Securing the system: in the wake of viruses, hackers and worms, insurers maintain constant guard over their computer systems. (Cyber-Security: Technology).With cyber-crime on the rise, many insurers have formed security teams to monitor and protect their computer systems in what they say is a never-ending battle to protect their systems from attacks. Those charged with protecting their companies' computer security speak like generals under attack, peppering their language with expressions such as "monitoring the perimeter," "looking for Looking for In the context of general equities, this describing a buy interest in which a dealer is asked to offer stock, often involving a capital commitment. Antithesis of in touch with. weaknesses in the system" and "updating defenses." The enemy they face includes an unknown legion of sophisticated hackers who may try to break into a company's system to steal data or disrupt service or to cause damage just because they can. But one need not be a computer expert to cause damage to an insurers' systems. Those savvy hackers who find flaws in the systems often share their knowledge by posting programs on the Internet, which can give even novices the key to break into a system at will. Cyber-security threats also come from within. The most common computer security breaches, experts said, come from disgruntled dis·grun·tle tr.v. dis·grun·tled, dis·grun·tling, dis·grun·tles To make discontented. [dis- + gruntle, to grumble (from Middle English gruntelen; see or former employees who know the company's system. If that weren't enough to worry about, insurers also face the daily threat of malicious programs, called viruses and worms, that have the potential to corrupt a company's entire system and destroy information. These destructive codes are often embedded Inserted into. See embedded system. in e-mail or can be downloaded from a Web site, and can be unleashed by accident by an unsuspecting employee. "It's a big deal. Every year the problem increases, and there are more losses and more incidents and more types of attacks going on," said Jay Ehrenreich, senior manager of cyber-crime and prevention for PricewaterhouseCoopers. "Everyone is at risk, and certainly financial services The examples and perspective in this article or section may not represent a worldwide view of the subject. Please [ improve this article] or discuss the issue on the talk page. are a very big target." According to according to prep. 1. As stated or indicated by; on the authority of: according to historians. 2. In keeping with: according to instructions. 3. the Computer Security Institute's 2002 Computer Crime and Security Survey, 90% of the survey's respondents--mostly large corporations and government agencies--reported computer security breaches in the past 12 months. About 80% said those breaches caused financial losses. A total of 44% who were willing and able to quantify their financial losses estimated $455.8 million in losses, with the most serious incidents stemming from theft of proprietary information and financial fraud. Another study by ASIS International ASIS International (each letter pronounced separately), previously known as American Society for Industrial Security (ASIS) is an international organization for security professionals. Founded in 1955, it has more than 34,000 members in 204 chapters worldwide. estimated that U.S. companies lost up to $59 billion in proprietary information and intellectual property from July 2000 to July 2001 caused by computer security breaches. Cyber-security "is an important area," said Edward Cheadle, director of technical services for Salt Lake City-based Beneficial Life Insurance Co. "People don't need to get paranoid par·a·noid adj. Relating to, characteristic of, or affected with paranoia. n. One affected with paranoia. about it, but you have to look at risks and make sure you are doing the right thing for the company." Viruses and Worms Tom Miele, director of information security at Penn National Insurance Penn National Insurance is a property-casualty insurance company, headquartered in Harrisburg, Pennsylvania. Founded in 1919 by the Pennsylvania Farmers and Threshermen's Mutual Protective Association, under the name Pennsylvania Threshermen's and Farmer's Mutual Casualty Company, , said the company has set up layers of protection to prevent intruders from reaching important information. "We call it our defense in-depth strategy;" Miele said. Harrisburg, Pa.-based Penn National provides standard and preferred property/casualty insurance focusing on small and medium-sized commercial and personal accounts. Pennsylvania is Penn National's largest state market, providing 41% of its written premiums. With $447 million in net premiums written for year-end 2001, Penn National was ranked as the 93rd largest property/casualty insurance company, according to A.M. Best Co. The company starts its security with its own staff, Miele said. "Every single employee here is the key to our security, it's not just the technology and my staff. The employees are our first line of defense." Every employee goes through a security awareness Security awareness is the knowledge and attitude members of an organization possess regarding the protection of the physical and, especially, information assets of that organization. program that touches on cyber-security and physical security, too, Miele said. "Physical security can be just as important as cyber-security. Anyone can walk in and sit down at a desk and get a lot of information without being on a computer." Employees are instructed on maintaining strong passwords A password that is hard to detect both by humans and by the computer. Two things make a password