You’ve Been Hacked

“We regret to inform you that, you’ve been hacked”

Ha!

Following the Florida Association of Professional Employer Organizations (FAPEO) conference in Tampa this past summer, I had to skip a flight to Las Vegas to visit with Brother Abram Finkelstein and his extended StaffLink family.  Little did I know that such a seemingly mundane flight to “Sin City” would frighten the hell out of me, and for once not just because I was 40,000 feet in the sky.  As I sit on another flight, this time to San Antonio for the National Association of Professional Employer Organizations (“PEO”) annual conference, it occurred to me that I had not yet shared this story with my extended family.

I sat on the aisle, and beside me were a couple of gentlemen who appeared to be already “Vegas-ready”.  Both in their thirties, one white and one black, they appeared to be close friends.   As usual, I was trying to clean out my second home (aka my inbox), minding my own business, when I heard “You going to Defcon?” from the seat next door.

I paused; I had heard of Defcon and knew that it was a big cyber/computer-related conference, but answered no.  Being a computer/data nerd who sells property and casualty insurance, including cyber coverage, I started to ask some questions.  My curiosity was now piqued.

The cyber market is extremely dynamic at present, with both the frequency and severity of cyber events being moving targets.  Too many people with too much time on their hands and open access to “loot” through the world wide web.  Due to my intrigue, and with four hours to spare, I got a quick overview of the biggest hacker convention/bash in the world.

“I’m not going, but have heard of it.  What is Defcon about?” 

For those interested in the history behind Defcon, it was founded in 1993 by self-proclaimed hacker Jeff Moss. That first year, Jeff’s parents left him in Las Vegas for a weekend.  Bad idea. Shortly thereafter, one hundred invited hackers from the US and Canada converged on the desert and created what is now the world’s largest and most notable hacker convention, still held annually by Mr. Moss, and always in Las Vegas, Nevada.  Many documentaries have been made about this event and the incredible history behind it, several of which I have since checked out.  It deserves a mini-series, never mind an article, of its own.

Now split into two conferences held back to back in the same week, “Black Hat” and “Defcon”, attendees at both events include computer security professionals, journalists, lawyers, federal government employees, security researchers, students, and hackers with a general interest in software, computer architecture, hardware modification, conference badges, and anything else that can be “hacked”.  The event consists of several tracks of speakers on computer- and hacking-related subjects (https://forum.defcon.org/node/236142).  Black Hat is geared more toward the cyber professionals, engineers and law enforcement whose job is to prevent hacks: a higher-cost and more formal event.  Defcon is for anyone and everyone.  The “curriculum” for Defcon is widely varied, with many contests and prizes based on who can hack whom, including the Defcon tickets themselves. That’s the fun of it all.

My internal IT department was less than enthused about “the fun of it all” once it was understood I was going to be in the cyber equivalent of Beirut.  Hacking is encouraged and celebrated, and if you are not careful you become an unwitting participant in the theater.   This is where the hackers and the enforcement that tracks them converge.  The “white hats” use their knowledge for good: protection and identification of perils.  The “black hats” use the same knowledge, or new technologies and intelligence, for malicious intent.  It is the “gray hats” that create the murkier quandary; the vigilantes of the cyber community, they probe systems without permission and may sell or hand what they find to either side, arguably making them the most dangerous, since neither the purpose of their work nor who is behind it is known.

Defcon was virtual last year (2020), so, according to my two new friends, it was sure to be an “out of control” cyber bash in 2021.  Some of the highlights they were looking forward to attending:

  • A follow-up to the 60 Minutes special on “could the election have been hacked?”
  • The ease of “pirating” any commercial marine vessel without ever going aboard; in essence, taking over all command of a c-5 vessel through nothing but the internet
  • “Sky Talks”: hackers (black, white or gray hat) go into a sealed-off room and, without revealing their identity, explain some act of hacking that moves the needle one way or another
  • Finding fellow ham radio operators, because “what are you going to do if the grid goes down?”

As we continued our discussion, my new friend Tom, probably seeing the fear in my eyes, made the comment “one really should not use the public wi-fi”.  I nervously chuckled, as of course, my computer was connected to the airplane’s wi-fi.  He proceeded to turn his computer towards mine, where my inbox appeared on his screen, and with a big smile asked, “do you want to send your mom an email”. Ha! Big smiles…

This type of attack, very common on open networks, is called a “man in the middle” (or “machine in the middle”).  The attacker positions their machine between your computer and the network so that your traffic passes through it on the way out.  Anything you send unencrypted over that connection, passwords, emails, health info, share drives… anything, can be read or altered in transit, and with a captured session the attacker can act as you.

Getting into my system, finding the name of my mother and teeing up an email in Outlook to her took all of three minutes… maybe.
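To make concrete what a man in the middle on an open Wi-Fi network actually gets to read, here is an added example (my own illustration, not code from the newsletter or from anyone at Defcon). It builds two constructed TCP payloads, a plaintext HTTP request from a mail client and a TLS ClientHello to the same mail server, and parses each the way an on-path attacker would. The hostname mail.example.com, the cookie and the credentials are made up for the illustration.

```python
"""Added example: what an eavesdropper on the same network can recover from
a plaintext HTTP request versus a TLS connection. Both payloads are
constructed inline; nothing here touches a real network."""
import struct
from typing import Optional

# Constructed sample: what an unencrypted mail/web client might send.
PLAINTEXT_HTTP = (
    b"GET /inbox?folder=Inbox HTTP/1.1\r\n"
    b"Host: mail.example.com\r\n"
    b"Cookie: session=abc123\r\n"
    b"Authorization: Basic dXNlcjpwYXNzd29yZA==\r\n"
    b"\r\n"
)

HTTP_METHODS = (b"GET ", b"POST ", b"PUT ", b"DELETE ", b"HEAD ", b"OPTIONS ", b"PATCH ")


def build_client_hello(server_name: str) -> bytes:
    """Build a minimal TLS 1.2 ClientHello record carrying only an SNI extension.
    Constructed so there is something to parse; not a complete handshake."""
    host = server_name.encode("ascii")
    sni_entry = b"\x00" + struct.pack("!H", len(host)) + host     # name_type host_name
    sni_list = struct.pack("!H", len(sni_entry)) + sni_entry
    sni_ext = struct.pack("!HH", 0, len(sni_list)) + sni_list     # extension type 0
    extensions = struct.pack("!H", len(sni_ext)) + sni_ext
    body = (
        b"\x03\x03"             # client_version: TLS 1.2
        + bytes(32)             # random (zeroed for the illustration)
        + b"\x00"               # session_id length 0
        + b"\x00\x02\xc0\x2f"   # one cipher suite
        + b"\x01\x00"           # compression: null only
        + extensions
    )
    handshake = b"\x01" + len(body).to_bytes(3, "big") + body   # HandshakeType client_hello
    return b"\x16\x03\x01" + struct.pack("!H", len(handshake)) + handshake


def parse_sni(record: bytes) -> Optional[str]:
    """Walk a ClientHello and return the server_name, the one thing TLS leaves in clear."""
    try:
        if record[0] != 0x16 or record[5] != 0x01:
            return None
        pos = 5 + 4 + 2 + 32                 # record hdr, handshake hdr, version, random
        pos += 1 + record[pos]               # session_id
        (cs_len,) = struct.unpack_from("!H", record, pos)
        pos += 2 + cs_len                    # cipher_suites
        pos += 1 + record[pos]               # compression_methods
        (ext_len,) = struct.unpack_from("!H", record, pos)
        pos += 2
        end = pos + ext_len
        while pos + 4 <= end:
            ext_type, length = struct.unpack_from("!HH", record, pos)
            pos += 4
            if ext_type == 0 and record[pos + 2] == 0:          # server_name, host_name
                (name_len,) = struct.unpack_from("!H", record, pos + 3)
                return record[pos + 5 : pos + 5 + name_len].decode("ascii")
            pos += length
    except (IndexError, struct.error, UnicodeDecodeError):
        return None
    return None


def parse_http_request(payload: bytes) -> dict:
    """Plaintext HTTP: request line and every header are readable as-is."""
    head, _, _ = payload.partition(b"\r\n\r\n")
    lines = head.decode("latin-1").split("\r\n")
    method, path, _ = lines[0].split(" ", 2)
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return {"protocol": "http", "method": method, "path": path, "headers": headers}


def what_an_eavesdropper_sees(payload: bytes) -> dict:
    """Classify one TCP payload and return the fields an on-path attacker recovers."""
    if payload[:2] == b"\x16\x03":
        return {"protocol": "tls", "server_name": parse_sni(payload)}
    if payload.startswith(HTTP_METHODS):
        return parse_http_request(payload)
    return {"protocol": "unknown"}


if __name__ == "__main__":
    print(what_an_eavesdropper_sees(PLAINTEXT_HTTP))
    print(what_an_eavesdropper_sees(build_client_hello("mail.example.com")))
```

The plaintext request hands over the session cookie and the Basic credentials outright; the TLS connection to the same server exposes only the hostname in the SNI field. That gap is why “don’t use public Wi-Fi” is really “make sure everything you do on it is encrypted end to end”.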

After the fear settled down, I came to a very personal realization that we all need someone like Tom in our lives to help us navigate the cyber threats that accelerate by the day.  The convenience and efficiency of the internet, and all it brings us, is scattered with perils unknown to most anyone who is not an expert in it.  And if you are an expert today, tomorrow is yesterday in this field, at the rate it is growing in intellect, opportunity and impact.  With our lives now revolving around a “wi-fi Sun”, our control of who comes in and out of our “digital lawns” will be paramount in protecting our businesses, and ourselves. Make sure to build a fence and lock your doors, because to our hacker friends, “Freedom is Slavery”.

Defcon Conference Badge

FAPEO is Right Around the Corner!

FAPEO’s annual business meeting is next Wednesday (8/4).

Click here to access the agenda. If you haven’t registered yet, you can email Suzanne Hurst at suzanne@helpmembers.org

In addition to the important legislative updates, we are certain that cyber security for PEOs will be a hot topic. Below is an overview of how we at Libertate look at cyber coverage. We will be available at FAPEO and would love to discuss further.

Paul Hughes, 321.217.7477, phughes@libertateins.com
Sharlie Reynolds, 305.495.5173, sreynolds@libertateins.com
David Burgess, 321.436.8214, dburgess@libertateins.com

CYBER RISKS & LIABILITIES – Penetration Testing Explained


Keeping workplace technology up and running is vital to any organization’s success. While this task seems feasible, it’s growing harder and harder each year as cybercriminals expand their reach.  It’s not enough to simply protect workplace technology with software and security protocols. It’s also critical for your organization to test the overall effectiveness of these protocols on a regular basis. That’s where penetration testing can help.

Essentially, penetration testing consists of an IT professional mimicking the actions of a malicious cybercriminal to determine whether an organization’s workplace technology possesses any vulnerabilities and can withstand their attack efforts. Conducting a penetration test can help your organization review the effectiveness of workplace cybersecurity measures, identify the most likely avenues for a cyberattack and better understand potential weaknesses.

Review this guidance to learn more about what penetration testing is, the benefits of such testing and best practices for carrying out a successful test within your organization.

What Is Penetration Testing?

Put simply, penetration testing refers to the simulation of an actual cyberattack to analyze an organization’s cybersecurity strengths and weaknesses. This testing usually targets a specific type of workplace technology, such as the organization’s network(s), website, applications, software, security systems or physical assets (e.g., computers and smart devices). Penetration testing can leverage various attack methods, including malware, social engineering, password cracking and network attacks, among others. Generally speaking, penetration testing is performed by a professional from a contracted firm who is not otherwise associated with the organization being assessed. This keeps the simulation as authentic as possible, since the tester starts with no more insider knowledge than a real attacker would. Penetration testing is typically either external or internal in nature. The primary differences between these forms of testing are as follows:

  • External penetration testing requires the IT expert to attack an organization’s external-facing workplace technology (public websites, mail, VPN and remote-access portals) from an outside perspective. In most cases, the IT professional won’t be permitted to enter the organization’s premises during external penetration testing. Rather, they execute the attack remotely over the internet, imitating the position of an actual cybercriminal.
  • Internal penetration testing allows the IT expert to attack an organization’s internal-facing workplace technology from an inside perspective, typically from a workstation or network port on the corporate network. This form of testing can help the organization understand the amount of damage that a disgruntled employee, or an attacker who has already gained a foothold, could potentially inflict.

In addition to these testing formats, there are also two distinct types of penetration tests. How much information an organization provides the IT professional prior to the cyberattack simulation determines the penetration test type. Specifically:

  • An open-box test (often called white-box, or gray-box when only partial information is shared) occurs when the IT expert is given details regarding the organization’s workplace technology or cybersecurity protocols, such as network diagrams, system inventories or user accounts, before launching the attack.
  • A closed-box test (often called black-box) occurs when the IT expert is provided with no details other than the organization’s name before conducting the attack.

Ultimately, the penetration testing format and type should be selected based on the particular workplace technology elements or cybersecurity measures that an organization is looking to evaluate.

Benefits of Penetration Testing

Penetration testing can offer numerous advantages to your organization, including:

  • Improved cybersecurity evaluations—By simulating realistic cyberattack situations, penetration testing can help your organization more accurately evaluate its security strengths and weaknesses, as well as reveal the true cost and impact of any security concerns.
  • Greater detection of potential vulnerabilities—If any of your workplace technology or other cybersecurity protocols fail during a penetration test, you will have a clearer picture of where your organization is most vulnerable. You can then use this information to rectify any security gaps or invest further in certain cyber initiatives.
  • Increased compliance capabilities—In some sectors, organizations are required to engage in penetration testing. For example, the Payment Card Industry Data Security Standard (PCI DSS) calls for organizations that store, process or transmit cardholder data to perform penetration testing at least annually and after significant changes to their environment. As such, conducting these tests may help your organization remain compliant and uphold sector-specific expectations.
  • Bolstered cybersecurity awareness—Mimicking real-life cyberattack circumstances will highlight the value of having effective prevention measures in place for your employees, thus encouraging them to prioritize workplace cybersecurity protocols.

Penetration Testing Best Practices

Consider these top tips for executing a successful penetration test within your organization:

  • Establish goals. It’s crucial for you to decide what your organization’s goals are regarding the penetration test. In particular, be sure to ask:
    • What is my organization looking to gain or better understand from penetration testing?
    • Which cybersecurity threats and trends are currently most prevalent within my organization or industry? How can these threats and trends be applied to the penetration test?
    • What specific workplace technology elements or cybersecurity protocols will the penetration test target?
  • Select a trusted IT professional. Consult an experienced IT expert to assist your organization with the penetration test. Make sure to share your organization’s goals with the IT professional to help them understand how to best execute the test.
  • Have a plan. Before beginning the penetration test, work with the IT expert to create an appropriate plan. This plan should outline:
    • The general testing timeframe
    • Who will be made aware of the test
    • The test type and format
    • Which regulatory requirements (if any) must be satisfied through the test
    • The boundaries of the test (e.g., which cyberattack simulations can be utilized and what workplace technology can be targeted)
  • Document and review the results. Take detailed notes as the penetration test occurs and review test results with the IT expert. Look closely at which cybersecurity tactics were successful during the attack simulation and which measures fell short, as well as the consequences of these shortcomings. Ask the IT professional for suggestions on how to rectify security gaps properly.
  • Make changes as needed. Based on penetration test results, make any necessary adjustments to workplace technology or cybersecurity protocols. This may entail updating security software or revising workplace policies.
  • Follow a schedule. Conduct penetration testing at least once every year, as well as after implementing any new workplace technology.
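The “boundaries of the test” item in the plan above is the one testers most often get in trouble over, so here is an added example (my own illustration, not from the newsletter or from any testing firm) of writing the rules of engagement down in a form a tester’s tooling can check before every action: authorised ranges, explicit exclusions that always win, permitted techniques, and the agreed window. The ranges, the excluded host and the dates are made up; the 203.0.113.0/24 and 198.51.100.0/24 blocks are reserved documentation addresses and belong to nobody.

```python
"""Added example: machine-checkable rules of engagement for a penetration
test, plus a decision log that becomes part of the test report."""
import ipaddress
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import List, Set, Tuple


@dataclass
class RulesOfEngagement:
    in_scope: List[str]            # CIDR ranges the client authorised in writing
    excluded: List[str]            # carve-outs (e.g. the production payroll database)
    allowed_techniques: Set[str]   # what the plan permits, e.g. {"network", "web"}
    window_start: datetime         # agreed testing window, timezone-aware
    window_end: datetime
    decisions: List[dict] = field(default_factory=list)   # audit trail for the report

    def _in_any(self, addr: ipaddress._BaseAddress, ranges: List[str]) -> bool:
        return any(addr in ipaddress.ip_network(r) for r in ranges)

    def check(self, target_ip: str, technique: str, when: datetime) -> Tuple[bool, str]:
        """Return (allowed, reason). Exclusions are checked first so a carve-out
        inside an authorised range is still refused."""
        try:
            addr = ipaddress.ip_address(target_ip)
        except ValueError:
            verdict = (False, f"{target_ip!r} is not an IP address")
        else:
            if self._in_any(addr, self.excluded):
                verdict = (False, f"{target_ip} is explicitly excluded by the client")
            elif not self._in_any(addr, self.in_scope):
                verdict = (False, f"{target_ip} is not in any authorised range")
            elif technique not in self.allowed_techniques:
                verdict = (False, f"technique '{technique}' is not permitted by the plan")
            elif not (self.window_start <= when <= self.window_end):
                verdict = (False, "outside the agreed testing window")
            else:
                verdict = (True, "in scope")
        # Every decision, allowed or not, is logged for the "document the results" step.
        self.decisions.append({"target": target_ip, "technique": technique,
                               "at": when.isoformat(), "allowed": verdict[0],
                               "reason": verdict[1]})
        return verdict

    def refused(self) -> List[dict]:
        """Decisions that were blocked; these belong in the report too."""
        return [d for d in self.decisions if not d["allowed"]]


# Hypothetical engagement: an external test of a PEO's public ranges, overnight only.
ROE = RulesOfEngagement(
    in_scope=["203.0.113.0/24", "198.51.100.10/32"],
    excluded=["203.0.113.250/32"],                      # client portal, carved out
    allowed_techniques={"network", "web"},             # no phishing this round
    window_start=datetime(2021, 8, 9, 22, 0, tzinfo=timezone.utc),
    window_end=datetime(2021, 8, 13, 6, 0, tzinfo=timezone.utc),
)


if __name__ == "__main__":
    inside = datetime(2021, 8, 10, 1, 0, tzinfo=timezone.utc)
    for ip, tech in [("203.0.113.20", "web"), ("203.0.113.250", "web"),
                     ("192.0.2.5", "network"), ("198.51.100.10", "phishing")]:
        print(ip, tech, ROE.check(ip, tech, inside))
```

Wire a check like this in front of the scanner or exploit launcher rather than trusting the tester to remember the carve-outs; the decision log then answers “what exactly was tested, when, and what was deliberately not touched” when the report is reviewed.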

If you are a Risk Manager or Principal of a PEO and want to learn how you could help protect your client companies’ interests through our affordable Master Cyber Liability program, email James Buscarini, FL License #A036520, at jbuscarini@libertateins.com to find out more. The Master Cyber program is written through Axis, an A-rated carrier, with 250K in coverage, no underwriting, and it is a revenue generator!

Week in Rewind

If you haven’t noticed our focus has been heavily weighted in the area of cyber risk! Too many of our friends and clients have been impacted lately by cyber thieves. Yes, we sell insurance, but we are passionate about the benefits of insurance. We are all about Mitigating Risk and Loss Exposure!

So How Does Cyber Insurance Actually Help?

What Does It Cover?

The first thing to know here is that, in most cases, you can design a plan to cover your business’ specific needs. As a generalization, cyber coverage includes the following:

  • Defense and Settlement – civil proceeding or investigation
  • Regulatory fines and penalties including forensic examination
  • Re-certification services
  • Cyber extortion
  • Ransomware
  • Website media
  • Business interruption
  • Data recovery
  • Crisis management and fraud response
    • notification to breach parties
    • call center operations
    • design and implementation of website for advising breach parties
    • credit monitoring
    • public relations
    • associated legal expenses

What It Does Not Typically Cover

  • Potential future lost profits
  • Loss of value due to theft of intellectual property
  • Improvement costs to internal systems after a cyber event
    • Your other policies may be “activated” in the event of a cyber incident, but there are likely gaps in what damages are actually covered. The industry term “Silent Cyber” refers to cyber loss exposure that is neither clearly covered nor clearly excluded under traditional, non-cyber insurance policies; the exposure is silent.

IT Risk Management

In an effort to further educate our audience we are providing links to our previously published articles on creating a better infrastructure to avoid successful attempts.

The Wall Street Journal reported that Colonial Pipeline authorized a ransom payment of $4.4 million because the company could not quantify the extent of the breach of its systems or how long it would take to get things up and running again. Under pressure to restore operations quickly, Colonial paid, yet the decryption tool provided in exchange did not bring its systems fully back. We can all feel the impact of the Colonial hack.

CNN reports that the Justice Department indicated that 2020 was the worst year on record for cyber attacks, with ransomware demands averaging more than $100,000 and reaching as high as tens of millions of dollars. “….A key lesson here is that while technology and automation is good, we must also have the ability to efficiently operate manually as well. Attacks will happen, but how quick can you recover and restore critical services?”, said Brian Harrel, former assistant secretary for infrastructure protection at the Department of Homeland Security, as reported by CNN. Having the support of insurance coverage through a cyber policy is definitely one way to mitigate recovery exposure, should you fall victim.

NAPEO has pre-recorded webinars and information available on Cybersecurity. For non-members, follow this link to join.

Libertate Insurance Services has access to a variety of programs for Cyber Risk Coverage. Contact us, let us help you identify your Company’s Cyber Risk and find the best placement for your needs.