[H|Cr]acker Insurance
Spellbinder writes "Yahoo has an article on
Hacker insurance, also known as "network risk insurance," has been on the market for about three years, but is expected to explode from a $100 million sideshow into a $2.5 billion behemoth by 2005, according to insurance industry projections."
If everyone's site went down - as it almost did with the latest vuln in MSSQL - how would anyone ever cover the losses?
fp
Do they cover your bandwidth bill when some random infected machine sends virus packets to your secured site, even if you don't get infected?
Hartford Steam Boiler offers good rates, but requires intrusive inspections. Before they insure something, they inspect and provide a list of things they want fixed. Then they inspect again, after the problems are fixed. Only then will they provide insurance coverage. They then have the right to inspect at any time, and they use it.
This works great for steam boilers (where they have great expertise) but they haven't tried to expand much out of their niche. Even though they do cover some computers, they're still mostly focused on boilers. It's good that others are now moving in that direction.
This is the right approach. When Hartford Steam Boiler started in 1866, steam boilers blew up regularly. Within a few years, boilers insured by Hartford Steam Boiler weren't blowing up. A similar approach may eliminate computer crashes as a major problem. The day may well come when you can't buy insurance because you have an insecure OS on the premises.
Car insurance is cheaper if you have an ignition disabler, and other anti-theft features.
If companies actually buy cracking insurance, they will want to get it at a low price.
The insurance industry, by charging high premiums for bad IT management, bad security, bad policy, and bad software, could force companies to improve themselves.
How high are the premiums on MS SQL 2000?
You could clearly point to the insurance premiums and show how much bad security is costing the company.
I am just curious here, and therefore my question must be seen in that context. In the case of the Slammer worm and various other virus-related incidents, the victim has almost always been shrink-wrapped, standard off-the-shelf products (even if one includes operating systems in this league). So the argument could go that product liability is inappropriate because here you were given a tool, if you like, and it's up to you to do what you wanted with it. Yes, I admit that fundamental flaws should not be present, but I am not sure if I am on terra firma on that ground alone.
Anyway, now what about bespoke software of the kind that runs banking systems? Surely there is a leap of faith here. When a company commissions software from another firm, apart from contractual agreements are there any standard practices that one can quote here to say this is how the industry handles the risk arising out of product defects that could potentially knock the person out of business or worse liable for external damages too?
- ramas opines!!
Would a firm get a break on their insurance if they ran 100 OpenBSD servers rather than 100 Windows servers or do they view a box as a box as a box?
Trolling is a art,
This reduces total overhead by removing the license fees associated with Windows, SQL, and Exchange, and eliminates the need for expensive insurance options. The money saved could be used to hire a qualified network security person in-house.
"...but is expected to explode from a $100 million sideshow into a $2.5 billion behemoth by 2005..."
Even taking these predictions with a rather large grain of salt, this is still fairly impressive. Might be a good time to look into putting your money into (gasp!) the stock market?
"The power of accurate observation is frequently called cynicism by those who don't have it." - G.B. Shaw
'Mainstream' servers like IIS and Apache will have their flaws documented within days, perhaps hours, of being discovered. This will make insurance on servers like this easier to judge. What about a home-brew image server? Or an obscure small-scale database from SourceForge?
Auditing and insuring as appropriate for these applications would be a slow and tricky process (the cynic in me says it is yet another business opportunity), as many thousands of apps would have to be tested and rated on an insurance-risk table - if you do want to be insured from this so-called 'h/cracker threat', it isn't going to come cheap.
OK M$ bashies, enough. One word, "bugtraq."
The issue here is really interesting. Do you think that by patching systems, and by going through security testing, the premiums for this type of insurance will go down? How do you determine a financial settlement (Kevin Mitnick allegedly cost several companies billions of dollars in damage, blah blah blah)? Will this make security teams wealthy and sysadmins better?
Furthermore, the article says that this type of insurance has been around for 3 years now, but I didn't get a hit when I typed in "network risk insurance" into Google...who is providing this?
Sounds like a scam I'd like to be a part of...
man rtfm
Speaking of home insurance, I just received my annual assessment and the new clauses explicitly exclude any damages due to "cyber attacks", i.e., hacking or net downtime, etc.
and don't forget to get your DDOS flood insurance coverage too.
The article title reads [H|Cr]acker Insurance
This regex works but I don't think it works for the reasons that the author intended. For example,
The [H|Cr] is a character class matching the single character H, C, r or |.
So this regex will match Hacker Insurance, and Cracker Insurance (bolding indicates what part of the word matches)... it will also match |acker Insurance
I wouldn't normally be so anal but the title involves hackers/crackers... you'd think you'd get the logic right, no?
I would humbly suggest the regex (H|Cr)acker Insurance
If the author was intending some weird regex syntax where [] indicates something other than a character class, then I apologize in advance.
ID-10-T is a way of life
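The commenter's point, shown in working code (this is an added example, not part of the thread; the candidate title strings are constructed for the demonstration): Python's `re` treats `[H|Cr]` as a four-character class and `(H|Cr)` as alternation, so the two patterns accept different strings and, for "Cracker Insurance", match different substrings.

```python
import re
import string

# The pattern from the article title and the one the commenter proposes.
CHAR_CLASS = re.compile(r"[H|Cr]acker Insurance")
ALTERNATION = re.compile(r"(H|Cr)acker Insurance")

# Constructed inputs: the two intended titles plus strings that expose the bug.
CANDIDATES = [
    "Hacker Insurance",
    "Cracker Insurance",
    "|acker Insurance",
    "Cacker Insurance",
]


def matched_text(pattern: re.Pattern, s: str):
    """Return the substring the pattern matches in s, or None if it does not match."""
    m = pattern.search(s)
    return m.group(0) if m else None


def class_members(char_class: str) -> set:
    """Enumerate the printable ASCII characters a single-character class accepts.

    Useful as a sanity check when a bracket expression contains metacharacters
    such as '|' that lose their special meaning inside [...].
    """
    rx = re.compile(char_class)
    return {c for c in string.printable if rx.fullmatch(c)}


def compare(candidates=CANDIDATES) -> dict:
    """Map each candidate to (char-class match, alternation match)."""
    return {s: (matched_text(CHAR_CLASS, s), matched_text(ALTERNATION, s))
            for s in candidates}


if __name__ == "__main__":
    print("[H|Cr] accepts:", sorted(class_members("[H|Cr]")))
    for title, (cc, alt) in compare().items():
        print(f"{title!r:22} class={cc!r:22} alternation={alt!r}")
```

Note that `search` still reports a hit for "Cracker Insurance" under the character-class pattern, but only because "racker Insurance" matches, so a test that checks only for truthiness would hide the defect.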
Imagine the billions and billions we wouldn't have to piss away on insurance if we clamped down on the trial lawyers.
When a medical malpractice suit can cost $100M, a doctor can't afford to diagnose a common cold without malpractice insurance.
And when that lawsuit can cost his malpractice insurance company $100M, no insurance company is going to write a policy unless your doctor pays $100K/year in premiums.
And when your doctor's paying $100K/year in premiums, is it any wonder that he charges you $100 to diagnose a common cold?
Gee, when it costs you $100 to get a common cold diagnosed, anyone with sprog can't afford to get medical care... without insurance. (Gee, what a coincidence :)
We need to break the trial lawyers by putting caps on the Landshark Lottery.
No, the best insurance is a competent admin and management that gives him the support he needs and listens to him (or her).
I speak from experience. At a company I used to work for, the "business manager" decided that connecting a server (administered by another company; I couldn't legally touch it) with NO root password (AIX, BTW) to a modem anyone could dial into (no logging either) was a good idea. I objected, in writing, but was overruled.
It was about a week before the hard drive suddenly went blank. The company administering it said it was a bad hard drive. I disagreed, and said someone had broken into it. Again, I was overruled, and they replaced the hard drive and restored the system from the last system backup (charging about $800 for this service). They put the modem back online.
Exactly a month later, same thing. This time the company says it's a bad controller card (and again won't listen to me). The company claimed it would take a very sophisticated attack to do what was happening. Apparently, they never heard of cron and "rm -rf /*"! Anyway, again they restored the last system backup (not checking anything either; I watched). Another bill (unknown amount).
Month 3, same time, same blank hard drive. Now they believed me and did an install off known good media. They refused to scan the data backups for leftovers, though. Fortunately, it doesn't appear like the visitor left anything there. The business manager also finally gave the OK to disconnect the modem.
They eventually did reimburse for some of the bills for non-faulty equipment, but the billing department (it was "their" server) was down for about 7 days. I have no idea how much that cost.
The best admin in the world can't protect squat if management ties his (or her) hands.
I predict every claim will be turned down, under the guise of a preexisting condition. If the admin can't secure the system, they certainly won't be able to prove the system was clean before purchasing insurance.
Where the CTO for Counterpane Internet Security says:
"I believe that within a few years hacking insurance will be ubiquitous," Schneier said. "The notion that you must rely on prevention is just as stupid as building a brick wall around your house. That notion is just wrong."
Uh, my house has brick walls on all sides for that very purpose...
I guess he is saying that now we should all just forget about applying patches, and installing firewalls. We should just buy insurance for when we get hacked.
-- -- Warning. Do not stare directly at the sun.