Brian Pennington

A blog about Cyber Security & Compliance


April 2014

Zurich Insurance identifies the “Seven cyber risks that threaten systemic shock”

A recent Zurich Cyber Risk Report argues that cyber-risk management professionals need to look beyond their internal information technology safeguards to interconnected risks which can build up relating to:-

  • Counterparties
  • Outsourced suppliers
  • Supply chains
  • Disruptive technologies
  • Upstream infrastructure
  • External shocks

Zurich warns that a build-up in these risks could create a failure on a similar scale to the 2008 financial crisis. Such interconnected risks are compounded when a company outsources the management of its servers, information technology and cyber security to focus on its core activities.

Little information may be known about the third party’s information security or business continuity safeguards and it may also in turn outsource activities to other companies.

The report calls for organisations to incorporate the best ideas from financial governance such as creating a G20+20 Cyber Stability Board to enhance cyber risk management and identifying and improving the governance of G-SIIOs (Global Significantly Important Internet Organisations).

Axel Lehmann, Group Chief Risk Officer and Regional Chairman Europe at Zurich Insurance Group, said: “The internet is the most complex system humanity has ever devised. Although it has been incredibly resilient for the past few decades, the risk is that the complexity which has made cyberspace relatively risk-free can and likely will backfire.

“Organizations are unknowingly exposed to risks outside their organization, having outsourced, interconnected or exposed themselves to an increasingly complex and unknowable web of networks.

“Few people truly understand their own computers or the internet, or the cloud to which they connect, just as few truly understood the financial system as a whole or the parts to which they are most directly exposed.”

Zurich’s Seven Cyber Risks are:-

  • Internal IT enterprise
    Description: Risk associated with the cumulative set of an organization’s (mostly internal) IT
    Examples: Hardware; software; servers; and related people and processes
  • Counterparties and partners
    Description: Risk from dependence on, or direct interconnection (usually non-contractual) with, an outside organization
    Examples: University research partnerships; relationships between competing/cooperating banks; corporate joint ventures; industry associations
  • Outsourced and contract
    Description: Risk usually from a contractual relationship with external suppliers of services, such as HR, legal, or IT and cloud providers
    Examples: IT and cloud providers; HR, legal, accounting and consultancy; contract manufacturing
  • Supply chain
    Description: Both risks to supply chains for the IT sector and cyber risks to traditional supply chains and logistics
    Examples: Exposure to a single country; counterfeit or tampered products; risks of a disrupted supply chain
  • Disruptive technologies
    Description: Risks from unseen effects of, or disruptions either to or from, new technologies, either those already existing but poorly understood or those due soon
    Examples: Internet of things; smart grid; embedded medical devices; driverless cars; the largely automatic digital economy
  • Upstream infrastructure
    Description: Risks from disruptions to infrastructure relied on by economies and societies, especially electricity, financial systems and telecommunications
    Examples: Internet infrastructure such as internet exchange points and submarine cables; some key companies and protocols used to run the internet (BGP and the Domain Name System); internet governance
  • External shocks
    Description: Risks from incidents outside the system, outside the control of most organizations and likely to cascade
    Examples: Major international conflicts; malware pandemic

65% of organisations have been breached by a SQL Injection attack

Ponemon Institute has released The SQL Injection Threat Study, sponsored by DB Networks. The purpose of the research was to understand how organisations respond to the SQL injection threat and their awareness of different approaches to managing this risk.

The study surveyed 595 individuals who work in IT and IT security. The majority of respondents were familiar with core IDS technologies that detect rogue SQL statements on the network segment that connects the web application to the database.

SQL injections are defined as:-

being used to attack data-driven applications, in which malicious SQL statements are inserted into an entry field for execution (e.g. to dump the database contents to the attacker). SQL injections exploit security vulnerabilities in an application’s software. SQL injection is most commonly known as an attack vector through public-facing websites, but it can be used to attack SQL databases in a variety of ways.

Key findings extracted from the report:-

  • The SQL threat is taken seriously because 65% of organizations represented in this study experienced a SQL injection attack that successfully evaded their perimeter defences in the last 12 months.
  • 49% of respondents say the SQL injection threat facing their company is very significant. On average, respondents believe 42% of all data breaches are due, at least in part, to SQL injections.
  • Many organizations are not familiar with the techniques used by cyber criminals. 46% of respondents are familiar with the term Web Application Firewall (WAF) bypass. Only 39% of respondents are very familiar or familiar with the techniques cyber criminals use to get around WAF perimeter security devices.
  • BYOD makes understanding the root causes of an SQL injection attack more difficult. 56% of respondents say determining the root causes of SQL injection is becoming more difficult because of the trend for employees to use their personally owned mobile devices (BYOD) in the workplace. Another challenge, according to 41% of respondents, is increasing stealth and/or sophistication of cyber attackers.
  • Expertise and the right technologies are critical to preventing SQL injection attacks. While respondents see the SQL threat as serious, only 31% say their organization’s IT security personnel possess the skills, knowledge and expertise to quickly detect a SQL injection attack and 34% agree that they have the technologies or tools to quickly detect a SQL injection attack.
  • Measures to prevent SQL injection attacks are also lacking. Despite concerns about the threat, 52% do not take such precautions as testing and validating third party software to ensure it is not vulnerable to SQL injection attack.
  • Organizations move to a behavioural analysis solution to combat the SQL injection threat. 88% of respondents view behavioural analysis either very favourably or favourably.
  • 44% of respondents say their organization uses professional penetration testers to identify vulnerabilities in their information systems but only 35% of these organizations include testing for SQL injection vulnerabilities.
  • 20% continuously scan active databases, 13% do it daily, 25% scan irregularly and 22% do not scan at all.
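
The definition above (data entering the SQL text) and the findings on quick detection and behavioural analysis can both be shown in a few lines. This is an added example, not code from the Ponemon report or this blog: it assumes a constructed SQLite users table, shows the vulnerable string-built query beside its parameterised fix, and adds a simple statement-shape fingerprint of the kind a behavioural-analysis tool would learn from benign traffic.

```python
import re
import sqlite3

# Constructed stand-in for an application's user table (not real data).
def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (name TEXT, email TEXT)")
    db.executemany("INSERT INTO users VALUES (?, ?)",
                   [("alice", "alice@example.test"), ("bob", "bob@example.test")])
    return db

def build_vulnerable_sql(name):
    # The entry-field value is spliced into the statement text, so anything
    # it contains is parsed as SQL rather than treated as a name.
    return "SELECT name, email FROM users WHERE name = '" + name + "'"

def lookup_vulnerable(db, name):
    return db.execute(build_vulnerable_sql(name)).fetchall()

def lookup_hardened(db, name):
    # Bound parameter: the driver sends the value separately, so it can never
    # change the statement's structure. This is the fix for the bug above.
    return db.execute("SELECT name, email FROM users WHERE name = ?", (name,)).fetchall()

def shape(sql):
    # Behavioural fingerprint of a statement: string literals and numbers
    # collapsed to '?', whitespace and case normalised. Benign traffic from
    # one code path always yields the same shape; injected SQL changes it.
    s = re.sub(r"'(?:[^']|'')*'", "?", sql)
    s = re.sub(r"\b\d+\b", "?", s)
    return re.sub(r"\s+", " ", s).strip().lower()

def is_anomalous(sql, baseline_shapes):
    # Flag any statement whose shape was never seen during a learning period.
    return shape(sql) not in baseline_shapes

if __name__ == "__main__":
    db = make_db()
    tainted = "' OR 1=1 --"  # constructed hostile entry-field value
    print(lookup_vulnerable(db, tainted))  # every row: the WHERE clause was rewritten
    print(lookup_hardened(db, tainted))    # []: looked for a user literally named that
    baseline = {shape(build_vulnerable_sql("alice"))}
    print(is_anomalous(build_vulnerable_sql("bob"), baseline))      # False
    print(is_anomalous(build_vulnerable_sql(tainted), baseline))    # True
```

The fingerprint is deliberately naive (it only normalises quoted strings and integers) and is meant to illustrate why a learned baseline catches structural change that a signature list would miss, not to replace a real product.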

The full report can be found here.

Profile of growing attacks against the internet infrastructure - infographic

Cisco’s 2014 Security Report as an infographic
