Cyber attacks beyond identity theft by jennyyingdi


									                                                                                                                                                                                                                                                                                             insights 12
    Cyber attacks                                                     beyond identity theft
    over the past decade, cyber attacks have evolved faster than the speed at which most
    companies	and	organizations	can	build	adequate	defenses	against	them.

    The	exposures	arising	from	cyber	attacks	   however, there are several additional         •	 take	over	industrial	control	systems	                                                                                                     impact
    have	advanced	at	an	equal	pace.	It	         exposures	that	have	materialized	that	                                                         some recent examples of these attacks include:
                                                                                              •	 damage	physical	machinery	                                                                                                                The potential impact of these events goes
    should come as no surprise that cyber       could prove to be more catastrophic                                                            stuxnet (June 2009) – a worm took control of a global company’s industrial
    security is one of the top five risks to    in nature.                                    •	 take	control	of	networks	that	control	        control systems embedded in an Iranian nuclear facility. The virus caused centrifuges       beyond the traditional response of providing
    watch according to the Global risks                                                          critical infrastructure like traffic          to spin out of control in the uranium enrichment facility causing physical damage to        notification, credit monitoring, public
                                                data breach reports seem commonplace                                                                                                                                                       relations, and so on since the attacks are not
    report, 2011 issued by the world                                                             lights, power grids, water supplies,          the hardware.
                                                these days largely since legislation in the                                                                                                                                                focused on theft of personally identifiable
    economic Forum.                                                                              military networks, telecommunications,
                                                united states and european union                                                               night Dragon (november, 2009) – allegedly targeted global oil, gas and                      information. Incident response to events like
                                                                                                 and financial systems
    the financial impact associated with        requires	most	organizations	to	disclose	                                                       petrochemical companies, as well as individuals and executives in Kazahkstan,               the ones outlined above may include:
    cyber attacks resulting in theft or         the loss of third party or employee           •	 steal	valuable	intellectual	property	         Taiwan, Greece and the US. The attacks extracted industrial intelligence from
    disclosure of personally identifiable       personally identifiable information.             like source code, business plans,             corporate network assets in the targeted enterprises, and are reported to have              •	 comprehensive	forensics	examination	by	
    information	is	traditionally	quantified	    while data breach and privacy laws are           designs, and information used in              compromised a number of control system computers.                                              a third-party organization
    by analyzing direct costs associated with   generally helpful, most are aimed at             contract bids                                                                                                                             •	 repair	or	replacement	of	damaged	property	
                                                                                                                                               anonymous (november/December, 2010) – a hacker collective known as
    breach response such as notification,       protecting the privacy of individuals
                                                                                              •	 disable	systems	to	create	the	                ‘Anonymous’ allegedly launched Distributed Denial of Service attacks against a              •	 medical	bills	for	physically	injured	parties
    credit monitoring, forensics, public        and making them aware of instances
                                                                                                 perception of chaos.                          number of credit card companies, payment processors, and supporting vendors,
    relations consultation fees, and legal      in which their sensitive personally                                                                                                                                                        •	 lost	time	and	allocation	of	manpower
                                                                                                                                               it is claimed, in retaliation for their actions against the secret document disclosure
    defense along with indirect costs such      identifiable information has been             such attacks have the potential to cause
                                                                                                                                               website Wikileaks. The targeted companies suffered down time on their websites              •	 devaluation	of	intellectual	property	and	
    as loss of customer confidence and          compromised. as such, the general             severe financial harm, bodily injury, property
                                                                                                                                               and some were unable to process online transactions for a short period of time.                trade secrets
    decreased stock price. Costs may also       public may be less aware of different         damage, and harm to credibility. each one
    include fraudulent charges or other         types of cyber attacks directed at            bears strikingly consistent characteristics in   Pentagon attack (november, 2008) – a flash drive containing malicious code was              •	 overhaul	of	network	security	programs	
    expenses	to	an	individual	that	result	      businesses and government                     that they are perpetrated by highly              allegedly inserted into a laptop at a US base in the Middle East. The code succeeded
    from identity theft. effective risk         organizations that intend to:                 organized, technically sophisticated, and        in uploading itself onto a network run by US central command. The code ran                  •	 overhaul	of	defense	systems
    management can mitigate these costs;                                                      well-funded	groups.	                             undetected on both classified and unclassified systems and intended to transfer             •	 redesign/engineering	of	critical	
                                                                                                                                               data to outside servers.                                                                       infrastructure
                                                                                                                                               estonia attack (May, 2007) – Distributed Denial of Service (DDoS) attacks                   •	 personnel	reclassification.
                                                                                                                                               disabled Estonian banking and government websites. At the time, 90% of all
                                                                                                                                               financial transactions were conducted over the internet, and 70% of the population          Catastrophic loss is estimated in many of the
                                                                                                                                               of 1.3 million filed tax returns electronically. It is widely speculated that the primary   scenarios outlined above due to the systemic
                                                                                                                                               goal of the DDoS was to damage the credibility of the Estonian government.                  impact on a mass volume of individuals and
                                                                                                                                                                                                                                           property. Losses arising from such attacks
                                                                                                                                                                                                                                           could be quantified using not only financial
                                                                                                                                                                                                                                           impact, but potentially bodily injury and
                                                                                                                                                                                                                                           property damage as well.                          >

