Risk Assessment and Mitigation for the Insurance Company

Risk Assessment and Mitigation for the Insurance Company

An insurance company in the financial sector handles sensitive data that is a priority target for hackers and constant cybersecurity threats. They are also a potential target for unauthorized third parties. Therefore, a resilient data and infrastructure security model are paramount. Risk assessment and mitigation strategies are significant due to numerous evolutions on cybersecurity and increased vulnerabilities in the system over time. Through business interruption, the plan will prevent network and data breaches, compromised logins, ransomware, phishing, malware, and reputation damage (EIOPA, 2019). However, a flaw in processes, data, physical location, and software can lead to vulnerability in the information infrastructure. Therefore, we require necessary security resources, patched system functionalities, and user security training in the risk mitigation strategy.

Potential threats and vulnerabilities for the company

Malware risks

Viruses

A user can infect the system by copying the network resources. Most viruses can self-replicate to resources in the network, such as workstations and servers, without users' knowledge (Firch, 2021). The viruses are sent via email attachments, web downloads, removable storage drives, instant messaging, and network connections.  Viruses are commonly embedded in files such as .doc/.docx, .exe, .xls/.xlsx, .zip, and .html. The attacker can use viruses to deliver payloads to the network infrastructure and resources in the network.

Logic bombs

This malware can deliver payloads to email servers, data servers, and web servers when triggered by the users in the network or when a specific date and time reaches (Firch, 2021). It can also be triggered when a user reaches several attempted logins to the system. Antivirus software such as Kaspersky will detect logic bombs in the network and computing resources when they are triggered.

Keyloggers

Keyboard capturing can give an attacker a log based on user keystrokes without their knowledge. According to a study, hackers in insurance companies target customer information such as personal details, credit card information, email addresses, usernames, and passwords (Deloitte, 2021). They are used to track activities and steal usernames and passwords. An attacker embeds a physical wire discretely to input peripherals like a keyboard or uses a trojan.

Trojan horse

These are computer programs usually disguised as legitimate to the system but hidden to avoid detection. Although they cannot self-replicate, they allow threat actors to create backdoors into the network for stealing sensitive data from the system (Firch, 2021). They are commonly spread through email attachments, instant messaging, and website downloads. An attacker can combine social engineering to deploy trojan programs and trick users into executing them.

Botnets, rootkits, and spywares

Robot networks are bots attached to a network after compromise to allow remote system control. For instance, they can control the printing devices in the network. They can also launch a DDoS attack by sending large data pieces to webservers, which may take it offline. Spyware and adware collect users' information such as identification, usernames, and passwords, and attackers sell the data to unauthorized people. Rootkits are backdoor control of the computer from a remote location that gives an attacker privilege for changing system configuration, logging files, and spying on users.

Social engineering threats

A threat actor can bypass authentication and security protocols through social engineering attacks. The users will be oblivious of attacks because attackers use tricks and psychological exploits to force users to surrender sensitive information capable of compromising the system. Social engineering can occur in various ways, including phishing, spam, dumpster diving, shoulder surfing, vishing, smishing, tailgating, and whaling. The most likely vulnerabilities, in this case, include pharming, vishing, and smishing. Pharming comprises altering the host file or exploiting a DNS server vulnerability to redirect the URL to a false site. However, this attack will be mitigated through URL filtering.  

Vishing

An attacker can combine phishing and voice exploits to launch an attack on a VoIP line. Threat actors use specific VoIP tools to compromise auto-dialers and pass robocalls or messages through a spoofed VoIP address (Firch, 2021). They confuse users by pretending to be friendly or threatening them that their security is compromised. They need to update the passwords.

Smishing

Uses SMS messages to trick users into giving unauthorized people personal information including credit card numbers, account names, and passwords. Additionally, the attacker may embed a URL to the message, invite them to click on the link, and redirect them to a third-party malicious website.  

