Slashdot Mirror
[H|Cr]acker Insurance
Spellbinder writes "yahoo has an article on
Hacker insurance, also known as "network risk insurance," has been on the market for about three years, but is expected to explode from a $100 million sideshow into a $2.5 billion behemoth by 2005, according to insurance industry projections."
if everyones site went down - as it almost did with the latestVuln in MSSQL - how would anyone ever cover the losses?
fp
Do they cover your bandwidth bill when some random infected virus sends packets to your secured site even if you dont get infected?
Hartford Steam Boiler offers good rates, but requires intrusive inspections. Before they insure something, they inspect and provide a list of things they want fixed. Then they inspect again, after the problems are fixed. Only then will they provide insurance coverage. They then have the right to inspect at any time, and they use it.
This works great for steam boilers (where they have great expertise) but they haven't tried to expand much out of their niche. Even though they do cover some computers, they're still mostly focused on boilers. It's good that others are now moving in that direction.
This is the right approach. When Hartford Steam Boiler started in 1866, steam boilers blew up regularly. Within a few years, boilers insured by Hartford Steam Boiler weren't blowing up. A similar approach may eliminate computer crashes as a major problem. The day may well come when you can't buy insurance because you have an insecure OS on the premises.
Car insurance is cheaper if you have an ignition disabler, and other anti-theft features.
If companies actually buy cracking insurance, they will want to get it at a low price.
The insurance industry, by charging high-premiums for bad IT management, bad security, bad policy, and bad software, could force companies to improve themselves.
How high are the premiums on MS SQL 2000?
You could clearly point to the insurance premiums and show how much bad security is costing the company.
OK M$ bashies, enough. One word, "bugtraq."
The issue here is really interesting. Do you think that by patching systems, and by going through security testing, the premiums for this type of insurance will go down? How do you determine a financial settlement (Kevin Mittnick allegedly cost several companies billions of dollars in damage, blah blah blah)? Will this make security teams wealthy and sysadmins better?
Furthermore, the article says that this type of insurance has been around for 3 years now, but I didn't get a hit when I typed in "network risk insurance" into Google...who is providing this?
Sounds like a scam I'd like to be a part of...
man rtfm
The article title reads [H|Cr]acker Insurance
This regex works but I don't think it works for the reasons that the author intended. For example,
The [H|Cr] is a character class matching the single character H, C, r or |.
So this regex will match Hacker Insurance, and Cracker Insurance (bolding indicates what part of the word matches)... it will also match |acker Insurance
I wouldn't normally be so anal but the title involves hackers/crackers... you'd think you'd get the logic right, no?
I would humbly suggest the regex (H|Cr)acker Insurance
If the author was intending some weird regex syntax where [] indicates something other than a character class then I apologize in advance,
ID-10-T is a way of life
No, the best insurance is a competent admin and management that gives him the support he needs and listens to him (or her).
I speak from experience. At a company I used to work for, the "business manager" decided that connecting a server (admininstered by another company, I couldn't legally touch it) with NO root password (AIX, BTW) to a modem anyone could dial into (no logging either) was a good idea. I objected, in writing, but was overruled.
It was about a week before the hard drive suddenly went blank. The company administring it said it was a bad hard drive. I disagreed, and said someone had broken into it. Again, I was overruled, and they replaced the hard drive and restored the system from the last system backup (charging about $800 for this service). They put the modem back online.
Exactly a month later, same thing. This time the company says it's a bad controller card (and again won't listen to me). The company claimed it would take a very sophisicated attack to do what was happening. Apparently, they never heard of cron and "rm -rf /*"! Anyway, again they restored the last system backup (not checking anything either; I watched). Another bill (unknown amount).
Month 3, same time, same blank hard drive. Now they belived me and did an install off known good media. They refused scan the data backups for leftovers though. Fortunately, it doesn't appear like the visitor left anything there. The business manager also finally gave the ok to disconnect the modem.
They eventually did reimburse for some of the bills for non-faulty equipment, but the billing department (it was "their" server) was down for about 7 days. I have no idea how much that cost.
The best admin in the world can't protect squat if management ties his (or her) hands.