Unwelcome guests: although anti-virus software, firewalls and other protective measures are helping companies protect against computer-related attacks, some insurers believe security is an even greater concern to companies today.It's not a virus, but it can make its recipient feel sick. Lurking in the hidden confines of computer workings, spyware secretly gathers information about a person's of company's online activity and feeds it to an advertiser or a competitor or a hacker of whoever chooses to use the software. Meanwhile, an employee efficiently downloading company information to a diseased personal digital assistant may feed the information back to the company network, thus spreading a virus of worm attack. Just when insurers may have thought it was safe in cyber-world, new threats are joining old concerns that refuse to go away. And while most insurers are taking precautions to protect their systems, some believe protection measures alone aren't enough and that making security a part of a company's business processes will help strengthen the fight against these attacks. New Attacks Abound The number of attacks against data systems is on the rise. At the heart of various attacks is the growing number of viruses targeting systems. Some industry experts deem 2003 to be the worst year in virus history--a history that dates back to the early 1980s when the first viruses hit Apple operating systems Operating systems can be categorized by technology, ownership, licensing, working state, usage, and by many other characteristics. In practice, many of these groupings may overlap. . In 2003, businesses suffered an estimated total of more than $1 billion in annual damage costs caused by viruses, and the number is expected to rise to $2 billion to $3 billion this year. Today, approximately 90,000 known viruses exist. Computer viruses remain the biggest information-security concern for more than 60% of insurance and financial services The examples and perspective in this article or section may not represent a worldwide view of the subject. Please [ improve this article] or discuss the issue on the talk page. companies, according to according to prep. 1. As stated or indicated by; on the authority of: according to historians. 2. In keeping with: according to instructions. 3. The State of Information Security 2003 survey conducted by PricewaterhouseCoopers and CIO CIO: see American Federation of Labor and Congress of Industrial Organizations. (Chief Information Officer) The executive officer in charge of information processing in an organization. magazine, which surveyed 7,500 senior security and information technology executives across various industries. Viruses are wreaking havoc, with 44% of insurers suffering network downtime and 50% reporting e-mail and customer applications unavailability as a result. In addition, carriers continue to see a growing number of insider threats by authorized and unauthorized users, according to the survey. The number of reported incidents grew from only six in 1988 to more than 114,850 incidents during the first three quarters of 2003, according to The CERT Coordination Center The CERT Coordination Center was created by DARPA in November 1988 after the Morris worm struck. It is a major coordination center in dealing with internet security problems. , a center of Internet security ''This article or section is being rewritten at Internet security is the process of protecting data and privacy of devices connected to internet from information robbery, hacking, malware infection and unwanted software. expertise, located at the Software Engineering Institute, a federally funded research and development center Federally Funded Research and Development Centers (FFRDCs) conduct research for the United States Government. They are administered in accordance with U.S Code of Federal Regulations, Title 48, Part 35, Section 35.017 by universities and corporations. operated by Carnegie Mellon University Carnegie Mellon University, at Pittsburgh, Pa.; est. 1967 through the merger of the Carnegie Institute of Technology (founded 1900, opened 1905) and the Mellon Institute of Industrial Research (founded 1913). . And insurers and other industry experts believe the problem may get worse before it gets better. "Every day insurers are faced with viruses, Trojan horses It may never be fully completed or, depending on its its nature, it may be that it can never be completed. However, new and revised entries in the list are always welcome.