stronger: (1) a larger number of characters, and (2) mixing numeric digits, upper and lower case letters and special characters ($, #, etc.). See password. , and what to do if they receive a suspicious e-mail message. Like most companies, Penn National uses several different programs to filter e-mail and attempts to weed out any viruses or worms before they reach the desktop of the employee, but new intruders are being developed every day. A virus is a program that is designed to replicate itself and spread from file to file. When the application is run, the virus begins to spread. It can destroy or corrupt files and information. Often, viruses are hidden in e-mails that ask the receiver to open them with a tempting description. Viruses need human interaction to spread. Examples include the "Melissa" and "I Love You" or "Love Bug A famous virus that arrived as an e-mail attachment using the "double extension trick." The file name was "I LOVE YOU.TXT.vbs." The .vbs extension slipped by users who thought it was a safe text (.TXT) file. " viruses. Worms are spread to other computers over the network or Internet automatically without the action of humans. Worms don't alter or delete files See file wipe and delete. , but instead reside on a computer's memory and eat up a system's resources until the computer is almost useless, Miele said. Examples include the "Code Red" and "Nimda" worms. Worms look for vulnerabilities and can infiltrate infiltrate /in·fil·trate/ (in-fil´trat) 1. to penetrate the interstices of a tissue or substance. 2. the material or solution so deposited. in·fil·trate v. 1. a system through Internet connections or e-mail. "Our anti-virus software anti-virus software n → Antivirensoftware f can be updated a couple times a day," Miele said. "One thing about the security business, in relationship to virus detection, is you are always in the react mode. You can be proactive in other ways, but anti-virus is always reactive." Penn National employs close to 1,000 people and has an e-mail volume of about 10,000 messages daily. In one month, Penn National detected 2,900 messages for spain, or unsolicited e-mail; 18,000 messages related to pornography; 99 messages with possible worms attached; 230 messages with possible viruses; plus 83 messages with profanity Irreverence towards sacred things; particularly, an irreverent or blasphemous use of the name of God. Vulgar, irreverent, or coarse language. The use of certain profane or obscene language on the radio or television is a federal offense, but in other situations, profanity and 1,200 "chain" e-mail letters. Penn National employees are also told about restricted Web sites, such as pornography sites. While the company has software to block access to such sites, hundreds of new pornographic sites are developed every week, Miele said. And the danger of allowing employees to visit such sites is more than fostering a hostile work environment A hostile work environment exists when an employee experiences workplace harassment and fears going to work because of the offensive, intimidating, or oppressive atmosphere generated by the harasser. . "Some pornography sites have viruses attached to them. You could download the virus and not know it," Miele said. Jim Huddleston, director of information security for Zurich North America North America, third largest continent (1990 est. pop. 365,000,000), c.9,400,000 sq mi (24,346,000 sq km), the northern of the two continents of the Western Hemisphere. , said the company has formed an information security organization in the past year to concentrate on maintaining and enhancing computer security. Viruses are a top concern for Zurich North America, Huddleston said. Zurich North America is part of the Zurich Financial Services Zurich Financial Services Group is a major financial services group based in Zurich, Switzerland. Global operations North America The US consumer market is served primarily by Farmers Insurance Group the third largest personal lines property & casualty insurance Group, a member of the Zurich/Farmers Group. With $17.01 billion in net premiums written at year-end 2001, Zurich/Farmers is the third largest property/casualty company in the United States United States, officially United States of America, republic (2005 est. pop. 295,734,000), 3,539,227 sq mi (9,166,598 sq km), North America. The United States is the world's third largest country in population and the fourth largest country in area. , according to A.M. Best Co. data. Zurich North America writes commercial property/casualty insurance focusing on multinational, the middle market and small-business sectors in the United States and Canada. Headquartered in Schaumburg, Ill., the company employs 11,650 people. "Viruses are a continual threat. They're always getting bigger and better and more sophisticated," Huddleston said. The Threat of Hackers While viruses and worms can cause tremendous damage, those malicious codes don't target specific businesses. Hackers can pick a specific target, however, and often do. "One of the challenges we have is companies say 'why would anyone want to hack us?'" said Dave Klugman, executive vice president of Vigilant-Minds, a security firm in Pittsburgh. "The reason is 'because they can.'" Hacking See hack and hacker. is breaking into someone's computer without authorization. Once in the system, hackers can steal information, which can be quite valuable. For instance, one major case involved an 18-year-old from Wales Wales, Welsh Cymru, western peninsula and political division (principality) of Great Britain (1991 pop. 2,798,200), 8,016 sq mi (20,761 sq km), west of England; politically united with England since 1536. The capital is Cardiff. , who pleaded guilty in 2000 to stealing as many as 28,000 credit card numbers from various e-commerce Web sites in the United States, Canada, Thailand, Japan and the United Kingdom, and caused an estimated $3.5 million in losses, according to the FBI's National Infrastructure Protection Center. "We have to protect our data," said Cheadle of Beneficial Life, which is affiliated with the Church of Jesus Christ Church of Jesus Christ may refer to:
