Weekly podcast: Cisco, Tesla and cyber insurance

This week, we discuss a new Cisco vulnerability, a remote attack on Tesla cars, and the implications of the new Insurance Act on cyber security insurance policies.

Hello and welcome to the IT Governance podcast for Friday, 23rd September. Here are this week’s stories.

You may remember from our 19th August podcast that a group of cyber criminals calling themselves the Shadow Brokers claimed to have hacked Equation Group – a hacking team linked to the NSA, according to Kaspersky Lab – and were trying to sell the so-called “cyber weapons” they’d plundered to the highest bidder.

Cisco soon confirmed that two of the exploits the Shadow Brokers were trying to sell – EPICBANANA and EXTRABACON – were legitimate. Now, Cisco has announced that it’ll be releasing a patch to address a new exploit that’s similar to another Equation Group tool – BENIGNCERTAIN.

The newly discovered vulnerability – CVE-2016-6415 – “could allow an unauthenticated, remote attacker to retrieve memory contents, which could lead to the disclosure of confidential information”. All products – including firewalls and routers – running versions of Cisco IOS XR from the 4.3, 5.0, 5.1 and 5.2 releases are affected. IOS XR 5.3.x and newer are OK. There are no workarounds as yet – if you’re affected, you’re advised to use an intrusion protection system or intrusion detection system to try to block attacks that attempt to exploit this vulnerability.

Security researchers from Keen Security Lab in China have demonstrated a remote attack that allowed them to manipulate the braking system of a Tesla electric car from 12 miles away. In a video posted on YouTube, the team appeared to gain access to an array of electronic functions, opening the car’s doors without a key, opening the sunroof and boot, moving the driver’s seat, turning on the indicators and windscreen wipers, and even manipulating the brakes while the car was driving. The hackers informed Tesla before going public; Tesla has updated its software – and as its vehicles can receive updates automatically, drivers won’t need to visit a dealership to update their firmware.

The Telegraph reports that 90% of big businesses in Europe “have suffered a significant cyber attack in the last five years” according to a survey conducted by Lloyd’s of London. Lloyd’s CEO Inga Beale said European businesses were complacent about cyber attacks: “It is a reality,” she said, “you will be hacked or attacked in some way. There’s been an element of complacency in the past, but it’s going to become more prevalent.”

When the EU General Data Protection Regulation comes into effect in May 2018, companies that process EU residents’ data will be required to notify supervisory authorities and data subjects of data breaches, and will face fines of up to €20 million or 4% of their annual global turnover if they fail to protect data properly. It’s therefore no surprise that insurers such as Lloyd’s are increasingly focusing on underwriting cyber risks.

Companies in the UK that are thinking of taking out cyber security insurance should be aware of a new law: The UK’s Insurance Act 2015 came into force last month, requiring the insured to make “a fair presentation of the risk” before entering into an insurance contract. In practice, this means that, as far as cyber security insurance is concerned, organisations must be fully aware of the cyber risk they face or run the risk that any policy they buy could be invalid. If you don’t know your cyber security posture and haven’t conducted a cyber security risk assessment, you should look to the international standard for information security management, ISO 27001, or, at the very least, consider gaining certification to the government’s Cyber Essentials scheme. Visit our website for more information: itgovernance.co.uk/iso27001.

Well, that’s it for this week. As ever, please feel free to comment below, telling us a bit about yourself and what you’d like more information on and we’ll do our best to answer in the coming weeks. Until next time, remember that you can keep up to date with the latest information security news on our blog.

And don’t forget to check out our book of the month, Nine Steps to Success – An ISO27001:2013 Implementation Overview by Alan Calder. Revealing the methodology used by IT Governance’s consultants in hundreds of successful ISO 27001-compliant ISMS implementations, this book will help you through every stage of your ISO 27001 project.

Whatever your cyber security needs – whether regulatory compliance, stakeholder reassurance or just greater business efficiency – IT Governance can help your organisation to protect, comply and thrive. Visit our website for more information: itgovernance.co.uk.