Unpatched and outdated software

Unpatched software is a non-physical network vulnerability that affects Operating systems (OS), data, and other software installed in the information infrastructure. The software requires updating with patched versions the reduce risks and vulnerabilities. Microsoft currently supports Windows 7 OS, which means patches for bugs and OS vulnerabilities recently detected (Firch, 2021). These computers are a high-security risk. Therefore, it is significant to upgrade the five endpoints running windows 7 to windows 10. 

Misconfiguration of firewalls and software

Internal network and server misconfiguration increases risks to the organization's assets. It enables threat actors to analyze the network traffic, compromise resources on the network, and steal sensitive data from the organization and its clients. Misconfiguration of a network of resources is an avenue for attacks through code injection, cross-site scripting, brute force, forceful browsing, and buffer overflow. If the company uses cloud infrastructure, the correct configuration of cloud resources such as storage is required to minimize risks. Lack of data encryption and backup strategies also increases the risks of sensitive information.

Risk mitigation strategies for the network and information infrastructure

The initial step is identifying and prioritizing assets in the information system infrastructure. These resources include the PCI/PCII, five servers, the 50 endpoints, five printers, two branches, 50 VoIP, and 35 employees. Some of the necessary details to collect about the assets and information system security architecture include the software type, hardware components, the purpose of the assets, network topology, data storage and protection, system users, data, technical security controls, information flow charts, physical security for the assets. The details collected give insights on mission-critical assets in the network and the significance of each asset to the organization. We will use common categorization to categorize these assets: legal standing, monetary value, and technical importance to the infrastructure and its security protocols (EIOPA, 2019). The assets will be incorporated in security policy and classified as either minor, major, or critical to the infrastructure and organization in general. Threat management is vital to ensure security on the network.

Insurance companies must share information with the DHS and NPPD for compliance assessment and data-security standards analysis. The requirements for PCI include maintenance of firewalls, protection of passwords, cardholder details, encryption of sensitive data under the transmission, use of antivirus, updating software, data access restriction protocols, unique access IDs, and restricting physical access to sensitive components such as servers (Groot, 2021). The company will equally be required to maintain access logs into the network and resources. Proper program handling ensures secure sharing of data between insurance companies and the government through non-disclosure regulations. In addition, PCI/PCII requires a regular vulnerability scan on the network at least quarterly. It is equally significant to conduct scans after changes in the network, for instance, after adding a new component and upgrading the previous installations. These tests can be automated to hunt vulnerabilities in the infrastructure.

Physical protection of assets in the network is significant in the company network. This organization's network comprises physical assets, including workstations, servers, and printers. Among these, the five servers in the network are at higher risk of compromise. To ensure only authorized access, turnstiles should be used to secure server room entry points, and individualized access cards together with biometric scanners should be used to enter server rooms.

According to FCC (2021), user security training programs to minimize social engineering risks should be a priority for organizations such as insurance companies. Educating systems users on cybersecurity is a significant and often overlooked step in network and data security threat mitigation. Cybercriminals employ ways to trick system users into providing the sensitive information to launch attacks. In addition, they may conduct social engineering that puts users at risk when they do not have adequate training.

References

Deloitt. (2021). Global Cyber Executive Briefing: Insurance. Retrieved from Deloitte: https://www2.deloitte.com/be/en/pages/risk/articles/insurance.html

EIOPA. (2019, 1 1). Cyber Risk For Insurers– Challenges And Opportunities. Retrieved from European Insurance and Occupational Pension Authority: https://www.eiopa.europa.eu/sites/default/files/publications/reports/eiopa_cyber_risk_for_insurers_sept2019.pdf

FCC. (2021). Cyber Security Planning Guide. Retrieved from Federal Communications Commission (FCC): https://transition.fcc.gov/cyber/cyberplanner.pdf

Firch, J. (2021, 9 23). Common Types Of Network Security Vulnerabilities In 2021. Retrieved from Purple Security: https://purplesec.us/common-network-vulnerabilities/#Unpatched

Groot, J. d. (2021, 8 12). What is PCI Compliance? Retrieved from Digital Guardian: https://digitalguardian.com/blog/what-pci-compliance