I like figuring out how things work. I work in the infosec & privacy (cyber) insurance space as an underwriter. Views are my own and not my employer’s.
@codywamsley @jeremiahg @JeffreyLS172 Some - myself included - think that this year may be the year that the falling rates, increasing coverage and threat (recent ransomware spikes) make the market have a largely unprofitable year. Folks who are judging cyber insurance profit on pre-2013 facts need to re-examine!!
Just found out we're being audited by our cyber insurance provider.
They want to verify we actually have all the security controls we claimed we have.
Problem: we don't have all the security controls we claimed we have.
When we applied for the insurance, the application asked if we had multi-factor authentication on all admin accounts.
I checked "yes" because we were planning to implement it.
We never implemented it.
Now the auditor wants to see our MFA logs. I have 48 hours to either:
1. Admit we lied and probably lose our coverage
2. Implement MFA across the entire company in two days
3. Get creative
I'm going with option 3. I just enabled MFA on every admin account. Forced enrollment. Everyone had to set it up in the last hour.
Then I backdated our MFA implementation logs to show it was enabled six months ago.
Is this fraud? Technically maybe. But the security is actually in place now. We're just adjusting the timeline of when we claim we did it.
The auditor comes on Monday. By then we'll have 48 hours of MFA logs that I'll present as "recent activity" from our "six-month implementation."
Did we lie on the application? Yes. Are we fixing it before anyone finds out? Also yes.
Corporate compliance is just staying one step ahead of getting caught.
My favorite way to hack in my ethical hacking is phone call based hacking with impersonation. Why? Because it has the highest success rate. This is what we're seeing in the wild right now, too.
Let's talk about how phone call attackers think and how to catch Scattered Spider style attacks for insurance companies (which are heavily targeted right now, Aflac recently).
1. *Impersonating IT and Helpdesk for passwords and codes*
They pretend to be IT and HelpDesk over phone calls and text messages to ask for passwords and MFA codes, or to harvest credentials via a link
2. *Remote Access Tools as Helpdesk*
They convince teammates to run business remote access tools while pretending to be IT/HelpDesk
3. *MFA Fatigue*
They will send many repeated MFA prompt notifications until the employee presses Accept
4. *SIM Swap*
They call the telco pretending to be your employee to take over their phone number and intercept codes for two-factor authentication
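Item 3 above describes the signal a defender can actually look for: a burst of push prompts to one user, followed by an approval after several denials. The following is an added example, not code from the original thread or from any vendor mentioned in it; the log format (timestamp, user, event), the event names and the thresholds are assumptions chosen for illustration, and the log lines are constructed.

```python
"""Detect the MFA-fatigue pattern in identity-provider push logs.

Added example; the log format, event names and thresholds below are
assumptions, and SAMPLE_LOG is constructed data for demonstration.
"""
from collections import defaultdict, deque
from datetime import datetime, timezone

WINDOW_SECONDS = 600        # 10-minute sliding window (assumed tuning value)
PROMPT_THRESHOLD = 5        # push prompts in the window that count as a burst
DENIALS_BEFORE_ACCEPT = 3   # denials preceding an approval that is suspicious

# Constructed sample log: ISO-8601 UTC timestamp, user, push event.
# alice shows the fatigue pattern (repeated prompts, denials, then an approval);
# bob shows normal daily logins.
SAMPLE_LOG = """\
2024-06-01T02:14:05Z alice push_sent
2024-06-01T02:14:09Z alice push_denied
2024-06-01T02:14:31Z alice push_sent
2024-06-01T02:14:36Z alice push_denied
2024-06-01T02:15:02Z alice push_sent
2024-06-01T02:15:07Z alice push_denied
2024-06-01T02:15:40Z alice push_sent
2024-06-01T02:16:12Z alice push_sent
2024-06-01T02:16:20Z alice push_approved
2024-06-01T09:00:00Z bob push_sent
2024-06-01T09:00:04Z bob push_approved
2024-06-01T17:30:00Z bob push_sent
2024-06-01T17:30:06Z bob push_approved
"""


def parse_line(line):
    """Split one log line into (aware UTC datetime, user, event)."""
    ts, user, event = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return when, user, event


def detect_mfa_fatigue(log_text):
    """Return a list of findings for burst prompting and approval-after-denials.

    Findings are dicts with at least 'type', 'user' and 'time'. Both sliding
    windows are kept per user so a noisy user never masks a quiet one.
    """
    sent = defaultdict(deque)     # user -> push_sent timestamps inside the window
    denied = defaultdict(deque)   # user -> push_denied timestamps inside the window
    burst_reported = set()        # users whose current burst has been reported
    findings = []

    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        ts, user, event = parse_line(raw)

        # Expire entries older than the window before evaluating this event.
        for queue in (sent[user], denied[user]):
            while queue and (ts - queue[0]).total_seconds() > WINDOW_SECONDS:
                queue.popleft()
        if not sent[user]:
            burst_reported.discard(user)   # window drained: a new burst may be reported

        if event == "push_sent":
            sent[user].append(ts)
            if len(sent[user]) >= PROMPT_THRESHOLD and user not in burst_reported:
                findings.append({"type": "mfa_prompt_burst", "user": user,
                                 "time": ts.isoformat(), "count": len(sent[user])})
                burst_reported.add(user)
        elif event == "push_denied":
            denied[user].append(ts)
        elif event == "push_approved":
            # The dangerous case: the user finally pressed Accept after
            # repeatedly denying prompts they did not initiate.
            if len(denied[user]) >= DENIALS_BEFORE_ACCEPT:
                findings.append({"type": "approval_after_repeated_denials",
                                 "user": user, "time": ts.isoformat(),
                                 "denials": len(denied[user])})
    return findings


if __name__ == "__main__":
    for finding in detect_mfa_fatigue(SAMPLE_LOG):
        print(finding)
```

The second finding type is the one worth paging on: a burst of prompts alone may be a misbehaving client, but an approval that follows several denials inside a short window is the moment the account is handed over, and the session it created should be revoked and the user contacted out of band.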
Sondeos Global, an SMS gateway provider, compromised. Delivers OTP codes over SMS for millions of people... I can't say this enough: it's time to deprecate SMS for 2FA!
@AlyssaM_InfoSec @joshcorman I think carriers claiming to have access to “insights” is more marketing, though change is afoot. There are insurers out now buying or forming their own IR firms. And outside US it’s more likely to get detail, but US is biggest insurance market and location of ransomware victims.
@AlyssaM_InfoSec @joshcorman I work at one of the bigger cyber insurers; we don’t have the access to forensics data the world thinks we do. The privilege thing in the US really hurts and it’s more common not to get detailed info about incidents we pay on than it is to get it.
@rucam365 - Don't use them. 99.9% tasks performed w/ these roles don't require them & can be delegated w/ least privilege.
- If you must, only use from a Privileged Access Workstation (+ MFA, long unique PWs, cert-based auth)
- Never leave priv account creds/tokens where they can be stolen
You can view our disclosure at https://t.co/K6HIMf1qNP. Many of us worked on this including @LennertWo, @rqu53, @BusesCanFly, @samwcyo, @sshell_, and @WillCaruana.
We believe these locks have been vulnerable for over 36 years, way older than most of us!
An American Hospital Association survey reported on March 15 that almost 60% of respondents say the revenue impact is $1 million per day or higher, and 44% said the adverse effects on revenue will continue for two to four more months. #ransomware
https://t.co/i8jxNNphcd
@ebailey1367 @cisonaut @anton_chuvakin Can you share more on the segment of the market you see? My experience is rates have been falling, even before accounting for reduction in risk from control effectiveness. That doesn’t match the current threat, of course, but the market is the market.
Since people continue to fall for the ALPHV/BlackCat cover up: ALPHV/BlackCat did not get seized. They are exit scamming their affiliates. It is blatantly obvious when you check the source code of the new takedown notice. You will see code like this.
@UK_Daniel_Card @joetidy Fully agree; “you’re paying criminals for a promise?”. However, the “their business depends on their reputation” crowd pushes hard, and it’s also hard to not spend money towards helping the folks whose data was compromised (customers I mean).
Very interesting - NCA says that whilst searching through seized servers of LockBit they found data belonging to some victims who had already paid the gang's ransom. So - more evidence that paying these criminals does not mean that your data is deleted as they promise.
Every company who says they “identified a cybersecurity incident” when they really mean “we identified ransomware encrypted our files when stuff stopped working” makes me (irrationally?) angry. You didn’t identify anything until the threat actor wanted you to.
Production at the maker of Chrysler, Dodge, Jeep and Ram models is being affected after a cyberattack on an automotive supplier disrupted its operations, the automaker said Monday. #Ransomware?
https://t.co/P47qRMiOe4