Merlin Labs Memo -- Week of May 15-19
Famous Insurance Market Drops Coverage for State-Sponsored Cyber Attack Damages
Lloyd’s of London, one of the most famous insurance markets, has made the decision to put protections in place to stop coverage of damages caused by state-sponsored cyberattacks. Quoting a study putting ransomware payments in the ballpark of $457 million in 2022, the article reminds readers of just how expensive cyberattacks are. An increasing amount of the infrastructure supporting our day-to-day lives is dependent on IT, making the effects of a successful breach potentially catastrophic to the insurance industry. Further, there continues to be a widespread failure of organizations to take the steps necessary to mitigate the risk of adversarial threat actors. While breaches will happen, a huge number of those breaches could have been stopped altogether or their impacts severely limited had the victim organizations simply practiced good cyber hygiene. Business leaders and CIOs everywhere should see Lloyd’s decision as motivation to invest more heavily in their cybersecurity operations. -- Via Infosecurity Magazine
Our Take: This is the kind of wake-up call nobody wants but we all apparently need. When the insurance industry stops covering certain types of damages, it’s because the likelihood of a financially insurmountable event is so high that they simply cannot take the chance. Translation: we’ve collectively allowed ourselves to negligently operate and blindly trust IT systems for every facet of our daily lives without appropriate regard for the degree of risk or the cost of a “highly likely” cyber disaster headed our way. We live in denial that it will happen to us despite the overwhelming evidence reflected in daily “latest cyber breach” headlines. Lloyd’s just told us that it very likely WILL happen to us. Are we listening yet?
Whether Lloyd’s decision is an isolated case or the first of many to come, the message is clear: it’s past time to embrace the threat landscape and the criticality of proactive cybersecurity mitigations. And because this story presents an overwhelming conundrum, I'll borrow some wisdom from Winston Churchill and say: when looking at the massive cybersecurity improvement task in front of you, don’t let perfection be the enemy of progress. For starters:
- Identify and reinforce protective controls (limited access, FIPS encryption) around the most critical data and system functions and build from there
- Patch the highest-priority vulnerabilities
- Establish a process for backup and recovery of critical systems
- Clean up and cinch in user accounts and role-based access
- Turn on encryption and run software in FIPS mode wherever possible
- Reconsider requirements around multi-factor authentication (MFA)
- One by one, re-visit the security tools in your stack and make sure they are implemented and configured based on the industry and manufacturer’s best practices
Before you know it, you will have significantly improved your cybersecurity posture and be well on your way to a much healthier and hacker-resistant IT operation. A full-on resilient, phishing-resistant, anti-ransomware, least-privilege, zero trust architecture doesn’t happen in a day; rather it happens by making sure every day involves taking a few steps in the right cybersecure direction. -- Sarah Hensley
Additional Reading:
- What is cybersecurity insurance (cybersecurity liability insurance)? (TechTarget)
- Lloyd’s of London battles insurers over ‘state-backed’ cyber attacks (Financial Times; paywall)
- Bank of America concerned by Lloyd’s cyber war insurance exemption clauses (Tech Monitor)
- New Lloyd’s of London cyber insurance exclusions land amid “a certain amount of panic” (The Stack)
Phishing 2.0: Enter the Deepfakes
I just completed my annual security training. It included tips on how to spot phishing emails – look for the spelling mistakes, the bad grammar, things like that. And those are still sound signs of a human-generated phishing email. Now imagine the same attacker using AI tools to fix those grammar and spelling mistakes and we’re deprived of two major sniff tests for detecting phishing. Worse, with just a few seconds of a voice sample, AI-generated voice scams can sound exactly like someone else that you may know. Sure, there are odd pauses and vague answers now, but we all know the inexorable march of technology will mean that those issues will be engineered out eventually. What do we do to protect ourselves?
Our Take: Fortunately, my phishing training gave me other tools, and these will be our salvation. Even if the Caller ID looks right or the reply-to email adds up, when we get unusual requests involving urgency, money, and/or elevated access, we need to ask questions. We need answers that an AI trawling publicly available information correlated to ourselves and the person contacting us won’t have access to. If we get a call from a loved one or business associate, offer to call them back. Chances are, the AI on the phone would reject that offer, but a real person would accept it as a sadly necessary security protocol.
We have legitimate worries about propaganda deepfakes – social engineering for the masses – but we also need to be concerned about the one-on-one, data-driven social engineering that AI makes possible like never before. -- Dean Webb
Additional Reading:
- Chatbots, deepfakes, and voice clones: AI deception for sale (FTC)
- Audio deepfake scams: Criminals are using AI to sound like family and people are falling for it (Euronews)
- Voice deepfakes are calling – here’s what they are and how to avoid getting scammed (The Conversation)
Readers of our Newsletter: What’s working, what’s not, and what’s on your mind? Leave a comment below or email [email protected]. Thank you!