Slashdot Mirror


Hacking Insurance For Net Businesses

Spasemunki writes: "ZDNet is carrying a story today on the new partnership between Lloyd's of London and Counterpane to offer 'hacking insurance' to businesses with big, expensive net presence. Is this a good-for-business acknowledgement that even the best security framework has flaws, or companies stepping back from protecting their customers in favor of covering themselves? According to the CTO of Counterpane, e-commerce businesses 'don't have to prevent hacking; they have to manage their risks.' Interesting perspective from a security wonk." Of course, I'd rather have cracker insurance.

45 of 117 comments

  1. Re:This is no protection by Zibblsnrt · · Score: 3
    > The best and most innocuous way a system is
    > penetrated and compromised is not from
    > remote exploits, but from the inside. The
    > careless SysAdmin who leaves a root console
    > open; the stupid employee who writes his
    > password on postit notes next to the monitor;
    > the disgruntled and angry employee that did
    > not get the raise he thinks he deserved.

    How would insurance companies handle a more meatspace version of those kinds of problems? A clueless employee or security guard forgetting to lock the doors after closing? Would the insurance companies just consider that 'self-inflicted' and leave them to handle it themselves?

    Myself, I'd be more interested in finding a concrete way to determine how much a company loses in an attack. Preferably in real money. Anyone can get their web page cracked and replaced for 4 hours and claim they lost three percent of Japan's net worth as a result. In fact, 'anyone' seems to - even the slightest compromise claims to have millions or tens of millions of dollars in damage.

    Just how can they prove that they lost, say, $6M on a thirty-minute DDoS smackdown or something? Exactly what company earns a quarter billion dollars a day anyway?

    -Patrick Stewart

    --
    "All that is necessary for evil to succeed is for good men to do nothing." - Edmund Burke
  2. Re:I want more details... by smileyy · · Score: 2

    Wouldn't it be more of a process audit? Things like:

    • Sysadmin performs daily/weekly security maintenance on servers
    • Company disables VB Scripts on all workstations
    • Machines are tested and assaulted before being put into production
    • ...etc.
    --
    pooptruck
  3. Re:How This HAS To Work by gehrehmee · · Score: 2

    That's exactly what's GREAT about this... if there's one thing cranky, over-zealous, greedy insurance companies are good for, it's forcing its clients to cover their bases. If idiot clients aren't paying attention to their security issues, they'll be charged up the yin-yang for high-risk insurance, or left behind by corporate customers who see coverage as a high-priority element in choosing an IS provider.
    My only concern is in making sure that the little guy, who actually puts a significant amount of effort into properly securing their services, gets a fair rate for eye-candy "reassurance" insurance.

    --
    "You know, Hobbes, some days even my lucky rocketship underpants don't help" -- Calvin
  4. Re:Putting a $$ figure on damage by KuRL · · Score: 2
    Very good point. Almost every cracker lawsuit involves a company grossly overestimating the damage done... See Kevin Mitnick's trial for a prime example of this; Sun calculated its damages by the amount of money it took Sun's programmers to develop their product... That's clearly not the right way to calculate damages.

    But is there a right way to calculate damages resulting from data theft? I mean, sure, there are certain things that are (relatively) easily calculated, business lost during the time it took to fix a system being the best example, but if someone hacked Adobe and "stole" an alpha version of the latest PhotoShop, what's the damage? Adobe still owns the version, so they haven't LOST anything... Bandwidth loss is extremely negligible. However, in that case it merely isn't right to charge something like $25 in damages.

    Or is it?
  5. Ding! We have a winner... by Spiff28 · · Score: 2

    That was my first thought exactly.

    The problem here is that definitions and verifications of those definitions is really touchy stuff. It's going to be for quite some time.

    • Hacked - So, what is that exactly? Or rather.. where do you draw the line? Someone gaining root... someone gaining an account... someone executing foreign code (say some perl thing)... someone installing foreign programs (wanna boost those distributed.net stats?). What about being DoS'd? How about if someone spoofed their IP to look like it came from your place, and you ended up catching their backlash? Portscanning? Pinging? I mean, seriously.. what?
    • Security - How secure are you? Well.. I have brand X routers, brand Y boxes, brand Z OS, Foo Web Server, etc. etc. etc. There are too many combinations.. so they're going to get lumped. Then how attentive are they? Is there an admin wired in to the server farm? Is he on a pager leash? Does he check for patches daily? Etc. etc.
    • Verification - How are you going to prove to me that what you said happened really did? This could end up being quite costly in and of itself, having to go around and trace where the stuff came from, what happened, etc. etc.

