Cyber Insurance, Vendor Risk Management & the black magic of risk rating. (Part 2 of 3)
I will start off by saying that this article is completely written from my experience as a cyber security consultant, talking to customers, and doing research on my own. The views in this article represent mine and only mine. This industry is rapidly moving and I am NOT in the insurance business. I welcome comments from those in that business, as it's a great business!
To pick up where we left off in Part 1: I talked about how insurance carriers look at regional regulations, the size of a company (people and revenue), and data collected from the public internet to determine risk. This data comes from internal systems the insurers have built, as well as from third-party risk rating companies. I also mentioned how companies are paying the same third-party cyber risk rating companies when considering doing business with other companies or in M&A situations. I then left you (hopefully on a cliffhanger) wondering how you can affect the risk rating you have been given. To do this, we have to look at the third-party cyber rating companies and understand how they work...
A risk rating company evaluates companies and reports on whether or not the company in question has a good security posture. To use a risk rating company, one simply pays a fee to access the data in the form of an interactive dashboard on a website. There are several (message me for a list), and they sell to insurers and to companies looking at their own vendors or at acquisition targets. So how can a cyber risk rating company know a company's security posture without access to its internal security architecture, network infrastructure, the systems in place, etc.? Obviously they aren't hacking in or asking to plug their box into a SPAN port on the edge router! Instead, they gather data from the "public" internet. Here are 6 ways, and I am staying away from technical deep dives (let the tech argument comments begin):
1) Honeypots - systems designed to attract malicious traffic such as botnet activity or hacking attempts. The source IP address of every connection to a honeypot is logged and cross-referenced with the address space thought to belong to your company. If there is a match (typically an infected or compromised host inside your network scanning the internet, or an address block that has been attributed to you by mistake), you get a higher risk rating.
2) Netflow analysis and "threat intel" - this looks at the source and destination IP addresses of traffic flows and cross-references them against a database of known "malicious" IP addresses. (The rating company has no view into your network, so this is built from whatever flow data it can obtain elsewhere.) It can also do statistical analysis to spot anomalies outside normal day-to-day traffic patterns. If what is thought to be your company's IP address is matched, or if your traffic shows anomalies, you get a higher risk rating.
3) Dark web / underground - the part of the internet that is not indexed by search engines. It is not all bad, but it hosts marketplaces that sell datasets such as financial databases and credential dumps, as well as malware development kits. Risk rating companies research (and pay for) this information heavily, and if anything attributed to your company shows up there (your IP addresses, usernames, credentials, employee names, internal domain names, databases, etc.), you get a higher risk rating.
4) Media outlets - publicly announced breaches and any bad press you have had in the past will increase your risk rating. They keep an eye on "security watch" websites as well, since those have been known to publish articles about breaches and hacks before the affected company is even aware.
5) What operating systems you run and what patch levels you are at. If traffic coming from what is thought to be your IP address space carries signs of outdated or end-of-life versions of Windows, Linux, or browsers (for example, version strings in browser user agents or service banners), your risk rating will be increased.
6) Port scans of servers thought to be owned by your company - this is an age-old method of finding open ports (SMB, RDP, etc.) as well as evaluating your website for holes. A risk rating company will, for example, read the web server type and version from its banner and cross-reference this with known vulnerabilities. If any version shows up as vulnerable, the risk is increased. One caveat: the banner is taken at face value, so a server whose distribution backports security fixes without changing the advertised version string can be flagged as vulnerable when it is not.
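To make the mechanics behind methods 1, 2 and 6 concrete, here is a small added example (my own illustration, not code from the article or from any rating vendor). It models the common thread in all of them: the rating company first decides which IP addresses it thinks are yours, then counts every honeypot hit, threat-intel listing, exposed service and vulnerable banner inside that address space against you. The company name, address blocks, honeypot log, threat-intel list, banner results, vulnerable-version table and scoring weights are all constructed for this example; real feeds derive attribution from WHOIS, BGP/ASN and DNS data, and their weights are proprietary.

```python
"""Toy model of a third-party cyber rating feed (constructed example, not
vendor code). Attribute public observations to a company, then score them."""
import ipaddress
import re
from collections import defaultdict
from typing import Dict, List, Optional, Set, Tuple

# Constructed: address blocks the rating company *believes* belong to each
# company. This mapping is the weak link: anything observed from a block
# wrongly attributed to you is scored against you.
ATTRIBUTED_NETWORKS = {
    "ExampleCorp": [
        ipaddress.ip_network("203.0.113.0/24"),
        ipaddress.ip_network("198.51.100.0/25"),
    ],
}

# Constructed honeypot log: "<timestamp> <source-ip> <dst-port> <event>"
HONEYPOT_LOG = """\
2024-03-01T02:14:07Z 203.0.113.45 22 ssh-bruteforce
2024-03-01T02:15:11Z 192.0.2.9 445 smb-probe
2024-03-01T03:01:59Z 203.0.113.45 23 telnet-login
"""

# Constructed "threat intel" feed of IPs someone reported as malicious.
THREAT_INTEL_IPS = {"203.0.113.200", "192.0.2.77"}

# Constructed banner-grab results: (ip, port, HTTP Server header or "").
BANNERS = [
    ("203.0.113.10", 443, "Apache/2.4.49 (Unix)"),
    ("203.0.113.11", 80, "nginx/1.24.0"),
    ("198.51.100.5", 3389, ""),
]

# Constructed stand-ins for a CVE database and a list of services that
# should never face the internet.
VULNERABLE_VERSIONS = {("Apache", "2.4.49"): "version with a known vulnerability"}
RISKY_PORTS = {23: "Telnet", 445: "SMB", 3389: "RDP"}

LOG_LINE = re.compile(r"^(\S+) (\S+) (\d+) (\S+)$")
BANNER_RE = re.compile(r"^([A-Za-z-]+)/([\d.]+)")


def attribute_ip(ip: str) -> Optional[str]:
    """Return the company the feed thinks owns `ip`, or None if unattributed."""
    addr = ipaddress.ip_address(ip)
    for company, nets in ATTRIBUTED_NETWORKS.items():
        if any(addr in net for net in nets):
            return company
    return None


def honeypot_hits(log: str) -> Dict[str, Set[str]]:
    """Method 1: company -> source IPs seen attacking honeypots."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for line in log.splitlines():
        m = LOG_LINE.match(line.strip())
        if not m:
            continue  # skip malformed lines instead of failing the whole run
        _ts, src, _port, _event = m.groups()
        company = attribute_ip(src)
        if company:
            hits[company].add(src)
    return dict(hits)


def threat_intel_hits(feed: Set[str]) -> Dict[str, Set[str]]:
    """Method 2: company -> IPs present on a malicious-IP feed."""
    hits: Dict[str, Set[str]] = defaultdict(set)
    for ip in feed:
        company = attribute_ip(ip)
        if company:
            hits[company].add(ip)
    return dict(hits)


def exposure_findings(banners) -> Dict[str, List[Tuple[str, str]]]:
    """Method 6: company -> ("port"|"version", description) findings.
    The banner is taken at face value, exactly as a scanner would."""
    findings: Dict[str, List[Tuple[str, str]]] = defaultdict(list)
    for ip, port, banner in banners:
        company = attribute_ip(ip)
        if not company:
            continue
        if port in RISKY_PORTS:
            findings[company].append(("port", f"{ip}:{port} exposes {RISKY_PORTS[port]}"))
        m = BANNER_RE.match(banner)
        if m and (m.group(1), m.group(2)) in VULNERABLE_VERSIONS:
            why = VULNERABLE_VERSIONS[(m.group(1), m.group(2))]
            findings[company].append(("version", f"{ip}:{port} runs {m.group(0)}: {why}"))
    return dict(findings)


def risk_score(company: str) -> Tuple[int, List[str]]:
    """Start at 100 and subtract per finding (weights are arbitrary here)."""
    reasons: List[str] = []
    score = 100
    for ip in sorted(honeypot_hits(HONEYPOT_LOG).get(company, set())):
        score -= 15
        reasons.append(f"honeypot: {ip} attacked a sensor")
    for ip in sorted(threat_intel_hits(THREAT_INTEL_IPS).get(company, set())):
        score -= 10
        reasons.append(f"threat intel: {ip} listed as malicious")
    for kind, text in exposure_findings(BANNERS).get(company, []):
        score -= 20 if kind == "version" else 10
        reasons.append(f"exposure: {text}")
    return max(score, 0), reasons


if __name__ == "__main__":
    total, why = risk_score("ExampleCorp")
    print(f"ExampleCorp rating: {total}/100")
    for reason in why:
        print("  -", reason)
```

Note that the unattributed addresses (192.0.2.9 on the honeypot, 192.0.2.77 on the feed) are silently dropped, while everything inside the blocks assigned to ExampleCorp counts against it, including the one host that hit two honeypots. The whole output rests on the attribution table being right.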
Let's assume you have invested in the best cyber security on the planet, you update all software regularly, your company has never been breached, and you truly have a great security program in place. You should be on the lower side of risk; however, it is very possible you have a very bad risk rating from a third-party cyber rating company, driving up costs and hurting your reputation. How is this possible? Please read Part 3 to find out!