Insurance would seem about as far away as one could get from a James Bond-like life of fighting agents of hostile foreign powers and international criminal organizations. But carriers' IT security professionals increasingly are confronted with such adversaries through the emergence of advanced persistent threats (APT). The term can refer both to the perpetrators and the sophisticated malware and other techniques they use to penetrate the defenses and steal sensitive data from all sorts of entities, including insurance companies.
The roots of APT are in international espionage, as a means of one country spying on another, according to Chip Tsantes, a New York-based principal in the financial services office of Ernst & Young, where he leads the information security practice. While nation-state actors have moved on from these activities into more commercially related espionage, other kinds of actors also have emerged, including collaborative groups of "hacktivists," such as the Anonymous group, and large organized criminal enterprises.
What distinguishes APT from other IT security threats is, as the name suggests, not only the advanced types of toolkits and malware that hackers employ, but the patience with which they act and often the collaborative nature of the attacks, Tsantes explains. "The APT-style of attack involves a great deal of investment, and they will spend time researching the best attack vectors and look for very specific information," he says. "A sign of APT malware is that it's very specific to the target and actually won't work in other environments."
APTs commonly seek intellectual property (IP) and personally identifiable information (PII) that resides within large financial institutions. But they target companies of all sizes, and it's not always obvious why they're doing so, Tsantes warns. Typically, he says, the attacks are indirect.
"They may try to compromise a vendor or, perhaps in the case of insurance, independent agents, and use that as a conduit to the target entity," Tsantes observes. "They often compromise one thing to get to another."
'Monster' In the Dark
The danger of APTs to commercial entities was illuminated by the Stuxnet attack on Iranian IT infrastructure, which was aimed at Microsoft Windows and Siemens software and appliances, according to Jason Malo, a Leesburg, Va.-based research director with CEB TowerGroup. "The likelihood of such attacks was always there, like a monster under the bed," he says. "With Stuxnet we can now verify the monster's existence."
Malo says larger companies have been more active in defending against APTs. "They are the more likely targets, and they also have better resources to deal with them," he notes.
Columbus, Ohio-based Nationwide is just such a company, acknowledges Dan Greteman, SVP and CIO of Allied Group, a Nationwide (more than $18.6 billion in 2011 revenue) affiliate. "Advanced persistent threat is a key risk we are monitoring very closely," Greteman says. "We recognize it is a reality that can significantly impact an organization's reputation and brand. Our focus will continue on educating associates and customers to follow good security practices, such as not opening or responding to emails or attachments that look suspicious."
APT attacks are by no means limited to large companies, emphasizes E&Y's Tsantes. Among the types of indirect attacks, for example, hackers may target companies announced as future acquisitions by bigger companies. "It's hard to know what threat actors are thinking, but they may attack smaller companies to provide a gateway to target institutions, or simply as practice," he says. "Because they are often nation-state actors, they don't necessarily have to drive revenue through the theft of IP or PII."
Smaller companies need to be alert because they often are viewed as soft targets, asserts Jerry Irvine, CIO of Prescient Solutions (Chicago), an IT services provider to SMBs and local governments. "Smaller companies don't have deep pockets to buy the tools and do the testing that large companies do," notes Irvine, who also is an appointee to the National Cyber Security Task Force. "Hackers may target several small entities to achieve the kind of gains that would require more resources and time at better-defended large entities."