    This is a needed thing, I believe... but it's also much too slippery a slope. There are too many 'wellll... maybe' issues.

  6. A step closer to what network security should be. by LittleStone · · Score: 2

    Besides spreading the risk, one thing about insurance that many people forget is that insurance companies have every incentive to suggest practical measures to the client to prevent those claim situations. For example, when you buy fire insurance, they would evaluate your premises, tell you the premium, and suggest effective ways of prevention to lower your premium. Mostly those so-called experts or consultants of fire prevention tell you to buy something impractical (consultant=sales), while the insurance companies are not interested in selling those things.

    Some of you may have experience of getting advice from those so-called risk management consultants of e-business from those large consulting firms which actually are selling you M$ solutions; I think insurance on network security is a more practical way. To know how good your measures of network security are, ask the insurance companies to give you an assessment.

    --
    A sig is redundant.
  7. I think that this is going to be well-used by drinkypoo · · Score: 4

    Certainly, any large corporation should both secure themselves to the best of their ability, AND take out a policy.

    Reading sites like CERT, l0pht and rootshell (And hoist a beer to the now-seemingly-defunct 8lgm) is never going to become useless, because at some point they will charge you so much for your coverage that you can no longer afford to remain in business. There will continue to be a need for security.

    At the same time, I do think that for a short time at least, this will lead to lax security in companies which do purchase these policies. Some of them will doubtless reason that simply because they have purchased this policy they have all the protection they need.

    That will last just long enough for them to lose some truly critical data or business which will seriously impair their ability to operate. At that time, they will take the money their policy pays out to them and hire a team of badasses to come in and secure their network, because they can't afford to have that happen again, even if someone does throw money at them when it occurs. Money doesn't turn back the clock, at least not yet.

    All you security consultants are safe, but you might want to lay in some ramen for the next few months if you just got off a four month vacation. Lazy bastards.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  8. Cracker Insurance? by mr · · Score: 3

    Why would you NEED insurance for crackers? All the boxes of crackers I buy have a 'money back if not satisfied' label. And, if the saltines aren't right, I just throw them out.

    Seems like a waste to buy cracker insurance.

    As for hacker insurance, I guess there ARE risks with using chairs made with axes. You would think tho, if you LIKE axe-made chairs, you'd inspect the craftsmanship before you bought it.

    --
    If it was said on slashdot, it MUST be true!
  9. Their marketing by quintessent · · Score: 4

    'For the right price, my boys could offer you "protection", because we wouldn't want to see what happened to you if you didn't buy our "protection." hehehehe.'

  10. This is the ONLY protection by griffjon · · Score: 2

    void has a point, the percentage of inside hacks seems to be upwards of 70% of all breaches--but any decent insurance policy (and we are talking Lloyd's) will cover insider hacks as well.

    Importantly, though, what's the mantra of the security aware? No system is secure. OK, a system filled with concrete unplugged at the bottom of the ocean comes close. But, there will always be a new vulnerability, an insider bribed, a way in. Always. Insurance is really the only solution for businesses in this area, much like, as other posters have realized, the niches where insurance is popularized in the real world.

    In an uncertain world, insurance becomes needed. The wonderful and insidious thing about this, however, is that you know what the trend of insured internet businesses will drive? security! You want a good rate on our security insurance? Better freakin' install the latest patches, have a subscription to Security Focus, get a good firewall, implement access policies, do background checks, shred your paper trash...

    This will be a fantastic wave of actual implemented security.

    --
    Returned Peace Corps IT Volunteer
  11. Not to be redundant... by Animol · · Score: 2

    ...so I won't. Yes, the DoS attacks have already been mentioned, but this is a perfect example of what the insurance is there for. If it can be proved (aside from bandwidth theft) that your business suffered a loss because of an attack of this sort, they will recompense you for it accordingly.

