Monday, November 17, 2014

Insure-Sec-Future-Fail

A few days ago @Wh1t3Rabbit, @dearestleader and I had a nice little conversation about insurance companies and Information Security with regards to breaches and how companies handle the potential risks. We already have red-teamers that are tasked with doing risk compliance testing for companies, and now it seems that the blue-teamers are going to be dragged into being the “adjusters” in this new realm of cyber-insurance. (To be fair to the others, I will take responsibility for this post just in case it fails utterly, so their good names won't be besmirched, but if they agree, even better!)

Now the article I am going to cite does not come out and say this, but this would of course be the natural progression, in my humble opinion. So without commenting any further, here is the article from ZDNET to which I am referring: http://www.zdnet.com/police-cant-stop-cybercrimals-but-maybe-insurers-can-7000035514/

Of particular note are the following quotes:

“Encouraging the creation of an insurance market for online crimes could help enforce standards of security, just as home insurers insist on a particular type of locks on doors and windows before they will agree a policy. This makes it harder for burglars to break in as well as potentially reduces the burden on the police.”

OK, so from this we can glean that, if insurers are involved, upper management might buy into more stringent security measures because it will save them money? Really? Well, if they would invest in and promote the best practices in security to begin with, then they wouldn't need insurance in the first place, right? Also, this begs the question: which “lock” would be the preferred lock, opening an avenue where only “insurance approved” security appliances can be used in a system?

And it continues:

“The government argues that insurers are in a good position to encourage businesses - small ones especially - to improve their cybersecurity by asking tough questions about their breach and operational risk policies.”

Again, really, it takes insurers to encourage this? I’ll say it again: this is the job of the C-level folk to make this happen, not some third party that will make money off a lazy corporate security climate, regardless of a breach. Think about it this way: a bank’s physical location might be insured, but they spend a hell of a lot of money on security, not to mention those large and very expensive vaults that are installed at every location. Hell, it’s easier to break into a bank's IT infrastructure than it is to literally rob a bank (and get away with a respectable amount of money). Let that sink in for a minute…

To their credit, there is a somewhat sane response in the article:

“Whilst insurance offers financial protection to businesses, it does not incentivize businesses to invest in enhancing their cyber security defenses.”

However, the paragraph continues down the spending the money trail with this:

“He said organizations that demonstrate good cybersecurity should be rewarded through lower premiums, adding: "This would align to steps taken by insurers offering protection against wider business interruption and ensure that such risks were being appropriately managed by businesses and not just managed through insurance coverage."”

Which looks good in print, but sounds to me like compliance taken to the next level instead of truly focusing on the real issue: creating and maintaining a stalwart security posture, instead of just adding another layer of “bandages” into the mix.


So, is everyone ready to work for an insurance company?

Sunday, November 16, 2014

So...

this started out as a joke tweet about a new company called Misguided Security, a firm that, as the blog states, will "tell you what you want to hear and check all your boxes". The reason this is such a novel idea is that this is exactly what a lot of companies want from their security auditors: a report and a check-off sheet. But, as we all know, this is not what security is supposed to be about, in any shape or fashion.

Not sure what I will write about in this space, but it will be security related and most likely will involve some of the more insane tales that lead to security failures, hopefully with a humorous tone. We'll see where this blog goes in the future, as I'm notorious for abandoning blogs, but I'll try to make this one last if there is an interest.