is a potential fall of over 800m (or over 2,500 feet)! To put this in perspective, the Shard in London is 310m (just over 1,000 feet) tall, so it would be the equivalent of falling over 2.5 times the height of the Shard (ouch)!

All photographs used in this article are Copyright, 2019 by Martin Overton, All Rights Reserved.

Cyber Catalyst; Dead Cert or Rank Outsider?


Disclaimer: The views in this article/blog posting are my own opinion based on the available data that Marsh has made public.

As mentioned in episode 3 of my OMG Cyber! podcast, a number of insurers/brokers have joined a new cyber ratings project known as “Cyber Catalyst”.

More details can be found here: https://www.darkreading.com/risk/insurers-collaborate-on-cybersecurity-ratings/d/d-id/1334258 and direct from Marsh here: https://www.marsh.com/us/campaigns/cyber-catalyst-by-marsh.html

Here are a few snippets from the article on the Marsh site:

In the Cyber CatalystSM program, leading cyber insurers evaluate and identify solutions they consider effective in reducing cyber risk. Participating insurers include Allianz; AXIS; AXA XL, a division of AXA; Beazley; CFC; Munich Re; Sompo International; and Zurich North America. Microsoft is a technical advisor to the program.

Cybersecurity products and services viewed as effective in reducing cyber risk will be designated as “Cyber CatalystSM”. Organizations that adopt Cyber Catalyst-designated solutions may qualify for enhanced terms and conditions on cyber insurance policies from participating insurers.

I applaud Marsh for doing something to try and address the lack of cyber risk analysis, profiling, etc. However, I do question the value of this initiative; I will outline below my concerns and thoughts on why this is, I believe, not a helpful offering.

I do not see the value of Insurers/brokers carrying out product/solution ratings, as:

1. They (the insurers/brokers) are not experts in this area, and
2. There are already plenty of other independent testing/rating organisations that have been doing this for many years, to a very high standard. These include ISCA, NIST, AV-Test, and so on… It would have been far more sensible to partner with one of these instead, and it would have added more credibility…

So, this seems to be a strange thing to attempt; a bit like reinventing the wheel and coming up with a different shape that is not as efficient as the one we already have which has served us rather well, so far.

The program is, by my understanding, stating that if a client/insured has product/service x, y or z from the list of “approved/recommended” ones, that the client will get better rates (such as higher limits/lower premiums) and so on.

1. Now, this is fine, apart from the perspective that just because the client/insured has purchased an “approved/recommended” product/solution, it does not mean that they have rolled it out or installed it.
2. Even if they have done so, where are the checks and balances to confirm this, that it is not only rolled out, but actually configured correctly?
3. Furthermore, where is the ongoing validation? Without that, this is pretty much just a box ticking exercise, and therefore no better than the existing risk rating mechanisms they already use.
4. They state that “Microsoft is a technical advisor to the program.”, this does not really help, as they are not a trusted independent review organisation/body. What happens when Microsoft review their own products and solutions?
5. Their disclaimer doesn’t exactly offer a ringing endorsement of the value of the program, read it for yourself and see if you agree?

I would say that this is little more than a “beauty contest” and it doesn’t really do anything to address cyber risk in a new way.

Now, just to be completely transparent, I used to work for AIG as a Cyber Risk Specialist (and so I understand Cyber Insurance quite well). I helped AIG design their Cyber rating solution known as “CyberMatics”. Let me be very clear, I have no axe to grind with any of the insurers, and receive no financial benefit from “CyberMatics” or AIG on this, or any other article/blog posting that covers cyber insurance.

The difference with “CyberMatics” is that is collects telemetry and/or meta data to validate that:

1. The insured has the solution/service installed correctly, and more importantly
2. That it is being used correctly; not just once, but on-going, and this is shared with the client/insured via a secure portal, to help them further improve their cyber defences and resilience.

That is a huge difference!

You can find out more about “CyberMatics” here: https://www.aig.com/business/insurance/cyber-insurance/cybermatics

What are your thoughts on this?  Please let me know…

“Cyber Catalyst” and “Cyber Catalyst by Marsh” are registered trademarks of Marsh LLC
“CyberMatics” is a registered trademark of AIG

Insurance, Silent Cyber, and Refused Claims, Oh My!

This is a companion blog posting to my Episode 1 Podcast about Insurance, etc. which can be found on the Podcast page of this site, or on all good podcasting platforms, including Google, Apple, Spotify, Pocket Casts, etc.

Disclaimer

I am not an insurance specialist, I am a techie with over 30 years of real-world experience in malware, over 15 years of ethical hacking experience and over 10 years of digital forensics (incident response) as well as working for a large cyber insurer for over 2 years (note past tense) where I worked hand-in-glove with underwriters, brokers and claims staff in helping them understand cyber risks, defences and remediation. I also used to meet with CISOs, IT Security Managers and Risk Managers/Legal Council to understand their risks and processes, procedures, technologies, business partners, supply chain and cloud/outsourced services.

I run my own business; I do not work for an insurer or sell insurance (of any type). However, when I did work for an insurer, along with being the cyber risk specialist assisting underwriters, brokers and claims adjusters. I also trained many cyber underwriters, helping them to understand the technology, the lingo (acronyms) and what are the right questions to ask (and what are good answers), when to ask them, and to who (so that they could have meaningful risk dialogue with CISOs, IT Managers, etc.) The underwriters then can understand the answers given and price the risk appropriately, rather than just fearing a worse case scenario, and pricing according to their fears/expectations (which is far better situation (both on cover/limits and pricing) for the insured/client too)!