New York, Middle Atlantic state of the United States. It is bordered by Vermont, Massachusetts, Connecticut, and the Atlantic Ocean (E), New Jersey and Pennsylvania (S), Lakes Erie and Ontario and the Canadian province of Life. In addition to existing threats, insurers are seeing a wave of new threats. Spyware is one example, and while insurers believe the spyware problem isn't of epidemic proportions yet, it's an annoying situation that is tricking individuals who visit certain Web sites into downloading code. Blended threats, which combine the characteristics of viruses, worms and Trojan horses, are beginning to spread rapidly and are causing widespread disruption to some companies' systems. The Nimda and CodeRed attacks, which gained much publicity in 2002, were two examples of threats that combined virus and worm propagation techniques with automated hacking capabilities in separate programs. "Even though many companies have protection against these threats, they still end up with a lot of work putting up patches of fixes to code, something that's been keeping a lot of organizations very busy," said Ken Tyminski, chief information-security officer for Newark, N.J.-based Prudential Financial. Spam continues to be a major problem that virtually no company can escape. "Spam is literally killing companies," said Tom Miele, director of information security for Harrisburg, Pa.-based Penn National Insurance Penn National Insurance is a property-casualty insurance company, headquartered in Harrisburg, Pennsylvania. Founded in 1919 by the Pennsylvania Farmers and Threshermen's Mutual Protective Association, under the name Pennsylvania Threshermen's and Farmer's Mutual Casualty Company, . The company receives about 110,000 blocked e-mails a month, a majority of which Miele classifies as junk mail See spam and junk faxes. . And spam continues to grow. Approximately 10% of a person's working day is spent dealing with unsolicited e-mail, according to MessageLabs, which provides managed e-mail security services Security services are state institutions for the provision of intelligence, primarily of a strategic nature, but also including protective security intelligence. Examples include the Security Service (MI5) and the Secret Intelligence Service (MI6) in the United Kingdom, and the to global businesses. Last year, spam increased to one in six e-mails across all industry sectors, up from one in 11 e-mails in 2002. Some companies are also seeing a rise in internal threats by authorized and unauthorized users. The Gartner Group (company) Gartner Group - One of the biggest IT industry research firms. Address: Connecticut, USA. estimates that 80% to 90% of security breaches are internal, costing companies millions of dollars in areas of productivity, intellectual property and litigation An action brought in court to enforce a particular right. The act or process of bringing a lawsuit in and of itself; a judicial contest; any dispute. When a person begins a civil lawsuit, the person enters into a process called litigation. costs. Finally, compliance in general is becoming a mounting concern as companies strive to make sure they know their customers. "Where security ends and where compliance begins is sometimes a gray area because of the security issues that are in fact compliance-related issues," said Steven Landberg, a managing director and founder of Alpha Financial Services Consulting in Greenwich, Conn. Fighting Back The fear of new and existing threats has sent insurers looking for Looking for In the context of general equities, this describing a buy interest in which a dealer is asked to offer stock, often involving a capital commitment. Antithesis of in touch with. ways to fight back in the war against cyber-attacks and other data system vulnerabilities. About 93% of carriers have some type of virus protection in place, according to PricewaterhouseCoopers' recent security survey. "But who are the 7% of organizations that don't have even the basics of virus protection? At this point in time, we should be seeing 100% of companies having such protection in place," said Mark Lobel, a senior manager. Of the insurers, 63% said they have installed intrusion detection systems, while 69% implemented security policies, procedures and standards. And even though only about 70% of financial services companies and insurers use these various protection measures, they have the highest usage of any industry, including manufacturing, telecommunications, energy, and entertainment and media. "But financial services companies and insurers have some real challenges,' said Lobel. "They've spent some real money, but they have to remember to do the blocking and tackling, do the basics every day and do them well, and then look to new solutions such as event correlation Event Correlation is the processes involved with reducing a large number of incident alerts to a much smaller, more manageable number within automated monitoring and incident/problem management in a Support Management System. to help manage the challenges identified by the basic blocking and tackling." They must then decide what they are going to do with all the data they receive. "The message is clear that you need to have a current virus program in place that is running on all machines and can be easily maintained to be effective," said Prudential's Tyminski. The company, for example, was well prepared to update about 60,000 of its computers last summer when new threats emerged. Other blocking mechanisms that a growing number of companies are turning to are anti-spam software and filters. In fact, consulting and market research firm Radicati Group expects anti-spam software to grow into a $4.4 billion industry by 2007. For Penn National, content filtering See Web filtering and parental control software. software is helping to keep out unsolicited e-mail messages. E-mails coming into the company pass through several servers that scan for viruses, worms and malicious code, and the filters quarantine information based on key indicators, profanity Irreverence towards sacred things; particularly, an irreverent or blasphemous use of the name of God. Vulgar, irreverent, or coarse language. The use of certain profane or obscene language on the radio or television is a federal offense, but in other situations, profanity and general spam. The company is now testing a new plug-in filter that looks at