n. See Mormon. Noun 1. Latter-Day Saint - a member of the Church of Jesus Christ of Latter-Day Saints Mormon . The company, which had ranked as the 100th largest life insurer in 2001 with admitted assets of $2.14 billion, focuses on universal, whole and term life, as well as individual deferred annuity Deferred Annuity A type of annuity contract that delays payments of income, installments or a lump sum until the investor elects to receive them. This type of annuity has two main phases, the savings phase in which you invest money into the account, and the income phase in which and group term life products, according to A.M. Best Co. data. "Hackers can't steal our money, but they can destroy the data," Cheadle said. Penn National's Miele agreed. "Your data about your customers is at the center of everything," he said. Huddleston of Zurich said the company "is always being probed from the Internet. Individuals are always testing the external networks. People will try just about anything to access your systems and networks." For example, inexperienced in·ex·pe·ri·ence n. 1. Lack of experience. 2. Lack of the knowledge gained from experience. in , often young, hackers--called "script kiddies"--can easily access the programs created by expert hackers and offered free of charge on the Internet. "Accessing the tool itself is not illegal, but certainly using it could be," Huddleston said. "But if you have an Internet presence, you are going to be probed. Some will just probe, just look around, but some will attack. You have to monitor these things "These Things" is an EP by She Wants Revenge, released in 2005 by Perfect Kiss, a subsidiary of Geffen Records. Music Video The music video stars Shirley Manson, lead singer of the band Garbage. Track Listing 1. "These Things [Radio Edit]" - 3:17 2. to access the level at which you are being probed." There are steps that insurers can take, he said. For instance, if the insurer can't identify the source of the probe, it can ask the Internet service provider Internet service provider (ISP) Company that provides Internet connections and services to individuals and organizations. For a monthly fee, ISPs provide computer users with a connection to their site (see data transmission), as well as a log-in name and password. to block it. Sometimes the attack can be related to a denial of service A condition in which a system can no longer respond to normal requests. See denial of service attack. , where the hacker A person who writes programs in assembly language or in system-level languages, such as C. The term often refers to any programmer, but its true meaning is someone with a strong technical background who is "hacking away" at the bits and bytes. floods the Web site with network traffic so customers are blocked from gaining access to the site. But how do businesses know if their systems are secure? "You have to monitor your systems and see what is being attempted," Huddleston said. "You have to have a high level of vigilance VIGILANCE. Proper attention in proper time. 2. The law requires a man who has a claim to enforce it in proper time, while the adverse party has it in his power to defend himself; and if by his neglect to do so, he cannot afterwards establish such claim, the to know what is going on in your environment, know what your risks are and what is happening. There's no such thing as perfect security; the best you can do is protect those things you know about and close up any holes that exist, and constantly keep aware and maintain your systems." Patching the System Often viruses and worms prey on existing weaknesses or holes in a system. In fact, through 2005, about 90% of cyber-attacks will exploit security flaws for which a solution, or "patch" is known, according to GartnerG2, a research unit of Gartner Inc. "It's like a race," said Ehrenreich, noting both software vendors and hackers are looking for vulnerabilities or holes in the security. The software companies try to write a patch to cover the hole before the hackers can exploit it by releasing a virus or worm, or hacking into the system themselves. Major computer network companies, such as Microsoft and Sun, send out warnings on possible security threats with recommended patches, or updates, to close the potential vulnerability. "It's like leaving the door to your house unlocked," Miele said. "The patch locks the door." Penn National has a team that reviews the alert and decides what action, if any, to take. The patch may not always be worth adding to the system, Miele said. "First, we decide if it applies to us. If it does, we determine what security level it is--critical, moderate or low--and do we use that function on our system. If we have that specific function shut off, we don't worry about it. Or maybe it doesn't apply to our system. Every quarter, we review everything that happened in the last three months," he sald. The tricky thing about patches is sometimes they cause more trouble than they prevent. "You have to be careful," said Cheadle of Beneficial Life. "Certain patches stop applications from working. Sometimes getting a patch off is more difficult than getting it on:" An unprotected computer--without anti-virus software, patches or other protections--can be compromised within four hours of being