Does having breach insurance matter?

What I’ve Been Thinking About

My first exposure to breach insurance was when I was a security director and our company needed to add a policy. I was tasked with filling out the security-related portions of the application, and I found it quite challenging. It was a series of yes or no questions, and I didn’t truly grasp the depth of our security program. The questions also forced me into what I felt was a slight moral dilemma. They sought strict answers to nuanced problems, and I found it hard to answer yes to some things when we were still in the process of improving. This was frustrating, and I found it odd that this basic questionnaire was supposed to correctly reflect our risk posture and consequently determine what our premiums should be. But I also knew it was important to have the insurance, especially with the rise of ransomware and incidents. This was several years ago, and as time has gone on we’ve seen a continued rise in the cost of breach insurance and a continued decrease in the coverage it provides. So this leads to the question of whether it truly matters to have breach insurance, versus investing that money into your security program and effectively self-insuring. Truthfully, breach insurance is needed, for many reasons. Breach insurance does help when it comes to incident response and breach notification support. Insurers also typically have discounted retainers with IR firms to help with investigations. And if you’re doing business with any large enterprise, those enterprises will require you to have insurance with minimum coverages. So having breach insurance is necessary and important.

But it does raise the question of how insurance coverage and providers can improve. Insurance providers need to incorporate the policy holders' security trends over time rather than simple snapshots at policy renewal. This data will also continue to be valuable over time to help identify conditions that may lead to more (or fewer) breaches. Continuing to focus on cyber hygiene and proactive security is where insurance providers have a great opportunity. There also needs to be a better standard for communicating risk posture across companies. This risk scoring standard should be public and well understood. Finally, investments should be geared toward helping companies avoid a breach. Insurance companies could work with service providers and vendors to provide discounts on proactive assessments and tooling to support improved posture and hygiene. It’s extremely valuable to have IR retainers when you need them, and this concept should be taken to the proactive side of the house as well. I view this similarly to how health insurance needs to continue to focus on wellness and preventative health, like paying for gym memberships, nutrition education, etc.

In summary, it is important to have breach insurance. However, I think that the insurance industry must continue to focus on a better system for understanding the risk posture of companies and providing the right level of coverage for them and their needs. Additionally, they should not just be providing retainers for IR providers, but also for proactive assessments and preventative tooling as well. As companies, we need to continue to focus on proactively identifying our biggest risks, the threat actors to which we are susceptible, and how we are improving our prevention and detection capabilities around said threats to avoid major breaches. The closer we all are to a standardized view of risk, the better off everyone will be with respect to breach insurance. Here is an interesting report from NAIC summarizing some research on the breach insurance market. There is a lot more I could dive into on this topic, but I’m curious to know your opinions of the breach insurance market and its current state.



Hackathon culture

My Musing on Leadership

As we begin to wind down the calendar year, you’re likely wrapping up annual planning as well as envisioning what your goals are for next year. As you do this, you may consider working a hackathon into your annual plan. Some may be familiar with hackathons, but others may not. Others may hear the term hackathon and think that it’s purely a technical exercise. But that isn’t always the case. Generally speaking, a hackathon is an event that dedicates time for your team to work on a discrete problem or project and then show off their results at the end. It’s an opportunity for your team to take a small break from their daily routine and unleash some creative juices.

The goals of a hackathon can vary, but they really should be geared toward building a culture of innovation, learning new skills, and building teamwork. If you haven’t participated in or conducted a hackathon before, I highly recommend looking into it. You can start small and grow from there. Many companies will make it a big company-wide event that is looked forward to every year, while others may leave them to individual teams. When you do engage in a hackathon, I think you’ll be surprised by what it can accomplish. I’m not an expert in hackathons, but here are a few tips I’ve picked up along the way on how to structure and run them:

  • Scheduling: Give your team enough notice to plan for the hackathon. When scheduling it, I’ve seen it work best to give the team 1-2 business days to work on their projects but carry the event over a weekend, giving them time to wrap it up without putting too much pressure on the business. Then schedule your end-of-hackathon party and awards ceremony, where the teams will present their projects. It’s a great time to show off all the cool work.

  • Minimal structure: It’s important to set a few guidelines for the hackathon, but not have it be too structured. Typically I’ve seen the structure be that the project has to tie back to the business in some fashion. Whether it’s learning a new skill, converting that cumbersome spreadsheet to a database, or rapidly prototyping the next business line, it’s always fascinating to see what people choose to do. And you may also learn a little about areas of your business that need improvement. The most important aspect of your guidelines is to ensure that each team presents their project at the end. This provides some level of accountability and also sets a distinct timeline for completion. Completion is defined loosely, depending on the project. For example, a team may just complete the design phase of a larger project and present their findings.

  • Encourage teamwork: Some people may pick a project and go it alone, but it’s also important to encourage people to team up and work together on a project. What I’ve seen work best is to have a centralized web page, like a wiki page, where people can register an idea for a project and state whether they want/need help and what types of skills they are looking for. This is also fantastic for cross-functional team members to connect.

  • Seek creativity and innovation: Don’t be too judgemental on what individuals or teams choose for their projects. As long as they’ve stayed within the guidelines you set forth, let it slide. The goals are to encourage creativity and innovation, and you never know what the results will be.

  • Give Awards: As I mentioned before, you should schedule an end-of-hackathon party and this is where each team can present their project. Make this a fun, relaxing, and celebratory event. I encourage coming up with awards that revolve around the goals of the hackathon. You can give an award to the best overall project, best presentation, most creative, most promising, etc. The world is your oyster in terms of awards to hand out, but have fun and make it a rewarding experience for everyone.

As you can probably tell, I’m a fan of hackathons and encourage you to explore them as well if you don’t already. Remember, they don’t have to be tech focused events and can be applied to any business. I’d love to hear more about your hackathon adventures.



All neighbors require good fences

My Thoughts on the Latest Cybersecurity Headlines

Having been a pentester, I had to nerd out a little on the recently disclosed Nearest Neighbor Attack, not only for a better understanding of how it works but also for how companies may need to mitigate risk around it. Volexity goes into depth about how they detected this novel compromise, but in simple terms, the Russian APT GruesomeLarch, also known as APT28, deployed this new attack technique to compromise an organization via its WiFi networks without direct physical proximity. How does one access WiFi without direct physical proximity? By first compromising one's neighbor(s). This is what happened with APT28: they started their attack by compromising organizations neighboring their target. After compromising said neighbors, the attackers continued to pivot through the neighboring organizations until they found a dual-homed machine that was within WiFi range of the target. From there the attackers were able to pivot into the target’s WiFi network and proceed with further compromise. Fascinating, creative, and scary.

It should be noted that this attack was largely conducted via commonly known living-off-the-land techniques. The initial vector into the target was a traditional technique: password spraying. But the mechanism for delivery was unique. You see, the organization did have Multi-Factor Authentication (MFA) enabled for its external-facing services like VPN, etc. But it didn’t have MFA enabled for its WiFi authentication, thus allowing a standard password spraying attack to succeed and gain initial access.

So what should we take away from this? First, it highlights that zero trust truly means zero trust. You must layer protections everywhere and deploy controls across all access vectors. Second, strong passwords and password policies are still important, and MFA needs to be deployed at any and all entry points to the network. Finally, be proactive. Think like an attacker and outside the box. Understanding your threats, their techniques, and how you can identify them is critical to surviving your security battles. The best approach to security is understanding how threat actors operate and how your controls stand the test of either detection or prevention.
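The password spraying step described above has a detectable shape in WiFi authentication logs: one source failing against many distinct usernames in a short window, as opposed to many failures against one account. The following is an added example, not code from this post or from Volexity's write-up; it runs over constructed RADIUS-style log lines in an assumed simplified format (`<ISO timestamp> <source> <username> <result>`), and the thresholds are assumptions to tune per environment.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample WiFi (RADIUS-style) authentication log lines, not real data.
# Assumed format for this example: "<ISO timestamp> <source> <username> <result>".
SAMPLE_LOG = """\
2024-11-20T09:00:01 ap-lobby-01 alice FAIL
2024-11-20T09:00:03 ap-lobby-01 bob FAIL
2024-11-20T09:00:05 ap-lobby-01 carol FAIL
2024-11-20T09:00:07 ap-lobby-01 dave FAIL
2024-11-20T09:00:09 ap-lobby-01 erin FAIL
2024-11-20T09:00:11 ap-lobby-01 frank SUCCESS
2024-11-20T09:05:00 ap-floor2-03 alice FAIL
2024-11-20T09:05:30 ap-floor2-03 alice FAIL
2024-11-20T09:06:00 ap-floor2-03 alice SUCCESS
"""


def parse_line(line):
    ts, source, user, result = line.split()
    return datetime.fromisoformat(ts), source, user, result


def detect_spray(log_text, window=timedelta(minutes=10), min_users=5):
    """Flag sources that fail authentication for many distinct usernames in one window.

    A spray tries one or a few passwords against many accounts, so the signal is
    breadth of usernames per source, not depth of failures per user (repeated
    failures on a single account are a brute force, which lockout policy handles).
    """
    failures = defaultdict(list)   # source -> [(timestamp, user)]
    successes = defaultdict(set)   # source -> users that authenticated successfully
    for line in log_text.strip().splitlines():
        ts, source, user, result = parse_line(line)
        if result == "FAIL":
            failures[source].append((ts, user))
        else:
            successes[source].add(user)
    alerts = {}
    for source, events in failures.items():
        events.sort()
        for i, (start, _) in enumerate(events):
            users = {u for t, u in events[i:] if t - start <= window}
            if len(users) >= min_users:
                # Successful logins from the same source are the accounts to review
                # first: one of them may be the credential the spray found.
                alerts[source] = {"distinct_users": len(users),
                                  "successes_from_source": sorted(successes[source])}
                break
    return alerts
```

In the constructed sample, the lobby access point shows five usernames failing within seconds followed by a success, while the second source is one user mistyping a password and is not flagged.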



Referenced Sources

https://content.naic.org/sites/default/files/cmte-h-cyber-wg-2024-cyber-ins-report.pdf

https://www.volexity.com/blog/2024/11/22/the-nearest-neighbor-attack-how-a-russian-apt-weaponized-nearby-wi-fi-networks-for-covert-access/

https://www.darkreading.com/cyberattacks-data-breaches/fancy-bear-nearest-neighbor-attack-wi-fi

More articles by Daniel DeCloss