flesh tones in e-mail embedded pictures. Clint Kreitner, president and chief executive officer of the Center for Internet Security, a nonprofit group dedicated to helping global organizations effectively manage the risks related to information security, believes there are four aids companies can use to establish a basic level of security protection: personal firewalls, anti-virus software anti-virus software n → Antivirensoftware f , properly configured technical controls and up-to-date patching. He said studies have demonstrated that just having basic technical controls and up-to-date patching eliminates about 90% of known vulnerabilities commonly being exploited. "There's an enormous amount of low-hanging fruit ready to be picked," he said. But are these measures enough? "Security is top priority on everyone's minds, and it's no longer just about firewalls, passwords and anti-virus software ... no particular security technology is going to be the silver bullet silver bullet - magic bullet ," said Marc S. Sokol, chief security officer for Guardian Life Insurance Company of America The Guardian Life Insurance Company of America (GLICOA) is a Fortune 1000 company founded in 1860 in New York, New York. It is the fourth largest mutual life insurance company in the United States of America. . "If you look at all the attacks and worms that occurred, most weren't stopped by firewalls of anti-virus software alone." In addition, many insurers believe establishing good physical security procedures and protection measures for all infrastructure must go hand-in-hand with IT security. Phase II of the Gramm-Leach-Bliley Act The Gramm-Leach-Bliley Act, also known as the Gramm-Leach-Bliley Financial Services Modernization Act, Pub. L. No. 106-102, 113 Stat. 1338 (November 12, 1999), is an Act of the United States Congress which repealed the Glass-Steagall Act, opening up competition , for instance, requires companies to protect customers' data both electronically and physically. "We must look at how effectively we can respond to security breaches--both physical or IT related--and ensure we can continue to maintain essential services, whether it be a critical infrastructure issue like we lose a power grid or another physical attack like 9/11," Sokol said. Security Spend Insurers recognize the importance of having all necessary precautionary measures in place, but unavailable dollars are adding to the challenge. "We're definitely seeing awareness of security breaches and issues increasing, particularly through budgets," said PricewaterhouseCoopers' Lobel. "If you look at strategic initiatives, one of the questions in the survey asks what presents a barrier to good security measures Noun 1. security measures - measures taken as a precaution against theft or espionage or sabotage etc.; "military security has been stepped up since the recent uprising" security in organizations." About 63% of insurers and 53% of financial services organizations cited limited budgets. Things seem to be improving somewhat, however, as 62% of companies across various industries have increased security spending in 2003 compared with only 50% in 2002, according to the PricewaterhouseCoopers/CIO survey. "Carriers are concerned about the need to be in the e-commerce world, and they want to have interaction and information back and forth between systems, customers and business-to-business partners, and they must do that on a secure level," said Jamie Bisker, director of research for TowerGroup's insurance practice. "They've gotten a lot of help from the industry on how to protect systems and maintained and accomplished a secure set of transactions. They are definitely aware of it and are spending money on it, and I believe they have been even more conservative in the approach than other industries." A Business Strategy Some insurers believe security must go beyond just the IT sector and needs to be a collaborative effort within business processes. "Companies need to recognize that security is another business decision, not an end state but a process," said Art Manion, Internet security analyst for the CERT Coordination Center. "You can choose to put money and resources into different parts of security to have better effects for the company, but thinking of it in a business sense is a good thing--something that has some cost but will have some sort of payoff in the end." In addition, Guardian's Sokol said organizations need to be vigilant about consistently implementing disciplines in the areas of prevention, followed by detection and response that allow the company to contain these issues and maintain essential services. They must continuously verify how well they're doing. "But most importantly Adv. 1. most importantly - above and beyond all other consideration; "above all, you must be independent" above all, most especially , they can't just focus on technology. It has to also be about the people and processes that use technology. If you implement firewalls and intrusion detection See IDS and IPS. but don't have a process for monitoring or responding to alerts, how have they really helped you?" He added that by doing these things "These Things" is an EP by She Wants Revenge, released in 2005 by Perfect Kiss, a subsidiary of Geffen Records. Music Video The music video stars Shirley Manson, lead singer of the band Garbage. Track Listing 1. "These Things [Radio Edit]" - 3:17 2. , businesses begin to see security recognized not only as safeguarding virtual information assets but also as a business enabler in meeting their regulatory obligations for safeguarding customer information. "It's a win-win situation, and security goes away from being the stop gap to becoming an enabler." In addition, insurers such as Guardian are taking a holistic approach holistic approach A term used in alternative health for a philosophical approach to health care, in which the entire Pt is evaluated and treated. See Alternative medicine, Holistic medicine. to security, rather than focusing solely on IT-related components. "By working closely with the business and IT, we can take a more effective and efficient approach to managing various risks," said Sokol. "Security is part of many larger carriers' IT decisions, strategies and governance, and as important as the concept of scalability of systems. Security has now reached that same level," said Bisker of TowerGroup. As opposed to being an