linked to the Internet, Klugman said. Companies can also use tools, such as firewalls, to prevent unauthorized users from getting into their system. A firewall is software that places a barrier between an interior network and a public network or Internet, said Ehrenreich of PricewaterhouseCoopers. "It's like an electronic sentry that checks who can go in and who can go out electronically through the network." It's not enough to have a firewall, and patches, Ehrenreich warned. "You must make sure your system is configured correctly, and then monitor it." Penn National, like many companies, also backs up its information daily, and has an "incident response" plan to handle a security breach when it happens. "We have a way of shutting down and isolating the problem. That doesn't mean we shut down business, but we can shut down one particular item and isolate it from the network," Miele said. Penn National has on-site and off-site backups, and a disaster recovery plan to use if its headquarters shuts down. That makes sense, Ehrenreich said. "You need incident response plans, because you can have all the security in the world, but things will still happen and you need to respond quickly and effectively." White Hat Hackers People who break into a computer system and inform the company that they have done so. They are either concerned employees or security professionals who are paid to find vulnerabilities. White hat hackers are the "good guys." Contrast with black hat hacker and blue hat hacker. While many companies don't acknowledge or report when their systems have been breached, the damage can be tremendous. Beneficial Life said it was infected by a virus in July when an employee accidentally opened a contaminated contaminated, v 1. made radioactive by the addition of small quantities of radioactive material. 2. made contaminated by adding infective or radiographic materials. 3. an infective surface or object. Web page and downloaded a virus. "We shut down the world at noon, and people spent the night working on it. That one incident cost us $50,000 to $60,000. We found the weakness in the system and deployed a better system, but that wasn't the way we wanted to find it" Cheadle said. One way companies can find out how secure their systems are is to hire a "white hat" hacker. Also called "ethical hackers A programmer who legally attempts to break into a computer system or network in order to find its vulnerabilities. See penetration test. ," they intentionally attempt to hack, or gain unauthorized access, to a company's computer systems, in order to identify and fix any vulnerabilities. VigilantMinds, one such company, said insurers face a particular challenge. "Insurance companies have a mothership that has all kinds of information; then they have agents out in the field that can access the mothership. The challenge is how to deploy security. It's like a chain and is only as strong as its weakest link," said Kiugman of VigilantMinds. He said there's a gap between people's perception of risk and what the real risk is. And if the same people who built the security system are the ones to test it, it's not really an objective test, he said. "Companies pay us to attempt to get into their systems without any prior knowledge," Klugman said. "It's a real-world proof of how secure you are." Often, it's a breach of security that gets a business to call on VigilantMinds, he said. "A significant portion of our customer base has come to us immediately after a security event," Klugman said. "It's like buying car insurance after your first accident." While many top level executives don't worry about cyber-security, the insurance industry is ahead of other sectors because at least company leaders are accustomed to thinking about risk, Klugman said. The company helps insurers "harden hard·en v. hard·ened, hard·en·ing, hard·ens v.tr. 1. To make hard or harder. 2. To enable to withstand physical or mental hardship. 3. ," or tighten, their security. "If you think of your system as a house with doors and windows Doors and Windows is a multimedia disk by the Irish band The Cranberries. Track listing
The company also monitors a system's usage, and can see if there's an unexpected surge in one area that may signal an intruder An attacker that gains, or tries to gain, unauthorized access to a system. See attacker, intrusion and IDS. in the system. "When a bank puts together its security process, it buys a vault. You cannot buy an invulnerable in·vul·ner·a·ble adj. 1. Immune to attack; impregnable. 2. Impossible to damage, injure, or wound. [French invulnérable, from Old French, from Latin vault; you can't buy one that guarantees that no one can break into it. It's just a question of how long it will take to have someone break into it. The key is to limit the amount of time someone has to try to break in," Klugman said. "If you give someone enough time, they will break in. We don't necessarily prevent anyone from getting in, but we prevent them from taking anything of value or harming anything of value." A Never-Ending Battle Cyber-security is a "quiet risk management success," said Robert Hartwig, chief economist The Chief Economist is a single position job class having primary responsibility for the development, coordination, and production of economic and financial analysis. It is distinguished from the other economist positions by the broader scope of responsibility encompassing the with the Insurance Information Institute. In 2000, the "Love Bug" virus caused an estimated $9 billion in damage worldwide. In the wake of Sept. 11, 2001, the "Nimda" worm caused just $590 million in damage. "The 'Love Bug' was the watershed event when it comes to cyber-security," Hartwig