In late 2013, at the height of the holiday shopping season, Target Corporation's point-of-sale payment network was breached, and over 70 million customers, this author included, had their card payment information stolen. The result was a mass reissuing of cards, purchase limits for some customers, and various actions by banks attempting to protect accounts from theft.

After staying quiet for several weeks, Target finally acknowledged the breach a few days before Christmas, causing a loss of several percent in holiday sales. The fallout continued for months, with the resignation of President and CEO Gregg Steinhafel and the layoff of nearly 500 employees. (Clark, 2014) Had Target been the only large retail corporation breached with POS malware the story might have died, but others followed, including Neiman Marcus, Michaels, P.F. Chang's, Home Depot and Staples. (Hardekopf, 2015)

The Target fiasco should have been enough to convince other retailers to make immediate changes, but corporations move slowly, and because stolen card numbers can be sold on the black market, criminals adapted faster than the corporations. Attacks evolved and more customers had their card numbers stolen, costing banks and merchants millions of dollars.

How Point-of-sale (POS) Works

To better understand where the vulnerabilities lie, we will review the payment process. For the user of a payment terminal or other payment tool, paying with a debit or credit card feels seamless and simple, but every payment involves multiple parties, and each additional party means greater risk and more access points for an attacker. In a standard card transaction there is the payment terminal, or point-of-sale device; then there are one, two or more banks involved: the issuer, the acquirer and the merchant bank. Then there is the payment processing network, most often Visa or MasterCard.

The path, which takes only seconds, is listed below.

  1. Customer swipes a card at the merchant
  2. The Merchant's POS sends the transaction through to the processor
  3. The Processor encrypts the payment and sends it from the POS device to the payment processing network (Visa, MasterCard, Discover, etc.)
  4. The payment processing network verifies that funds are available from the card issuing bank
  5. The card issuing bank then releases the funds back to the processor
  6. At the end of the day or a sales cycle, the merchant runs a batch with the processor
  7. The processor then authorizes the release of the funds to the merchant's bank
  8. Later the customer receives a statement from the card issuing bank noting that funds were removed from a debit account, or that payment is due for a credit card purchase.

Point-of-sale transaction process (simplified)

It is easy to see, from the list above and the simplified transaction process graphic, that there are multiple places for malware to attack or for a criminal using social engineering to manipulate the process.

PCI and Payment Safeguards

When a data breach occurs it can cost businesses and banks anywhere from a few dollars per customer to hundreds of thousands or millions of dollars for a large breach with thousands of victims. The actual costs vary depending on the source, but whatever the total, the cost is staggering and falls on everyone, including card holders. Target finally put its losses at $162 million. (Lunden, 2015) The Ponemon research project noted in its 2015 annual study on the cost of a data breach that costs were 15% higher than the year before. (Ponemon, 2014) The total estimated cost of credit card theft to banks in 2014 was around $11 billion. (Vlachos, 2015)

Even with the high number of breaches, it could be much worse if not for the payment security standards set by the Payment Card Industry Data Security Standard (PCI DSS), a security standard maintained by the Payment Card Industry Security Standards Council (PCI SSC). This organization was formed as a partnership between the leading payment companies, including MasterCard, Visa, JCB, Discover and American Express. (PCI, 2015)

The PCI council provides a standard and safety measures for merchants about the security of their payment systems, and it provides a standard for companies providing payment services at any phase of a transaction. The PCI standard has twelve requirements to follow to receive PCI certification. They are:

  1. Install and maintain a firewall configuration to protect cardholder data
  2. Do not use vendor-supplied defaults for system passwords and other security parameters
  3. Protect stored cardholder data
  4. Encrypt transmission of cardholder data across open, public networks
  5. Use and regularly update anti-virus software or programs
  6. Develop and maintain secure systems and applications
  7. Restrict access to cardholder data by business need-to-know
  8. Assign a unique ID to each person with computer access
  9. Restrict physical access to cardholder data
  10. Track and monitor all access to network resources and cardholder data
  11. Regularly test security systems and processes
  12. Maintain a policy that addresses information security for employees and contractors

Current POS Threats

There are multiple, ever-evolving threats to the payment landscape. The threats below are only a review, and anyone working in payment security is advised to watch daily for new vulnerabilities. Security teams protecting point-of-sale networks are also advised to have a security strategy in place before an attack occurs, so that the incident response team can respond quickly.

A common threat comes from a well-meaning group, the integrators of POS systems. Integrators are companies that manage POS systems by configuring and maintaining them. Many small businesses lack the resources or technical skills to maintain their own payment systems and rely on these integrators to keep their systems running. To access the systems, integrators often use remote access tools such as Microsoft Remote Desktop, VNC and pcAnywhere. These are valuable tools when used correctly, but they have been found to be configured incorrectly at times. This allows cyber criminals to gain access and install malware that steals data and even records keystrokes. (Visa, 2015)

By following the latest PCI standard (PCI DSS 3.1), known security issues can be mitigated, but if a system is not current, malware like RawPOS can be a threat. This malware is a memory scraper that has infected lodging merchants since 2008. It targets the memory dump, where payment information may be temporarily stored; the captured data is staged on the network and removed later by a separate process.

The malware used to steal data from infected registers running Windows at Target was BlackPOS. A few months later, a variant of BlackPOS was used to steal card data from point-of-sale systems at Home Depot. When this memory grabber finds what it is looking for, it uploads the data via FTP to a remote server. (Dell SecureWorks CTU TI, 2013)

Chewbacca POS malware is another memory scraper that runs on Windows. It is not currently widespread. To mitigate Chewbacca, the use of Tor should be prevented and administrative rights should be tightly controlled, as administrator permissions are needed to perform the malicious functions of this malware. (Visa, 2014)
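The memory scrapers described in the three paragraphs above all hunt for the same thing: magnetic-stripe track data sitting unencrypted in process memory. The Python scanner below is an added example, not code from the original article or from any of the malware families named; it runs the same kind of pattern search defensively over a memory dump or a captured FTP upload so that an incident responder can confirm whether cardholder data was actually exposed, using the Luhn check to drop false positives and masking every PAN it reports. The sample buffer and the card numbers in it are constructed test values.

```python
"""Scan a memory dump or captured upload for magnetic-stripe track data.

Added example. PCI forensic investigators run this kind of search over
memory images, page files and exfiltrated blobs to scope a POS breach.
All sample data below is constructed; the PANs are published test numbers.
"""
import re

# Track 2: ';' PAN(13-19 digits) '=' YY MM service-code discretionary '?'
TRACK2_RE = re.compile(rb";(\d{13,19})=(\d{2})(\d{2})(\d{3})(\d*)\?")
# Track 1 (format code B): '%B' PAN '^' cardholder name '^' YY MM service-code ... '?'
TRACK1_RE = re.compile(rb"%B(\d{13,19})\^([^^]{2,26})\^(\d{2})(\d{2})(\d{3})[^?]*\?")


def luhn_valid(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits, the most PCI DSS allows to display."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def find_track_data(buf: bytes):
    """Return findings with masked PANs, skipping Luhn-invalid hits and
    impossible expiry months, which are almost always random-looking noise."""
    findings = []
    for track, regex in ((2, TRACK2_RE), (1, TRACK1_RE)):
        for m in regex.finditer(buf):
            pan = m.group(1).decode()
            if track == 2:
                yy, mm, svc = (m.group(2).decode(), m.group(3).decode(),
                               m.group(4).decode())
            else:
                yy, mm, svc = (m.group(3).decode(), m.group(4).decode(),
                               m.group(5).decode())
            if not luhn_valid(pan) or not 1 <= int(mm) <= 12:
                continue
            findings.append({
                "track": track,
                "offset": m.start(),
                "pan_masked": mask_pan(pan),
                "expiry": f"{mm}/{yy}",
                "service_code": svc,
            })
    return findings


# Constructed sample: a slice of "process memory" holding one valid Track 2
# record, one Track 1 record, and a decoy whose PAN fails the Luhn check.
SAMPLE_DUMP = (
    b"\x00\x00POSAPP.EXE\x00"
    b";4111111111111111=25121011234567890?\x00\x00"
    b"%B5500000000000004^DOE/JANE^2511101000000000?\x00"
    b";4111111111111112=2512101000?\x00"   # Luhn-invalid decoy, must be skipped
    b"\xff\xfe"
)

if __name__ == "__main__":
    for hit in find_track_data(SAMPLE_DUMP):
        print(hit)
```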

A threat that is very simple, and differs from the threats above in technology and approach, is the use of skimmers. While these are known to be used at gas pumps and ATMs, they can also be used by waiters in restaurants who skim a customer's card out of sight of the customer and other employees. Using chip-and-pin technology, and not allowing anyone to take one's card out of sight, will reduce this crime. The new technology will reduce it further once magnetic stripes carrying a reusable number are no longer ubiquitous.

As noted above, these are not all of the threats to Point-of-Sale systems, and new threats are being created daily.

The Chip and Pin Solution

By the end of 2015 a majority of credit cards will be chip-and-pin capable, also known as EMV (an acronym for Europay, MasterCard and Visa). With the U.S. transition to chip-and-pin cards, this will become the international standard for securing cardholder data. The security comes from a microprocessor inside the card: because of the microprocessor, or chip, the card generates unique data every time it is used. This is much more secure than the magnetic stripe cards we are accustomed to in the U.S., which carry a static number that can be stolen and reused. However, the first generation of chip-and-pin cards will keep the magnetic stripe because the transition is not complete.

Starting in October 2015, liability will move wholly to the merchant if it does not have chip-and-pin enabled terminals, and any bank that has not issued chip-and-pin cards will be liable if fraud occurs at an up-to-date terminal. This is meant to encourage businesses and banks to upgrade their equipment and cards. Magnetic stripe cards will still be accepted, but over the next few years these old cards will be phased out.

There are those who believe that chip-and-pin won't stop criminals, and they are correct because criminals will always adapt to the latest technology, and they will always exploit new vulnerabilities. But the new chip-and-pin technology will reduce credit card theft substantially. (Schwartz, 2014) Merchants should always select a vendor that holds the latest PCI certification, as this will reduce many instances of successful POS attacks on their system, but everyone involved must also follow precautions that include being cautious with remote access tools, and maintaining updates and the latest anti-virus software. And, as before, merchants must be vigilant and continue to watch for fake cards and other card scams.

Another step that will improve cardholder security is consumer education. With the introduction of chip-and-pin consumers will be confused. This may be a time of increased social engineering attacks, when criminals attempt to gain the trust of consumers by posing as bankers or other parties that "need" their cardholder information, or worse. Banks and issuers must improve their communication to consumers, and while there have been some efforts, not enough has been done. And, beyond education, as high as 42% of merchants have taken no steps to move to the technology. (Amato-McCoy, 2015) But this author believes that merchants and banks will continue to update to the new technology over the next few years.

Criminals have not stopped robbing banks, despite improvements in security, and criminals will continue to look for vulnerabilities in cards because, like banks, that's where the money is. But, all involved with the processing and issuing of cards must continue to improve security.

The average 10,000-employee company spends $3.7 million a year dealing with phishing attacks, according to a new report from the Ponemon Institute.

The report, which surveyed 377 IT professionals in companies ranging in size from less than 100 to over 75,000 employees, showed that about half of the costs were due to productivity losses.

The average employee wastes 4.16 hours a year on phishing scams.

In addition, 27 percent of the costs were the risk of having to respond to a data breach caused by a compromised credential, 10 percent were the direct costs of addressing compromised credentials, 9 percent were the risk of a data breach caused by malware, and the remaining 6 percent were the direct costs of containing malware.

"Everyone understands the cost of a breach, and one of the biggest threat vectors is phishing," said Joe Ferrara, CEO at Wombat Security Technologies, which sponsored the report.

According to the latest Verizon data breach report, phishing is the second most common threat vector, implicated in around a quarter of all data breaches last year.

"But I don't think anyone really had a handle on all the costs layered into it," said Ferrara.

But the Ponemon report wasn't all bad news. Companies can substantially reduce their phishing-related costs with employee education, such as the automated training offered by Wombat, which was spun off from Carnegie Mellon's CyLab cyber security research center.

Companies who roll out training programs see improvements of between 26 and 99 percent in their phishing email click rates, with an average improvement of 64 percent, according to Ponemon.

Adding in a 25 percent drop in retention, Ponemon calculated a phishing-related cost savings of $188 per user for the average company.

This translates to $77 per user for the lowest-performing training program.

At a cost of less than $4 per employee, that results in a 20-fold return on investment over a year from the worst-performing training program, and a 50-fold return from the average program.

This calculation does not include the training time, however. According to Ferrara, it takes a user about 30 minutes to go through all three of the company's anti-phishing training modules, and the "teachable moment" of interacting with a simulated phishing email is under a minute.

With that adjustment, the total savings drops to around $137 for the average training program, and $24 for the least effective one, making for a 37-fold and seven-fold return on investment, respectively.

"The important thing to keep in mind is that the potential loss after a phishing attack is far greater and far more devastating than just the loss of productivity," Ferrara added.

A good way to get employees motivated to do the training is to first run a simulated phishing attack, said Ferrara.

Not only does that provide a baseline metric for how often phishing emails are clicked on, but it also demonstrates to employees that they are vulnerable.

"We had a customer who ran a simulated attack against their IT organization and they had a huge failure rate -- it was a real eye-opener for them -- more than 50 percent of the people failed," said Ferrara. "We used that as motivation to get them to take training. As long as you don't hammer them over the head or belittle them, you can get a great response."

Banks have been sending millions of Americans credit and debit cards equipped with computer chips to improve the security of in-store purchases.

Meanwhile, banks and credit card companies are pushing merchants to upgrade their payment terminals so they can read the chips on the cards and bring the U.S. in line with credit card security used in much of the rest of the world.

The conversion process from older magnetic stripe cards to chip cards has sped up in recent months because of an Oct. 1 deadline. That's the day when liability for credit card fraud will shift from banks to merchants or the party using the least-secure technology. Credit card users, who won't bear liability for fraud, are unlikely to notice the deadline at all.

However, card users might want to know what's happening so they'll be ready when lines form at checkout lanes this holiday shopping season because merchants will have begun deploying chip-card readers. Some industry analysts say chaos will ensue because chip cards take a few seconds longer to read than magnetic stripe cards, and some customers and store clerks will be unfamiliar with how to use them.

The following is information you can share with other shoppers (after Oct. 1) if you happen to be (patiently) waiting in line at the checkout counter.

What's a chip card?

A chip card, also called a smart card, is a credit or debit card with a computer chip embedded in the face of the card. That's the only difference in its appearance. Nearly all of the chip cards that banks are sending their customers still have magnetic stripes that will be used by stores that don't have chip-card readers. Magnetic stripe technology is decades old and is still widely used in the U.S. even though it is relatively easy to hack.

According to industry estimates, about half of the 12 million card readers at payment terminals in the U.S. will be converted to support chip cards by the end of 2015. Meanwhile, there are about 1.2 billion debit and credit cards in circulation among the 335 million people who live in the U.S. Eight major banks account for half of the U.S. card volume; they estimate that nearly two-thirds of their cards will be reissued as chip cards by the end of the year.

There are 3.4 billion chip cards in use worldwide, primarily in 80 countries, according to the EMV Connection website. EMV stands for Europay, MasterCard and Visa, the companies that originally developed chip cards.

The numbers are important because there won't be a complete conversion to chip cards for many years. It took Canada about eight years to reach 90% conversion to chip cards. Major retailers like Wal-Mart have been converting payment terminals to support chip cards for years.

How do I use a chip card?

GoChipCard, a website supported by major banks and credit card companies, posted a three-step illustration for how to use a chip card. Step 1 is to insert the card at the bottom of the terminal, with the chip toward the terminal facing up. That's instead of swiping the magnetic stripe along the side of the machine.

Many new terminals will support both methods, as well as NFC payments via smartphones and smartwatches such as the latest iPhones or the Apple Watch, which use Apple Pay. NFC payments are usually done by just touching, or nearly touching, a device to a payment terminal and entering a confirmation on the phone. In addition to "touch and pay" with a smartphone, some retailers like Rite-Aid will support the ability to touch the terminal with a chip card to pay.

As the GoChipCard graphic notes, a key detail of the first step is that users should not remove the card from the reader "until prompted." Analysts have noted that, on the first few tries, U.S. shoppers who are accustomed to swiping magnetic stripes may be likely to remove their chip cards quickly. Sales clerks will have to be ready for this -- and patient enough to remind users to leave the cards in place until the terminal beeps or a light goes on, or until the clerk gives the customer the thumbs up. There are more than 20 vendors of payment terminals, and they have varying methods for confirming that a sale is complete and that a card can be removed.

There are a wide variety of chip card payment terminals, but they mostly look alike, as indicated in the illustration. Some will be attached to a pedestal, just as older magnetic-stripe card readers are today. The terminals will almost all have a keypad to capture a PIN (personal identification number) and a screen with a digital pen to capture a signature.

Step 2 in the graphic is to "provide your signature or PIN as prompted by the terminal." Many retailers won't require either, especially if the transaction is for a small amount, usually under $25. There's disagreement in the industry about whether a signature or a PIN will be required for larger purchases, but the decision will be made by the banks issuing the cards. (More on that below.)

Step 3 is to remove your card when the transaction is complete. As mentioned above, different terminals may have different ways to indicate that it's OK to remove the card.

Are chip cards really more secure, and are they necessary?

Yes. Chip cards are light years ahead of magnetic stripe cards in terms of security. The main thing to know is that the chip in the card is communicating with the network behind the terminal to enhance security instead of just forwarding your card number and related data to the network, as with the magnetic stripe approach.

The chip can communicate a unique encrypted token (or an alias) with the network instead of your actual credit card number. That way, the network, and even the store, won't know your card number. When the token reaches your bank, it is decrypted so the bank can verify your account and then authorize payment. This all happens in a few seconds or less.
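The transaction-unique data that the chip-and-pin section earlier on this page and the answer above both describe can be modelled in a few lines. The Python below is an added example, not from either article: a deliberately simplified model in which the card's cryptogram is an HMAC over the transaction details and a counter (real EMV cards use issuer-specific cryptogram algorithms and per-transaction session keys), alongside the static magnetic-stripe string for contrast. The key, PAN and track string are constructed.

```python
"""Why chip data resists replay while magnetic-stripe data does not.

Added, simplified model. The card holds a key shared with its issuer and an
Application Transaction Counter (ATC); for each purchase it returns a
cryptogram over the amount, a terminal nonce and the counter. The issuer
recomputes the cryptogram and refuses any counter it has already seen.
"""
import hashlib
import hmac
import secrets
from dataclasses import dataclass, field


@dataclass
class ChipCard:
    pan: str
    key: bytes                       # shared with the issuer at personalisation
    atc: int = 0                     # Application Transaction Counter

    @staticmethod
    def _message(amount_cents: int, nonce: bytes, atc: int) -> bytes:
        return amount_cents.to_bytes(6, "big") + nonce + atc.to_bytes(2, "big")

    def authorise(self, amount_cents: int, terminal_nonce: bytes) -> dict:
        """Produce a transaction-unique cryptogram (modelled after an ARQC)."""
        self.atc += 1
        msg = self._message(amount_cents, terminal_nonce, self.atc)
        return {
            "pan": self.pan,
            "amount": amount_cents,
            "nonce": terminal_nonce.hex(),
            "atc": self.atc,
            "cryptogram": hmac.new(self.key, msg, hashlib.sha256).hexdigest(),
        }


@dataclass
class Issuer:
    keys: dict                                   # pan -> card key
    last_atc: dict = field(default_factory=dict)  # pan -> highest ATC accepted

    def verify(self, req: dict) -> bool:
        """Accept only if the cryptogram is correct and the counter advanced."""
        key = self.keys.get(req["pan"])
        if key is None:
            return False
        if req["atc"] <= self.last_atc.get(req["pan"], 0):
            return False                         # replayed or stale counter
        msg = ChipCard._message(req["amount"], bytes.fromhex(req["nonce"]), req["atc"])
        expected = hmac.new(key, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, req["cryptogram"]):
            return False                         # amount or nonce was altered
        self.last_atc[req["pan"]] = req["atc"]
        return True


def stripe_replay_succeeds(track2: str, captured: str) -> bool:
    """Stripe model: the terminal forwards the same static string every time,
    so a captured copy is indistinguishable from the genuine card."""
    return captured == track2


def chip_replay_succeeds(card: ChipCard, issuer: Issuer) -> bool:
    """Capture one genuine authorisation and present an identical copy again."""
    first = card.authorise(1999, secrets.token_bytes(4))
    if not issuer.verify(first):
        raise RuntimeError("genuine purchase should have been accepted")
    return issuer.verify(dict(first))


def chip_tamper_succeeds(card: ChipCard, issuer: Issuer) -> bool:
    """Alter the amount of a fresh authorisation after the card signed it."""
    req = card.authorise(1999, secrets.token_bytes(4))
    req["amount"] = 100
    return issuer.verify(req)


def demo() -> dict:
    key = secrets.token_bytes(16)                      # constructed per-card key
    card = ChipCard(pan="4111111111111111", key=key)   # constructed test PAN
    issuer = Issuer(keys={card.pan: key})
    static_track = ";4111111111111111=2512101?"        # constructed Track 2 string
    return {
        "stripe_replay": stripe_replay_succeeds(static_track, static_track),
        "chip_replay": chip_replay_succeeds(card, issuer),
        "chip_tamper": chip_tamper_succeeds(card, issuer),
    }


if __name__ == "__main__":
    print(demo())   # {'stripe_replay': True, 'chip_replay': False, 'chip_tamper': False}
```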

As to whether the security is necessary, the answer is again, yes, especially for banks, but not necessarily for card users. Obviously, it is in everyone's interest to reduce fraud where possible, and banks have long said that customers aren't held liable for fraud. That policy of keeping customers harmless will continue with chip cards. Enhancing security helps banks reduce the cost of paying for stolen card numbers and stolen merchandise, which theoretically keeps costs in check for average bank customers. In countries where chip cards have been used for years, as in Europe and Canada, fraud rates have dropped dramatically.

So if the chip makes the card so secure, why do I need a PIN or a signature?

The main reason for a PIN or signature is to provide the merchant (and the bank behind the card) further evidence that the user of the card is the actual owner of the card. If your card is lost or stolen, even with a chip, it can still potentially be used by someone else.

Security experts at Kaspersky Lab recently observed a big wave of malicious VBE files targeting Brazilian users to distribute a financial Trojan.

Recently security experts have seen old tricks rising from the dead (for example Word/Excel macro attachments in e-mails), and malicious VBE files are now being spread via e-mail to Brazilian users.

These VBE files end up being downloaded by users and, when opened, install a banking Trojan on the victim's machine.

As for the attack itself, everything starts with an e-mail carrying a .ZIP attachment or a link to the malicious VBE file. These e-mails can use many subjects; recently attackers have been using the Windows 10 release as the subject.

The malicious file, attached or downloaded, is very small, normally less than 1 KB. Analyzing the file, we find it encoded and looking like this:

(Image: the encoded malicious VBE file)

After decoding, it is possible to see the real intentions of the person or group who wrote the malicious file; in this specific case we see a reference to a website:

(Image: the decoded VBE file, showing the referenced website)

This malware belongs to the Banload family, and looking worldwide we see Brazil, Portugal and Spain as the most targeted countries:

(Image: geographic distribution of detections)

This is one case among many others; it is necessary to adopt mitigation techniques that help security departments control this kind of attack.
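One such mitigation for the campaign described above is to inspect mail attachments by content, so that a tiny encoded .vbe file is caught whether it arrives directly or inside a .zip and whatever extension it carries. The Python check below is an added example, not code from the original post or from Kaspersky; it relies on the Windows Script Encoder markers `#@~^` and `^#~@`, and the lure message it scans is constructed.

```python
"""Flag e-mail attachments that carry Windows Script Encoder (.vbe) payloads.

Added example for mail-gateway or SOC triage. Encoded VBScript files begin
with the marker '#@~^' and end with '^#~@'; checking those bytes catches
the payload even when the file name has been changed. One level of zip
nesting is inspected, since the campaign above ships the file in a .ZIP.
"""
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

VBE_START = b"#@~^"
VBE_END = b"^#~@"
SCRIPT_EXTS = (".vbe", ".jse", ".vbs", ".js", ".wsf")
MAX_MEMBER = 1_000_000          # skip zip members larger than this (bytes)


def looks_like_vbe(data: bytes) -> bool:
    """Content-based check: encoded-script header and trailer both present."""
    return data.lstrip()[:4] == VBE_START and VBE_END in data


def inspect_blob(name: str, data: bytes, depth: int = 0):
    """Yield (path, reason) pairs for suspicious content, descending one zip level."""
    lname = name.lower()
    if looks_like_vbe(data):
        yield name, "encoded VBE content (#@~^ ... ^#~@)"
    elif lname.endswith(SCRIPT_EXTS):
        yield name, f"script extension {lname[lname.rfind('.'):]}"
    if depth == 0 and data[:2] == b"PK":
        try:
            with zipfile.ZipFile(io.BytesIO(data)) as zf:
                for info in zf.infolist():
                    if info.file_size > MAX_MEMBER:
                        continue
                    for path, reason in inspect_blob(info.filename, zf.read(info), depth + 1):
                        yield f"{name}/{path}", reason
        except zipfile.BadZipFile:
            yield name, "PK header but unreadable zip"


def scan_email(raw: bytes):
    """Return a list of (attachment path, reason) findings for one raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings = []
    for part in msg.iter_attachments():
        payload = part.get_payload(decode=True) or b""
        findings.extend(inspect_blob(part.get_filename() or "unnamed", payload))
    return findings


def build_sample_email() -> bytes:
    """Constructed lure: Windows 10 themed subject, a zip holding a sub-1 KB
    encoded file with a misleading .pdf extension plus a harmless text file."""
    fake_vbe = b"#@~^" + b"QAAAAA==" + b"constructed-encoded-body-not-real-script" + b"^#~@"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Windows10_Upgrade.pdf", fake_vbe)
        zf.writestr("readme.txt", b"harmless text")
    msg = EmailMessage()
    msg["Subject"] = "Your free Windows 10 upgrade is ready"
    msg["From"] = "noreply@example.invalid"
    msg["To"] = "user@example.invalid"
    msg.set_content("See attached.")
    msg.add_attachment(buf.getvalue(), maintype="application",
                       subtype="zip", filename="Windows10.zip")
    return msg.as_bytes()


if __name__ == "__main__":
    for path, reason in scan_email(build_sample_email()):
        print(f"{path}: {reason}")
```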

The images used in this post were taken from a post by the security expert Fabio on SecureList.

Elsio Pinto (@high54security) is at the moment the Lead McAfee Security Engineer at Swiss Re, but he also has knowledge in the areas of malware research, forensics and ethical hacking. He has previous experience in major institutions, the European Parliament being one of them. He is a security enthusiast and tries his best to pass on his knowledge. He also owns his own blog.

The worldwide cybersecurity market is defined by market sizing estimates that range from $77 billion in 2015 to $170 billion by 2020. We broke these numbers down in a previous blog.

Globally, venture-backed cybersecurity companies raised $1.9 billion last year, a record, according to Dow Jones VentureSource.

CB Insights reported that in the first half of 2015, venture firms invested $1.2 billion into cybersecurity startups. Yup, you read it correctly - one point two billion in just the first six months of 2015.

Allegis Capital, a leading seed and early stage venture capital investor in companies building disruptive and innovative cybersecurity solutions for the global digital economy, has raised a $100 million fund to back cybersecurity startups. "There is a substantial need for new and promising cyber security startups and a huge investment opportunity in them," said Allegis Founder and Managing Director Robert Ackerman.

Our list of recent noteworthy investment deals, by the largest dollar figures:

CrowdStrike, provider of the first true Software-as-a Service (SaaS) based next-generation endpoint protection platform, completes a $100 million Series C financing round, led by Google Capital. Rackspace, a CrowdStrike customer, also participated in the round along with existing investors Accel and Warburg Pincus. This brings the company's total funding raised to $156 million.

Checkmarx, a global leader in software application security, secures an $84 million investment from New York-based venture capital and private equity firm, Insight Venture Partners. The new round of capital will be primarily used to further accelerate growth through product innovation and global expansion.

Tanium, the company that has redefined security and systems management, announced that Andreessen Horowitz invested an additional $52 million in the company. This subsequent investment in Tanium is a follow-up to Andreessen Horowitz's initial financing of $90 million in May 2014 and constitutes one of its largest investments to-date.

Cylance, the first next-generation endpoint protection company to successfully apply artificial intelligence to predictively identify and stop cyber attacks before they ever execute, has closed more than $42 million in Series C funding. Led by DFJ Growth, the round includes investments from KKR, Dell Ventures, Capital One Ventures and TenEleven Ventures.

Venafi, the immune system for the Internet and leading provider of Next Generation Trust Protection, receives $39 million in additional funding. The financing was led by QuestMark Partners and other new investors Intel Capital and Silver Lake Waterman and existing investors. The investment will accelerate development of the Venafi Trust Protection Platform to secure more Global 5000 businesses and governments and support its fast-growing worldwide customer base.

Cyphort, a pioneer of Advanced Threat Defense (ATD) solutions, secures $30 million in Series C funding. Sapphire Ventures led the round and was joined by all existing investors: Trinity Ventures, Foundation Capital and Matrix Partners. The latest round of funding will be used to help with the security company's rapid growth and expansion into new markets. The new funding brings Cyphort's total investment to more than $53 million since inception.

Cybereason, a provider of threat detection solutions, closes a $25 million Series B funding round, with defense contractor Lockheed Martin participating as a strategic investor. Led by Spark Capital with existing investor CRV also participating in the round, the startup said the funds would be used to expand its research and development and support sales and marketing efforts.

HackerOne, the vulnerability management and bug bounty platform, secures a Series B financing of $25 million led by New Enterprise Associates (NEA). The round includes participation from existing investors, including Benchmark, as well as numerous angel investors including Salesforce Chairman and CEO Marc Benioff, among others.

Menlo Security closes a $25 million Series B funding round led by new investor Sutter Hill Ventures and joined by existing investors General Catalyst, Osage University Partners and Engineering Capital to support the company's rapid growth.

HyTrust, the cloud security automation company, raises $25 million in a Series D round, plus $8 million in venture debt and credit facilities from a syndicate of venture capital firms and strategic investors. This brings the total investment in HyTrust to $84.5 million from 11 investors.

Ziften, a leader in continuous endpoint visibility, raises $24 million in funding led by Spring Mountain Capital, with significant participation from Fayez Sarofim, an early investor in Ziften. The equity financing round will accelerate Ziften's go-to-market strategy and extend its global reach as it delivers on the demands of organizations for a security solution that swiftly discovers, analyzes, and plugs security exposures to harden corporate resiliency.

BitSight Technologies, the standard in Security Ratings, closes a $23 million round of Series B financing. Comcast Ventures joins as a new investor together with current investors Globespan Capital Partners, Menlo Ventures, Commonwealth Capital Ventures, Shaun McConnon and Flybridge Capital Partners, all participating in the round of funding. New funding will be used to extend sales and marketing into Europe and APAC, expand engineering and data science teams to accelerate the company's new data analytics products, and fund potential acquisitions of key data source partners. BitSight has raised $49 million to date.

Distil Networks, a company that analyzes website traffic and blocks malicious bots, closes a $21 million Series B round. Bessemer Venture Partners led the round. Investors Foundry, TechStars, ff Venture Capital, Idea Fund and Correlation Ventures also participated. The investment brings the total raised to $38 million.

Niara, a stealth security analytics company, closes a $20 million Series B financing round led by Venrock, with additional participants including New Enterprise Associates (NEA) and Index Ventures.

The developing world is increasingly using mobile banking apps to move money, but new research shows those apps are often poorly coded and pose security risks.

Researchers with the University of Florida looked at dozens of apps used for mobile money systems but extensively analyzed seven that have millions of users in Brazil, India, Indonesia, Thailand, and the Philippines.

The problems they found represent a large attack surface, including SSL/TLS issues, botched cryptography, information leakage and opportunities to manipulate transactions and modify financial records.

The impact of the problems is unknown, but "it is possible that these apps are already being exploited in the wild, leaving consumers with no recourse to dispute financial transactions," according to their research paper, to be presented on Wednesday at the 24th USENIX Security Symposium in Washington, D.C.

So-called "branchless" banking systems using mobile apps have revolutionized banking in developing countries, where the poor have long suffered from difficult access to traditional banking systems, they wrote.

In some countries, branchless banking apps handle the equivalent of 30 percent of the nation's GDP, relying on the near universal deployment of cellular networks and mobile devices.

The apps can let people send money to others, pay their bills, check account balances and buy airtime credits.

While the convenience is unparalleled for the developing world, the research paper shows that security is often lagging. Complicating the problem is that the terms of service for many services shift the liability to customers if there's a problem, they wrote.

"Providers must not marry such vulnerable systems with a liability model that refuses to take responsibility for the technical flaws, and these realities could prevent sustained growth of branchless banking," they wrote.

One app in India called the Oxigen Wallet is vulnerable to a man-in-the-middle attack. Poor authentication and cryptography could allow an attacker to compromise an Oxigen account and conduct unauthorized transactions.

GCash, used in the Philippines, uses a static encryption key when communicating with a remote server. A user's PIN and session ID are encrypted with the key, which is public, before being sent.

"An attacker with this key can decrypt the user's PIN and session ID if the encrypted data is captured," they wrote. "This can subsequently give the attacker the ability to impersonate the user."

They also found problems with Airtel Money and MoneyOnMobile, both used in India, mPAY of Thailand, Zuum of Brazil and mCoin of Indonesia.

All of the services were notified of the vulnerabilities before the publication deadline of the research paper, they wrote.

"Most have not sent any response to our disclosures," the paper said. "We have chosen to publicly disclose these vulnerabilities in this paper out of an obligation to inform users of the risks they face in using these insecure services."

What will happen if hackers hit critical infrastructure in the US, and what would be the economic impact of a cyber attack against a power grid? According to a poll conducted by the Morning Consult firm, cyber attacks rank just behind terrorist attacks on the list of the biggest threats to the US, and it has been estimated that the insurance industry could face losses of about $21 billion. The poll was conducted between May 29 and May 31 by interviewing a national sample of 2,173 registered voters. Nearly 36 percent of voters put acts of terrorism atop the list of major security threats, followed by cyber attacks at 32 percent.

According to Lloyd's of London, cyber attacks would have a significant impact on multiple types of insurance. As reported in "Business Blackout", a joint report by Lloyd's and the University of Cambridge's Centre for Risk Studies, the insurance implications of a cyber attack on the US power grid could be catastrophic.

The "Business Blackout" report describes the impact of a cyber attack on the national power grid that causes an electrical blackout, plunging 15 US states and principal cities, including New York City and Washington DC, into darkness. Nearly 93 million people are left without power in the scenario hypothesized by the study. The experts simulate a malware-based attack in which an imaginary trojan, 'Erebos', infects electricity generation control rooms in several locations in the Northeastern United States. The attack causes health and safety systems to fail and disrupts water supplies as electric pumps stop. Chaos follows as main services, including transportation, fail. The malware spreads across the Internet, seeking out and compromising 50 generators, which it destroys, causing prolonged outages in the region.

The total of claims paid by the insurance industry is estimated to lie between $21.4bn and $71.1bn, depending on how the scenarios designed by the researchers evolve. In this scenario the researchers estimated that economic losses could range from $243 million to $1 trillion, depending on the number of components in the power grid compromised by the attack. "Economic impacts include direct damage to assets and infrastructure, decline in sales revenue to electricity supply companies, loss of sales revenue to business and disruption to the supply chain. The total impact to the US economy is estimated at $243bn, rising to more than $1trn in the most extreme version of the scenario," the report states.

The researchers analyzed "historical outages", estimating that power interruptions, most of which last five minutes or less, already cost the US about $96 billion. The cost of a prolonged outage is likely to fall in the range of $36 billion to $156 billion. The commercial and industrial sectors are the most affected by an attack on the power grid because of their dependence on the electricity supply. "Evidence from historical outages and indicative modelling suggests that power interruptions already cost the US economy roughly $96bn annually. However, uncertainty and sensitivity analysis suggest this figure may range from $36bn to $156bn," the report continues.

"Currently over 95% of outage costs are borne by the commercial and industrial sectors due to the high dependence on electricity as an input factor of production." This is the first time the insurance industry has produced a report of this kind. The estimates provided are merely indicative, given the large number of factors that can influence the cost, but it is important to understand the high risks of a cyber attack against a critical infrastructure like a power grid and the necessity of adopting an effective cyber strategy to improve its security.