This is part of our blog series on the continuous dialogue you should be having with your executive leadership, to make them aware of issues on which they should be making organizational decisions:
“There is ongoing litigation whereby most insurance carriers are pushing back against their clients when it comes to “cyber” security-related claims under an organization’s general liability insurance. Most recently, the insurance carrier for P.F. Chang is taking legal action against P.F. Chang’s claim that their commercial general liability policy covers defense costs and provides indemnity coverage for their recent credit card breach.
Leadership needs to understand that our general liability coverage will most likely not cover a digital security event, even if the coverage wording is vague (the carrier will most likely still fight against it, to avoid precedent-setting cases). If we want to pursue coverage for digital security issues, we would need to pursue a separate policy/rider specifically for it.”
For more information, continue to the following link.
Organizational leadership needs to understand that no matter which technical and procedural protections are put in place, prevention eventually fails, especially (but not exclusively) against a targeted attack orchestrated by a motivated adversary. This means the organization must plan for that eventual “failure” by being able to detect and respond to it.
When this failure occurs, the question leadership must ask is not “Why did our defenses fail?” but rather “How long did it take us to detect and respond to this failure?” According to industry sources, the mean time to detect advanced attackers is around 8 months. This means the average organization does not know that it has been severely compromised for 8 months, which is typically more than enough time for the adversary to achieve its goals.
With all that in mind, what is your detection strategy?
Posted: 12th October 2014 by Josh in Uncategorized
Tags: Email, Malware, Spam
One configuration setup that I have run into a number of times is the lack of outbound spam/anti-virus filtering. The organization in question has its inbound mail queue running through its anti-spam/AV filter, but it does not have its outbound mail going through it. When asked about it, typically the response has been, “Never thought about it. We are really only concerned about inbound spam and viruses.”
Here is my typical response:
When a corporate mailbox is compromised and is used in a spam campaign, how will you know? When the user of the compromised account complains to the helpdesk because of the glut of bounced messages in his inbox? By that time, possibly your only static public IP has been listed on a number of Real-time Blackhole Lists (RBL).
Filtering outbound messages for spam/malware helps you detect internally compromised accounts and computers faster than waiting for the user or an RBL to alert you. Just be sure to tune the alerting so that you get the right alerts when they are needed, and don’t fall into alert fatigue.
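To make the detection side of this concrete, here is an added example (not code from the original post) that runs simple compromised-mailbox heuristics over outbound mail-filter logs: a per-sender sliding window flags bursts of volume, unusually many distinct recipients, outbound messages the filter itself judged to be spam, and runs of bounce-backs. The log format, the thresholds, and the sample accounts (`alice`, `bob`, `carol` at `example.com`) are all constructed for the example; the thresholds are deliberately a tunable dataclass, and a sender that keeps tripping a threshold inside the same window is folded into one alert rather than generating dozens, which is the "tune your alerts" point above in code form.

```python
"""Flag likely-compromised mailboxes from outbound mail-filter logs.

Added example, not from the original post. The log format is a constructed,
simplified one (one event per line):

    <ISO-8601 timestamp> <sender> <recipient> <status>

where <status> is what the outbound filter/MTA recorded for the message:
"clean", "spam" (the outbound filter flagged it) or "bounced".
"""
from collections import defaultdict
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass
class Thresholds:
    """Tunable knobs: raise them to cut alert noise, lower them for sensitivity."""
    window: timedelta = timedelta(hours=1)  # sliding window evaluated per sender
    max_messages: int = 50                  # messages per window before alerting
    max_recipients: int = 30                # distinct recipients per window
    max_spam_verdicts: int = 5              # outbound messages the filter called spam
    max_bounces: int = 10                   # bounce-backs per window


@dataclass
class Alert:
    sender: str
    first_seen: datetime
    reasons: list = field(default_factory=list)


def parse_line(line):
    ts, sender, recipient, status = line.split()
    return datetime.fromisoformat(ts), sender.lower(), recipient.lower(), status


def detect(lines, thresholds=Thresholds()):
    """Return one Alert per sender per window in which any threshold was crossed.

    Repeated hits by the same sender inside an open alert's window are merged
    into that alert (new reasons appended) instead of producing a new one.
    """
    events = defaultdict(list)  # sender -> [(ts, recipient, status)] within window
    open_alerts = {}            # sender -> most recent Alert, for suppression
    alerts = []
    for line in sorted(lines):  # ISO timestamps sort chronologically as strings
        ts, sender, recipient, status = parse_line(line)
        history = events[sender]
        history.append((ts, recipient, status))
        cutoff = ts - thresholds.window
        while history and history[0][0] < cutoff:  # expire old events
            history.pop(0)

        reasons = []
        if len(history) > thresholds.max_messages:
            reasons.append("volume")
        if len({r for _, r, _ in history}) > thresholds.max_recipients:
            reasons.append("recipients")
        if sum(s == "spam" for _, _, s in history) > thresholds.max_spam_verdicts:
            reasons.append("spam")
        if sum(s == "bounced" for _, _, s in history) > thresholds.max_bounces:
            reasons.append("bounces")
        if not reasons:
            continue

        alert = open_alerts.get(sender)
        if alert is None or ts - alert.first_seen > thresholds.window:
            alert = Alert(sender, ts, [])
            open_alerts[sender] = alert
            alerts.append(alert)
        for reason in reasons:
            if reason not in alert.reasons:
                alert.reasons.append(reason)
    return alerts


def sample_log():
    """Constructed sample: one normal user, one spam burst, one bounce storm."""
    base = datetime(2014, 10, 12, 3, 0, 0)
    lines = []
    for i in range(3):  # bob: a few clean messages spread over hours
        ts = (base + timedelta(hours=i)).isoformat()
        lines.append(f"{ts} bob@example.com partner{i}@example.org clean")
    for i in range(60):  # alice: 60 messages in 10 minutes, every 10th flagged spam
        ts = (base + timedelta(seconds=10 * i)).isoformat()
        status = "spam" if i % 10 == 0 else "clean"
        lines.append(f"{ts} alice@example.com victim{i}@example.net {status}")
    for i in range(12):  # carol: a run of bounce-backs, one per minute
        ts = (base + timedelta(hours=4, minutes=i)).isoformat()
        lines.append(f"{ts} carol@example.com old{i}@example.org bounced")
    return lines


if __name__ == "__main__":
    for a in detect(sample_log()):
        print(f"{a.first_seen.isoformat()} {a.sender}: {', '.join(a.reasons)}")
```

With the defaults, `alice` is flagged at 03:05 (31 distinct recipients in five minutes) and her later volume and spam hits are merged into that single alert; `carol` is flagged once for bounces; `bob` never appears. Raising the thresholds, as a team tuning away noise would, yields no alerts on the same log, which is exactly the trade-off to watch when adjusting them.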