    It's not like they're insuring solely (if at all) the security of your own systems, but they are offering a source of aid assuming that you fall prey to a business-impacting loss of internet service in one way or another. It's also not like the system won't be defrauded at all, mind you, but then again all insurance systems have been and are being defrauded on some level. These people are either caught or not, and it won't be any more difficult in this setting.

    One more thing that hasn't been mentioned in any significant amount yet is the fact that a large number of businesses have not been significantly impacted by h/crackers. Many of these would still pay a fair amount for a secure feeling - which, more than anything else, the insurance business is there to provide. I personally would probably pay for this, not because I can't secure a system a fair amount, and not because I think that evil computer geniuses really want to take down my t-shirt shop, but because of the self-same "warm fuzzy feeling".

    --

    "I'm not even supposed to BE here today!"
  12. Lloyd's of London...big liability themselves by TwoEdge77 · · Score: 2

    I don't know if I'd trust Lloyd's of London for insurance with all the internal troubles they've had in recent news.

  13. Re:I want more details... by griffjon · · Score: 2

    There are actually audit standards already extant for high-security hosting--financial hosting sites all go through something called a SAS-70, which--depending on the level of the institution, are pretty harsh security.

    --
    Returned Peace Corps IT Volunteer
  14. Preying on public paranoia by KuRL · · Score: 2
    Does this story remind anyone of the old SNL skit involving the sale of "robot insurance" to senior citizens?

    "Remember: Robots ARE out to get you," etc.

    Is this policy REALLY necessary, or is this the insurance equivalent of yellow journalism?
  15. Re:Symantics by StevenMaurer · · Score: 3

    The dispute will more likely center on the "X millions of dollars" part. Does this cover salaries for fixing the system? Revenue lost because of downtime? Upgrading software to more secure versions? That's what'll end up in front of a judge eventually, unless the contract is exceedingly well written.

    Also, don't just go assuming that it's always insurance companies who are the rip off artists. In both consumer and commercial insurance, there are many more instances of fraud and legalistic shenanigans by the people covered than by insurers.

    Case in point: my brother in law works for the firm that insures Microsoft (Zurich Intl.). Among other things, they cover them with a standard indemnification plan - a.k.a. if Microsoft is sued in civil court, Zurich is responsible for both the defense and the damages (if any). Just like with many automobile plans, it is the insurance company's lawyers who defend the case, which is only fair since they are the ones on the hook for the monetary loss. Insurers will often settle cases their clients would have fought, because they have less of an emotional attachment to the idea of being proven right in court.

    Microsoft is now suing Zurich because they want to be reimbursed for all the attorney's fees they've spent in defending themselves in the anti-trust lawsuit. Microsoft is trying to twist a clearly written indemnification plan into a blank check for all their exceedingly high-priced lawyer's fees, while giving Zurich no say in how the defense is actually presented.

    Needless to say, Zurich is defending itself.

  16. Re:How This HAS To Work by anticypher · · Score: 2

    Almost exactly how this works!

    This insurance has been available for several years, usually tacked onto an existing data center loss prevention policy. This is a press release to show how our beloved Bruce Schneier has become a partner with a big insurance house.

    The insurance company will require at least two audits, the first to determine the policies and attitudes of the management, and to locate holes in enforcement of a good security policy. After the fixes have been made, the second audit will show whether the management can accommodate the change necessary to implement a proper security policy. It's more about attitude than open ports :-)

    There are several parts to the audit. The hack/crack part does all the usual stuff, such as wardialing the whole company looking for unauthorised modems, running customised exploit scripts and custom versions of ISS and nmap. They also make sure every system connected to the network is documented, and they log on every server and check the security from inside as well.

    There's a bunch of naff stuff going on at the same time like policy audits and background checks on all the IT staff and secretaries. In the end there is a big report, and, based on a security score, it determines your policy rate.

    The policy holder sometimes puts a security consultant on the site for a while, to monitor the state of the network and how well the IT idiots follow the required security policy.

    The whole exercise is to raise the bar against script k1dd13s, and give the shareholders a warm and fuzzy feeling. It also gives the lawyers a defence if a cracker does damage and the company gets sued.

