P&C the July/August 2015 issue

Beginning at the End

Identifying a hacker at the endpoint substantially reduces your discovery time for detecting an invasion.
By Dan Bonnet Posted on July 28, 2015

Nonetheless, it’s your responsibility to do everything you can to secure the personal information of your prospects and clients. To help you do that, some of your favorite people at the National Association of Insurance Commissioners have released a set of guidelines.

The NAIC’s “Principles for Effective Cybersecurity: Insurance Regulatory Guidance” looks to state insurance regulators “to ensure that personally identifiable consumer information held by insurers, producers and other regulated entities is protected from cybersecurity risks.”

Basically, the two-page document says people working in the insurance industry need to protect personally identifiable information and recommends they follow a nationally recognized cyber-security standard, such as that of the National Institute of Standards and Technology (NIST) framework. The NIST framework is composed of top security practices recommended by the most respected cyber-security organizations from a variety of industries. Although the NIST framework is written in non-technical language, you will still need to work with a cyber-security professional to help you diagnose your network and analyze what steps you need to take to secure your network. The framework is no magic potion, but it will help you understand the preventive measures you need to take to block most attacks, and it will guide you on how to quickly detect and respond to a breach before much damage has been done.

At some point, all businesses will experience a breach—no matter how many layers of protection they have. It’s important to recognize the breach immediately and get the attackers out of your network quickly before your data are stolen. It takes about 48 days for most organizations to recognize they’ve been breached, according to the Ponemon Institute. But it’s important to remember you can spot anomalous activity as soon as it occurs when you continuously monitor your network and endpoints, such as servers, laptops and workstations.

It takes about 48 days for most organizations to recognize they’ve been breached.

The Endpoints

These days, most attacks start with the endpoint user via a phishing email. If an insurance company has a firewall and an intrusion detection system/intrusion prevention system (IDS/IPS) around its network and more firewalls and IDS/IPSs around the most valuable servers that contain client data, it’s not going to be easy to break into the network from the outside.

It’s far easier to send a well-crafted phishing email to a large number of employees. All it takes is for one curious employee to open it and click on a malicious link or attachment to compromise one computer. Then the attacker can traverse his way through the network into your most prized servers. Since the employee is inside your network, your perimeter defenses (the firewall and IDS/IPS) that usually block iffy traffic won’t block the malware because your users’ computers sit inside the perimeter. The firewall won’t block users’ computers that sit inside the network.

Even your antivirus (AV) software often doesn’t block the malware when users click on malicious links or attachments because attackers create hundreds of new malware programs every day. Before sending the malware to their prey, the cyber criminals test it on AV products to make sure it slides by them. Once inside just one of your endpoints, attackers can use tools that help them discover login credentials for other users and administrators to traverse your network. 

A firewall won’t block users’ computers that sit inside the network.

You can minimize a breach if you have endpoint threat detection, which alerts you to anomalous activity as soon as it is detected. A company administrator can install endpoint sensors remotely, enabling the endpoints to be continuously monitored when connected to the network. This allows you to discover rogue activity almost immediately. Think of it as an early-warning system that an intruder may have just entered the network.

In a 2013 study, the Ponemon Institute says on average the most sophisticated attacks—known as Advanced Persistent Threats—go undiscovered for 225 days, a delay that respondents attributed to a lack of sufficient endpoint security tools. The later you are at stopping the attackers, the more time you give them to access data and the more time and costs you incur to expel them from your network.

An employee working on a laptop who inadvertently clicks a link on a malicious website could trigger malware to be downloaded to his or her computer. If the employee is away from the office and not connected to the network when the breach begins, the endpoint detector would notice the unusual activity and alert your security team as soon as the employee connects to the network. If the employee’s computer is already connected to the network when the malicious link is clicked, the security team would be alerted immediately.

What might this anomalous activity look like? It could be any one of a hundred things. It could be as simple as files being accessed by privileged system accounts rather than by authorized users. Or it could be an addition or subtraction of some part of a computer system. For example, attackers often add a DLL, or a Dynamic Link Library, which contains code that can be used by different programs in a Windows operating system. Windows has 172 DLLs, so if there are 173 DLLs in an endpoint, an attacker has likely broken into an endpoint and instructed his malware to download a rogue DLL that performs malicious activities.

Endpoint threat detection devices are best managed by security experts who can quickly analyze whether the alert is valid and, if so, can discern how the attackers entered the network, what damage they’ve caused since entering and how to get them out and close all the back doors so they can’t re-enter.

The NAIC and NIST offer no panacea, just guidance to protect your confidential data. When you’re monitoring your network and endpoints 24/7, you are more likely to get the attackers out so quickly that private data remain just that.

More in P&C

Council Q3 2024 P/C Market Survey Results
P&C Council Q3 2024 P/C Market Survey Results
More premium increase moderation, but umbrella sees effects of social inflation....
P&C Weathering Cyber Storms
Q&A with Joshua Motta, CEO and Co-Founder, Coalition
Certified Cybersecurity
P&C Certified Cybersecurity
HITRUST certification can give small to medium-sized businesses peace of mind th...