Intel’s Massive Microprocessor Vulnerabilities: Meltdown & Spectre
Computer security experts disclosed last week what may be the largest cybersecurity vulnerability disclosure to date, potentially affecting nearly every computer across the globe. At risk are personal and workplace computers, servers and even cloud service providers such as Amazon, Google and Microsoft.
The disclosed vulnerabilities, known as Meltdown and Spectre, are strictly a hardware design flaw in microprocessors, making them much harder to secure than software vulnerabilities. The microprocessor, made by Intel, is “used in nearly 90 percent of the computer servers that underpin the internet and private business operations,” according to a recent New York Times article. This also means the problem will likely stick around for a while, since it cannot be solved by simple patching techniques. Others are calling for enterprises to replace every processor delivered in the last 15 years, a financial burden too large for small and medium-sized enterprises (SMEs).
In short, Meltdown breaks the isolation between a user application and the operating system, so that an application can dump memory it should never be able to read and steal the data in it. Meltdown could also allow hackers to bypass the hardware barrier between applications run by users and the computer’s memory, potentially letting hackers read a computer’s memory and steal passwords. While Meltdown will likely be the first vulnerability secured, or at least patched, experts are already saying the patches could reduce computing power by as much as 30 percent.
The second vulnerability, Spectre, is slightly different. Spectre goes a step further—application to application—and is harder to exploit, but also harder to mitigate. This means vulnerable machines have to be running malware to exploit the vulnerability. However, many servers are already running malware that system administrators fail to discover. Secondly, Spectre could require entirely redesigning the processors, according to researchers, and patches must be made for every application. Not to mention, vendors will likely never write patches for legacy machines, which have been out of support for years.
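The article says Meltdown and Spectre cannot be fixed by simple patching, which raises the practical question of how an administrator can tell whether a given server's operating system is even applying the available mitigations. The following script is an added example written for this post, not code from the original article or from Intel: on Linux kernels from 4.15 onward the kernel reports its own mitigation status in one file per issue under `/sys/devices/system/cpu/vulnerabilities/`, and the script classifies each file's first words (`Not affected`, `Mitigation:`, `Vulnerable`) and exits non-zero if anything is unmitigated. The sample directory it builds with `--demo` contains constructed status lines so the logic can be exercised on a machine without that sysfs interface.

```shell
#!/bin/sh
# Added example (not from the original article): report the Linux kernel's
# own view of Meltdown/Spectre mitigation status. Linux >= 4.15 exposes one
# file per issue under VULN_DIR; each starts with "Not affected",
# "Mitigation: <name>" or "Vulnerable".
VULN_DIR="${VULN_DIR:-/sys/devices/system/cpu/vulnerabilities}"

# classify_status STATUS_LINE
# Prints one of: not-affected | mitigated | vulnerable | unknown
classify_status() {
    case "$1" in
        "Not affected"*) printf 'not-affected\n' ;;
        "Mitigation:"*)  printf 'mitigated\n' ;;
        "Vulnerable"*)   printf 'vulnerable\n' ;;
        *)               printf 'unknown\n' ;;
    esac
}

# report_cpu_vulns [DIR]
# Prints "<issue>  <class>  <raw kernel text>" per file.
# Returns 0 if everything is mitigated or not affected,
# 1 if any issue is vulnerable/unknown, 2 if the directory is missing.
report_cpu_vulns() {
    dir="${1:-$VULN_DIR}"
    rc=0
    if [ ! -d "$dir" ]; then
        printf 'no %s: not Linux, or kernel predates 4.15 and cannot report status\n' "$dir" >&2
        return 2
    fi
    for f in "$dir"/*; do
        [ -r "$f" ] || continue
        name=$(basename "$f")
        raw=$(cat "$f")
        cls=$(classify_status "$raw")
        printf '%-12s %-13s %s\n' "$name" "$cls" "$raw"
        case "$cls" in vulnerable|unknown) rc=1 ;; esac
    done
    return $rc
}

# make_sample_dir
# Builds a temporary directory with constructed status lines (sample data,
# not read from a real machine) so the report logic can be exercised anywhere.
make_sample_dir() {
    d=$(mktemp -d)
    printf 'Mitigation: PTI\n' > "$d/meltdown"
    printf 'Mitigation: __user pointer sanitization\n' > "$d/spectre_v1"
    printf 'Vulnerable\n' > "$d/spectre_v2"
    printf '%s\n' "$d"
}

# Usage: sh check_cpu_vulns.sh --scan   (inspect this host)
#        sh check_cpu_vulns.sh --demo   (run against the constructed sample)
case "${1:-}" in
    --scan) report_cpu_vulns ;;
    --demo) report_cpu_vulns "$(make_sample_dir)" ;;
esac
```

On a patched host every line reads `mitigated` or `not-affected` and the script exits 0; a non-zero exit is the signal to feed into whatever inventory or monitoring job tracks patch compliance. Note that a mitigated kernel only covers the operating-system side: Spectre, as described above, also needs per-application fixes that this check cannot see.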
According to a recent joint report by Lloyd’s of London and the cyber risk analytics firm Cyence, a hypothetical catastrophic cyber-attack targeted against a cloud service provider could result in average losses of $53 billion in just a matter of days. In the most extreme situations, an attack could cost $121 billion, greater than the total losses from catastrophic natural disasters such as Hurricanes Katrina and Sandy.
Is this the vulnerability that nation-state actors and cybercriminals have been waiting for? Perhaps. An attack on cloud service providers could have detrimental and global consequences. Surely, nation-state actors, and commercial actors connected to nation states, are already looking for ways to exploit the vulnerability and monetize it. The motivation is surely there. The question is, if those motivated have the technical skills to exploit the vulnerabilities, how fast can they download data? And if they can beat those trying to secure the vulnerability, do they have the capacity to store such an immense amount of data?
This situation brings to life what the cyber insurance world has long feared, as a breach of this magnitude would have severe implications on the insurance industry. Insurance companies must view this as a risk-based model and understand that an attack with “Sandy-like” losses could cripple the insurance industry. Unlike other lines of business, which rely on hundreds of years of historical data to hedge risk, cyber insurers struggle to estimate potential losses due to the possibility of aggregate loss scenarios. “Because cyber is virtual, it is such a difficult task to understand how it will accumulate in a big event,” explained Lloyd’s of London CEO Inga Beale.
While the true effects from Meltdown and Spectre are far from known, if cybercriminals or nation-state actors can exploit the vulnerabilities before the government or tech world can patch them, millions of potentially insured individuals and organizations will be at risk for cyber extortion and data loss.
The Council’s Cyber Market Watch Survey
The Council recently released its fifth biannual Cyber Insurance Market Watch Survey. Results were consistent with those in May 2017, as take-up rates remained relatively low at around 31 percent. While many clients were curious about cyber insurance, their interest did not necessarily translate to the purchase of a policy. It is interesting to note that widely publicized international events, including the Equifax breach and the WannaCry and Petya ransomware attacks, did not greatly influence adoption.
“Cyber coverage is becoming an increasingly critical line of business for our members’ clients,” explained Ken A. Crerar, President/CEO of The Council. “However, as cybercrime continues to increase around the globe, with the average cost of a data breach approaching $4 million, it’s essential for broker members to continue emphasizing the importance of adding cyber policies to clients’ risk-portfolios.”
What We’re Reading
AIG explores the transitioning role of cyber insurance, as cyber risk develops from a systematic risk to a large-scale, dynamic threat affecting business and individuals around the world. Cyber insurance companies must evolve to protect against unprecedented risks.
Most corporate boards are not taking tangible actions to shape their companies’ security strategies or investment plans, a PwC study shows. Of the more than 9,500 senior executives in 122 countries who participated in PricewaterhouseCoopers’ Global State of Information Security Survey (GSISS) 2018, only 39 percent say they are very confident in their attribution capabilities — that is, their ability to detect and trace cyberattacks.
The National Association of Insurance Commissioners (NAIC) formally approved the Insurance Data Security Model Law (model law) this past October. The model law applies to “licensees,” including brokerages, and has prescriptive requirements similar to those of the New York State Department of Financial Services (NYDFS) Cybersecurity Rule. Now, the states must choose whether or not to adopt the model law.
Coalition is making its formal debut into the cyber insurance space, but with a twist. The San Francisco-based startup is also a cybersecurity firm. Licensed as an insurance producer in all 50 states and the District of Columbia, Coalition distributes its products through insurance brokers, who can access the company’s products from an online platform for their small-to-midsize clients.
The GDPR’s implementation will hand individuals vastly increased powers over the way their personal data is collected and processed, including the much-discussed ‘right to be forgotten.’ While the GDPR delivers significant advantages for consumers, it brings to the surface serious concerns for businesses, particularly relating to the financial implications that are associated with cyber breaches.
2017 saw seven of the top 20 all-time largest breaches in terms of number of records exposed worldwide. As cyber liability transitions from simply records lost to personal damage, financial loss, reputational loss and physical loss, the insurance industry has transitioned in turn, making the terms and conditions in a cyber-policy more important than ever.