    What counterpane is probably doing is either renting out some tiger teams or training up some in-house teams to use their custom made tools.

    the AC

    --
    Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  17. good news for secure systems like BSD and Linux by eries · · Score: 2

    If this is done in a clueful way, it will actually be really beneficial. At first, I'm sure all companies will pay an equal deductible, as in the early days of car insurance. But over time, the insurance companies will start to collect stats on who does the best security, and adjust deductibles accordingly. If this is handled objectively, and it turns out that NT-based systems are 32% more likely to be DoSed, then companies will have to pay.

    The nice thing is that, since money is on the line, the insurance company has a huge incentive to be objective and honest about what really works to prevent "hacking." My guess is that obscurity-based systems don't get rated as high as a Volvo :)

  18. What will be interesting... by wrenling · · Score: 5

    Is to see how the claims get handled. If basic security procedures were not followed (patches, closing off extraneous ports, etc) will the claim be paid? If they are paid, it will set a bad precedent, and give companies an excuse to maintain poor security, hire less qualified admins, and just file claims when bad stuff happens.

    If they DO deny claims based on lack of basic preparedness, it could benefit the overall community by making it worth the company's pocketbook to make sure their admins are well trained, and have the equipment and software they need. Lawyers LOVE it when companies have insurance policies - it means larger settlements for them.

    --
    Check out Magic Firesheep!
    1. Re:What will be interesting... by Kismet · · Score: 2

      It would be good to see something along the lines of auto-insurance here. Vehicles that are statistically more dangerous or more expensive to replace get higher premiums. Safer and cheaper vehicles are cheaper to insure.

      If this were applied to computer systems, it might become a market influence. It may provide incentive to some companies to improve the quality of their software if the risk for insecure products means losing business.

  19. and by British · · Score: 3

    If you act now, you can get a 25% discount on Alien abduction insurance too!

  20. How This HAS To Work by The+Infamous+TommyD · · Score: 2

    Others have tried this and are doing it correctly, but it's difficult. What the insurer must do is go in and analyze the insuree and then institute proper security policy, controls, and enforcement. Only after a revamp of the insuree, from management infrastructure and policy down to best practices by sysadmins, will the policy be written. Of course, the insuree must pay for all of this. This is what they mean by "managing risk."

    For some companies, this makes a lot of sense. Others take their chances. In any event, I foresee many other insurers and insurees getting in on this soon.

  21. Damn Crackers by Trepidity · · Score: 2

    Of course, I'd rather have cracker insurance.

    Yeah, why worry about your computers when there's a much bigger threat out there: hordes of inbred white people?

  22. Same as every business... by MosesJones · · Score: 4

    Why is this news? Surely this is exactly the same as insuring a standard company against burglary?

    It's just another case where everyone is surprised because the eWorld is the same as the normal world.

    To use the real world, basic security is important, but investment in a patrolled compound to protect a pizza parlour is excessive, while spending $100 on insurance per year makes pretty good sense.

    There is no "e" or "v" world, there is this world.

    --
    An Eye for an Eye will make the whole world blind - Gandhi
    1. Re:Same as every business... by RollingThunder · · Score: 3

      Probably because of the wild difference in assessability of risk.

      You can fairly easily get a good idea of how secure a physical site is. Check the locks, the alarm systems, review the security staff and their training, etc etc etc.

      But for a moving target like infosec, I can't see how they can determine a risk assessment, unless they're not even bothering to and just using actuarial tables.

      Given the generally paranoid and overly cautious attitudes of insurance companies, I'd say a change like this does signify news.

  23. Symantics by Kintanon · · Score: 5

    I just can't wait for the first claim to come in:

    Business: Look! We were attacked by hackers and lost X millions of dollars, call the insurance company!

    Insurance Company: We're sorry, but you were attacked by CRACKERS, not Hackers, and you only purchased the Hacker insurance. It's an extra 50K a year for the Cracker insurance. Sorry. (Evil cackle)

    Kintanon

    --
    Check out JoshJitsu.info for Brazilian Ji
    1. Re:Symantics by anticypher · · Score: 2

      The dispute will more likely center on the "X millions of dollars" part. Does this cover salaries for fixing the system? Revenue lost because of downtime? Upgrading software to more secure versions?

