Slashdot Mirror


Hacking Insurance For Net Businesses

Spasemunki writes: "ZDNet is carrying a story today on the new partnership between Lloyd's of London and Counterpane to offer 'hacking insurance' to businesses with big, expensive net presence. Is this a good-for-business acknowledgement that even the best security framework has flaws, or companies stepping back from protecting their customers in favor of covering themselves? According to the CTO of Counterpane, e-commerce businesses 'don't have to prevent hacking; they have to manage their risks.' Interesting perspective from a security wonk." Of course, I'd rather have cracker insurance.

15 of 117 comments

  1. Re:This is no protection by Zibblsnrt · · Score: 3
    > The best and most innocuous way a system is
    > penetrated and compromised is not from
    > remote exploits, but from the inside. The
    > careless SysAdmin who leaves a root console
    > open; the stupid employee who writes his
    > password on postit notes next to the monitor;
    > the disgruntled and angry employee that did
    > not get the raise he thinks he deserved.

    How would insurance companies handle a more meatspace version of those kinds of problems? A clueless employee or security guard forgetting to lock the doors after closing? Would the insurance companies just consider that 'self-inflicted' and leave them to handle it themselves?

    Myself, I'd be more interested in finding a concrete way to determine how much a company loses in an attack. Preferably in real money. Anyone can get their web page cracked and replaced for 4 hours and claim they lost three percent of Japan's net worth as a result. In fact, 'anyone' seems to - even the slightest compromise claims to have millions or tens of millions of dollars in damage.

    Just how can they prove that they lost, say, $6M on a thirty-minute DDoS smackdown or something? Exactly what company earns a quarter billion dollars a day anyway?

    -Patrick Stewart

    --
    "All that is necessary for evil to succeed is for good men to do nothing." - Edmund Burke
  2. I think that this is going to be well-used by drinkypoo · · Score: 4

    Certainly, any large corporation should both secure themselves to the best of their ability, AND take out a policy.

    Reading sites like CERT, l0pht and rootshell (and hoist a beer to the now-seemingly-defunct 8lgm) is never going to become useless, because at some point they will charge you so much for your coverage that you can no longer afford to remain in business. There will continue to be a need for security.

    At the same time, I do think that for a short time at least, this will lead to lax security in companies which do purchase these policies. Some of them will doubtless reason that simply because they have purchased this policy they have all the protection they need.

    That will last just long enough for them to lose some truly critical data or business which will seriously impair their ability to operate. At that time, they will take the money their policy pays out to them and hire a team of badasses to come in and secure their network, because they can't afford to have that happen again, even if someone does throw money at them when it occurs. Money doesn't turn back the clock, at least not yet.

    All you security consultants are safe, but you might want to lay in some ramen for the next few months if you just got off a four month vacation. Lazy bastards.

    --
    "You're right," Fisheye says. "I should have set it on 'whip' or 'chop.'"
  3. Cracker Insurance? by mr · · Score: 3

    Why would you NEED insurance for crackers? All the boxes of crackers I buy have a 'money back if not satisfied' label. And, if the saltines aren't right, I just throw them out.

    Seems like a waste to buy cracker insurance.

    As for hacker insurance, I guess there ARE risks with using chairs made with axes. You would think though, if you LIKE axe-made chairs, you'd inspect the craftsmanship before you bought it.

    --
    If it was said on slashdot, it MUST be true!
  4. Their marketing by quintessent · · Score: 4

    'For the right price, my boys could offer you "protection", because we wouldn't want to see what happened to you if you didn't buy our "protection." hehehehe.'

  5. Re:Symantics by StevenMaurer · · Score: 3

    The dispute will more likely center on the "X millions of dollars" part. Does this cover salaries for fixing the system? Revenue lost because of downtime? Upgrading software to more secure versions? That's what'll end up in front of a judge eventually, unless the contract is exceedingly well written.

    Also, don't just go assuming that it's always insurance companies who are the rip off artists. In both consumer and commercial insurance, there are many more instances of fraud and legalistic shenanigans by the people covered than by insurers.

    Case in point: my brother in law works for the firm that insures Microsoft (Zurich Intl.). Among other things, they cover them with a standard indemnification plan - a.k.a. if Microsoft is sued in civil court, Zurich is responsible for both the defense and the damages (if any). Just like with many automobile plans, it is the insurance company's lawyers who defend the case, which is only fair since they are the ones on the hook for the monetary loss. Insurers will often settle cases their clients would have fought, because they have less of an emotional attachment to the idea of being proven right in court.

    Microsoft is now suing Zurich because they want to be reimbursed for all the attorney's fees they've spent in defending themselves in the anti-trust lawsuit. Microsoft is trying to twist a clearly written indemnification plan into a blank check for all their exceedingly high-priced lawyers' fees, while giving Zurich no say in how the defense is actually presented.

    Needless to say, Zurich is defending itself.