“Silent” Cyber

For those of you that are not in the insurance industry, you may not be aware of this term and what the implications are to existing (non-Cyber) policies, such as Property, Casualty, D&O, Kidnap and Ransom or Crime.

In simple terms, Silent Cyber is used to describe the case where cover for Cyber threats is not explicitly mentioned in the policy wording/coverage. As the insurers would say, these non-Cyber policies do not have “affirmative” cover.

What this means to you as a policy holder is that the insurer may not honour a claim if it is Cyber related for a non-Cyber policy (even if you have a Cyber extension to that non-Cyber policy). Why, because the wording and terms and conditions in force will be those from the master policy (the non-Cyber one/the main policy). This can cause claims to be rejected, as can be seen in the next section of this article.

Refused Claims

There have been two recent cases reported where the insurer has declined to pay a claim in relation to the NotPetya attacks back in June 2017, these are Hiscox vs DLA Piper and Modelez vs Zurich.

Despite what the press and other media has claimed, in both cases that the policy was a cyber policy and the reason stated by the press or other media for the claim being declined was down to an “act of war, or hostile action”.

From what I have found out, neither of these claims are in relation to Cyber Insurance policies, in fact they both are related to Property policies (which are, even with a cyber extension added on, not the same as a dedicated Cyber Policy.   Very sloppy reporting, which doesn’t help anyone…

So, this has resulted in every person and their pet of choice making statements, such as “well, what is the point of buying insurance as the insurer will weasle their way out of having to pay” and “there is no point in buying cyber insurance, as I’ve seen what happened to the claims from Mondelez and DLA Piper”.

Expecting wide-ranging/expert Cyber coverage from a Property policy is like expecting wide-ranging/expert Health insurance from your House and Contents policy! Not surprisingly you will not get comprehensive health cover backed by experts in this area. It’s a bit like expecting your gardener to offer health screening (without them being a medical practitioner).

A few days a go a written statement was sent to SC Media UK (owner of the SC Magazine) in which Kylie O’Connor, the head of group communications at Hiscox stated “The dispute we are in with DLA Piper, is not about a cyber policy and has nothing to do with a war exclusion.” This just proves that the press and other media were (shock, horror) making things up so that they could publish (without little things like “facts” get in the way!

However, in the case of Norsk Hydro, they do have a dedicated Cyber policy, and therefore are covered under that policy (up to their limit, and after taking into account any excess, waiting period, and loss adjustment).

Why do companies invest in cyber insurance?

Well, for lots of reasons, including the ones listed below:

  • Hacking (external or internal misuse)
  • Physical loss of data (left on train, back of cab, accidents (sending data to the wrong person, etc.)
  • Data corruption or eraser (cost to recover or recreate), even paying for ransomware decryption keys.
  • Business Interruption, such as DDoS, Ransomware, etc. including loss of business
  • Costs for first response (forensics, legal, PR), etc. covered under the policy
  • PCI and other fines covered (where legally allowed)
  • Bricking (where a device becomes unusable due to a firmware or other update failing).
  • Legal or contractual requirements (from industry, business partners, etc.)
  • In some cases the insurer will offer services/solutions/products to help the insured improve their overall security posture/maturity for free (as part of the policy) or at a discounted price.

At the end of the day suffering a cyber breach has almost become “normal” and “expected” as not a day seems to go by when we don’t hear about yet another breach (new or historical); a good cyber insurance policy can help offset the risk and related costs for such breaches/incidents.

Then there are new risks/attacks such as CryptoJacking and Password Spraying (O365 and GSuite targeted via IMAP and even if 2FA or MFA is enabled they may be able to get in to your account).

What are  the ways that companies could avoid falling into this crevasse?

Check the policy you have is fit for purpose, check with your insurer or broker. I strongly suggest that you ask your insurer or broker which scenarios/risks you are covered for by the policy and if you identify gaps in your existing coverage decide if the cost of taking out extra insurance is a good risk/benefit trade-off or solution.

Check that the coverage includes first response (forensics, legal and PR services), that you have enough cover for business interruption, including lost business and remediation costs. Also consider the brand/reputational damage and knock-on customer effects, loss of trust, etc.

Check to see that the policy will cover financial fraud, such as BEC/Fake CEO, employee fraud, if not, find a crime policy that includes this. Crime policies are not the same as a Cyber policy as what they cover is different, or from a different perspective.

Make sure that the Limits, waiting period and excess is suitable for your business needs.

Don’t go for the cheapest, especially if the insurer/broker only ask 5-10 questions and doesn’t sit down with your CISO or IT Manager, etc. to discuss the answers afterwards (very few questions can be answered yes or no; they are usually a bit of both and the answer may vary across a typical organisation), as may the questions that should be asked by the Insurer or Broker.

The Future?

Even though a dedicated Cyber policy is a far better bet in today’s incident/breach strewn world, there are some things that they still don’t cover.

I want to see the Insurance industry step up and make Cyber policies more inclusive; it would be better if Crime cover was also included (including not only crime and fraud due to hacking, but also fraud due to social engineering or insiders/insider collusion). This should include BEC/Fake CEO and Invoices, etc. even when NO hacking or breach has occurred!

In Summary

Organisations need to ensure (no pun intended) that the existing Insurance policy or policies they have are fit for purpose and will actually pay-out when needed. You need to purchase the right policy type for the right risk, as otherwise you could end up in the same situation as DLA Piper and Mondelez… If in doubt check with your insurer or broker, before it is too late!

Update 15th April, 2019: It has come to my attention that Merck is also suing their insurer for refusing a claim; again it is NOT a Cyber policy, it is in relation to their Property policy.