      When an insurance policy is granted, the company will have in place a well written procedure detailing exactly how each system will be fixed in case of a cracking incident. That will include an estimate of hours to reload the OS from scratch, and then recover the system configuration and data from backup tapes. The policy will specify how much will be paid for recovering a system after a crack, what the losses per hour are for the loss of functionality, and whether a consultant can be paid to further secure the machine after the attack.

      If a system is critical to a company's well-being, then it becomes cheaper to buy some hot standby systems ready to be switched in almost immediately. Of course, this increases the cost of a system by 4x to 10x or more. Somebody does the math, and figures out which will be cheaper, a second system, or a few hours downtime of the system.

      the AC

      --
      Hemos is like...sci-fi fans;he thinks technology is cool, but he hasn't bothered to understand the science it's based on
  24. Re:Fraud... by B.+Samedi · · Score: 2

    Or how about buying a house, insuring it for more than it's worth and then having somebody come and burn it to the ground?

    Insurance fraud has been around for a long time. In the US, the states have offices to handle this kind of thing and when it starts getting offered in that state then the Fraud division will hire on some computer admins to help them. They might be slow but they are rarely stupid.

  25. I want more details... by finkployd · · Score: 2

    > offer "hack insurance" to companies that pass a strict audit.

    What would this audit include? Exploits for both OSS and closed source software appear on a daily basis. Passing an audit today means nothing about your security tomorrow or next week. How does Lloyd's plan to ensure companies keep up with patches (or service packs for those dumb enough to trust that other OS's security)?

    Also will there be an "approved" list of software and anything that doesn't appear on that list cannot be used in any way? I can see a certain large software company kicking enough money Lloyd's way to ensure its software is on the list and competitors are deemed "insecure".

    Finkployd

  26. Stupidity in action by Stiletto · · Score: 3

    A fool and his money are easily parted...

    Hey, if someone's willing to buy hacking insurance instead of securing their systems, then they deserve to make these insurance companies rich.

    What I wonder is, when one of these companies gets cracked, will the insurance provider pay off if it was due to negligence? I mean, most insurances only apply to accidents. If I buy flood insurance for my home, and I leave all the windows and doors open during a flood/hurricane, I can't make a claim. I don't believe drunk drivers can collect from claims on their auto policy either. Same with this situation--what insurance provider will pay up if you leave your box sitting totally unsecured on the Internet?

  27. Good for open-source by Shotgun · · Score: 2

    Insurance companies are the most paranoid in the world, and they will want their own auditors to confirm that they are insuring a secure environment. At the least, they will set lower rates for sites with better security.

    Insurance is a line-item in company budgets with predictable cost. Managers get bonuses for lowering predictable cost.

    Working from those premises, I predict that a company with a verifiably secure Linux/BSD/$OTHER_OS_OS infrastructure will be able to negotiate a lower insurance cost than a company that says, "Microsoft insures us that this software is secure."

    I further predict that direct positive impact on the bottom line will do more to push open-source solutions into business than anything else.

    Keep all your benchmarks and anecdotal evidence. The insurance companies won't care. They will do the most in-depth analysis you could ever imagine, because 1) they have the resources and 2) they'll have REAL money on the line. Smart money goes where the insurance companies do. (Well, at least I trust them to take care of their own money and not give a rats-ass about the OS wars.)

    --
    Aah, change is good. -- Rafiki
    Yeah, but it ain't easy. -- Simba
  28. You can insure about anything by Kefaa · · Score: 2

    Having worked in the insurance industry (IT side) for many years, it is all a matter of risk/benefit analysis. Further, the actuarial guys and gals are just about anal at this stuff. Many can tell you, given a room of /. participants, how many are overweight, and by how much. How many drive cars over a certain value and what is the risk they will have an accident? How many work in a corporation and what is the risk of repetitive stress injury? And they are right at a nearly frightening rate. If it were gambling, you would never bet against the house.

    Real life example:
    Like it or not, a 50 year old, buying a new Porsche is far less of a risk than a 22 year old. It is not personal, it is not specific to you, it says nothing about your parents or your abilities. So guess what, you pay more at 22, than at 50.

    You may not even be able to get insurance at 22 on a certain type of car, until you enter the "risk pool". This would be the same for companies as it is for 22-year-olds driving a Porsche. I may insure you but I am not taking the major risk. (i.e. $2000 deductible, $500/month payment and penalties for failure to pay)

    Now, given some company "X", operating a type of business "Y", for a period of time "Z", what is the average number of security breaches (internal and external) you can be expected to incur? What varies the result the most? What kind of loss per incident can be expected? What factors contribute to a claim (i.e. how often is notoriety a cause versus failure to update patches?)

    Now like your car, you are expected to take care of it. The "blue book" here however is what a company agrees to. Amazon out of commission for 12 hours is going to be a much bigger claim than slash dot. (No offense intended).

    Further, the claimant cannot facilitate the action.
    • Have you had a security audit in the last "X" timeframe? (security like Swiss cheese)
    • Did you act on its findings? (no funding for upgrades)
    • Are you using reasonable precautions to protect yourself, data, and business? (haven't done a backup this week)
    • Was this a known threat you failed to act on? (ILOVEYOU attack two weeks after it made the news)

    I think it is a great idea, because those with insurance must be attentive to collect on a loss. The more attentive people are the better it is for everyone.

  29. That is Lloyd's specialty... by TopShelf · · Score: 2

    Lloyd's of London has a famous reputation for assessing and insuring all sorts of odd risks, such as Mary (Entertainment Tonight) Hart's legs. Check this out for some examples. Businesses can even insure against a couple employees winning the lottery and not coming back to work...

    --
    Stop by my site where I write about ERP systems & more
  30. Re:Semantics by ODiV · · Score: 2

    So the majority are right when it comes to language? Usage defines the word?

    What about when the guy at Radio Shack tries to tell you that this computer comes with 20 gigs of memory?

    How about the all too common confusion of multiple personalities disorder with skitzophrenia (sp? grr... tried looking it up.)?

    So if everyone started calling gay men 'fags' tomorrow, they'd be right?

    I think hackers have a perfectly valid complaint here.

  31. This is no protection by (void*) · · Score: 2
    The best and most innocuous way a system is penetrated and compromised is not from remote exploits, but from the inside. The careless SysAdmin who leaves a root console open; the stupid employee who writes his password on postit notes next to the monitor; the disgruntled and angry employee that did not get the raise he thinks he deserved.

    If systems were just insured from outside cracking, then it would make more sense. But the vulnerability of MOST systems is from the users, and so the problem of insurance fraud cannot be avoided. Why can't the CEO and CTO collaborate to make more money for the company? The last time I heard, no audit can discover what a bunch of powerful and willing conspirators want to hide.

  32. Insure who? by Drakkula · · Score: 2

    Here's a company who's doing a great job at doing it all wrong.

    I don't agree with the 'don't have to prevent hacking; they have to manage their risks.' bit.
    If cracking was prevented they wouldn't have to spend so much money 'managing their risks'.
    And one of the best ways to keep crackers away is to make sure they don't know about you. This is something Lloyds of London is not achieving with this kind of news coming up in Sci-Tech sites...
    I bet they just got all kinds of crackers lining up to 'test' their new insurance...

  33. Cracker Insurance by drenehtsral · · Score: 2

    A moronic ISP (not the one this IP is attached to, so piss off...) that I have to deal with from time to time at work has cracker insurance, and to keep that up they regulate what ports you can listen on, what OS versions you can run, and where you can peer/tunnel/etc... on your internal network. In any case, my suspicion that they are a bunch of blithering idiots was confirmed when they dropped our link by fucking with our router (which they had drop shipped, black box style, and refused to tell us the passwords...) and as a last resort they called us and walked us through setting the link back up, and you know what? The dumb bastards keep the router passwords set at factory default. Oh well, I pity the underwriter of their insurance policy...

    --

    ---
    Play Six Pack Man. I
  34. Less silly suing? by ParticleGirl · · Score: 2

    In recent times, companies that have been cracked or have clients that have been cracked have lashed out at the most easily available target. Usually this means that some poor service provider or host service somewhere has to take the heat for "letting" someone misuse their services. Like suing someone (especially a service provider or software developer) for not having tight enough security (it's way too easy to find recent examples of this.) If nothing else, maybe insurance for being cracked will pacify the attacked, so there won't be as many silly lawsuits.

