CNA: A total breakdown of cybersecurity risk management

2021
CNA cyber insurance

The large, Chicago-based insurance carrier announced in March that they fell victim to the same ransomware attacks that they insure policyholders against. This is more than ironic; it attacks cybersecurity financial risk management at its core. Because ransomware gangs commonly syphon sensitive information before they encrypt it, they may have cquired a list of cybersecurity policyholders. And a list of cybersecurity policyholders is a list of organizations who will readily pay ransom.

CNA ensures the world that the list of policyholders and insureds was not acquired. If true, then this bullet was dodged in March. But the strategy is alive and well. The insurance carrier AXA’s Asian operations were attacked two months later in May. That ransomware gang announced the hack and data acquisition by showing samples of the acquired data to the world.

How’s this for a ransom offer … “pay us now or we attack your clients who you are contracted to cover.” If you thought Solarwinds was bad, CNA and AXA should make you feel worse. The organizations who we give sensitive information and access to may be our most frightening vulnerability.

While CNA did not disclose details about the nature of the attack and the affected systems and information, this is what the public generally knows:

  • CNA claims that information about policyholders and insureds were not involved in the scope of the ransomware.
  • CNA suffered many days of operational failure and slow-down because many systems were either taken off-line, or were locked by ransomware.
  • CNA reported in May that they paid $40MM in ransom.

This is what you should not be focused on:

  • Don’t try to find out which ransomware CNA was hit by so you can protect yourself against it. See the following chart for some tips on protecting yourself against all ransomware attacks.
  • Don’t give up on cybersecurity insurance.
  • Don’t shrug your shoulders as if thus is any other cybersecurity problem.

This is what you should be focused on:

  • When you engage a cybersecurity insurance firm, they will ask you about your security profile to provide you with the right coverage and pricing. You should also ask them what they do to protect your data when they have it. This is a two-way risk, so you should treat it that way. And don’t accept “We take your security seriously” as an answer. Explicitly ask what risk they expose you to when they hold your information, and have them answer you in DoCRA terms. “We believe there is an [x] likelihood of a [y] impact to your company. We have managed your risk to that level because we believe it would be generally acceptable risk for our policyholders.
  • Also, consider these ransomware prevention tips from eSecurity Planet.

Ransomware Prevention Tips

  1. Staff Awareness Raising awareness about ransomware is a baseline security measure. But it could only take one employee lowering their guard for an organization to be compromised. As training sessions have little influence over staff for every potential attack, it makes added security more imperative.
  2. Spam Filter Cybercriminals send millions of malicious emails to at-random organizations and users, but an effective spam filter that continually adapts alongside a cloud-based threat intelligence center can prevent more than 99% of these from ever reaching employees’ desktops.
  3. Configure Desktops Extensions Employees should be trained not to double-click on executable files with a .exe extension. However, Windows hides file extensions by default, allowing a malicious executable such as “evil.doc.exe” to appear to be a Word document called “evil.doc”. Ensuring that extensions are always displayed can go a long way to countering that kind of threat.
  4. Block Executables Filtering files with a .exe extension from emails can prevent some malicious files from being delivered to employees, but bear in mind that this isn’t foolproof. Malicious emails can instruct employees to rename files, and ransomware is also increasingly being delivered as JavaScript files (see below).
  5. Block Malicious JavaScript Files Ransomware being delivered in .zip files containing malicious JavaScript files are common. These are disguised as text files with names like “readme.txt.js” – and often just visible as “readme.txt”, with a script icon for a text file. You can prevent this vulnerability for staff by disabling Windows Script Host.
  6. Restrict Use of Elevated Privilege Ransomware can only encrypt files that are accessible to a particular user on their system – unless it includes code that can elevate a user’s privileges as part of the attack, which is where patching and zero trust come into play.
  7. Promptly Patch Software It’s a basic security precaution to ensure that all software is updated with the latest security patches, but it’s worth reiterating because breaches continue due to prolonging updating. Just in 2020, the SolarWinds hack could’ve been prevented for organizations that promptly patch software.
  8. Zero Trust Moving toward zero trust offers visibility and control over your network, including stopping ransomware. The next three actions: prioritize assets and evaluate traffic, microsegmentation, and adaptive monitoring are central steps of the zero trust architecture and greatly reduce your risks of an attack.
  9. Prioritize Assets and Evaluate Traffic With the use of inventory tools and IOC lists, an organization can identify its most valuable assets or segments. This full picture offers staff a look into how an attacker could infiltrate your network and gives needed visibility into traffic flows. This gives your team clear guidelines as to what segments need added protection or restrictions.
  10. Microsegmentation Microsegmentation is the ultimate solution to stopping lateral movement. By implementing strict policies at the application level, segmentation gateways and NGFWs can prevent ransomware from reaching what’s most important.
  11. Adaptive Monitoring and Tagging Once your micro-perimeters surround your most sensitive segments, there’s a need for ongoing monitoring and adaptive technology. This includes active tagging of workloads, threat hunting, and virus assessments, and consistent evaluation of traffic for mission-critical applications, data, or services.
  12. Utilize a CASB A cloud access security broker (CASB) can help manage policy enforcement for your organization’s cloud infrastructure. CASBs provide added visibility, compliance, data security, and threat protection in securing your data.
  13. Rapid Response Testing In the event of a successful breach, your team must be ready to restore systems and data recovery. This includes pre-assigning roles and ensuring a plan is in place.
  14. Sandbox Testing A common method for security analysts to test new or unrecognized files is by utilizing a sandbox. Sandboxes provide a safe environment, disconnected from the greater network for testing the file.
  15. Update Anti-Ransomware Software As noted, consistent updating of network software is critical. This is especially true for your existing intrusion detection and prevention system (IDPS), antivirus, and anti-malware.
  16. Offline Backups While virtual backups are great, if you’re not storing data backups offline, you’re at risk of losing that data. This means regular backups, multiple copies saved, and monitoring to ensure backups hold true to the original. Restoring data after an attack is often your best approach.
  17. Update Email Gateway All email for your network typically travels through a secure web gateway (SWG). By actively updating this server, you can monitor email attachments, websites, and files for malware. This visibility into attacks trending for your organization can help inform staff moving forward of what to expect.
  18. Block Ads All devices and browsers should have extensions that automatically block pop-up ads. With the extensive use of the internet, malicious ads pose a long-lasting threat if not blocked.
  19. Bring-Your-Own-Device (BYOD) Restrictions If you have a remote work staff or just a loose policy surrounding devices acceptable for network access, it might be time to crack down. Unregulated use of new or unique devices poses an unnecessary risk to your network. Enterprise mobility management (EMM) is one solution.
  20. Forensic Analysis After any detection of ransomware, there needs to be an investigation into its entry point, time in the environment, and confirm that it’s been fully removed from all network devices. From there, the task of ensuring it never returns begins