said. "In the same way that Hurricane Andrew This article is about the 1992 hurricane; there was also a Tropical Storm Andrew during the 1986 Atlantic hurricane season. Hurricane Andrew is the second-most-destructive hurricane in U.S. history, and the last of three Category 5 hurricanes that made U.S. and the Northridge earthquake The Northridge earthquake occurred on January 17, 1994 at 4:31 AM Pacific Standard Time in the city of Los Angeles, California. The earthquake had a "strong" moment magnitude of 6. changed the way we prepare for hurricanes and earthquakes, cyber-security changed after the 'Love Bug.'" After the "Love Bug," companies stepped up their security systems and developed back-up plans that appear to have worked, Hartwig said. According to CFO See Chief Financial Officer. magazine, the cost to business from cyber-attacks fell to $12.3 billion in 2001 from $17.1 billion in 2000. That doesn't mean there are fewer cyber-attacks, but they aren't causing as widespread or extensive damage, he said. "If only mitigation in the rest of the insurance world could be as successful," Hartwig said, noting it takes decades to "turn over" housing stock, or build new storm-resistant houses or retrofit ret·ro·fit v. ret·ro·fit·ted or ret·ro·fit, ret·ro·fit·ting, ret·ro·fits v.tr. 1. To provide (a jet, automobile, computer, or factory, for example) with parts, devices, or equipment not in existing ones; whereas computer systems are changed much more frequently as new technology is developed. Jerry Winchell, Progressive Corp.'s information technology manager, said corporate America has taken steps to deal with and minimize the impact of certain viruses. "While these actions have helped reduce the impact severity and frequency of these viruses in 2002, we must not risk becoming complacent or start to think the threat is shrinking." Indeed, just 34% of the respondents of CSI's computer survey said they reported computer security breaches to the government, although 90% saw some security breach. "The biggest challenge is people keeping current," said Klugman. "You can't go out and spend a bunch of money and be secure. You may be secure, but it's just for one day. You have to look at the issue every day." [GRAPH OMITTED] [GRAPH OMITTED] RELATED ARTICLE: The Enemy You Know While security threats from the Internet get more press, just as many threats come from internal sources, industry experts said. "Almost daily you hear about some new threat, a new attack or virus, but various surveys continue to state you have as much threat from inside your network as from outside," said Jim Huddleston, director of information security for Zurich North America. Jay Ehrenreich, a senior manager of cyber-crime and prevention for PricewaterhouseCoopers agreed. "Disgruntled employees are the top threat," he said. PricewaterhouseCoopers, which also does ethical hacking--intentionally attempting to gain unauthorized access to a company's computer systems in order to identify and fix any vulnerabilities--for clients, said passwords are one of the weakest areas of most companies' security. Ehrenreich warned of free dictionary-like software on the Web which will attack a password with "brute force (programming) brute force - A primitive programming style in which the programmer relies on the computer's processing power instead of using his own intelligence to simplify the problem, often ignoring problems of scale and applying naive methods suited to small problems directly ," or try different combinations until the password is cracked. One way to stop that attack is to have the system shut down after three failed attempts at the password, Ehrenreich said. Also, users should make the password difficult to guess. "Don't use your first name. That's a lousy password," Ehrenreich said. "You want to make passwords harder. Use eight characters, not three. Use tipper and lower case letters and add numbers, not just letters." Ehrenreich recommends using two-factor authorization, or needing two "keys" to get into a system, such as a password and an identification card. One vendor sells a card with a screen that changes the serial number every 30 seconds, and a user would need both a password and the serial number to gain access to the system. Biometrics, such as eye scans and fingerprints Impressions or reproductions of the distinctive pattern of lines and grooves on the skin of human fingertips. Fingerprints are reproduced by pressing a person's fingertips into ink and then onto a piece of paper. , are also gaining in popularity, but haven't overtaken passwords as the main security key, Ehrenreich said. Safety Insurance Co., Boston, the third-largest auto writer in Massachusetts, uses a two-factor authorization system for access to its Agents Virtual Community Web portal See portal. , said Steve Varga, assistant vice president of information systems. The company operates solely in Massachusetts, offering private passenger and commercial auto insurance, as well as homeowners, dwelling fire, personal umbrella, commercial package and commercial umbrella coverage. It had $434.9 million in direct premiums written for year-end 2001, according to A.M. Best Co.'s State/Line reports. "Every agent and every person within an agent's office is assigned a unique, digital certificate to access our applications on the Web," Varga said. The digital certificate is a piece of software that is downloaded to a person's computer and tied to his or her Windows password. "If you tried to access our applications without that certificate, it would be logged as an attempt to sign on without authorization, and access would be denied," Varga said. |
|
||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion