September 5, 2012 - How does insurance IT leadership keep up with the cat-and-mouse games being played by the latest data deviants? Some say it’s comparable to the U.S. Homeland Security Department being careful not to take credit for the fact that terrorism is not making major news today. They want to work diligently and quietly to win the battle, and they don’t want to boast about it, lest it result in a massive, horrific world-changing incident. In reality, competitive advantage also keeps insurers from sharing details beyond the known basics that all companies employ to ensure information security and thwart cybercrime (managing authorization, authentication, and accountability).
But this closed-door, “don’t tempt fate” attitude hardly makes the deviants less active. The Open Security Foundation's DataLossDB, which gathers information about events involving major loss, theft, or exposure of personally identifiable information (PII), reports that 906 such incidents have already been recorded to date in 2012, compared with a total of 1,041 in 2011. What’s not specified here is whether these incidents are tied to advanced persistent threats, botnets or current threats against mobile devices.
Insurers have a lot at stake, not the least of which is the vulnerability of their proprietary networks and data to hackers who are seeking competitive advantage of their own. Other considerations include a host of risk management issues as applied to an insurer’s customer base. In either case, insurers, like most companies, are in a scramble to do whatever is necessary to stop the next union of cyber criminals from wreaking havoc on the rest of us.
So it’s not surprising that the latest news coming out of this dark world has a Kevin Mitnick-like feel to it. (Recall Mitnick, now an American computer security consultant and author, was at one time the most-wanted computer criminal in the United States after hacking into Digital Equipment Corporation’s Ark computer system at the ripe old age of 16.) Mitnick was one of the first to climb into and out of the dark side to teach us all some data security common sense.
Now, thanks to support from the Air Force and National Science Foundation grants, researchers from the University of Texas at Dallas are in a race to keep up with cyber criminals with the creation of yet another malware invention, this one fashioned after programs from the early 1980s that, in the most basic of terms, reproduce by copying themselves onto new machines. The genesis of this one, however, is a “semantic blueprint” that is not itself computer code, just a description of what the generated code needs to do, meaning the blueprint can be safely hidden from defensive programs using traditional encryption.
Fittingly named “Frankenstein” by researchers Vishwath Mohan and Kevin Hamlen, the proposed (it’s still a proof of concept) self-camouflaging malware propagation system overcomes shortcomings in the current generation of metamorphic malware.
“Specifically,” say the researchers, “although mutants produced by current state-of-the-art metamorphic engines are diverse, they still contain many characteristic binary features that reliably distinguish them from benign software. Frankenstein forgoes the concept of a metamorphic engine and instead creates mutants by stitching together instructions from non-malicious programs that have been classified as benign by local defenses. This makes it more difficult for feature-based malware detectors to reliably use those byte sequences as a signature to detect the malware. The instruction sequence harvesting process leverages recent advances in gadget [snippets of code] discovery for return-oriented programming. Preliminary tests show that mining just a few local programs is sufficient to provide enough gadgets to implement arbitrary functionality.”
The researchers call their initial version of Frankenstein a "toy": it will not propagate itself onto other computers, but can instead make variants of itself by stealing different code from different programs. In essence, every "mutant" version of itself that the malware creates will be different, but will still pass inspection when placed under scrutiny.
Malware, along with other similar types of malicious software, notes the Economist, supports a multibillion-dollar industry in which “those who use them to steal information and subvert computers struggle with those who devise and sell digital protection.”
Toy or not, Frankenstein represents a challenge—and an opportunity—for insurance IT and risk management professionals alike.
This article originally appeared in Insurance Networking News.
Pat Speer is an editorial consultant for Insurance Networking News. She can be reached at: firstname.lastname@example.org.