  6. What will be interesting... by wrenling · · Score: 5

    Is to see how the claims get handled. If basic security procedures were not followed (patches, closing off extraneous ports, etc.) will the claim be paid? If they are paid, it will set a bad precedent, and give companies an excuse to maintain poor security, hire less qualified admins, and just file claims when bad stuff happens.

    If they DO deny claims based on lack of basic preparedness, it could benefit the overall community by making it worth the company's pocketbook to make sure their admins are well trained, and have the equipment and software they need. Lawyers LOVE it when companies have insurance policies - it means larger settlements for them.

    --
    Check out Magic Firesheep!
  7. and by British · · Score: 3

    If you act now, you can get a 25% discount on Alien abduction insurance too!

  8. Same as every business... by MosesJones · · Score: 4

    Why is this news? Surely this is exactly the same as insuring a standard company against burglary?

    It's just another case where everyone is surprised because the eWorld is the same as the normal world.

    To use the real world, basic security is important, but investment in a patrolled compound to protect a pizza parlour is excessive, while spending $100 on insurance per year makes pretty good sense.

    There is no "e" or "v" world, there is this world.

    --
    An Eye for an Eye will make the whole world blind - Gandhi
    1. Re:Same as every business... by RollingThunder · · Score: 3

      Probably because of the wild difference in assessability of risk.

      You can fairly easily get a good idea of how secure a physical site is. Check the locks, the alarm systems, review the security staff and their training, etc etc etc.

      But for a moving target like infosec, I can't see how they can determine a risk assessment, unless they're not even bothering to and just using actuarial tables.

      Given the generally paranoid and overly cautious attitudes of insurance companies, I'd say a change like this does signify news.

  9. Symantics by Kintanon · · Score: 5

    I just can't wait for the first claim to come in:

    Business: Look! We were attacked by hackers and lost X millions of dollars, call the insurance company!

    Insurance Company: We're sorry, but you were attacked by CRACKERS, not Hackers, and you only purchased the Hacker insurance. It's an extra 50K a year for the Cracker insurance. Sorry. (Evil cackle)

    Kintanon

    --
    Check out JoshJitsu.info for Brazilian Ji
  10. Stupidity in action by Stiletto · · Score: 3

    A fool and his money are easily parted...

    Hey, if someone's willing to buy hacking insurance instead of securing their systems, then they deserve to make these insurance companies rich.

    What I wonder is, when one of these companies gets cracked, will the insurance provider pay off if it was due to negligence? I mean, most insurance policies only apply to accidents. If I buy flood insurance for my home, and I leave all the windows and doors open during a flood/hurricane, I can't make a claim. I don't believe drunk drivers can collect on claims against their auto policy either. Same with this situation--what insurance provider will pay up if you leave your box sitting totally unsecured on the Internet?

  11. Putting a $$ figure on damage by sstrick · · Score: 3

    I would like to see how they will value the damage. It seems to me that every time there is a cracked machine on the web the damage bill seems to run into millions.

    For example, while the "I love you" virus pissed a lot of people off and caused more than a few email servers to crawl to a halt, I think the estimate of 5 billion dollars of damage was a little overstated.

    After all, how do you factor in brand name damage, future lost revenue from deterred surfers and knock-on advertising revenue effects when assessing a claim? No doubt most companies will pick a random figure and multiply it by 10.

    I will be interested to read about the first claim.


    --

    "Do you think we could wipe out world hunger forever if scientists figured out how to make AOL's Free CD's edible?"-
  12. Don't laugh by / · · Score: 4

    Don't laugh. The British firm Goodfellow Rebecca Ingrams Pearson actually offered a policy against Alien impregnation.

    Sadly, they discontinued the service in the wake of the Heavens Gate cult suicide. Insane people are just too likely to make claims against the policy.

    --
    "If one is really a superior person, the fact is likely to leak out without too much assistance" -- John Andrew Holmes
  13. Hacking insurance! by 11223 · · Score: 5
    Here at XYZ Insurance Corporation, we're proud to announce our new Hacking Insurance - protecting your business interests against hackers!

    Hackers have been known to attempt to undermine your business interests with subversive activities like replacing IIS with Apache, and porting your product to Linux. Here's what we offer for protection:

    • Instant Apache uninstall - we keep secured backup tapes that let you go back to your secure, responsive IIS environment instantly!
    • Linux replacement - with proprietary tools we can search out Linux computers connected to your network and replace them with secured NT workstations!
    • Source code security - we offer to help you write Windows-specific code so your developers can never switch to Linux if their hacker instincts flare up!

    As you can see, hacker insurance has many benefits. Protect your business investments today!
  14. Maybe some good will come of this... by Pfhreakaz0id · · Score: 3

    Maybe these companies will be forced to actually provide some evidence when they claim "we lost $42 million dollars when our web site got cracked." I don't think the insurance company is just going to say "sure, $42 million, here ya go!"
    ---