2021-08-13 Patrick Walsh
How the Cyber Insurance Industry Can Stop Ransomware
Breaches are costly. You have to notify anyone whose data is or might be affected. You need to hire folks to come in and do forensics to help you understand how they got in, where they went, what they took, and what they changed. You have to fix the issues and rebuild all the compromised systems. You may have to engage a PR firm. You’ll likely need to provide identity theft insurance.
The average breach in the U.S. cost $9.05 million in 2020*, which is why businesses carry Cyber Insurance.
There is a set of security measures that all mature companies already have in place. These include transparent disk encryption, two-factor authentication, strong password requirements, network-level firewalls, web application firewalls, intrusion detection, encrypted communications with TLS, and a collection of policies and procedures from a framework like SOC 2 or one of the NIST frameworks.
But no one gets a gold star for these things. They’re table stakes. It’s the security equivalent of making sure your doors are locked at night. And these mature companies with these measures are the ones we see in the news every week for getting hacked or for losing days to a ransomware attack.
General liability insurance generally excludes anything related to a data breach. To cover breach costs, you need a special policy.
Insurance is simple. The insurer distributes risk among many policyholders where the individual risk for each insured is relatively low and the premiums of the many cover the losses of the few. But as cyber crime balloons, the chance that any given organization is breached has ballooned with it, which breaks the model. This leaves insurers with three levers to adjust: raise the rates, reduce the overall risk of the group, or reduce costs by covering less or lowering caps.
At my company, IronCore Labs, when we seek quotes for cyber insurance, the insurers just want to know how many servers and other devices we have and what high risk data we hold. Those are the factors that determine our rates. But this misses the fact that we’re an incredibly low risk company to insure. We do all the table stakes security items, but we also encrypt all of our customers' data end-to-end, so we can’t see anything sensitive. But that doesn’t matter to Cyber Insurers. Their models are too naive.
Arguably one of the biggest threats today is ransomware, which is just malware that lets an attacker monetize their access to a computer. But that extra trick makes it very popular with attackers and has allowed some groups to turn professional. This changes the dynamic of private-sector attacks. Before ransomware, most full-time professional and organized groups of hackers worked exclusively for governments.
But while some of these groups are more sophisticated, we’ve been defending against malware for decades now. Why isn’t this a solved problem?
In fact, the problem of malware, and by extension, ransomware, has been solved for years. But rather than embrace the technology that could fix the problem, most companies pretend that antivirus software will do it for them. Spoiler alert: it won’t. Antivirus is like a pair of well-worn shoes: you know they’re falling apart, but they’re just so comfortable you don’t want to give them up.
The first part of the solution has been around for years. In fact, your mobile phone probably already makes use of it. It’s something called Trusted Computing and amazingly, most computers already ship with the critical components it requires.
It works like this: when the machine boots, the firmware checks a signature on each piece of software before handing control to it (the bootloader, then the operating system kernel) and refuses to run anything that isn’t signed by a trusted vendor like Microsoft or Apple. That part is Secure Boot. Alongside it sits a chip called a TPM, which doesn’t block anything itself: it records a hash of each component as it loads into registers that can only be extended, never rewritten. That record is what lets the machine prove what it booted. A disk encryption key can be sealed to the expected measurements, so a tampered boot chain can’t unlock the disk, and the same measurements can be attested to a remote verifier.
Then the operating systems themselves make sure that they only run applications that are signed. So on an iOS device, each app is signed first by the developer and then, after a review, by Apple before it goes into the App Store. This is why malware is a near-zero problem for iOS devices.
Alas, it isn’t perfect. Malicious apps sometimes make it into app stores and from there onto people’s phones. And vulnerabilities in the operating system, the firmware, or the TPM itself can allow code to bypass the protections. On laptops, people can choose to disable them so they can install software that isn’t in an app store. But despite these issues, trusted computing is easily our most powerful tool for stopping malware, and it has support from all major software and operating system vendors.
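To make the measurement side of this concrete, here is an added example that is not part of the original post: a small Go simulation of how a TPM’s Platform Configuration Registers accumulate a boot chain, and why a key sealed to the expected register value stays locked once any stage changes. The boot stage strings, the "golden" value and the policy function are constructed for the example; on a real machine the firmware hashes the actual images and logs each event, and the TPM performs the extend and the policy check in hardware.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
)

// PCRExtend models the only write a TPM allows on a Platform Configuration
// Register: PCR_new = SHA-256(PCR_old || SHA-256(component)). A register cannot
// be set to a chosen value, so the final digest depends on every component
// extended into it and on their order.
func PCRExtend(pcr [32]byte, component []byte) [32]byte {
	digest := sha256.Sum256(component)
	return sha256.Sum256(append(pcr[:], digest[:]...))
}

// MeasureBoot replays a boot chain into a zeroed register, the way firmware and
// bootloader each record the next stage before handing control to it.
func MeasureBoot(stages [][]byte) [32]byte {
	var pcr [32]byte // PCRs are all-zero at power-on
	for _, s := range stages {
		pcr = PCRExtend(pcr, s)
	}
	return pcr
}

// PolicyAllowsUnseal is the check a TPM applies before releasing a secret that
// was sealed to a PCR value (what BitLocker, or LUKS with a TPM policy, relies
// on): release only if the live register equals the value recorded at seal time.
func PolicyAllowsUnseal(sealedTo, live [32]byte) bool {
	return hmac.Equal(sealedTo[:], live[:])
}

func main() {
	// Constructed stand-ins for the images a real firmware would hash.
	good := [][]byte{
		[]byte("firmware 1.2"),
		[]byte("bootloader signed by vendor"),
		[]byte("kernel 5.10 signed by vendor"),
	}
	sealedTo := MeasureBoot(good)
	fmt.Println("golden PCR:", hex.EncodeToString(sealedTo[:]))

	// A bootkit swaps the kernel. The firmware still measures whatever it loads,
	// so the register no longer matches and the sealed key stays locked.
	tampered := [][]byte{good[0], good[1], []byte("kernel 5.10 with rootkit")}
	live := MeasureBoot(tampered)
	fmt.Println("clean boot unseals:", PolicyAllowsUnseal(sealedTo, MeasureBoot(good)))
	fmt.Println("tampered boot unseals:", PolicyAllowsUnseal(sealedTo, live))
}
```

On a Linux server with a real or virtual TPM, `tpm2_pcrread sha256:0,7` from tpm2-tools shows the live registers this simulation stands in for; the point of the exercise is that nothing an attacker runs after boot can rewrite them back to the golden value.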
Sadly, you almost never see trusted computing used on servers. The computers that hold our most sensitive data use fewer security measures than the phones in our pockets. It’s mind-boggling.
One reason for this is that most people run their infrastructure in the cloud and cloud providers have only recently introduced support for virtual TPMs:
- GCP: The furthest along. Shielded VMs combine Secure Boot, a virtual TPM, and integrity monitoring that raises an alert when the measured boot sequence changes.
- Azure: Microsoft recently released a virtual TPM feature, currently in preview, called “Trusted Launch.”
- AWS: Does not offer customers any way to do this.
The other reason for the lack of adoption is laziness. SysAdmins like to install things at will and as needed on running servers, and a machine that will run any binary an admin drops on it will just as happily run any binary an attacker drops on it. That is an ideal breeding ground for ransomware.
As companies have become more adept at backing up their computers and testing those backups, ransomware briefly faded as a threat. Companies could just restore their files rather than pay the ransom.
So ransomware authors built in a new trick: data exfiltration. Now, before locking the data up, the ransomware first ships data to the hackers. Companies are then extorted: pay up or the data will be made public. For companies holding sensitive customer data, preventing it from becoming public is extremely motivating.
Again, we’ve had a solution to this problem for years: application-layer encryption or ALE.
Today, when stored data is encrypted at all, it’s typically done transparently at the disk level. This is an important measure that protects against data loss when media is stolen or when hard disks are thrown away. It also checks all the data protection boxes necessary for NIST, ISO standards, HIPAA, and other regulations. But it doesn’t do anything to stop a hacker from accessing data on a running machine: the operating system decrypts every block for whoever can read the file, attacker included.
And unfortunately, low-level transparent encryption is the only data protection that AWS, Azure, and GCP apply to their storage services by default.
Application-layer encryption combines encryption with access controls. The data is encrypted in the application before it’s sent to the database or disk. Only authorized users or services can decrypt it.
Full disclosure: I co-founded IronCore Labs to make application-layer encryption more accessible to everyone. I hold a deep belief that this is the path we as an industry must travel to fix our security woes.
With application-layer encryption enabled, hackers, curious administrators and service providers with access to the machines don’t get free access to the protected data just because they can read the disk or the database.
Additionally, with ALE, companies can enforce audit trails for all data access that can’t be bypassed, because every decryption has to go through the service that holds the keys. Those trails are invaluable when investigating an incident and for compliance purposes.
A ransomware attack on a company using ALE will hand the attackers a pile of ciphertext that is useless without the keys. And if that’s all they get, and the keys weren’t taken along with it, then a company typically doesn’t have to disclose the breach publicly, which drastically reduces the costs of the incident.
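As an added example, not IronCore’s code or API, the Go program below sketches the pattern described in the last few paragraphs: values are encrypted in the application with a per-tenant key before they reach the database, the tenant and field name are bound in as associated data so a ciphertext can’t be moved to another row or column, every decryption goes through one authorization check that writes an audit entry, and a dump of the stored records contains no plaintext. The `Vault` type with its in-memory key map and grant table is a stand-in for a real key service and access policy; the tenant, principal and sample value are constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Record is all the database ever holds for a protected field: a random nonce
// and AES-GCM ciphertext. Tenant and Field double as the associated data, so a
// ciphertext copied into another tenant's row fails authentication on decrypt.
type Record struct {
	Tenant, Field     string
	Nonce, Ciphertext []byte
}

// AuditEntry is recorded on every decrypt attempt, allowed or denied.
type AuditEntry struct {
	Principal, Tenant, Field string
	Allowed                  bool
}

// Vault stands in for the key service and access policy the application
// consults (constructed for this example); keys never reach the database tier.
type Vault struct {
	keys   map[string][]byte // tenant -> data encryption key
	grants map[string]bool   // "principal\x00tenant" -> may decrypt
	Audit  []AuditEntry
}

func NewVault() *Vault {
	return &Vault{keys: map[string][]byte{}, grants: map[string]bool{}}
}

// Grant authorizes principal to decrypt data belonging to tenant.
func (v *Vault) Grant(principal, tenant string) { v.grants[principal+"\x00"+tenant] = true }

// tenantCipher returns an AEAD for the tenant's key; with create set, a fresh
// 256-bit key is generated on first use (tenant onboarding).
func (v *Vault) tenantCipher(tenant string, create bool) (cipher.AEAD, error) {
	key, ok := v.keys[tenant]
	if !ok && !create {
		return nil, errors.New("no key for tenant")
	}
	if !ok {
		key = make([]byte, 32)
		if _, err := io.ReadFull(rand.Reader, key); err != nil {
			return nil, err
		}
		v.keys[tenant] = key
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt runs inside the application before the value is handed to storage.
func (v *Vault) Encrypt(tenant, field string, plaintext []byte) (Record, error) {
	gcm, err := v.tenantCipher(tenant, true)
	if err != nil {
		return Record{}, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return Record{}, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, []byte(tenant+"/"+field))
	return Record{Tenant: tenant, Field: field, Nonce: nonce, Ciphertext: ct}, nil
}

// Decrypt is the only path back to plaintext. The policy check and the audit
// entry happen before any key is touched, so reading the database directly
// yields neither plaintext nor a way around the log.
func (v *Vault) Decrypt(principal string, r Record) ([]byte, error) {
	allowed := v.grants[principal+"\x00"+r.Tenant]
	v.Audit = append(v.Audit, AuditEntry{principal, r.Tenant, r.Field, allowed})
	if !allowed {
		return nil, errors.New("access denied")
	}
	gcm, err := v.tenantCipher(r.Tenant, false)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, r.Nonce, r.Ciphertext, []byte(r.Tenant+"/"+r.Field))
}

func main() {
	v := NewVault()
	v.Grant("billing-service", "acme")
	rec, _ := v.Encrypt("acme", "ssn", []byte("123-45-6789")) // constructed sample value
	_, err := v.Decrypt("curious-admin", rec)                 // not granted: denied and logged
	fmt.Println("admin decrypt:", err)
	pt, _ := v.Decrypt("billing-service", rec)
	fmt.Printf("authorized decrypt: %s, audit entries: %d\n", pt, len(v.Audit))
}
```

The design choice worth noticing is where the check lives: the database has no key and no policy, so an attacker who exfiltrates the table, or an admin who reads it, gets only `Record` values. Whoever runs the application tier with a valid grant is still a target, which is why the keys and the audit log belong in a separate service rather than next to the data.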
The way things are going, Cyber Insurers will have no option but to aggressively increase their rates. And, frankly, I think they should. Just not for everyone.
Insurers need to ask the right questions, rate companies on their actual risk of losing data as well as the likely costs if a breach does occur. In short, they need to get a better handle on the risk in their portfolio. Then they need to incentivize the measures that reduce that risk by encouraging companies to
- fix the problem of rogue software, and
- fix the epidemic of unsecured data.
Even more than government, Cyber Insurers are in a position to exert systemic pressure on the tech industry that improves overall security and reduces the risk of breaches across the board.
By tying rates to measures like Trusted Computing and Application-layer Encryption, companies will have clear and unmistakable reasons to do more than the table-stakes security we see today. It’s a win-win-win: the tech industry experiences fewer breaches and an increase in consumer trust; insurers get a more profitable and less risky line of business; and end users don’t have to get near-constant notices about their data being stolen.