8                                                                                                                                                                                                                                                                                             9
                                                                                                                                                                                                                                                                                                                      insights 12
                                                                                                                                                                                                                                                                                                                      insights 11
     The unknown elements                           An international issue                                                                               effective risk management techniques and risk transfer:
     There are several elements associated with     It is clear from the examples above that most      supply. In a public statement consistent with
     cyber attacks that cannot be easily            developed nations share the same exposures         the ideology of the US and other developed
                                                                                                                                                         •	 Designate	a	senior	executive	with	                    •	 Prepare,	implement	and	test	a	formal	
     quantified and as such, cause great alarm.     when it comes to the risk of cyber attacks.        nations, German Chancellor Angela Merkel
                                                                                                                                                            enterprise responsibility for management                 incident response plan.
     For example, it might be easy to calculate     Apart from the laws established in the US,         declared cyberwarfare "as dangerous as
                                                                                                                                                            of information security.
     the replacement cost of damaged property,      many developed nations have already                conventional war."                                                                                         •	 Prepare,	implement	and	test	a	formal	
     but how would you quantify an economic         identified the exposure to individual data                                                           •	 Use	firewall	technology	at	all	points	of	                business continuity and disaster
                                                                                                       The North Atlantic Treaty Organization (NATO)
     loss if:                                       privacy and as a result, have enacted data                                                              presence and utilize formal firewall                     recovery plan.
                                                                                                       has for some time considered cyber attacks
                                                    protection laws. The UK Data Protection Act                                                             configuration standards.
     •	 a	nation's	power	grid	were	disrupted	                                                          among the greatest security threats to the                                                                 •	 Analyze	how	to	best	transfer	quantifiable	
                                                    of 1998 (amended in 2003), for instance, was                                                         •	 Utilize	intrusion	detection	and	prevention	              risk and defend your organization from
        or	taken	over	for	an	extended	period	                                                          developed world. Over three years ago, the
                                                    effected to control the permissible extent to                                                           systems (network and host based) and                     catastrophic	exposures.	
        of time?                                                                                       organization announced the opening of a
                                                    which personal data can be compiled,                                                                    update signatures and anomalies on a
                                                                                                       Cooperative Cyber Defense Centre of
     •	 a	rogue	nation	state	obtained	real-         collected and registered. Another example is                                                                                                                  •	 Take	steps	to	determine	what	risks	are	
                                                                                                       Excellence in Tallinn in the wake of the cyber       frequent	basis.	
        time	access	to	another	country's	           the EU Data Protection Directive, which serves                                                                                                                   insurable	and	which	must	be	self-insured.	Are	
                                                                                                       attack that disrupted Estonian government
        military communications?                    as a comprehensive, overarching law to                                                               •	 Deploy	anti-virus	software	on	all	systems.	              there policies in the commercial insurance
                                                                                                       and banking websites. More recently, the
                                                    protect the fundamental rights and freedoms                                                             software should also detect and remove                   market that would respond if an intangible
     •	 a	terrorist	group	obtained	access	                                                             Estonian government incorporated a volunteer
                                                    of EU citizens, in particular their right to                                                            other forms of malicious software.                       asset depreciated as a result of a cyber attack?
        to	a	nation's	water	supply?	                                                                   force named the ‘Cyber Defense League’ into
                                                    privacy with respect to the processing of                                                            •	 Use	commercial	grade	technology	to	
                                                                                                       its military structure.
     •	 a	competitor	obtained	access	               personal data. Other jurisdictions with data                                                            encrypt data in transit and while at rest
        to intellectual property and                protection laws include Austria, France,           Austria is in the process of building a cyber
                                                                                                                                                            on the network.
        trade secrets?                              Germany, Ireland, Norway, Russia, United           defense structure that will include 1,600
                                                    Arab Emirates, Japan, Korea (effective             soldiers as well as several secret service
     The answers to these questions are not                                                            departments while the Netherlands has
                                                    9/30/11), Taiwan, Uruguay, Canada, Mexico,
     easily quantifiable and therefore create                                                          allocated part of its armed forces budget to
                                                    and Australia. The fact that these jurisdictions
     additional concern. In the wake of several                                                        cyber warfare-related activities in 2011. The
                                                    have passed such laws indicates a general
     global, large-scale incidents, the US                                                             UK government has also allocated a
                                                    awareness of the importance of protecting
     Pentagon recently declared cyber attacks to                                                       substantial amount of funds to improve cyber
                                                    the privacy of individuals. However, many
     be acts of war and subject to traditional                                                         security. Equally as concerned, France and
                                                    are also beginning to increase their efforts
     military response. While follow through                                                                                                                                                                                                                       Tim stapleton
                                                    around securing highly valued intellectual         China are increasing their efforts to fortify                                                                                                               Assistant Vice President, Professional Liability
     remains to be seen, this declaration may                                                          their nations' infrastructure to defend against
                                                    property assets and critical infrastructure to                                                                                                                                                                 Product Manager, Zurich North America
     help provide incentive for foreign countries                                                      cyber attacks.
                                                    mitigate the potential catastrophic loss from
     suspected of state-sponsored attacks to                                                                                                             Sources:
                                                    cyber attacks.
     curb their behavior and actively seek to                                                          Given the actions of these developed nations,     examples of attacks
                                                                                                       it is resoundingly clear that cyber attacks are
     do the same to rogue factions within           In what is considered the first of its kind in
     those states.                                  Europe, Germany recently opened a Cyber            perceived as a legitimate threat to critical
                                                    Defense center to protect its critical             infrastructure and intellectual property on
                                                                                                       a worldwide scale.                      
                                                    infrastructure including electricity and water
                                                                                                                                                         an international issue

