[ISN] Hack insurer adds Microsoft surcharge

From: InfoSec News (isnat_private)
Date: Wed Aug 22 2001 - 02:58:43 PDT

  • Next message: InfoSec News: "[ISN] CFP: Financial Cryptography '02"

    By Robert Bryce
    Interactive Week 
    August 20, 2001 12:05 PM PT
    Insurance broker J.S. Wurzler Underwriting Managers has started
    charging up to 15 percent more in premiums to clients that use
    Microsoft's Internet Information Server software, which the Code Red
    worm feasted on.
    In light of the $2 billion in damage caused by Code Red, founder and
    CEO John Wurzler's decision just before the virus hit seems prescient.
    Wurzler gained notoriety earlier this year for hiking cyberinsurance
    rates on companies that use Microsoft NT software on their servers.
    So far, Wurzler appears to be the only insurer singling out Microsoft
    for higher rates. And some security officials are not kind in their
    "Wurzler is full of it," said Russ Cooper, the editor of the NTBugTraq
    Web site and an employee of computer risk management and security firm
    TruSecure. According to Cooper, Windows NT and IIS are easier to
    secure than comparable Unix- or Linux-based servers because Microsoft
    does a better job of publicizing and supplying the needed security
    patches for its products. "It's easier to manage Microsoft server
    software because you can get all the patches in one place," he said.
    Wurzler, who has been selling hacker insurance since 1998, based his
    decision on more than 400 security analyses done by his firm over the
    past three years. Wurzler found that system administrators working on
    open source systems tend to be better trained and stay with their
    employers longer than those at firms using Windows software. That
    turnover may mean that security patches don't get installed, said
    Wurzler, who offers lower rates to clients that use NT and IIS if they
    can show that their administrators are following best practices.
    Microsoft itself fell victim to Code Red. "We have been very good in
    patching our own systems. But we haven't been perfect," said Microsoft
    spokesman Jim Desler, who believes Wurzler's move isn't supported by
    the facts. "Within the last month, every major software vendor has had
    a major vulnerability discovered," Desler said.
    Emily Freeman, a senior vice president of giant insurance brokerage
    firm Marsh, said the industry is watching Wurzler's move with
    interest. Insurers are "concerned that some systems are more
    vulnerable" than others, she said. But, she added, "There aren't any
    actuarial tables yet to justify different rates."
    Those arguments don't faze Wurzler, who insists his approach is the
    right one. "Hackers hate Bill Gates, so they want to write code that
    embarrasses him," Wurzler said. And because that attitude won't change
    anytime soon, Wurzler said, the most reasonable course is to charge
    higher premiums for NT and IIS.
    ISN is currently hosted by Attrition.org
    To unsubscribe email majordomoat_private with 'unsubscribe isn' in the BODY
    of the mail.

    This archive was generated by hypermail 2b30 : Wed Aug 22 2001 - 05:14:41 PDT