Mike Foster has been keeping ‘bad guys from hooking up’ for 25 years.
A cybersecurity specialist, CEO of the Foster Institute, and author of The Secure CEO: How to Protect Your IT Systems, Your Business, and Your Work, Foster has consulted with organizations across North America and spoken around the world on cybersecurity issues.
Foster’s goal is “to make the world a safer place to live and work”.
One of his consulting roles is to prepare business owners, CEOs, and IT professionals for the process of applying for and renewing cyber insurance coverage. Below is a discussion of some of the most common questions insurance companies might ask and Foster’s advice on how to answer them:
Why do insurance companies ask if an organization uses two- or multi-factor authentication?
Foster said the reason for multi-factor authentication is to prevent an attacker from logging in even if they somehow obtain a user’s username and password.
Foster: The most basic form of two-factor authentication is a text message. The user enters their username and password and then receives a text message containing a code that they must enter to complete the login process, which greatly increases the security of the login. Other options are more secure than text messages, but text messages are common.
One of the reasons why we need multi-factor authentication so badly is because some users have a habit of reusing the same usernames and passwords across multiple websites.
When attackers find a username and password for a site or service, they will try that same username and password on other sites such as LinkedIn, Facebook, and Microsoft 365. When the attacker starts plugging that same username and password into all those other sites to see if it works, that’s what is called credential stuffing. Criminals use this technique to compromise users who have reused passwords.
This is why multi-factor authentication is so important. Even when a bad guy has a user’s username and password, the bad guy still can’t log in because he doesn’t have that second factor. Attackers can bypass multi-factor authentication, but this security check makes access more difficult.
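Credential stuffing, as described above, leaves a distinctive trace in sign-in logs: one source address trying many different accounts, most of them once, inside a short window, with the occasional success where a reused password happened to work. The PowerShell below is an added example, not code from the article or from Foster; the log lines are constructed for the example and their column names (Timestamp, SourceIp, UserPrincipalName, Result) are assumed rather than taken from any particular product.

```powershell
# Added example (not from the article): flag credential-stuffing bursts in sign-in logs.
# The sample log is constructed for this example; the column names are assumptions.
$sampleLog = @'
Timestamp,SourceIp,UserPrincipalName,Result
2024-05-01T10:00:01Z,203.0.113.7,alice@example.com,Failure
2024-05-01T10:00:02Z,203.0.113.7,bob@example.com,Failure
2024-05-01T10:00:03Z,203.0.113.7,carol@example.com,Failure
2024-05-01T10:00:04Z,203.0.113.7,dave@example.com,Success
2024-05-01T10:00:05Z,203.0.113.7,erin@example.com,Failure
2024-05-01T10:00:06Z,203.0.113.7,frank@example.com,Failure
2024-05-01T10:05:00Z,198.51.100.4,alice@example.com,Failure
2024-05-01T10:05:20Z,198.51.100.4,alice@example.com,Success
'@

$events = $sampleLog | ConvertFrom-Csv

# A user mistyping a password produces repeated failures for ONE account.
# Credential stuffing produces attempts against MANY accounts from one source,
# each usually tried once, within a short window.
$minDistinctUsers = 5
$windowMinutes    = 10

$suspects = $events |
    Group-Object -Property SourceIp |
    ForEach-Object {
        $byIp      = $_.Group | Sort-Object { [datetime]$_.Timestamp }
        $first     = [datetime]$byIp[0].Timestamp
        $last      = [datetime]$byIp[-1].Timestamp
        $distinct  = ($byIp.UserPrincipalName | Sort-Object -Unique).Count
        $failures  = ($byIp | Where-Object Result -eq 'Failure').Count
        $successes = $byIp | Where-Object Result -eq 'Success'

        if ($distinct -ge $minDistinctUsers -and
            ($last - $first).TotalMinutes -le $windowMinutes) {
            [pscustomobject]@{
                SourceIp         = $_.Name
                DistinctUsers    = $distinct
                Failures         = $failures
                # A success inside a stuffing burst means a reused password worked:
                # reset that password and confirm MFA is enforced for the account.
                CompromisedUsers = ($successes.UserPrincipalName -join ';')
            }
        }
    }

$suspects | Format-Table -AutoSize
```

With the constructed log, 203.0.113.7 is reported (six distinct accounts in five seconds, one success for dave@example.com), while 198.51.100.4 is not: two attempts against a single account is an ordinary forgotten password. The thresholds are starting points; tune them against your own sign-in volume before alerting on them.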
Why do insurance companies ask if an organization provides password management tools to users?
Foster: The beauty of a password manager is that users don’t have to remember passwords. Having to remember a password is one of the main reasons people reuse them.
When users have different passwords for all of their logins, credential stuffing fails.
Why do insurance companies ask if an organization provides password management tools instead of just having users let their browsers remember their passwords?
Foster: Most current browsers, such as Edge, Firefox, Chrome, or Safari, ask you whether you want them to remember the password. That is not a password manager; the browser simply remembers passwords. Using password managers can be more secure than storing passwords in browsers because attackers often have easier access to browsers than to password managers. Attackers are constantly trying to break into browsers. That’s what they do.
A password manager is a separate program, and it often has what’s called a browser plug-in. Yet it can be much more difficult for a hacker to access usernames and passwords in a password manager than in a browser. Even though browser developers do a great job trying to keep browsers secure, insurance companies feel reassured if users have password managers.
Why do insurance companies ask if an organization uses geo-blocking or geo-filtering?
Foster said geo-filtering or Conditional Access by country settings can block logins or authentication requests based on geographic location.
Foster: If you have people connecting only from specific countries such as the United States, Canada, Mexico, and Europe, configure all of your systems to only accept user connections from those geographic locations. This way, if someone tries to connect from another country, they won’t even get the chance. They will just be bounced, which will defeat a large number of attacks.
Now there can be an attacker in another country who uses a proxy, which means the attacker compromises a computer in the United States, for example, and then tries to connect through that computer in an approved location.
Just because you’re filtering out countries X, Y, and Z doesn’t mean someone in that country can’t attack you. It just means that person would have to connect by proxy to a computer in the US or elsewhere and then try to connect through that proxy.
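One way to implement the country allow list Foster describes in Microsoft 365 is an Entra ID Conditional Access policy that blocks every sign-in except those from a named location listing the approved countries. The PowerShell below is an added example using the Microsoft Graph PowerShell SDK; it is not from the article or from Foster. The country codes, display names, and the break-glass account object ID are placeholders to replace with your own values.

```powershell
# Added example (not from the article): a Conditional Access "country allow list"
# built with the Microsoft Graph PowerShell SDK. Country codes, display names and
# the break-glass account ID are placeholders for this example.
Connect-MgGraph -Scopes 'Policy.ReadWrite.ConditionalAccess', 'Policy.Read.All'

# 1. Named location listing the countries users legitimately sign in from.
#    Sign-ins whose country cannot be resolved are NOT treated as allowed.
$location = New-MgIdentityConditionalAccessNamedLocation -BodyParameter @{
    '@odata.type'                     = '#microsoft.graph.countryNamedLocation'
    displayName                       = 'Allowed sign-in countries'
    countriesAndRegions               = @('US', 'CA', 'MX', 'DE', 'FR')   # placeholders
    includeUnknownCountriesAndRegions = $false
}

# 2. Policy: block every sign-in from any location EXCEPT the allowed countries.
#    The emergency-access (break-glass) account is excluded so that a mistake in
#    the country list cannot lock every administrator out of the tenant.
$breakGlassId = '00000000-0000-0000-0000-000000000000'   # placeholder object ID
$policy = New-MgIdentityConditionalAccessPolicy -BodyParameter @{
    displayName   = 'Block sign-ins from outside allowed countries'
    # Report-only first: review the sign-in log for false positives, then
    # switch the state to 'enabled'.
    state         = 'enabledForReportingButNotEnforced'
    conditions    = @{
        users        = @{ includeUsers = @('All'); excludeUsers = @($breakGlassId) }
        applications = @{ includeApplications = @('All') }
        locations    = @{ includeLocations = @('All'); excludeLocations = @($location.Id) }
    }
    grantControls = @{ operator = 'OR'; builtInControls = @('block') }
}

"Named location $($location.Id) and policy $($policy.Id) created in report-only mode."
```

Two details matter in practice. Leaving includeUnknownCountriesAndRegions at false means a request whose country cannot be determined is blocked rather than waved through. And the policy does nothing against the proxy case Foster raises: an attacker connecting through a compromised machine inside an allowed country is indistinguishable, by location, from a legitimate user, which is why geo-filtering is paired with multi-factor authentication rather than used instead of it.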
Why do insurance companies want to know if users are local administrators?
Foster: If you’re using off-the-shelf Windows and Apple computers, as some small businesses are starting to do, users have local admin privileges, which can be terrible from a security standpoint, because local admins can install applications and perform many other functions.
If an attacker compromises a user’s login account, the attacker will have the same level of access as the user they compromised. This is why users should be limited to least privileges to do their job. Privilege levels are something you can change. Whether you’re connecting to Microsoft 365, Windows, or Apple operating systems, you definitely want users to be standard users.
By default, operating systems give users a high level of privileges in case it is a home computer and people want to take their computer home and install software. It takes an intentional step to create a second account that is the administrator and reduce the user’s day-to-day privileges. This process is described as either making the user a standard user or no longer making them an administrator.
It is essential to have a local administrative account in case the user or an IT professional needs to install software or perform other administrative tasks. But the user authenticates to an account with fewer privileges to make it harder for attackers to compromise the machine if the user makes a mistake, such as clicking a link in an email that connects to a server that an attacker controls. Converting all users to standard users in an organization can sometimes interfere with the software. So making the change isn’t always easy, but it’s essential to explore, and often users won’t even notice the difference. This could be the topic of another article.
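The procedure Foster outlines, creating a separate administrative account first and then taking the everyday account out of the Administrators group, looks like this on a Windows workstation. The PowerShell below is an added example, not code from the article or from Foster; it must be run from an elevated session, and the account names ('jdoe' for the everyday user, 'LocalAdmin' for the new administrative account) are placeholders.

```powershell
# Added example (not from the article): separate day-to-day use from administration
# on a Windows workstation. Run from an elevated PowerShell session.
# 'jdoe' and 'LocalAdmin' are placeholder account names for this example.
$everydayUser = 'jdoe'
$adminAccount = 'LocalAdmin'
$adminGroup   = 'Administrators'

# 1. Create the separate administrative account FIRST, so the machine is never
#    left without a working local administrator.
if (-not (Get-LocalUser -Name $adminAccount -ErrorAction SilentlyContinue)) {
    $password = Read-Host -Prompt "Password for $adminAccount" -AsSecureString
    New-LocalUser -Name $adminAccount -Password $password `
        -Description 'Used only for installs and administrative tasks' | Out-Null
}
if (-not (Get-LocalGroupMember -Group $adminGroup -Member $adminAccount -ErrorAction SilentlyContinue)) {
    Add-LocalGroupMember -Group $adminGroup -Member $adminAccount
}

# 2. Safety check: never demote the account the elevated session itself runs as.
if ($everydayUser -ieq $env:USERNAME) {
    throw "Log on as $adminAccount before demoting $everydayUser."
}

# 3. Demote: removing the user from Administrators is what "make them a standard
#    user" means. Their membership in the built-in Users group is left as it is.
if (Get-LocalGroupMember -Group $adminGroup -Member $everydayUser -ErrorAction SilentlyContinue) {
    Remove-LocalGroupMember -Group $adminGroup -Member $everydayUser
}

# 4. Verify: the everyday user must be gone, the administrative account present.
$admins = (Get-LocalGroupMember -Group $adminGroup).Name
"Administrators now: $($admins -join ', ')"
if ($admins -match "\\$everydayUser$") { throw "$everydayUser is still an administrator." }
if (-not ($admins -match "\\$adminAccount$")) { throw "$adminAccount is not an administrator." }
```

The group change takes effect at the user's next logon, because the access token is built when the session starts; have the user sign out and back in before testing. From then on, installing software prompts for the LocalAdmin credentials through UAC instead of succeeding silently, which is exactly the friction that stops a phished link from installing something with full privileges. On a Mac the equivalent step is removing the user from the admin group with dseditgroup.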
— To comment on this article or suggest an idea for another article, contact Kevin Brewer at [email protected]ma.com.