Attacks like this make me think there's a real ($1+ billion opportunity) business in making a tech-first insurance company for security incidents.
Write insurance policies to major companies. But as a pre-condition for getting under-written you have to submit to periodic security review by legit security pros. Failure to adhere to security recommendations means your policy gets dropped.
That insurance already exists. Periodic review by security pros is pretty much worthless, however. Nearly every company that has been hit had review by security pros, and many had compliance certifications.
What exactly are these security "pros" doing? I just don't understand how the ransomware guys could destroy the snapshot backup copies of the database in my desk drawer. Why don't companies with this much data to protect have air-bridged offsite backups?
How good are these reviews really? I'm thinking of top tier security pros on the calibre of Project Zero/Google. Doubt most hacks would have gotten past a thorough audit by those folks.
No material difference from a defense perspective. Offensive prowess does not result in defensive prowess. Just look at the Android bug bounty program [1], only $250K for a remote kernel arbitrary code execution, or Apple [2], $250K for a one-click kernel arbitrary code execution. To be fair though, that is on the high end of security; you could probably totally compromise any Fortune 500 company for less than that. And no, I am not joking or exaggerating; that is actually a serious statement.
Really all these audits do is validate your security. If they find something at a price point then you are probably vulnerable at that price point. Think of it like a live-fire test of a bulletproof vest against a gun. If a bullet goes through then you probably cannot protect against that. If it does not go through, you still cannot be certain that it actually does provide comprehensive defense against that gun and bullet, but it is at least not totally ineffective. In the current state of the industry, any competent audit will find multiple critical vulnerabilities at these price points. It is like shooting an airsoft pellet at a "bulletproof vest" and seeing it pierce through. It is so fundamentally flawed that testing against a real gun (better offensive specialist) is kind of meaningless, since to actually solve the problems you already need to completely redesign everything. Unfortunately, most companies who get such audits done think the takeaway is that the places the airsoft pellet went through must be the only problems, so if they just patch them up then everything else must be good because nothing pierced those other pieces, instead of realizing that observable quality defects in one place probably mean there are many unobserved quality defects in other places.
This is the point. Any review process that's sufficiently mechanical to be duplicated at scale becomes a box-[ticking|checking] exercise with little actual value. E.g. you can verify that backups are made and can be restored but how do you find mission critical data that isn't subject to backup?
I think those already exist. I’ve heard claims of insurance companies refusing to pay out for ransomware because they should’ve had backups (they’ll pay for recovery from backups, but not ransom).
It's a great idea, iff you can accurately price security risks.
Security is an org problem as much as a tech problem. Trying to estimate likely security risks caused by orgs is... complicated. You would blow your margin in assessment costs alone.
Besides, can you imagine a board asking the CEO why they're buying insurance with the infosec budget instead of, y'know, ensuring infosec?
Insurance puts skin in the game for the insurance/security company. If a security company audits my system and gives the greenlight, they should be willing to put money on the line to defend their work.