On Tuesday, November 11, the National Institute of Standards and Technology (NIST) released a critical vulnerability with 'Godmode' exploitation summary for CVE-2014-6332 relating to a bug within the Windows operating system that has been around since Windows 95. Microsoft released a patch for this nearly 20-year-old bug called WinShock for all currently supported operating systems. Unsupported operating systems like Windows XP will not get a patch.
What does this mean for Windows XP users?
WinShock can completely compromise any computer running Windows XP. Per IBM's Security Intelligence website, the attack can be initiated remotely when you visit a malicious website using any version of Internet Explorer and can bypass any system security layer designed to thwart such an attack. Even up-to-date anti-virus and anti-malware programs will not prevent a hacker from exploiting the vulnerability.
Once exploited, a machine may have malicious software installed that could cause the loss of stored data, theft of data, disruption of network capabilities, disclosure of private information, logging of keystrokes, remote access and installation of ransomware. Once compromised, any machine that the hacked machine has access to, such as networked servers or other workstations, could be exploited regardless of what operating system is installed.
How does this affect insurance agencies and carriers?
As an insurance agent, you have access to the complete profile of Personably Identifiable Information (PII). This includes, but is not limited to, data points like contact information, birthday, government identification numbers, financial account numbers, payment card information, transaction information, and credit report information. As such, many laws have been passed at a state level regulating notification and civil fines should your clients' data become compromised from your system.
Data breaches make national news these days. Target and Home Depot are prime examples. Like these retailers, should your data become breached, you must notify each individual affected by the breach. If the number of affected individuals exceeds 500, you may also need to report the breach to a government organization and, in some cases, the media. As a trusted advisor in charge of protecting your clients' future, nothing will hurt your reputation more than telling them you introduced them to the world of identity theft.
Each state has defined their own fine structure when it comes to the breach of PII. On average they run between $1,000 and $100,000 per incident. Some states base an incident as a collective, others provide that each individual affected is a separate incident.
Federal laws have also been passed regulating data security for insurance-related operations.
Health Insurance Portability and Accountability Act (HIPAA)
According to the 164.308(a)(1) Security Rule provision of HIPAA, any covered entity or business associate must 'Implement policies and procedures to prevent, detect, contain, and correct security violations.' It further states that entities must 'Conduct an accurate and thorough assessment of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information held,' and 'Implement security measures sufficient to reduce risks and vulnerabilities to a reasonable and appropriate level.' As Windows XP cannot pass an audit relating to this provision, any entity running the unsupported operating system is in violation due to willful neglect and is subject to a minimum of $50,000 per violation and an annual maximum of $1.5 million.
Health Information Technology for Economic and Clinical Health (HITECH)
Subtitle D of the HITECH acts extends the HIPAA Security Rule and Notification Rule not only for covered entities, but upon business associates, vendors of personal health records (PHR) and related entities if a breach of unsecured protected health information (PHI) occurs. This is known as the 'Omnibus Rule.' Per the Agents Council for Technology HIPAA workgroup, 'Agencies which sell any health insurance products (medical, dental, vision, long term care, Medicare supplements) for companies like Blue Cross/Blue Shield, Humana, Aetna, Principal, Delta Dental, etc. are likely to be Business Associates and their agent agreements will include provisions that require them as Business Associates to comply fully with the HIPAA Security Rule, as well as with the portions of the HIPAA Privacy and Data Breach Rules that are applicable to them.' This extension again causes any organization running Windows XP to be further subjected to the fines mentioned above.
Other factors relating to the exposure of PII include the following:
Cyber Liability, Professional Liability, Errors and Omissions Policies
All cyber liability and many professional liability and errors and omission policies include provisions relating to the protection and security of consumer data. Many policies provide that the carrier will not pay damages for any known defect or bug that could reasonably be expected to cause harm. Knowing that you are running unsupported and unpatched operating systems, which expose vulnerabilities, such as CVE-2014-6332 aka WinShock, would violate a similar provision lurking within your policy causing you to be liable and uncovered.
Payment Card Industry Data Security Standard (PCI DSS)
Do you take credit cards? Do you store credit card numbers in your agency management or accounting system? If you do your merchant account provider requires that you must 'Ensure that all system components and software are protected from known vulnerabilities by having the latest vendor-supplied security patches installed.' Running Windows XP will cause you to be out of compliance with this requirement.
So many more...
If you are subject to the Sarbanes-Oxley Act of 2002 or Gramm-Leach-Bliley Act through ownership of or by a bank, mortgage company, or other financial organization, running Windows XP will fail the audit. What about your agreement with carriers? Have you actually read it? What does that say about the protection of consumer data?
I could continue, but I think you get the idea. After reading this you should know that continued usage of Windows XP is considered willful neglect and will introduce you to higher fines.
Flexibility of Approach
There are provisions in most of these statues that allow you to weigh the risk against the cost of implementation. Should your analysis conclude that it would be cost prohibitive to prevent the vulnerability, you may be able to forgo the implementation. However, this will not save you when it comes to Windows XP. The cost to upgrade relative to overall risk is minimal. The notification, consumer protection, and legal costs alone would easily pay for a complete overhaul of your technology infrastructure, and you would still be forced to upgrade anyway.
Upgrading is not as expensive as you think. You can get a new desktop computer running Windows 7 Pro for around $300. In addition to upgrading to a supported operating system, you will get newer and faster equipment that will help your producers do what they do best... produce.
For Everyone Else
The amount of PII that insurance organizations collect make them prime candidates for targeted attacks. While the bakery shop down the road might be hit via an opportunistic hacker just looking for an easy target. As an insurance agent, you are actively being targeted. I know this. We see it every day in our server, security and web logs. Hackers from all over the world are attempting to access your data because they know you have some of the most lucrative data out there.
It is time to take security seriously. If you don't take the security of your data seriously, you place your agency, carriers, vendors and, most importantly, your clients in irreparable harm.
Patch and upgrade your systems. Install and maintain security features, such as firewalls, anti-virus and anti-malware software. Regularly assess who and how people access your systems. Invest in technology. It is meant to help, not hurt your business.
And please, get rid of Windows XP.
MS14-064 - Vulnerabilities in Windows OLE Could Allow Remote Code Execution (3011443) -
MS14-066 - Vulnerability in Schannel Could Allow Remote Code Execution (2992611) -
A Killer Combo: Critical Vulnerability and 'Godmode' Exploitation on CVE-2014-6332 (with how to exploit) - http://blog.trendmicro.com/trendlabs-security-intelligence/a-killer-combo-critical-vulnerability-and-godmode-exploitation-on-cve-2014-6332/
IBM X-Force Researcher Finds Significant Vulnerability in Microsoft Windows-
State Data Breach Statues -
HIPAA Omnibus Rule will have Big Impact on "Business Associates" -
No HIPAA or Meaningful Use Compliance with Windows XP -
What is Ransomware? -
HIPAA Security Rule -
PCI DSS Requirements and Security Assessment Procedures - https://www.pcisecuritystandards.org/documents/pci_dss_v2.pdf
About the AuthorFollow on Twitter Follow on Linkedin More Content by Laird Rixford