[ISN] Hack insurer adds Microsoft surcharge

From: InfoSec News (isnat_private)
Date: Wed Aug 22 2001 - 02:58:43 PDT

    http://www.zdnet.com/zdnn/stories/news/0,4586,2805929,00.html?chkpt=zdnnp1tp02
    
    By Robert Bryce
    Interactive Week 
    August 20, 2001 12:05 PM PT
     
    Insurance broker J.S. Wurzler Underwriting Managers has started
    charging up to 15 percent more in premiums to clients that use
    Microsoft's Internet Information Server software, which the Code Red
    worm feasted on.
    
    In light of the $2 billion in damage caused by Code Red, founder and
    CEO John Wurzler's decision just before the virus hit seems prescient.
    Wurzler gained notoriety earlier this year for hiking cyberinsurance
    rates on companies that use Microsoft NT software on their servers.
    
    So far, Wurzler appears to be the only insurer singling out Microsoft
    for higher rates. And some security officials are not kind in their
    comments.
    
    "Wurzler is full of it," said Russ Cooper, the editor of the NTBugTraq
    Web site and an employee of computer risk management and security firm
    TruSecure. According to Cooper, Windows NT and IIS are easier to
    secure than comparable Unix- or Linux-based servers because Microsoft
    does a better job of publicizing and supplying the needed security
    patches for its products. "It's easier to manage Microsoft server
    software because you can get all the patches in one place," he said.
    
    Wurzler, who has been selling hacker insurance since 1998, based his
    decision on more than 400 security analyses done by his firm over the
    past three years. Wurzler found that system administrators working on
    open source systems tend to be better trained and stay with their
    employers longer than those at firms using Windows software. That
    turnover may mean that security patches don't get installed, said
    Wurzler, who offers lower rates to clients that use NT and IIS if they
    can show that their administrators are following best practices.
    
    Microsoft itself fell victim to Code Red. "We have been very good in
    patching our own systems. But we haven't been perfect," said Microsoft
    spokesman Jim Desler, who believes Wurzler's move isn't supported by
    the facts. "Within the last month, every major software vendor has had
    a major vulnerability discovered," Desler said.
    
    Emily Freeman, a senior vice president of giant insurance brokerage
    firm Marsh, said the industry is watching Wurzler's move with
    interest. Insurers are "concerned that some systems are more
    vulnerable" than others, she said. But, she added, "There aren't any
    actuarial tables yet to justify different rates."
    
    Those arguments don't faze Wurzler, who insists his approach is the
    right one. "Hackers hate Bill Gates, so they want to write code that
    embarrasses him," Wurzler said. And because that attitude won't change
    anytime soon, Wurzler said, the most reasonable course is to charge
    higher premiums for NT and IIS.
    
     
    
    
    -
    ISN is currently hosted by Attrition.org
    
    


