Cyber-Crime Fighters: Recognizing their own vulnerabilities, insurers tighten security for their online operations. (Technology).


As more insurers place confidential data on network and Web servers and invite customers to retrieve information, submit claims and ask questions online, the Internet is becoming an indispensable tool. The scope of Internet intrusions, however, has become a daunting risk, and many insurers underestimate their vulnerability.

The "2001 Computer Crime and Security Survey" found that 85% of respondents detected computer security breaches within the last 12 months. The survey--conducted by the Computer Security Institute, an organization that trains information-, computer- and network-security professionals--polled more than 530 computer-security practitioners in U.S. corporations, financial institutions, government agencies, medical institutions and universities.

"Because the market has been driven by being the first to get online, companies have pushed security aside in the rush. However, now that they depend on this source of revenue for operations, they are starting to wake up about the risks associated with being online," said Rick Fleming, vice president of security operations for Digital Defense Inc., which provides vulnerability assessments and security services to companies with online access.

Conning & Co. recently released "Cyber-Security for Insurers: The Virtual Fortress?" to evaluate insurers' security measures for their online operations and propose ways for them to protect themselves against cyber-attacks. "It is critical that insurers address their cyber-security vulnerabilities, because of the substantial costs associated with breaches and reputational damage that could occur," said Conning Vice President Clint Harris, the author of the study. According to the study, losses associated with cyber-security breaches for all U.S. businesses are projected to increase to $43.6 billion by 2005, more than double the amount in 2000.

Insurers as Targets

Insurers were early adopters of technology and have used technology extensively to support their business operations, said William Fandrich, president and chief operating officer of Cogentric, a developer of products that identify and prevent e-commerce infrastructure risks. "The nature of the information they retain in their systems, their size and their dependency on technology increase their susceptibility to cyber-attacks." For example, insurers' management of substantial amounts of liquid financial assets--both their own and those of others--makes them likely targets of cyber-attacks. In addition, insurers' familiar brand names and their reliance on legacy systems to store vast amounts of confidential information--such as medical histories, policy applications and credit-card numbers--increase their risk of succumbing to these costly events.

"Insurers have a serious dependence on systems to run their businesses, and carriers spend billions of dollars on computer systems to manage their operations and their reporting agencies at the state level," said Phil Pierson, vice president of technology products and founder of Irvine, Calif.-based e-Sher Underwriting Managers, a division of Sherwood Insurance Services. As a result, insurers face the daily challenge of protecting this process.

Insurers' interconnectivity across the globe, such as network connections to national and international offices, also increases their vulnerability to computer-related crimes. "Not only does greater use of the Internet expose them to more types of vulnerabilities, but security may not have been adequately incorporated in their haste to catch up to other industries' use of the Internet," Harris said. Effective security must be part of the e-business planning process from the beginning and not bolted on at the end, he said.

Evaluating Exposures

Every time a company allows an outside entity, such as a client or partner, into its network, it opens a hole, said Thubten Comerford, chief executive officer of White Hat Technologies Inc., which provides internal and external network integrity audits for companies. A growing number of customers, partners, vendors and competitors venture onto insurers' Web sites and across their networks each day, escalating insurers' vulnerabilities to computer-related attacks.

Consultants and those working closely with insurers on cyber-security believe it is crucial that insurers begin their protection process by evaluating their vulnerabilities. But lack of expertise and knowledge about complex security systems has caused some insurers to forgo such evaluation measures. "Because of the inherent complexity of most computer systems, many people, including trained information-technology staff, trust software vendors to build secure systems. However, very little software is built from the ground up with security in mind," said Digital Defense's Fleming.

Conning found that some insurers are not properly evaluating their security needs, because they haven't fallen victim to these attacks in the past, and they are denying their risks. Insurers argue that they spent millions of dollars on Y2K, which didn't occur, and they have no intention of repeating that, Harris said. New exposures, including more robust viruses and denial-of-service attacks, however, have hit the market since the turn of the century, placing insurers at even greater risk for new types of attacks and breaches. Advances in computer technology have increased complexity and, therefore, vulnerabilities to attacks. In addition, in the wake of the terrorist attacks of Sept. 11, insurers must consider the potential for cyber-terrorism.

In its study, Conning points to a "cyber-security cycle" as a way for insurers to evaluate the vulnerabilities in their online operations continuously and determine the level of protection they need.

The cycle begins with an assessment of an insurer's vulnerabilities, threats and estimate of potential losses. Conning advises insurers to then develop an enterprisewide security policy, which should be published publicly and explained to everyone within the business, including partners, customers and employees, to educate them about their part in the security process.

Insurers then should define and refine specific security rules, standards and procedures from the security policy, Harris said. This information, however, should not be made public, he said.

Finally, insurers should implement and enforce the process and then restart the cycle by conducting a reassessment, including reassessing vulnerabilities, ranking them by priority and updating the security policy, if necessary. "The overall policy probably won't change significantly. However, the rules, standards and procedures may change more frequently as exposures change," Harris said.

Because no company's system is 100% secure, it's important for insurers to put a series of steps in place to protect against Internet intrusions, breaches and denial-of-service attacks. Neil Bryden, a national partner champion for information security services for the professional services firm KPMG LLP, believes protection against these attacks can be achieved through a balanced approach in three areas--people, processes and technology.

People Are Key

Conning recommends that insurers designate an employee to a high-level, central position to develop, maintain and enforce cyber-security policies. "It takes that level of a position, because that individual has to create and enforce an enterprisewide and 'enterprisewise' policy incorporated into all aspects of business," Harris said. In addition, the high level of this position affirms the importance of cyber-security to the company.

These individuals, who should report directly to the chief executive officer, should possess both technical and interpersonal expertise--the ability to work closely with the CEO and other executives--to create an effective security policy. In addition, Conning advises companies to designate individuals who have both relevant senior-level experience and professional certifications, such as the Systems Security Certified Practitioner, Certified Information Systems Security Professional or Global Incident Analysis Center Certified Intrusion Detection Analyst.

Many insurers have appointed teams or individuals to oversee computer-related security responsibilities. "While this is commendable, the largest failure we see in this type of arrangement is not granting that person the authority to make procedural changes in the organization," Digital Defense's Fleming said.

In addition to security policies and the installation of various protective measures, cyber-security teams should pay particular attention to employees' technology activities. Seventy percent of all incidents occur within the network of a company's own employees, said Steven Haase, CEO of Insurectrust.com LLC of Alpharetta, Ga., which provides e-business risk management to corporate networked communities. Monitoring passwords and employees' internal and external use of the Internet are two ways companies can protect against potential internal intrusions.

"There is no way to make companies bulletproof, but the concentration now should be on the human-element policies and procedures training, including looking at the latest patches and configuration issues for software," Haase said.

Ongoing Processes

"Insurers need to articulate security programs that contain policies driving overarching rules for everything--it's the linchpin between people and technology," said KPMG's Bryden. These programs include guidelines, standards, operational and monitoring procedures, and control mechanisms to ensure that security precautions are conducted effectively and in a continuous manner.

Insurers also should have appropriate nondisclosure agreements in place with partners and contractors so they know what information is proprietary and how to manage the information, said e-Sher's Pierson. In addition, insurers should incorporate procedures for employees to follow in the event that information "falls into the wrong hands," he said.

Due diligence, which requires companies to take prudent precautions and verify they are doing so, is another important process. Insurers should be able to prove that they're adhering to at least minimum required security standards, said Clint Kreitner, president and CEO of the Center for Internet Security, a nonprofit organization that helps businesses manage information security risks.

A trust relationship with outside entities, including business partners and contractors, requires due diligence to ensure that their systems meet insurers' security controls. Heavy reliance on outside entities for functions, such as Web hosting, creates new security vulnerabilities, and insurers need to perform background checks and determine what level of trust to put into connections with these outside contractors.

In addition, many outsourcing firms have indemnification clauses in their contracts to protect them in case their clients are attacked. Rob Hammesfahr, a managing attorney with Cozen O'Connor in Chicago, said that before insurers contract with outside vendors they should ask three questions: the scope of the indemnification that will be provided, the minimum operating or performance standards in the contract, and the security for the indemnification from the vendor, including the quality, type and amount of insurance that will be maintained. If a company outsources or contracts with an emerging technology business or any business with limited resources, an indemnity is only as secure as the business that provides it. If there is an insurance clause, the contract should provide that the company will be an additional named insured in the vendor's policies.

Technology Protects Technology

"Each year, more than 600 new vulnerabilities are identified in a multitude of software applications and operating systems, and in order to combat this threat, companies need to deploy technology that can assist them in performing a recurring assessment of their systems," said Digital Defense's Fleming.

Most insurers are using fire walls to protect themselves against intruders. It's important that these devices are properly configured to provide adequate protection and that they are installed at every possible point of entry.

Insurers also need to install fire walls and ensure that they are up to date, even if they're connecting to business partners through dedicated circuits. "This is very important, because these partners might be connected to the Internet without fire walls and if companies are not using these [devices], they are basically bridging themselves to the Internet with no protection mechanism," said Timothy Saltmarsh, corporate information security officer for CNA Group.

While fire walls play a key role in computer and network security, they are not a panacea or silver bullet-type solution, Fleming said. Many companies have Web servers behind their fire wall, but since the fire wall allows traffic to and from the server, it is imperative that the server also be secured against attack.

In addition to fire walls, many companies now are turning to intrusion-detection systems to increase their security protection. Operating much like virus scanners, intrusion-detection systems are used for such things as real-time attack monitoring and attack response. They also have been used in some situations to detect virus outbreaks, such as the recent "I Love You" computer virus that destroyed image files with a ".jpeg" suffix.

This year, more than 70% of respondents to the Computer Security Institute's survey cited their Internet connection as a frequent point of attack, compared with 59% last year. Recent worms and viruses, such as "Code Red," which infected an estimated 225,000 computer systems around the world, have paralyzed some companies' systems and resulted in time-consuming measures to remove them from infected computers.
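The signature matching that the intrusion-detection systems above perform can be seen on a small scale in the following script, an added example that is not code from the article or from any vendor it names. It scans Web-server access logs in Common Log Format for the request patterns that Code Red and Nimda used when they probed servers, as documented in the 2001 CERT advisories for the two worms, counts probes per source address, and separately flags any probe that drew a 2xx response, since that means the server executed the request instead of rejecting it. The log lines and addresses are constructed for illustration (the addresses come from reserved documentation ranges).

```python
"""Signature scan of Web-server access logs for Code Red and Nimda probes.

Added example, not code from the article or from any vendor it names.
The log lines at the bottom are constructed for illustration."""
import re
from collections import Counter

# Common Log Format: client ident user [timestamp] "request" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
    r'(?P<status>\d{3}) (?P<size>\S+)'
)

# Request signatures as published in the 2001 CERT advisories for the worms.
SIGNATURES = {
    # Code Red: oversized /default.ida request (N's for Code Red I, X's for II)
    "code-red": re.compile(r"^GET /default\.ida\?(?:N{20,}|X{20,})", re.I),
    # Nimda: probes for root.exe or cmd.exe followed by "?/c+", either directly
    # or through encoded directory traversal into winnt/system32
    "nimda": re.compile(
        r"^GET /\S*(?:root\.exe|winnt/system32/cmd\.exe)\?/c\+", re.I),
}


def classify_request(request):
    """Return the worm name whose signature matches the request, or None."""
    for name, pattern in SIGNATURES.items():
        if pattern.search(request):
            return name
    return None


def scan_log(lines):
    """Return (hits, unparsed_count). Each hit records the source address,
    timestamp, worm, status code and whether the probe got a 2xx."""
    hits, unparsed = [], 0
    for line in lines:
        m = LOG_RE.match(line)
        if m is None:
            unparsed += 1          # count malformed lines rather than drop them
            continue
        worm = classify_request(m["req"])
        if worm is None:
            continue
        status = int(m["status"])
        hits.append({
            "ip": m["ip"],
            "time": m["ts"],
            "worm": worm,
            "status": status,
            # 404 means the probe bounced off; a 2xx means the server executed
            # the request, so that host needs immediate investigation.
            "probe_succeeded": 200 <= status < 300,
        })
    return hits, unparsed


def summarize(hits):
    """Count probes per (source, worm) and list sources whose probe succeeded."""
    per_source = Counter((h["ip"], h["worm"]) for h in hits)
    succeeded = sorted({h["ip"] for h in hits if h["probe_succeeded"]})
    return per_source, succeeded


# Constructed sample log; addresses are from reserved documentation ranges.
SAMPLE_LOG = [
    '203.0.113.7 - - [19/Sep/2001:10:15:01 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 404 276',
    '203.0.113.7 - - [19/Sep/2001:10:15:02 -0400] "GET /MSADC/root.exe?/c+dir HTTP/1.0" 404 276',
    '203.0.113.7 - - [19/Sep/2001:10:15:03 -0400] "GET /scripts/..%5c../winnt/system32/cmd.exe?/c+dir HTTP/1.0" 404 276',
    '198.51.100.22 - - [19/Sep/2001:10:16:40 -0400] "GET /default.ida?NNNNNNNNNNNNNNNNNNNNNNNNNNNNNNNN%u9090%u6858%ucbd3 HTTP/1.0" 404 294',
    '192.0.2.9 - - [19/Sep/2001:10:17:12 -0400] "GET /scripts/root.exe?/c+dir HTTP/1.0" 200 512',
    '192.0.2.44 - - [19/Sep/2001:10:18:00 -0400] "GET /index.html HTTP/1.1" 200 1043',
    'this line is not in Common Log Format',
]

if __name__ == "__main__":
    found, bad = scan_log(SAMPLE_LOG)
    counts, succeeded = summarize(found)
    for (ip, worm), n in counts.most_common():
        print(f"{ip:<16} {worm:<9} {n} probe(s)")
    print("probe succeeded (investigate now):", succeeded or "none")
    print("unparsed lines:", bad)
```

Run against a real log, the per-source counts show which hosts are sweeping the address space, and the "probe succeeded" list is the one to act on first: a 404 is the firewall and Web server doing their job, whereas a 200 on one of these requests is the intrusion the text says must be found and fixed quickly.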

Insurers should make sure their virus-protection plans include protection on every desktop and regular updates, in addition to filtering gateways to the Internet. "It is important to have products and systems in place to detect an intrusion immediately and find out where it occurred and get it fixed quickly," said Pierson of e-Sher. Systems without these protection capabilities can be down or damaged for days or even weeks while companies try to examine what happened and where the problem occurred.

Cyber-Terrorism Threat?

Industries already are gearing up for potential broad-based, cyber-terrorism attacks against the United States, and those closely tied to the insurance industry believe insurers also may be at risk.

"The need for vigilance has never been greater, and the events of Sept. 11 clearly showed how vulnerable we are," said Fleming of Digital Defense. Therefore, companies need to make online security a top priority.

Financial institutions and insurers are preparing for cyber-attacks, said Tracy Vispoli, assistant vice president of Chubb Corp.'s Department of Financial Institutions, which this year introduced a policy specifically designed to protect insurance companies and other financial institutions against losses resulting from Internet-related security breaches. Since Sept. 11, many financial-services associations are warning member companies about the potential for cyber-terrorism and other related attacks and what they can do to protect themselves.

But insurers need to remain confident in their protective measures to set an example for other industries. "U.S. business in general depends on insurance, and if the insurance industry is shaken, then business is shaken," said White Hat Technologies' Comerford.

Top 10 Internet Viruses in September 2001

W32/Nimda-A accounted for more than two-thirds of the viruses reported to Sophos, an anti-virus software vendor.

W32/Nimda-A is a Windows 32 virus that spreads via e-mail, network shares and Web sites.

W32/Sircam-A is a network-aware worm that spreads via e-mail and open network shares.

W32/Magistr-A specifically targets addresses from Outlook Express, Netscape Navigator and Internet Mail and News.

W32/Magistr-B is a variant of W32/Magistr-A, and is spread by infecting files and via e-mail.

W32/Hybris-B is a worm capable of updating its functionality over the Internet.

W32/Apology-B is a file-infecting virus with an e-mail-aware worm.

VBS/Kakworm is a Visual Basic Script worm that exploits security vulnerabilities in Microsoft Internet Explorer and Microsoft Outlook.

W32/Flcss installs the virus in memory and then attempts to infect *.EXE, *.SCR and *.OCX 32-bit Windows files on the local hard drive and network directories.

W32/Bymer-A is a worm that propagates through open file shares.

W32/Badtrans-A arrives in an e-mail message with the text "Take a look at the attachment."

W32/Nimda-A     71.2%
W32/Sircam-A    11.4%
W32/Magistr-A    3.7%
W32/Magistr-B    3.0%
W32/Hybris-B     1.5%
W32/Apology-B    0.7%
VBS/Kakworm      0.7%
W32/Flcss        0.7%
W32/Bymer-A      0.5%
W32/Badtrans-A   0.4%
Other            6.2%

Source: Sophos
COPYRIGHT 2001 A.M. Best Company, Inc.
No portion of this article can be reproduced without the express written permission from the copyright holder.
Copyright 2001, Gale Group. All rights reserved. Gale Group is a Thomson Corporation Company.


Article Details
Author: Chordas, Lori
Publication: Best's Review
Article Type: Statistical Data Included
Geographic Code: 1USA
Date: Dec 1, 2001
Words: 2498