afterthought, security is now one of the primary things companies are talking about. However, they know that it is up to them to establish their needs for security and security parameters, he added. In addition, many companies believe the fight against security threats needs to be a collaboration across the organization. "People don't question why there is security. Instead they usually ask what else they need to do or if they are doing enough," said Tyminski. He said Prudential views its IT security as core to its business environment in which everyone plays a role. "No one single group can do it all within a company." Comfort Level But are security measures already in place providing insurers the comfort they need? "I think what's really happening now is that the bar has been raised as to what companies should have done, and if they haven't, they probably won't be in the business very long," said New York Life's Attias. "We're seeing that four to five years ago, companies online had to have firewalls, anti-virus software, etc., of they got burnt. Now with so many consumers getting permanent connections to the Internet, via cable connections and DSL DSL in full Digital Subscriber Line Broadband digital communications connection that operates over standard copper telephone wires. It requires a DSL modem, which splits transmissions into two frequency bands: the lower frequencies for voice (ordinary lines, the bad guys can feast off their systems more easily." He said that New York Life has locked its doors with triple bolts, but consumers still have only one bolt. "So some of the attackers have diverted their efforts toward the software targets of home-users' systems." Others believe that security precautions are falsely alleviating concerns. "The plateau's been reached, but I think some carriers may have a false sense of security. They executed what they were told or think is sufficient, but unfortunately that may not be sufficient," said TowerGroup's Bisker. He suggested that companies perform a security audit, testing systems either themselves or through third-party vendors, to make sure their security measures are adequate. In addition, it's hard to dispute the human factor will ever completely disappear. "People will continue to be tricked into opening files, clicking on URLs and loading software," said CERT's Manion. Carriers need to be watchful and mindful of the "realities of the world" and be willing to spend money to ensure equipment and processes are maintained and people are trained to deal with these various concerns, said Bisker. An important component of everyone's IT budgets is to spend, prepare and maintain for probable attacks that may surface in the future, he said. A Host of Recent Threats About 90,000 computer viruses are known today. There are also an increasing number of worms surfacing. According to searchSecurity.com, a worm is a self-replicating virus that doesn't alter files but resides in active memory and duplicates itself. A virus, which is generally transmitted as attachments to an e-mail, as downloads or on a disk or CD, is a piece of progmmming code that is usually disguised as something else that causes some unexpected and usually undesirable event. The following viruses and worms have garnered much publicity recently: Beagle or Bagle (2004)--a worm passed by an e-mail with the subject "hi" and the word "test" in the message body. W32.Blaster (2003)--a worm that used the Internet to exploit the DCOM (Distributed Component Object Model) Formerly Network OLE, it is Microsoft's technology for distributed objects. DCOM is based on COM, Microsoft's component software architecture, which defines the object interfaces. , of distributed COM, vulnerability in the Remote Procedure Call service, targeting several Microsoft operating systems The following is a list of Microsoft operating systems. For the codenames that Microsoft gave their operating systems, see Microsoft codenames. Before Windows
Sobig.F (2003)--a worm that arrived as an e-mail attachment A file that rides along with an e-mail message. The attached file can be of any type. E-mail programs make it easy to attach a file. For example, in Eudora, all you do is select Attach from the Message menu, browse through the folder hierarchy to find the file you want and then double with a .pif or .scr extension and, when run, infected the host computer and then e-mailed itself to harvested e-mail addresses from the victim's machine. Nimda (2001)--a Windows 32 virus that spread via e-mail, network shares and Web sites. CodeRed II (2001)--exploited a security vulnerability in the Windows NT (Windows New Technology) A 32-bit operating system from Microsoft for Intel x86 CPUs. NT is the core technology in Windows 2000 and Windows XP (see Windows). Available in separate client and server versions, it includes built-in networking and preemptive multitasking. 4 and Windows 2000 Index Services. LoveLetter (2000)--a Windows 32-based e-mail worm that overwrote certain files on a hard drive and sent itself out to everyone in a user's Microsoft Outlook For the e-mail and news client bundled with certain versions of Microsoft Windows, see . Microsoft Outlook or Outlook (full name Microsoft Office Outlook address book. 911 Virus (2000)--a virus that worked its way onto a personal computer through online connections. PrettyPark (1999/2000)--used Microsoft Outlook to e-mail itself to everyone in the user's address book once every half-hour. Melissa (1999)--a Microsoft Word A full-featured word processing program for Windows and the Macintosh from Microsoft. Included in the Microsoft application suite, it is a sophisticated program with rudimentary desktop publishing capabilities that has become the most widely used word processing application on the market. macro virus that sent infected mail disguised as an "important message." W95.Babylonia (1999)--was disguised as a Y2K See Y2K problem and Y2K compliant. Y2K - Year 2000 fix, spreading through Microsoft software used for chat rooms. W32.CIH CIH Chartered Institute of Housing (UK) CIH Certified Industrial Hygienist (ABIH) CIH Constant Image Height CIH Camshaft in Head (engine) CIH Chen Ing-Hau .Spacefiller--a.k.a. Chernobyl (1999)--a portable executable infector that erased data on a hard drive and possibly kept machines from booting up. |
|
||||||||||||||||||||
Printer friendly
Cite/link
Email
Feedback
Reader Opinion