Internet intelligence firm Renesys has identified a new breed of "Man-in-the-Middle" (MITM) cyber attacks in which data is being volleyed across the world by hackers in quick, quiet and largely undetected operations.
The routes can span a global scale. MITM hijacks are not obvious, where they damage data hemorrhages or blocks, but rather are a subtle anaesthetized bloodletting: it is now possible to siphon internet traffic miles from its intended course, copy or distort it, and circulate it back to its intended location in one heartbeat.
"Data goes where the Internet takes it; it's not a choice of directing its course along the way," says James Cowie, founder and chief technical officer of Renesys. "But you can observe it."
In monitoring MITM attacks occurring across the world in 2013, Renesys observed more than 60 hijacks by November, with about 1,500 individual IP addresses affected across 150 cities. The victims are financial institutions, Internet Service Providers and world governments.
The unknown hackers rely on established Internet Service Provider (ISP) systems to manipulate data paths. In one case study from August, information sent from an office in Denver to another location in the same city was handed off to a provider in London, where it was diverted to Iceland, sent to Montreal, then to Chicago, New York and several U.S. cities before landing in Denver—milliseconds later.
"People used to transmit private, dedicated communication for important traffic via an intra-office line, but now enterprises are using the Internet," says Cowie. "They assume that data passing from one city branch to another goes through a direct line, but on the Internet, the path it takes depends on hidden variables providers don't see."
An MITM scheme's geography may be intricate, but its execution is literally grabbing chunks of random, unencrypted data ("Whatever is being transmitted" from a location at that time, according to Cowie) and snooping through it to find something interesting for hackers to use.
Whether employee or customer data, medical information, Social Security numbers—"just the fact that it may have been looked at" is enough to create legal problems for an entity, says Tim Francis, vice president of portfolio management at Travelers Bond & Financial Products.
Nearly all states now require companies to notify potential victims of a data breach, which will often involve customers across several states and incur notification costs and credit monitoring, which can be covered by a cyber policy. However, says Francis, the greatest cost of data breach is uninsurable, which is "never having customers do business with you again".
The way companies respond to and learn from a breach determines its fallout as much as prevention, which is a great creative challenge to businesses around the world in the absence of wider regulation.
The U.S. Department of State's International Traffic in Arms Regulations (ITAR) requires all manufacturers, vendors and exporters of defense-related technical data and services to register with the Directorate of Defense Trade Controls (DDTC). But when a financial company's data is leaked, it is our defenses that come down.
"No organizations can be completely self-sufficient in cyber security in 2014," says Jacob Rosengarten, executive vice president and chief enterprise risk officer of XL Group. "It will take a partnership with specialized companies, whether hiring companies to attack you to see where your weaknesses are, to creating industry associations [surrounding cyber risk]."
For now, the Internet is a poorly-understood system where traffic travels murky and undetermined paths.
"We can't all afford to become experts in the Internet, but if we all pay a little more attention we will all benefit, just like we all benefit from better prices and choices when a market is more transparent," says Cowie.
Want to continue reading?
Become a Free PropertyCasualty360 Digital Reader
Your access to unlimited PropertyCasualty360 content isn’t changing.
Once you are an ALM digital member, you’ll receive:
- Breaking insurance news and analysis, on-site and via our newsletters and custom alerts
- Weekly Insurance Speak podcast featuring exclusive interviews with industry leaders
- Educational webcasts, white papers, and ebooks from industry thought leaders
- Critical converage of the employee benefits and financial advisory markets on our other ALM sites, BenefitsPRO and ThinkAdvisor
Already have an account? Sign In Now
© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.