    Unless they crack their own site, collect the insurance, and then sue their tech people for not being good enough to prevent their attack. That'd definitely be silly.

    --
    Do something about world hunger. Click here
  35. Putting a $$ figure on damage by sstrick · · Score: 3

    I would like to see how they will value the damage. It seems to me that every time there is a cracked machine on the web the damage bill seems to run into millions.

    For example while the "I love you" virus pissed a lot of people off and caused more than a few email servers to crawl to a halt, I think the estimate of 5 Billion dollars of damage was a little overstated.

    After all, how do you factor in brand-name damage, future lost revenue from deterred surfers, and knock-on advertising revenue effects when assessing a claim? No doubt most companies will pick a random figure and multiply it by 10.

    I will be interested to read about the first claim.


    --

    "Do you think we could wipe out world hunger forever if scientists figured out how to make AOL's Free CD's edible?"-
  36. Don't laugh by / · · Score: 4

    Don't laugh. The British firm Goodfellow Rebecca Ingrams Pearson actually offered a policy against Alien impregnation.

    Sadly, they discontinued the service in the wake of the Heaven's Gate cult suicide. Insane people are just too likely to make claims against the policy.

    --
    "If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
  37. Counterpane is in the security monitoring business by XNormal · · Score: 2

    At the same time, I do think that for a short time at least, this will lead to lax security in companies which do purchase these policies. Some of them will doubtless reason that simply because they have purchased this policy they have all the protection they need.

    Just like your insurance company may require you to install an alarm system before they cover you for burglary, this type of insurance will require you to be audited and then continuously monitored by a company like Counterpane Systems.

    ----

    --
    Stop worrying about the risks of nuclear power and start worrying about the risks of not using nuclear power.
  38. This will be a great step forward! by kris · · Score: 2

    This will be a great step forward for computer security. In order to keep their premium down, companies will have to agree to basic external security audits and to implement a set of minimum security procedures. This will generally raise the bar in the field of web security.


    © Copyright 2000 Kristian Köhntopp

  39. Yet Another Bad Idea(TM) by Anomalous+Canard · · Score: 2

    Insurance works when the event you are insuring against is out of your control. Business interruption insurance for various wind perils is entirely appropriate and economically viable because wind perils are (1) unable to be anticipated and (2) not controllable by the insured.

    Insurance against Hackers or Crackers is uneconomic because the element of controllability is not present. The organization has various means at its disposal to avoid service disruptions, from firewall configuration to fully-redundant, offsite backup servers. Yes, they need good Risk Management, but Insurance is not the answer to every Risk Management problem.

    Though if some deep-pockets on Lloyds want to chance going broke on poorly-conceived Insurance schemes, it wouldn't be the first time.

    Anomalous: inconsistent with or deviating from what is usual, normal, or expected

    --
    Anomalous: deviating from what is usual, normal, or expected
    Canard: a false or unfounded repor
  40. Hacking insurance! by 11223 · · Score: 5
    Here at XYZ Insurance Corporation, we're proud to announce our new Hacking Insurance - protecting your business interests against hackers!

    Hackers have been known to attempt to undermine your business interests with subversive activities like replacing IIS with Apache, and porting your product to Linux. Here's what we offer for protection:

    • Instant Apache uninstall - we keep secured backup tapes that let you go back to your secure, responsive IIS environment instantly!
    • Linux replacement - with proprietary tools we can search out Linux computers connected to your network and replace them with secured NT workstations!
    • Source code security - we offer to help you write Windows-specific code so your developers can never switch to Linux if their hacker instincts flare up!

    As you can see, hacker insurance has many benefits. Protect your business investments today!
  41. Fraud... by TheNecromancer · · Score: 2
    Seems to me that this may open up a new way to rip off insurance companies.

    Imagine a company insuring themselves against hackers, and then actually striking a deal with someone to hack into their system, damage some part of their system, and get rich off of the claim!

    --
    Attention all planets of the Solar Federation! We have assumed control! - Neil Peart
  42. Maybe some good will come of this... by Pfhreakaz0id · · Score: 3

    Maybe these companies will be forced to actually provide some evidence when they claim "we lost $42 million dollars when our web site got cracked." I don't think the insurance company is just going to say "sure, $42 million, here ya go!"
    ---