XL Group’s Cyber Insurance Business Builds Prequalified Data Breach Response Specialists Network

NEW YORK, Dec. 22, 2014 /PRNewswire/ — XL Group’s Cyber & Technology insurance business unveiled its network of prequalified breach response specialists to provide its cyber liability insurance clients with the market’s most comprehensive selection of industry experts to help navigate complex data breach issues when they arise.

“There are more than 73,000 cyber-attacks on mid-to-large companies annually. When such an attack occurs and leads to a data breach, an accurate and timely response is critical,” said John Coletti, Chief Underwriting Officer of XL Group’s Cyber & Technology unit. “We have not only teamed up with market-leading breach response providers, but have also built the most comprehensive pre-qualified cyber response network available in our industry. Our network includes computer forensics, data breach notification providers and legal counsel to help our clients navigate sensitive breach situations expeditiously. This collection of expertise gives our clients more options and greater flexibility to choose the most suitable vendors for their needs.”

For XL Group Cyber insurance clients, XL Group has identified and negotiated preferred rates to provide a broad variety of breach response services. A 24/7 hotline staffed by XL Group’s expert cyber claims team provides access to best-in-class firms that specialize in:

  • Computer Forensics: XL Vendor Partners Include: Navigant Consulting, Inc., General Dynamics Fidelis Cybersecurity Solutions, Kivu Consulting, Kroll, McGladrey LLP and Stroz Friedberg;


The cloud is becoming an ever-increasing repository for email storage. One of the more popular email programs is Gmail, with its 15 GB of free storage and easy access anywhere for users with an Internet connection. Because of the great number of accounts, the potentially large volume of data per account, and the absence of direct income from bulk downloads, Google throttles backup-style retrieval of mail to lessen the burden on its servers worldwide.

This blog post is the start of a series of articles that will review Gmail collection options for computer forensic purposes. Kivu initiated a project to find the most efficient and defensible process to collect Gmail account information. The methods tested were Microsoft Outlook, Gmvault, X1 Social Discovery and Google scripts.

All four programs were run through two Gmail collection processes, with a focus on:

  • Discovering how the program stores emails.
  • Identifying whether the program encounters throttling and, if so, how it deals with it.
  • Determining if current forensic tools can process the emails collected.
  • Measuring how long the program takes to process the email, and the level of examiner involvement necessary.

Kivu employees created two Google email accounts for this analysis. Each email account had over 30,000 individual emails, which is a sufficient amount for Google throttling to occur and differences in speed to become apparent. The data included attachments as well as multi-recipient emails to incorporate a wide range of options and test how the programs collect and sort variations in emails. Our first blog post focuses on Gmvault.

What is Gmvault and How Does It Work?

Gmvault is a third-party Gmail backup application that can be downloaded at Gmvault.org. Gmvault uses the IMAP protocol to retrieve and store Gmail messages for backup and onsite storage. Gmvault has built-in handling that works around most of the common issues with retrieving email from Google. The process is scriptable to run on a set schedule to ensure a constant backup in case disaster should happen. The file system database created by Gmvault can be uploaded to any other Gmail account for either consolidation or migration.

During forensic investigation, Gmvault can be used to collect Gmail account data with minimal examiner contact with the collected messages. The program requires user interaction with the account twice – once to allow application access to the account and again at the end to remove the access previously granted. Individual emails can be viewed without worrying about changing metadata, such as Read Status, and/or Folders/Labels because this information is stored in a separate file with a .meta file extension.

How to Use Gmvault for Forensic Investigation

Gmvault needs very little user input and can be initiated with this command:

$> gmvault sync [email address]

We suggest using the following options:

$> gmvault sync -d [Destination Directory] --no-compression [email address]

“-d” sets where the download is written, allowing the data extraction to go directly to an evidence drive (default: Usercloudgmvault-db).

“--no-compression” downloads plain .eml files rather than the gzip-compressed default. Compression comes with a rare chance of data corruption during both the compression and decompression processes, so unless size is an issue it is better to use the “--no-compression” option. Download speed is unaffected by compression, although compressed files are roughly 50% of the uncompressed size.

Next, sign in to the Gmail account to authorize Gmvault access. The program will create 3 folders in the destination drive you set, and emails will be stored by month. The process is largely automated, and Gmvault manages Google throttling. It accomplishes this by disconnecting from Google, waiting a predetermined number of seconds and retrying. If this fails 4 times, the email is skipped, and Gmvault moves on to the next set of emails. When finished with the email backup, Gmvault checks for chats and downloads them as well.

When Gmvault is finished, a summary of the sync is displayed in the cmd shell. Gmvault performs a check to see if any of the emails were deleted from the account and removes them from the database. This should not be a problem for initial email collections, but it will need to be noted on further syncs for the same account. The summary shows the total time for the sync, number of emails quarantined, number of reconnects, number of emails that could not be fetched, and emails returned by Gmail as blank.

To obtain the emails that could not be fetched by Gmvault, simply run the same cmd line again:

$> gmvault sync -d [Destination Directory] --no-compression [email address]

Gmvault checks whether each email is already in the database, skips the ones that are, and then downloads the items that were skipped in the previous sync. It may take up to 10 runs to recover all skipped emails, but the process can usually be completed within 5 minutes.

Be sure to remove authorization once the collection is complete.

Now you should have all of the emails from the account in .eml format, stored by date in multiple folders. Gmvault can then be used to export these files into a more usable storage system. The database can be exported as offlineimap, dovecot, maildir or mbox (default). Here’s how:

gmvault-shell> gmvault export -d [Destination Directory] [Export Directory]
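As an added example (not code from Kivu or the Gmvault project), the following Python script inventories a Gmvault database after a sync: it walks the month folders, hashes every .eml for the collection record, and reads labels and flags from the sibling .meta file without opening the message itself. It assumes an uncompressed sync (--no-compression) and that each .meta is a JSON file with "labels" and "flags" keys, which is my understanding of Gmvault's on-disk layout; the sample database it builds is constructed for the demonstration.

```python
import hashlib
import json
import tempfile
from pathlib import Path


def inventory_gmvault_db(db_root):
    """Walk db/YYYY-MM/<gm_id>.eml under a Gmvault database and return one
    record per message: month folder, file name, SHA-256 of the raw .eml
    bytes, and labels/flags taken from the sibling .meta JSON file.
    The .eml is hashed but never parsed, so the message itself stays untouched.
    Assumes --no-compression (plain .eml, not .eml.gz)."""
    manifest = []
    for eml in sorted((Path(db_root) / "db").glob("*/*.eml")):
        meta_path = eml.with_suffix(".meta")  # assumed Gmvault naming: same stem
        record = {"month": eml.parent.name, "file": eml.name,
                  "sha256": hashlib.sha256(eml.read_bytes()).hexdigest(),
                  "labels": None, "flags": None,
                  "meta_missing": not meta_path.exists()}
        if meta_path.exists():
            meta = json.loads(meta_path.read_text(encoding="utf-8"))
            record["labels"] = meta.get("labels")
            record["flags"] = meta.get("flags")
        manifest.append(record)
    return manifest


def summarize(manifest):
    """Per-month counts plus how many messages lack a .meta file; compare the
    total against the count Gmvault prints in its sync summary."""
    per_month = {}
    for r in manifest:
        per_month[r["month"]] = per_month.get(r["month"], 0) + 1
    return {"total": len(manifest), "per_month": per_month,
            "missing_meta": sum(1 for r in manifest if r["meta_missing"])}


def build_sample_db():
    """Constructed sample database in Gmvault's layout (not real collected data)."""
    root = Path(tempfile.mkdtemp())
    for month, gm_id, labels in [("2014-10", "1001", ["\\Inbox"]),
                                 ("2014-11", "1002", ["Work"])]:
        folder = root / "db" / month
        folder.mkdir(parents=True, exist_ok=True)
        (folder / f"{gm_id}.eml").write_bytes(b"From: a@example.com\r\nSubject: t\r\n\r\nbody\r\n")
        (folder / f"{gm_id}.meta").write_text(json.dumps(
            {"gm_id": gm_id, "labels": labels, "flags": ["\\Seen"]}), encoding="utf-8")
    # one message deliberately without its .meta, to exercise the check
    (root / "db" / "2014-11" / "1003.eml").write_bytes(b"Subject: orphan\r\n\r\n")
    return root
```

Run `summarize(inventory_gmvault_db(path))` against the -d directory after the final sync and keep the manifest with the evidence; a later re-sync that removes deleted messages will show up as a changed total.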

Following are the Pros and Cons of Using Gmvault:

Pros:

  • Easy to set up and run
  • Counts total emails/collected emails to quickly know if emails are missing
  • 50% compression
  • Can be scripted to collect multiple accounts

Cons:

  • No friendly UI
  • Needs further processing to get to a user friendly deliverable
  • Will sometimes not retrieve the last few emails

The enduring onslaught of data breach events such as the theft of 4.5 million health records from Community Health Systems or the recent staggering loss of information for 76m JP Morgan accounts continues to highlight the need for robust information security and the ability to proactively prevent and redress potential security incidents. In response, organizations have increased investment in better information security programs and supporting technologies. However, while more organizations may be better positioned to cope with data breach events, information security continues to lack appropriate coverage of cloud and mobile device technology risks.

Lags in InfoSec Deployment:

According to the 2014 Global State of Information Security® Survey of executives and security practitioners, organizational leaders expressed confidence in their information security activities (nearly three-quarters of study respondents reported being somewhat or very confident). However, the survey reveals gaps in the application of information security for cloud and mobile technologies. Nearly half of respondents reported that their organizations used cloud computing services, but only 18% reported having governance policies for cloud services. Furthermore, less than half of respondents reported having a mobile security strategy or mobile device security measures such as protection(s) for email/calendaring on employee-owned devices.

Real Issue is Lack of Knowledge

Gaps in cloud and mobile information security represent a broader trend that exists even in regulated industries. For example, in the 2013 Ponemon report, “The Risk of Regulated Data on Mobile Devices & in the Cloud”, 80% of IT professionals could not define the proportion of regulated data stored in the cloud and on mobile devices. The gap in information security does not appear to be limited to the deployment of policies and controls. Instead, the potential issues with cloud and mobile information security stem from a lack of knowledge concerning the storage and use of data. As noted in the study “Data Breach: The Cloud Multiplier Effect”, respondents rated their organizations as having low effectiveness in securing data and applications in the cloud.

Reducing Cloud and Mobile Technology Risks

Developing an appropriate security posture for cloud and mobile technologies should begin with the realization that information security requirements for these technologies differ from traditional IT infrastructure. For example, the responsibility for storage and use of data in the cloud is shared by a greater number of parties—organization, employees, external vendors, etc. Additionally, contracts and written policies for cloud applications must specify more granular coverage for access, use, tracking and management of data. In the event of a potential security incident, possible sources of evidence, such as security logs, are stored externally and may require the assistance of specific employees or service providers.

The following considerations provide a starting point for the development of information security practices that are relevant to cloud and mobile technologies.

1. Identify security measures that are commensurate with cloud and mobile technologies.

a. Use security features that are built into cloud and mobile technologies. This includes access controls and encryption. Frequently, security features that would have prevented major cloud-based breaches (such as multi-factor authentication and text-to-cellphone warnings of suspicious activity) are already made available by cloud service providers. However, users of these services, whether individuals or large corporate clients, are frequently delaying full implementation of available security options due to cost or organizational concerns.

b. Implement additional security tools or services to address gaps in specific cloud and mobile technologies. For example, software-based firewalls to manage traffic flow may also provide logging capability that is missing from a cloud service provider’s capabilities.

2. If possible, use comprehensive solutions for user, device, account, and data management.

a. Manage mobile devices and their contents. Mobile device management (MDM) solutions enable organizations to coordinate the use of applications and control organizational data across multiple users and mobile devices.

b. Use available tools in the cloud. Cloud service providers such as Google Apps provide tools for IT administration to manage users, data and specific services such as Google Drive data storage. Unfortunately, many organizations do not utilize these tools and take risks such as losing control over email account access and content.

3. Maintain control over organizational data.

a. IT should control applications used for file-sharing and collaboration. Cloud- based tools such as Dropbox provide a robust method of sharing data. Unfortunately, Dropbox accounts often belong to the employee and not the organization. In the case of a security incident, IT may be locked out of an employee’s personal account.

b. Users should not be responsible for security. Organizations often entrust employees and business partners with sensitive data. This includes maintaining security requirements such as use of encryption and strong passwords. The organization that owns the data (usually its IT department) should have responsibility for security, and this includes organizational data stored outside of an organization’s internal IT infrastructure.

c. Encryption keys should be secured and available to IT in the case of a potential incident. With the advent of malware such as ransomware that holds data captive, and of employees who could destroy encryption keys, securing encryption keys has become a vital step in the potential recovery of data. If IT does not maintain master control over encryption keys, important organizational data could be rendered inaccessible during a security incident.

4. Actively evaluate InfoSec response and readiness in the cloud.

a. IT should have a means to access potential sources of organizational data. If data is stored on an employee’s tablet or at a third-party data storage provider, IT should have a vetted plan for access and retrieval of organizational data. Testing should not occur when a potential security incident arises.

b. Important digital assets should be accessible from more than one source and should be available within hours and not days. IT should have backup repositories of corporate data, in particular for data stored in cloud environments. This may include using a combination of cloud providers to store data and having an explicit agreement on the timing and costs required to retrieve data (in the event of an incident).

c. Audit systems should be turned on and used. Cloud providers often have built-in auditing capability that ranges from data field tracking (e.g., a phone number) to file revision history. The responsibility for setting up audit capability belongs to the organization. As part of using a cloud provider’s technology, the use of auditing should be defined, documented and implemented.

d. IT staff should have the knowledge and skills to access and review log files. The diversity and complexity of log files have grown with the number of technologies in use by an organization. Cross-correlating log files across differing technology platforms requires specialized knowledge and advanced training. If an organization lacks the skill to analyze log files, the ability to detect and investigate potential security events may be severely compromised.

5. Incident response plans and investigation practices should cover scenarios where data is stored in the cloud or on mobile devices.

Hackers have become more aggressive in seeking out data repositories. As organizations continue to adopt cloud and mobile technologies, information security must keep pace and extend the same internal focus on information security to external sources of organizational data. In particular, incident response plans should cover an increasing phenomenon—where attackers infiltrate an organization’s physical network solely to gain the keys to its cloud data repository.