10                                                                                                                                                                                                                                                                                                                    11
                             for more information on Zurich's financial lines,
                             products and services, visit:

                        The information in this publication was compiled from sources believed to be reliable and is provided for
                        informational purposes only. All sample policies and procedures herein may serve as a guideline, which you can use
                        to create your own policies and procedures. We trust that you will customize these samples to reflect your own
                        operations and believe that these samples may serve as a helpful platform for this endeavor. Any and all
                        information contained herein is not intended to constitute legal advice and accordingly, you should consult with
                        your own counsel when developing policies and procedures. We do not guarantee the accuracy of this information
                        or any results and further assume no liability in connection with this publication and the sample policies and
                        procedures, including any information, methods or safety suggestions, contained herein. Moreover, Zurich reminds
                        you that this cannot be assumed to contain every acceptable safety and compliance procedure or that additional
                        procedures might not be appropriate under the circumstances. This is also intended as a general description of
                        certain types of insurance and services available to qualified customers through the companies of the Zurich
                        Financial Services Group, including, in the United States, Zurich American Insurance Company, Zurich Towers, 1400
                        American Lane, Schaumburg, Illinois 60196; in Canada, Zurich Insurance Company Ltd, Canadian Branch, 400
                        University Avenue, Toronto, Ontario M5G 1S7; and outside the U.S.A and Canada, Zurich Insurance Plc, Ballsbridge
                        Park, Dublin 4, Ireland; Zurich Insurance Company Ltd, Mythenquai 2, 8002 Zurich, Switzerland; Zurich Australian
                        Insurance Limited, 5 Blue Street, North Sydney, NSW 2060, Australia and other legal entities, as may be required by
133668a01 (12/11) ZCa

                        local law. Your policy is the contract that specifically and fully describes your coverage. The description of the
                        policy provisions contained herein gives a broad overview of coverages and does not revise or amend the policy.
                        Certain coverages are not available in all jurisdictions. You are in the best position to understand your business and
                        your organization and to take steps to minimize risk, and we wish to assist you by providing the information and
                        tools to help you assess your changing risk environment. In the United States, risk engineering services are provided
                        by The Zurich Services Corporation.

To top