[ISN] Insurer Considers Microsoft NT High-Risk

From: InfoSec News (isnat_private)
Date: Tue May 29 2001 - 00:15:46 PDT

  • Next message: InfoSec News: "[ISN] FBI Says Jailed Turncoat Warned of Spy Suspect"

    http://www.zdnet.com/intweek/stories/news/0,4164,2766045,00.html
    
    By Robert Bryce 
    Interactive Week
    May 28, 2001 
    
    Microsoft's server software is easy to install, loaded with features
    and fairly reliable. It may also be more costly to insure against hack
    attacks.
    
    J.S. Wurzler Underwriting Managers, one of the first companies to
    offer hacker insurance, has begun charging its clients 5 percent to 15
    percent more if they use Microsoft's Windows NT software in their
    Internet operations. Although several larger insurers said they won't
    increase their NT-related premiums, Wurzler's announcement indicates
    growing frustration with the ongoing discoveries of vulnerabilities in
    Microsoft's products.
    
    Some industry observers believe other insurers may follow Wurzler's
    lead, which could affect the overall hacker insurance market, a sector
    that the Insurance Information Institute estimates may generate $2.5
    billion in annual premiums by 2005.
    
    "We saw that our NT-based clients were having more downtime" due to
    hacking, says John Wurzler, founder and CEO of the Michigan company,
    which has been selling hacker insurance since 1998.
    
    Wurzler said the decision to charge higher premiums was not mandated
    by the syndicates affiliated with Lloyd's of London that underwrite
    the insurance he sells. Instead, the move was based on findings from
    400 security assessments that his firm has done on small and midsize
    businesses over the past three years.
    
    Wurzler found that system administrators working on open source
    systems tend to be better trained and stay with their employers longer
    than those at firms using Windows software, where turnover can exceed
    33 percent per year. That turnover contributes to another problem:
    System administrators are not implementing all the patches that have
    been issued for Windows NT, Wurzler said.
    
    According to Microsoft's Web site, more than 50 vulnerabilities - and
    the patches to fix them - have been issued for Windows NT server
    software since June 1998.
    
    Microsoft spokesman Jim Desler said the hacker insurance market is
    still too young to declare Wurzler's move a trend. "There's not enough
    history or business to draw conclusions about rate-setting practices,"
    Desler said. As the market matures, rates are likely to be based on
    best practices, rather than on platforms or products, he predicted.
    "We provide unparalleled support in the area of security."
    
    American International Group, the country's largest insurance
    underwriter, said it will not raise its rates for Windows NT-based
    systems. Nor will Aon, the world's second largest insurance broker.
    The use of NT is "just one factor in the overall assessment of risks.
    It can be an indicator of other vulnerabilities, but you may also have
    other things in place to counter that, like firewalls and
    intrusion-detection systems," said Kevin Kalinich, a director in Aon's
    technology and telecommunications group.
    
    However, Harry Croydon, CEO of Safeonline, a London risk analysis firm
    that works with underwriters at Lloyd's, predicted that Wurzler's
    decision to charge more for Windows NT machines is "a trend we will
    see increasing." Just as drivers who own rare cars pay more to insure
    them, Croydon said, "certain types of software expose you to different
    risks."
    
    Although Wurzler's company is small - eight employees - digital
    security firms are watching it closely. Bruce Schneier, Counterpane
    Internet Security's co-founder and chief technical officer, said it
    makes sense for underwriters to differentiate premiums based on the
    type of software and hardware that's used. "Insurance companies are
    looking to manage their risk effectively. If there's a technology that
    reduces risk, they'll charge lower premiums," Schneier said.
    
    Indeed, several insurers offer discounts to clients that use managed
    security service providers or put certain security devices on their
    networks. For example, last week, AIG said it will cut premiums up to
    10 percent for clients that use a new security device made by Invicta
    Networks, a Virginia company headed by Victor Sheymov, a former KGB
    agent. Invicta claims its device, which uses an Internet Protocol
    address-shifting technology, is impossible to hack.
    
    Windows-based servers are frequently victimized by hackers. From
    August 1999 to November 2000, 56 percent of all the successful,
    documented hack attacks occurred on systems using Microsoft server
    software, according to statistics posted at Attrition.org, a Web site
    that records hackers' exploits.
    
    Given Windows NT's record, Gene Spafford, the director of Purdue
    University's Center for Education and Research in Information
    Assurance and Security, believes higher insurance premiums may be
    justified. "NT is more difficult to install correctly and keep up to
    date than Linux," Spafford said.
    
    Right now, it appears that Wurzler is going it alone among insurers by
    charging higher premiums to Windows NT users. But Wurzler said the
    higher prices are not costing his company customers.
    
    A policy covering revenue lost due to hacking costs about $4,000 per
    year for each $1 million in coverage, he said.
    
    About half of his clients use Windows NT, Wurzler said; the rest use
    Linux or Unix. Given that breakdown, he said it's easy to justify
    higher rates for NT machines. "Why should a Unix player with fewer
    vulnerabilities subsidize NT users?" Wurzler asked.
    
    And Wurzler's not through with Microsoft. He said his firm is looking
    at vulnerabilities in Microsoft's Internet Information Server
    software, and that it may soon begin charging higher premiums for that
    product, too.
    
    
    
    
    
    ISN is hosted by SecurityFocus.com
    ---
    To unsubscribe email isn-unsubscribeat_private
    



    This archive was generated by hypermail 2b30 : Tue May 29 2001 - 01:36:10 PDT