Hacking Insurance For Net Businesses

Spasemunki writes: "ZDNet is carrying a story today on the new partnership between Lloyd's of London and Counterpane to offer 'hacking insurance' to businesses with big, expensive net presence. Is this a good-for-business acknowledgement that even the best security framework has flaws, or companies stepping back from protecting their customers in favor of covering themselves? According to the CTO of Counterpane, e-commerce businesses 'don't have to prevent hacking; they have to manage their risks.' Interesting perspective from a security wonk." Of course, I'd rather have cracker insurance.

  • by Zibblsnrt ( 125875 ) on Monday July 10, 2000 @07:27AM (#945830)
    > The best and most innocuous way a system is
    > penetrated and compromised is not from
    > remote exploits, but from the inside. The
    > careless SysAdmin who leaves a root console
    > open; the stupid employee who writes his
    > password on postit notes next to the monitor;
    > the disgruntled and angry employee that did
    > not get the raise he thinks he deserved.

    How would insurance companies handle a more meatspace version of those kinds of problems? A clueless employee or security guard forgetting to lock the doors after closing? Would the insurance companies just consider that 'self-inflicted' and leave them to handle it themselves?

    Myself, I'd be more interested in finding a concrete way to determine how much a company loses in an attack. Preferably in real money. Anyone can get their web page cracked and replaced for 4 hours and claim they lost three percent of Japan's net worth as a result. In fact, 'anyone' seems to - even the slightest compromise claims to have millions or tens of millions of dollars in damage.

    Just how can they prove that they lost, say, $6M on a thirty-minute DDoS smackdown or something? Exactly what company earns a quarter billion dollars a day anyway?

    -Patrick Stewart

  • And then when someone launches a Denial of Service attack against you, you just pull out your tape backup drive and....what?
  • Wouldn't it be more of a process audit? Things like:

    • Sysadmin performs daily/weekly security maintenance on servers
    • Company disables VB Scripts on all workstations
    • Machines are tested and assaulted before being put into production
    • ...etc.
  • That's exactly what's GREAT about this... if there's one thing cranky, over-zealous, greedy insurance companies are good for, it's forcing its clients to cover their bases. If idiot clients aren't paying attention to their security issues, they'll be charged up the yin-yang for high-risk insurance, or left behind by corporate customers who see coverage as a high-priority element in choosing an IS provider.
    My only concern is in making sure that the little guy, who actually puts a significant amount of effort into properly securing their services, gets a fair rate for eye-candy "reassurance" insurance.
  • What keeps this from degenerating to "toilet papering insurance" (e.g., a bribe to *NOT* be hacked/papered, etc)?

    if ($user =~ m/shaldannon/i) {
        print "\n-- $user :)\n";
    }
  • I wonder what kind of terms and conditions will be on this insurance? Will insurees be required to run a certain OS or web software, and will there be certain security guidelines that they must follow?
  • you made the cracker comment! there is no such thing as crackers, it's a term bastardized by the media to mean another type of hacker. there is no point in calling them that, call them what they are:
    Thieves, extortionists, criminals, etc. etc.!!!!

    My vent is now complete.

  • Very good point. Almost every cracker lawsuit involves a company grossly overestimating the damage done... See Kevin Mitnick's trial for a prime example of this; Sun calculated its damages by the amount of money it took Sun's programmers to develop their product... That's clearly not the right way to calculate damages.

    But is there a right way to calculate damages resulting from data theft? I mean, sure, there are certain things that are (relatively) easily calculated, business lost during the time it took to fix a system being the best example, but if someone hacked Adobe and "stole" an alpha version of the latest PhotoShop, what's the damage? Adobe still owns the version, so they haven't LOST anything... Bandwidth loss is extremely negligible. However, in that case it merely isn't right to charge something like $25 in damages.

    Or is it?
  • Simple. You crack open the cartridge, unwind the spool, and hang yourself with the tape. But of course, that just creates more insurance problems. ;-)
  • What do you expect from a company that insured Jennifer Lopez's ass for a million bucks.
  • That was my first thought exactly.

    The problem here is that definitions and verifications of those definitions are really touchy stuff. It's going to be for quite some time.

    • Hacked - So, what is that exactly? Or rather.. where do you draw the line? Someone gaining root... someone gaining an account... someone executing foreign code (say some perl thing)... someone installing foreign programs (wanna boost those stats?). What about being DoS'd? How about if someone spoofed their IP to look like it came from your place, and you ended up catching their backlash? Portscanning? Pinging? I mean, seriously.. what?
    • Security - How secure are you? Well.. I have brand X routers, brand Y boxes, brand Z OS, Foo Web Server, etc. etc. etc. There are too many combinations.. so they're going to get lumped. Then how attentive are they? Is there an admin wired in to the server farm? Is he on a pager leash? Does he check for patches daily? Etc. etc.
    • Verification - How are you going to prove to me that what you said happened really did? This could end up being quite costly in and of itself, having to go around and trace where the stuff came from, what happened, etc. etc.

    This is a needed thing, I believe... but it's also much too slippery a slope. There are too many 'wellll... maybe' issues.

  • Then you should've insured yourself against that possibility. You only have yourself to blame.
  • And how does your tape backup drive save you from the class action lawsuit from the customers of the site who had their credit card and personal information compromised?

    Well, if the intruder destroyed the systems after stealing the info, the backup tape would let you know what info was stolen, so you could go and notify the CC companies and let them know what numbers were stolen, etc. This might save you from a lawsuit, because it shows that you took steps to mitigate the damage. (At least, I hope it would, but that murky world of lawyers scares the hell out of me ;)

  • Wait... You lost me.

    hackers == happy men
    crackers == homosexuals

    ah... I think I've got it. another group emerges and takes control of the word (although certainly not in an organized fashion). The crackers (homosexuals) emerge and take the word hacker (gay). So a real hacker (happy guy) could be understandably upset by the meaning shift of this word as.

    Okay... I get it.

    A hacker is more of a word you use to define yourself as though. No one really 'had' the word gay before it was used for the homosexuals.


    Also, I think 'gay' has more of an accepted popular definition than 'hacker'. I could just be naive though.

    The happy guy in my opinion has a right to be a little miffed, but he's much less likely to be.
  • Besides spreading the risk, one thing about insurance that many people forget is, insurance companies have every incentive to suggest practical measures to the client to prevent those claim situations. For example, when you buy fire insurance, they would evaluate your premises, tell you the premium, and suggest effective ways of prevention to lower your premium. Mostly those so-called experts or consultants on fire prevention tell you to buy something impractical (consultant=sales), while the insurance companies are not interested in selling those things.

    Some of you may have experience of getting advice from those so-called risk management consultants for e-business from those large consulting firms which actually are selling you M$ solutions; I think insurance on network security is a more practical way. To know how good your measures of network security are, ask the insurance companies to give you an assessment.
  • Of course, insurance against Ritz crackers carries a much higher premium than Wheat Thins or reg'lar ol' saltines.

    Hey... this puts a new spin on the name of Premium(tm) brand saltines! :)
  • From an insurance point of view, business is business. Threats exist, are catalogued, and defended against. Part of the defence is insurance to help limit loss if a threat manifests itself. An important form of liability insurance that may come into vogue is insurance that protects company A from suits from downstream companies in the event that A is compromised by a cracker. A's own internal losses may pale in comparison to suits mounted by other companies affected via A's site/connection/hardware. This would seem to be the equivalent of Internet Tenant Insurance. And I wouldn't worry about insurance fraud - insurance companies like to make money. They also like to catch frauds. Bet that this is no less true on the Net. There will be fraud (smart guys get away with stuff), but that's always been the case and slightly impacts premiums. It is the cost of insurance. But the insurance companies (because it hurts their bottom line) and their insured (because higher premiums hurt them) will both have an incentive to drive better security forward. So all in all, this is likely to be a good thing. T.
  • The person you're looking to describe when the words "hacker" and "cracker" are used isn't really either. When the threshold between simply entering a system and actually doing intentional damage is breached, the people doing the damage are considered "vandals", "thieves", or simply "crooks". There really isn't any need to redefine something that's ages old.

    As for insuring a company against theft and vandalism, the first step is to get the best lock system and security your money can afford, and maybe a little insurance on the side. Especially if you're a target, there's no substitute for properly safeguarding your site.

    A better solution is to charge for insurance based on how easily broken into a 'puter may be. Once the companies can get a dollar amount they could save through proper security, there WILL be a stampede to set up better protection.
  • Certainly, any large corporation should both secure themselves to the best of their ability, AND take out a policy.

    Reading sites like CERT, l0pht and rootshell (And hoist a beer to the now-seemingly-defunct 8lgm) is never going to become useless, because at some point they will charge you so much for your coverage that you can no longer afford to remain in business. There will continue to be a need for security.

    At the same time, I do think that for a short time at least, this will lead to lax security in companies which do purchase these policies. Some of them will doubtless reason that simply because they have purchased this policy they have all the protection they need.

    That will last just long enough for them to lose some truly critical data or business which will seriously impair their ability to operate. At that time, they will take the money their policy pays out to them and hire a team of badasses to come in and secure their network, because they can't afford to have that happen again, even if someone does throw money at them when it occurs. Money doesn't turn back the clock, at least not yet.

    All you security consultants are safe, but you might want to lay in some ramen for the next few months if you just got off a four month vacation. Lazy bastards.

  • I didn't think of that, that's why I was asking the question, dickweed.

    I'm sorry I'm not elevated to your exalted level of intellect, but that is no reason to be so damn offensive about it.

  • by mr ( 88570 ) on Monday July 10, 2000 @07:29AM (#945850)
    Why would you NEED insurance for crackers? All the boxes of crackers I buy have a 'money back if not satisfied' label. And, if the saltines aren't right, I just throw them out.

    Seems like a waste to buy cracker insurance.

    As for hacker insurance, I guess there ARE risks with using chairs made with axes. You would think tho, if you LIKE axe-made chairs, you'd inspect the craftsmanship before you bought it.
  • It must be about time to see some insurance against bad design - both on behalf of the user - and the site that contracted it! Perhaps the insurer could take their site to arbitration and ask for recompense for inordinately complicated navigational tools. Then again it's probably their own fault (often) for using a committee to choose a color scheme designed to afflict the visitor.
  • How come I haven't heard the name "Bruce Schneier" crop up in this thread?
  • 'For the right price, my boys could offer you "protection", because we wouldn't want to see what happened to you if you didn't buy our "protection." hehehehe.'

  • "Of course, I'd rather have cracker insurance." -- emmett, esq

    Methinks emmett doesn't know the difference between one who loves to learn about computers (hackers) and one who loves to learn about computers (crackers). Hmm... one would also deduce that he hasn't quite yet figured out the definition of a Skr1pt K1dd13.

    2600: The Hacker Quarterly
    Phrack (Phreak + Hack)

    I rest my case. Nutty emmett.
  • void has a point, the percentage of inside hacks seems to be upwards of 70% of all breaches--but any decent insurance policy (and we are talking Lloyd's) will cover insider hacks as well.

    Importantly, thoght, what's the mantra of the security aware? No system is secure. OK, a system filled with concrete unplugged at the bottom of the ocean comes close. But, there will always be a new vulnerability, an insider bribed, a way in. Always. Insurance is really the only solution for businesses in this area, much like, as other posters have realized, the niches where insurance is popularized in the real world.

    In an uncertain world, insurance becomes needed. The wonderful and insidious thing about this, however, is that you know what the trend of insured internet businesses will drive? security! You want a good rate on our security insurance? Better freakin' install the latest patches, have a subscription to Security Focus, get a good firewall, implement access policies, do background checks, shred your paper trash...

    This will be a fantastic wave of actual implemented security.
  • next is companies hiring their own hackers to break into their own websites or cause downtime to collect the insurance
  • If you are worried about the wind, you build the building so strong it can't be hurt by any windstorm.

    Risk Management is a lot more sophisticated than this. A Risk Manager would consider the cost of new construction vs. the cost of insurance vs. the potential loss and the probabilities of that loss.

    The insurance discussed in this article is not for the little guy. The little guy also doesn't have a potential loss measured in the $millions/day of lost sales.

    Anomalous: inconsistent with or deviating from what is usual, normal, or expected
  • I won't. Yes, the DoS attacks have already been mentioned, but this is a perfect example of what the insurance is there for. If it can be proved (aside from bandwidth theft) that your business suffered a loss because of an attack of this sort, they will recompense you for it accordingly.

    It's not like they're insuring solely (if at all) the security of your own systems, but they are offering a source of aid assuming that you fall prey to a business-impacting loss of internet service in one way or another. It's also not like the system won't be defrauded at all, mind you, but then again all insurance systems have been and are being defrauded on some level. These people are either caught or not, and it won't be any more difficult in this setting.

    One more thing that hasn't been mentioned in any significant amount yet is the fact that a large number of businesses have not been significantly impacted by h/crackers. Many of these would still pay a fair amount for a secure feeling - which, more than anything else, the insurance business is there to provide. I personally would probably pay for this, not because I can't secure a system a fair amount, and not because I think that evil computer geniuses really want to take down my t-shirt shop, but because of the self-same "warm fuzzy feeling".
  • Right. Now, kids, we all know who Counterpane's CTO is, don't we? No? Oh, I see.

    Bruce Schneier is one of the most respected cryptography experts in the world. If you are at all interested in code-making and code-breaking you probably read his book, "Applied Cryptography".

    Bruce also designed the Solitaire algorithm used in the "Cryptonomicon", and the Counterpane newsletter is required reading for anyone interested in the field.

    So, this probably is not another meaningless partnership to extract some money for nothing from scared Fortune-1000 CEOs.
  • How about corporate fraud? For example; the millions of dollars the companies claimed to have lost when Mitnick copied some files from their systems. Will the insurance companies evaluate the real loss and put those companies' figures back in line? Of course the DoS attacks amounted to real losses, but file copying, give me a break.
  • by Anonymous Coward
    As a Southern Gentleman, I am shocked and offended by the use of the term "Cracker", especially in connection with criminal activity. This politically-loaded word is an indication of primitive thinking and gross stereotypes, as is the expression, "poor white trash".

    In future, please call us by the term we would prefer to have applied to us: "Redneck Peckerwoods".

  • I don't know if I'd trust Lloyd's of London for insurance with all the internal troubles they've had in recent news.
  • your moms a cracker .. hee hee heee heeehaaawww
  • There are actually audit standards already extant for high-security hosting--financial hosting sites all go through something called a SAS-70, which--depending on the level of the institution--is pretty harsh security.
  • Does this story remind anyone of the old SNL skit involving the sale of "robot insurance" to senior citizens?

    "Remember: Robots ARE out to get you," etc.

    Is this policy REALLY necessary, or is this the insurance equivalent of yellow journalism?
  • by StevenMaurer ( 115071 ) on Monday July 10, 2000 @07:55AM (#945866) Homepage

    The dispute will more likely center on the "X millions of dollars" part. Does this cover salaries for fixing the system? Revenue lost because of downtime? Upgrading software to more secure versions? That's what'll end up in front of a judge eventually, unless the contract is exceedingly well written.

    Also, don't just go assuming that it's always insurance companies who are the rip off artists. In both consumer and commercial insurance, there are many more instances of fraud and legalistic shenanigans by the people covered than by insurers.

    Case in point: my brother-in-law works for the firm that insures Microsoft (Zurich Intl.). Among other things, they cover them with a standard indemnification plan - a.k.a. if Microsoft is sued in civil court, Zurich is responsible for both the defense and the damages (if any). Just like with many automobile plans, it is the insurance company's lawyers who defend the case, which is only fair since they are the ones on the hook for the monetary loss. Insurers will often settle cases their clients would have fought, because they have less of an emotional attachment to the idea of being proven right in court.

    Microsoft is now suing Zurich because they want to be reimbursed for all the attorney's fees they've spent in defending themselves in the anti-trust lawsuit. Microsoft is trying to twist a clearly written indemnification plan into a blank check for all their exceedingly high-priced lawyers' fees, while giving Zurich no say in how the defense is actually presented.

    Needless to say, Zurich is defending itself.

  • Almost exactly how this works!

    This insurance has been available for several years, usually tacked onto an existing data center loss prevention policy. This is a press release to show how our beloved Bruce Schneier has become a partner with a big insurance house.

    The insurance company will require at least two audits, the first to determine the policies and attitudes of the management, and to locate holes in enforcement of a good security policy. After the fixes have been made, the second audit will show whether the management can accommodate the change necessary to implement a proper security policy. It's more about attitude than open ports :-)

    There are several parts to the audit. The hack/crack part does all the usual stuff, such as wardialing the whole company looking for unauthorised modems, running customised exploit scripts and custom versions of ISS and nmap. They also make sure every system connected to the network is documented, and they log on every server and check the security from inside as well.

    There's a bunch of naff stuff going on at the same time like policy audits and background checks on all the IT staff and secretaries. In the end there is a big report, and a security score based on it determines your policy rate.

    The policy holder sometimes puts a security consultant on the site for a while, to monitor the state of the network and how well the IT idiots follow the required security policy.

    The whole exercise is to raise the bar against script k1dd13s, and give the shareholders a warm and fuzzy feeling. It also gives the lawyers a defence if a cracker does damage and the company gets sued.

    What Counterpane is probably doing is either renting out some tiger teams or training up some in-house teams to use their custom made tools.

    the AC
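The audit step described in the post above, where every system connected to the network is documented and the scan results are checked against policy, is the kind of reconciliation that can be scripted. What follows is an added example, not code from the original poster, from Counterpane or from any insurer: it parses nmap's grepable (-oG) output, which the post mentions, and compares each host seen against an asset inventory, flagging hosts nobody documented and ports the inventory does not permit. The hosts, names, ports and the inventory itself are constructed for illustration.

```python
"""Reconcile an nmap grepable (-oG) scan against an asset inventory.

Added example: flags hosts that are on the network but not in the
inventory, and documented hosts exposing ports the inventory does not
allow. All addresses, names and ports below are constructed, not real.
"""
import re
from dataclasses import dataclass, field

# Constructed sample of nmap's grepable output (not a real scan). Each
# port entry is port/state/protocol/owner/service/rpcinfo/version.
SCAN_OUTPUT = """\
# Nmap scan initiated (constructed sample, not a real scan)
Host: 10.10.1.10 (www.example.test)\tStatus: Up
Host: 10.10.1.10 (www.example.test)\tPorts: 22/open/tcp//ssh///, 80/open/tcp//http///, 443/open/tcp//https///\tIgnored State: closed (997)
Host: 10.10.1.11 (db.example.test)\tStatus: Up
Host: 10.10.1.11 (db.example.test)\tPorts: 22/open/tcp//ssh///, 3306/open/tcp//mysql///\tIgnored State: closed (998)
Host: 10.10.1.12 ()\tStatus: Up
Host: 10.10.1.99 ()\tStatus: Up
Host: 10.10.1.99 ()\tPorts: 23/open/tcp//telnet///, 8080/open/tcp//http-proxy///\tIgnored State: closed (998)
# Nmap done (constructed sample)
"""

# Constructed inventory: documented host -> ports the policy allows it to expose.
INVENTORY = {
    "10.10.1.10": {22, 80, 443},
    "10.10.1.11": {22},  # the database port must not be reachable from the scan vantage point
}

# "Host: <ip> (<name>)<whitespace><rest>" - rest is either "Status: ..." or "Ports: ..."
_HOST_RE = re.compile(r"^Host:\s+(\S+)\s+\(([^)]*)\)\s+(.*)$")


def parse_grepable(text):
    """Return {ip: set(open ports)} for every host nmap reported as up."""
    hosts = {}
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if not m:
            continue  # comment or blank line
        ip, _name, rest = m.groups()
        open_ports = hosts.setdefault(ip, set())  # record the host even with no port data
        if not rest.startswith("Ports:"):
            continue  # a "Status: Up" line carries no port information
        ports_field = rest[len("Ports:"):].split("\tIgnored State:")[0]
        for entry in ports_field.split(","):
            fields = entry.strip().split("/")
            if len(fields) >= 2 and fields[1] == "open":
                open_ports.add(int(fields[0]))
    return hosts


@dataclass
class Findings:
    undocumented_hosts: list = field(default_factory=list)
    unexpected_ports: dict = field(default_factory=dict)

    def passed(self):
        return not self.undocumented_hosts and not self.unexpected_ports


def audit(scan, inventory):
    """Compare observed hosts and ports with the inventory and report deviations."""
    findings = Findings()
    for ip, open_ports in sorted(scan.items()):
        if ip not in inventory:
            findings.undocumented_hosts.append(ip)
            continue
        extra = open_ports - inventory[ip]
        if extra:
            findings.unexpected_ports[ip] = extra
    return findings


if __name__ == "__main__":
    result = audit(parse_grepable(SCAN_OUTPUT), INVENTORY)
    for ip in result.undocumented_hosts:
        print(f"undocumented host: {ip}")
    for ip, ports in result.unexpected_ports.items():
        print(f"{ip}: ports not permitted by inventory: {sorted(ports)}")
    print("audit passed" if result.passed() else "audit failed")
```

Note that hosts are recorded from the "Status: Up" lines as well as the "Ports:" lines, so a machine with nothing listening still shows up as undocumented; an inventory check that only looked at open ports would miss it.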
  • Ramen

    So here I am; The highpoint of my day.


    No longer am I content with such concepts as female companionship, wealth or pleasure; I find all that I need in Ramen.

    The ceremony commences. I enter the break-room. A medley of microfiche machines contrast the smooth curve of coffee pots filled with steaming liquid. I turn, facing the altar. I bow to my god Maruchan, the smiley face god, for he brings me ramen in such a pure form.

    Cuidado: Caliente! screams out the sacred Japanese vessel in Spanish. I extend my hands, never taking, only receiving. Maruchan smiles upon me as he bestows the vessel upon me. I find it strangely cool. The delightful feel of a smooth woman's skin on my flesh. My Ramen.

    I approach the fiery cauldron of water. Pure springs splash down into the pot, warming and bubbling. Steaming with cleanliness. My Ramen meets the water in a joyous union.

    Maruchan smiles in heaven.
  • I especially like the justification of "Well, we get X amount of money per hour due to the web. Since we were down for 3 hours, we lost 3X money." Who's to say they lost anything? I'll bet as soon as the site goes back up, they make almost all of the money they would have made in the first place - the few hours after the server is back up probably get them twice the average revenue. The people still are going to buy the stuff they want, it's not like the demand just disappeared.

    Colin Winters
  • I want to buy Cracker Insurance so I can get some cold cash when my roommate eats my Triscuits.

  • If this is done in a clueful way, it will actually be really beneficial. At first, I'm sure all companies will pay an equal deductible, as in the early days of car insurance. But over time, the insurance companies will start to collect stats on who does the best security, and adjust deductibles accordingly. If this is handled objectively, and it turns out that NT-based systems are 32% more likely to be DoSed, then companies will have to pay.

    The nice thing is that, since money is on the line, the insurance company has a huge incentive to be objective and honest about what really works to prevent "hacking." My guess it that obscurity-based systems don't get rated as high as a Volvo :)
  • by wrenling ( 99679 ) on Monday July 10, 2000 @07:13AM (#945872)
    Is to see how the claims get handled. If basic security procedures were not followed (patches, closing off extraneous ports, etc) will the claim be paid? If they are paid, it will set a bad precedent, and give companies an excuse to maintain poor security, hire less qualified admins, and just file claims when bad stuff happens.

    If they DO deny claims based on lack of basic preparedness, it could benefit the overall community by making it worth the company's pocketbook to make sure their admins are well trained, and have the equipment and software they need. Lawyers LOVE it when companies have insurance policies - it means larger settlements for them.

  • by British ( 51765 ) on Monday July 10, 2000 @07:11AM (#945873) Homepage Journal
    If you act now, you can get a 25% discount on Alien abduction insurance too!
  • Here's a startup that uses a policy similar to what you've outlined: insuretrust. And here's a story about them.
  • Leave it to Lloyd's! My only question is what took so long. I really started to wonder about this when the DoS attacks were going on. Now I guess companies will be compensated for downtime when this happens? (Also more potential for insurance fraud!)
  • Others have tried this and are doing it correctly, but it's difficult. What the insurer must do is go in and analyze the insuree and then institute proper security policy, controls, and enforcement. Only after a revamp of the insuree, from management infrastructure and policy down to best practices by sysadmins, will the policy be written. Of course, the insuree must pay for all of this. This is what they mean by "managing risk."

    For some companies, this makes a lot of sense. Others take their chances. In any event, I foresee many other insurers and insurees getting in on this soon.
  • Of course, I'd rather have cracker insurance.

    Yeah, why worry about your computers when there's a much bigger threat out there: hordes of inbred white people?
  • Heh heh.
    After my auto insurer created an extra-high-risk category for me, I never figured I would affect the insurance industry so significantly again.


    Fsck the millennium, we want it now.
  • by MosesJones ( 55544 ) on Monday July 10, 2000 @07:12AM (#945879) Homepage

    Why is this news ? Surely this is exactly the same as insuring a standard company against burglary ?

    It's just another case where everyone is surprised because the eWorld is the same as the normal world.

    To use the real world, basic security is important, but investment in a patrolled compound to protect a pizza parlour is excessive, while spending $100 on insurance per year makes pretty good sense.

    There is no "e" or "v" world, there is this world.
  • True, but I'd suspect that for those they're treated as a one-off decision, and have correspondingly higher relative rates to compensate for the added workload.

    Since I couldn't see IS Insurance being profitable that way (well, unless they just target 'the companies that matter' in the Fortune 500, to slashback to the Apache/IIS article of earlier today) I'd think it would be more based on actuarials or moderately wild assed guesses. It could very well be I'm just extrapolating too far into the mass market application of IS Insurance, rather than a new one-off that's now available.

    Or maybe it's the lack of sleep. :)

  • People, I've read a lot of nauseating reactionary propaganda in response to technology in the past - but this is by far the most dangerous and vile abuse of mainstream misunderstanding I have seen to date. I have never commented before, but this is horrifying: "The future of security will be driven not by technology, but by insurance," [ is the quote offered in this missive.] I only hope that the absurdity of this assertion overwhelms and renders obsolete my own commentary. For such a simple mind, I can only hope that his children are threatened by cyber stalkers, his bank account is emptied, his pathetic private life made public, ridiculed and destroyed - all so he can be remunerated with his precious insurance. Insurance!
  • I think a fair number of those claims (at least, in terms of virus storms like the Love Bug) aren't real damages, but lost time and wages. I don't think that insurance companies would be too likely to cover that.

    I'd also love to see the requirements and riders they'd put on the policies. I can imagine that ANY publicised vulnerability being used in the attack would nullify the coverage (and it should, IMO).

    Heck, this could give us an entirely new pointless benchmark for the O/S wars! "My O/S is cheaper to insure than yours!" :)

  • wouldn't it be nice if they were thinking of the real terminology of hacker/cracker so when companies tried to collect after being "hacked" they find out that their insurance only covers bad coding incidents from their hired coders (aka hackers). just a thought.
  • So the majority are right when it comes to language? Usage defines the word?

    Of course. They have the Académie Française in France, to make it illegal to call a computer computeur. However, the English speaking world generally doesn't go in for such authoritarianism.

    So if everyone started calling gay men 'fags' tomorrow, they'd be right?

    In the end, you have to decide who owns the right to define language. The only sensible answer is those who speak it.

  • The majority of people, who learn everything they know about "hackers" from a few paragraphs of a likely somewhat inaccurate news story, do not earn the right to tell computer literate people the correct way to speak in their area of expertise.

    If that is how it should be then it might as well be argued that doctors should have to change their speech so it matches what the majority think doctors should say (after watching a few episodes of ER of course).
  • Of course, I'd rather have cracker insurance.

    Not me. I'd rather go for Hacking insurance. I don't want no *NIX guru coming in and creatively solving my carefully crafted network problems, puttin me out of a job. Those damn hackers preventing us workin stiffs from keepin a nice little maintenance roll.

  • This can't really hurt (at least in the long run). If the insurance co. starts having to pay out, it may require that some decent security policy exist. Just requiring up-to-date patch levels would probably cut down on most of the problems.
  • title says it all - how exactly are they going to investigate fraud on this one, and just how easy will it be to fake a DoS... er, I guess it doesn't need to be faked.

    This is my new business plan. If anyone has VC and would like to invest in my company, I can guarantee a $50 million ROI. :)

  • by Kintanon ( 65528 ) on Monday July 10, 2000 @07:15AM (#945889) Homepage Journal
    I just can't wait for the first claim to come in:

    Business: Look! We were attacked by hackers and lost X millions of dollars, call the insurance company!

    Insurance Company: We're sorry, but you were attacked by CRACKERS, not Hackers, and you only purchased the Hacker insurance. It's an extra 50K a year for the Cracker insurance. Sorry. (Evil cackle)

  • by Anonymous Coward
    I can't help but wonder how many days will elapse between the announcement of "hacker insurance" and somebody hacking Counterpane's Web site. My best guess is less than one week.
  • Or how about buying a house, insuring it for more than it's worth and then having somebody come and burn it to the ground?

    Insurance fraud has been around for a long time. In the US, the states have offices to handle this kind of thing and when it starts getting offered in that state then the Fraud division will hire on some computer admins to help them. They might be slow but they are rarely stupid.

  • offer "hack insurance" to companies that pass a strict audit.

    What would this audit include? Exploits for both OSS and closed source software appear on a daily basis. Passing an audit today means nothing about your security tomorrow or next week. How does Lloyd's plan to ensure companies keep up with patches (or service packs for those dumb enough to trust that other OS's security)?

    Also will there be an "approved" list of software and anything that doesn't appear on that list cannot be used in any way? I can see a certain large software company kicking enough money Lloyd's way to ensure its software is on the list and competitors are deemed "insecure".

  • One of the interesting features of this insurance is the liability coverage that shields companies from lawsuits stemming from their negligence. I wonder if companies will now feel less concerned with the safety of user information now that they can count on their insurance company covering them if worse comes to worst.

    Further, up until now many startup companies had shallow pockets, but with this kind of protection, we could see a lot of groundless litigation, and people just try to pressure these insurance companies into settling.
  • by Stiletto ( 12066 ) on Monday July 10, 2000 @07:42AM (#945894)

    A fool and his money are easily parted...

    Hey, if someone's willing to buy hacking insurance instead of securing their systems, then they deserve to make these insurance companies rich.

    What I wonder is, when one of these companies gets cracked, will the insurance provider pay off if it was due to negligence? I mean, most insurances only apply to accidents. If I buy flood insurance for my home, and I leave all the windows and doors open during a flood/hurricane, I can't make a claim. I don't believe drunk drivers can collect from claims on their auto policy either. Same with this situation--what insurance provider will pay up if you leave your box sitting totally unsecured on the Internet?
  • Never mind stealing, raping, enslaving, and oppressing practically every other people, black, Indian, Native American, Amerindian. Just because your white ass is too lazy to work.

    sorry that one got me riled up.
  • Insurance companies are the most paranoid in the world, and they will want their own auditors to confirm that they are insuring a secure environment. At the least, they will set lower rates for sites with better security.

    Insurance is a line-item in company budgets with predictable cost. Managers get bonuses for lowering predictable cost.

    Working from those premises, I predict that a company with a verifiably secure Linux/BSD/$OTHER_OS_OS infrastructure will be able to negotiate a lower insurance cost than a company that says, "Microsoft insures us that this software is secure."

    I further predict that direct positive impact on the bottom line will do more to push open-source solutions into business than anything else.

    Keep all your benchmarks and anecdotal evidence. The insurance companies won't care. They will do the most in-depth analysis you could ever imagine, because 1) they have the resources and 2) they'll have REAL money on the line. Smart money goes where the insurance companies do. (Well, at least I trust them to take care of their own money and not give a rat's ass about the OS wars.)

  • Heh, i wonder if there are different rates for different OSes.

    PLAN 1:
    UNIX Servers - $50 a month

    PLAN 2:
    Microsoft Servers - $50,000 a month.

  • 'hacking insurance'

    Hacking Insurance: we make sure your cooler is jam packed with Jolt Cola and Bawls to insure that your local hacker will keep on churning out tight code for hours on end.

    We filter all snail mail with offers to work at bigger and better companies to insure that your hacker stays with your company.

    We brutally kill any girlfriends, friends and relatives the local company hacker may have to insure he will spend endless hours hacking on company code, instead of wasting company time by pursuing meaningless and unconstructive things like "a life" that cost your company a lot of time and money.

    We do proactive code review to make sure your hacker isn't commenting all his code in 67AD Latin and insure any current or future hackers at your company will be able to decrypt the comments on your flagship product.

    We provide a 24-7 pizza and cola hot line. Anytime your hacker gets worn down, call this 800 number and within 5 minutes an emergency response team will be there with hot pizza and cold soda. This insures your hacker doesn't try and leave or wander off company property in search of food.

    Oh dammit, I got the "definition" of hacker wrong again. I hate when that happens.

  • Okay, I am a multi-million dollar company. I can afford 300K / year for insurance; you better believe this stuff HAS to work or we get sued to the bottom of the ocean.

    Hmmn, would I rather do things with insurance, which does not circumvent the problem but merely patches it up (lazy, non-proactive approach)?

    Or should I hire a few REALLY skilled security people for that much every year? And take a proactive approach and have someone to hang when the system fails. I can make a point of failure.

    It all depends on how much and this is all in theory, but hmmn?


    If you think education is expensive, try ignorance
  • Having worked in the insurance industry (IT side) for many years, it is all a matter of risk/benefit analysis. Further, the actuarial guys and gals are just about anal at this stuff. Many can tell you, given a room of /. participants, how many are overweight, and by how much. How many drive cars over a certain value and what is the risk they will have an accident? How many work in a corporation and what is the risk of repetitive stress injury? And they are right at a nearly frightening rate. If it were gambling, you would never bet against the house.

    Real life example:
    Like it or not, a 50 year old buying a new Porsche is far less of a risk than a 22 year old. It is not personal, it is not specific to you, it says nothing about your parents or your abilities. So guess what, you pay more at 22 than at 50.

    You may not even be able to get insurance at 22 on a certain type of car, until you enter the "risk pool". This would be the same for companies as it is for 22-year-olds driving a Porsche. I may insure you but I am not taking the major risk. (i.e. $2000 deductible, $500/month payment and penalties for failure to pay)

    Now, given some company "X", operating a type of business "Y", for a period of time "Z", what is the average number of security breaches (internal and external) you can be expected to incur? What varies the result the most? What kind of loss per incident can be expected? What factors contribute to a claim (i.e. how often is notoriety a cause versus failure to update patches?)

    Now, like your car, you are expected to take care of it. The "blue book" here however is what a company agrees to. Amazon out of commission for 12 hours is going to be a much bigger claim than Slashdot. (No offense intended).

    Further, the claimant cannot facilitate the action.
    Have you had a security audit in the last "X" timeframe?(security like Swiss cheese)
    Did you act on its findings? (no funding for upgrades)
    Are you using reasonable precautions to protect yourself, data, and business?(haven't done a backup this week)
    Was this a known threat you failed to act on? (ILOVEYOU attack two weeks after it made the news)

    I think it is a great idea, because those with insurance must be attentive to collect on a loss. The more attentive people are the better it is for everyone.
  • "Cryptography: Theory and Practice" is certainly deeper in certain areas. But, and even for this very reason, I feel that Schneier's book is still a better introductory text. And for the practitioner (as opposed to the theoretician), "Applied..." is far more useful. Stinson also does not touch some subjects.

    I think both books are worth the money. Especially now that Applied's CD can be ordered from outside the USA.
  • I think this will increase security. Hear me out.

    Company X buys hacker/cracker insurance from Company Y because they have done a risk assessment and see the need. Company Y says OK, your premium is $mumble a year, but in order to get a lower premium you will have to let us audit you. You have 6 months before the audit. Get cracking (ouch).

    Six months pass and Company X has really humped it. Security is tight, low incidence rate and a good security policy is in place. Company Y comes in, says "Good Job", lowers the premium based on their audit of the risk that Company X poses to their bottom line. Company Y is happy because $mumble has become smaller, helping their bottom line and making investors happy.

    A Good Thing, no?

    Only problem I can see is the security hardening industry's ability to keep up and whether or not the insurance company can bring on-line a quality risk assessment team with expertise in IT security. Are those big 'ifs'?

  • What??... does this ensure that your website is never worked on? Wow, perhaps Microsoft should invest in this, they would at least guarantee the instability of their OS, and at best reduce the number of holes in their next release!
  • Lloyd's of London has a famous reputation for assessing and insuring all sorts of odd risks, such as Mary (Entertainment Tonight) Hart's legs. Check this out for some examples. Businesses can even insure against a couple employees winning the lottery and not coming back to work...
  • According to the CTO of Counterpane, e-commerce businesses 'don't have to prevent hacking; they have to manage their risks.' Interesting perspective from a security wonk.

    Well, actually it's a pretty common perspective among "wonk"s.

    Any security specialist will tell you that the only secure system is either one that isn't connected to a network of any kind or one that has the power switch in the off position.

    Network security is a constant game of risk management. The more secure you make something, the less functional and intuitive you make it for your end user. FTP is an inherently insecure protocol, but how many customers would be ready to kill you if you were running, say, a web host and killed the FTP service? Same goes for services such as telnet. There are secure alternatives, but again, you're alienating your customers by forcing them to use something that in their minds at least is non-standard.

    So it comes down to seeking a constant balance between the services you need to provide to make a buck and the risk you're willing to take onto yourself against crackers.

    This is also an attitude that is common among those in e-commerce circles. Companies don't even try to prevent all credit card fraud; the only way to do that would be to not offer credit card payments at all. They just try to keep within the "acceptable limits" of risk that they have set for their company.

  • So the majority are right when it comes to language? Usage defines the word?

    What about when the guy at Radio Shack tries to tell you that this computer comes with 20 gigs of memory?

    How about the all too common confusion of multiple personalities disorder with skitzophrenia (sp? grr... tried looking it up.)?

    So if everyone started calling gay men 'fags' tomorrow, they'd be right?

    I think hackers have a perfectly valid complaint here.
  • As far as I remember, if you leave your car doors unlocked, then it's tough noogies on the car theft insurance claim.

    Probably varies from firm to firm, though.

  • I assume it would be very similar to the car insurance policies. Was the accident caused by you? Someone else's fault that you couldn't avoid at all? Insurance companies determine how much money the car-owner gets based on these types of things, and I can see how it could also be applied to internet businesses.
  • This is just calculated risk on the insurers part.

    It goes without saying, that no respectable insurance company will pay (or even sell you a policy) without auditing and/or making sure you're up to protecting your own system by either having your own able sysadmins or contracted ones.

    Just think one or two milliseconds before you call people stupid.


    (and this gets an "Insightful"......)
  • by RollingThunder ( 88952 ) on Monday July 10, 2000 @07:17AM (#945910)

    Probably because of the wild difference in assessability of risk.

    You can fairly easily get a good idea of how secure a physical site is. Check the locks, the alarm systems, review the security staff and their training, etc etc etc.

    But for a moving target like infosec, I can't see how they can determine a risk assessment, unless they're not even bothering to and just using actuarial tables.

    Given the generally paranoid and overly cautious attitudes of insurance companies, I'd say a change like this does signify news.

  • According to this Jan 2, 2000 Reuters article, crackers have broken into Lloyd's in the past. I could just imagine the sales pitch, "never mind that I just crashed my car, let me sell you some auto insurance..."
  • The best and most innocuous way a system is penetrated and compromised is not from remote exploits, but from the inside. The careless SysAdmin who leaves a root console open; the stupid employee who writes his password on Post-it notes next to the monitor; the disgruntled and angry employee that did not get the raise he thinks he deserved.

    If systems were just insured from outside cracking, then it would make more sense. But the vulnerability of MOST systems is from the users, and so the problem of insurance fraud cannot be avoided. Why can't the CEO and CTO collaborate to make more money for the company? The last time I heard, no audit can discover what a bunch of powerful and willing conspirators want to hide.

  • The dispute will more likely center on the "X millions of dollars" part. Does this cover salaries for fixing the system? Revenue lost because of downtime? Upgrading software to more secure versions?

    When an insurance policy is granted, the company will have in place a well written procedure detailing exactly how each system will be fixed in case of a cracking incident. That will include an estimate of hours to reload the OS from scratch, and then recover the system configuration and data from backup tapes. The policy will specify how much will be paid for recovering a system after a crack, what the losses per hour are for the loss of functionality, and whether a consultant can be paid to further secure the machine after the attack.

    If a system is critical to a company's well-being, then it becomes cheaper to buy some hot standby systems ready to be switched in almost immediately. Of course, this increases the cost of a system by 4x to 10x or more. Somebody does the math, and figures out which will be cheaper, a second system, or a few hours downtime of the system.

    the AC
  • Hey, here's an idea:


    Cripes.. this isn't a new problem...

  • will be how much will be paid if a claim is validated. Maybe the insurance companies will keep companies from flagrantly inflating their reported losses from being hacked.
  • by Anonymous Coward
    Determine how much the site is worth? By the amount of traffic, or the net worth of the company that the website is for.... I can name several sites that get millions of hits daily with no affiliation with a large corporation.
  • I would imagine that insurance premiums may very well be partially based on the security of the system, as determined by "experts" within such insurance firms. This is akin to the premiums we pay for health insurance - a "healthy" adult will, on average, pay less in premiums than an overweight adult with high blood pressure, high susceptibility to heart disease, and a smoking habit who happens to enjoy sky diving and tinkering with Russian nuclear reactors in places beginning with the letter "C".

    This may prove to be a very interesting market for persons in the IT industry. (Look out, Lloyd's - here I come! *grin*) I imagine that such insurance agencies will also insist on having certain bare minimum security procedures fulfilled in order to even be eligible for coverage.

    Interesting to see which OS would have higher premiums on average, eh?

  • Here's a company who's doing a great job at doing it all wrong.

    I don't agree with the 'don't have to prevent hacking; they have to manage their risks.' bit.
    If cracking was prevented they wouldn't have to spend so much money 'managing their risks'.
    And one of the best ways to keep crackers away is to make sure they don't know about you. This is something Lloyd's of London is not achieving with this kind of news coming up in Sci-Tech sites...
    I bet they just got all kinds of crackers lining up to 'test' their new insurance...
  • A moronic ISP (not the one this IP is attached to, so piss off...) that I have to deal with from time to time at work has cracker insurance, and to keep that up they regulate what ports you can listen on, what OS versions you can run, and where you can peer/tunnel/etc... on your internal network. In any case, my suspicion that they are a bunch of blithering idiots was confirmed when they dropped our link by fucking with our router (which they had drop shipped, black box style, and refused to tell us the passwords...) and as a last resort they called us and walked us through setting the link back up, and you know what? The dumb bastards keep the router passwords set at factory default. Oh well, I pity the underwriter of their insurance policy...
  • In recent times, companies that have been cracked or have clients that have been cracked have lashed out at the most easily available target. Usually this means that some poor service provider or host service somewhere has to take the heat for "letting" someone misuse their services. Like suing someone (especially a service provider or software developer) for not having tight enough security (it's way too easy to find recent examples of this.) If nothing else, maybe insurance for being cracked will pacify the attacked, so there won't be as many silly lawsuits.

    Unless they crack their own site, collect the insurance, and then sue their tech people for not being good enough to prevent their attack. That'd definitely be silly.
  • by sstrick ( 137546 ) on Monday July 10, 2000 @07:43AM (#945926)
    I would like to see how they will value the damage. It seems to me that every time there is a cracked machine on the web the damage bill seems to run into millions.

    For example, while the "I love you" virus pissed a lot of people off and caused more than a few email servers to crawl to a halt, I think the estimate of 5 billion dollars of damage was a little overstated.

    After all, how do you factor in brand name damage, future lost revenue from deterred surfers and knock-on advertising revenue effects when assessing a claim? No doubt most companies will pick a random figure and multiply it by 10.

    I will be interested to read about the first claim.

  • by / ( 33804 ) on Monday July 10, 2000 @07:44AM (#945927)
    Don't laugh. The British firm Goodfellow Rebecca Ingrams Pearson actually offered a policy against alien impregnation.

    Sadly, they discontinued the service in the wake of the Heaven's Gate cult suicide. Insane people are just too likely to make claims against the policy.
  • At the same time, I do think that for a short time at least, this will lead to lax security in companies which do purchase these policies. Some of them will doubtless reason that simply because they have purchased this policy they have all the protection they need.

    Just like your insurance company may require you to install an alarm system before they cover you for burglary, this type of insurance will require you to be audited and then continuously monitored by a company like Counterpane Systems.

  • It would be good to see something along the lines of auto-insurance here. Vehicles that are statistically more dangerous or more expensive to replace get higher premiums. Safer and cheaper vehicles are cheaper to insure.

    If this were applied to computer systems, it might become a market influence. It may provide incentive to some companies to improve the quality of their software if the risk for insecure products means losing business.
  • This will be a great step forward for computer security. In order to keep their premium down, companies will have to agree to basic external security audits and to implement a set of minimum security procedures. This will generally raise the bar in the field of web security.

    © Copyright 2000 Kristian Köhntopp
  • Insurance works when the event you are insuring against is out of your control. Business interruption insurance for various wind perils is entirely appropriate and economically viable because wind perils are (1) unable to be anticipated and (2) not controllable by the insured.

    Insurance against Hackers or Crackers is uneconomic because the element of controllability is not present. The organization has various means at its disposal to avoid service disruptions, from firewall configuration to fully-redundant, offsite backup servers. Yes, they need good Risk Management, but Insurance is not the answer to every Risk Management problem.

    Though if some deep-pockets on Lloyds want to chance going broke on poorly-conceived Insurance schemes, it wouldn't be the first time.

    Anomalous: inconsistent with or deviating from what is usual, normal, or expected
  • by 11223 ( 201561 ) on Monday July 10, 2000 @07:21AM (#945939)
    Here at XYZ Insurance Corporation, we're proud to announce our new Hacking Insurance - protecting your business interests against hackers!

    Hackers have been known to attempt to undermine your business interests with subversive activities like replacing IIS with Apache, and porting your product to Linux. Here's what we offer for protection:

    • Instant Apache uninstall - we keep secured backup tapes that let you go back to your secure, responsive IIS environment instantly!
    • Linux replacement - with proprietary tools we can search out Linux computers connected to your network and replace them with secured NT workstations!
    • Source code security - we offer to help you write Windows-specific code so your developers can never switch to Linux if their hacker instincts flare up!

    As you can see, hacker insurance has many benefits. Protect your business investments today!
  • Seems to me that this may open up a new way to rip off insurance companies.

    Imagine a company insuring themselves against hackers, and then actually striking a deal with someone to hack into their system, damage some part of their system, and get rich off of the claim!

  • by Pfhreakaz0id ( 82141 ) on Monday July 10, 2000 @07:23AM (#945943)
    Maybe these companies will be forced to actually provide some evidence when they claim "we lost $42 million dollars when our web site got cracked." I don't think the insurance company is just going to say "sure, $42 million, here ya go!"

Last yeer I kudn't spel Engineer. Now I are won.