Have you ever visited one of those small towns where people don't lock their doors and leave the keys to the car in the ignition? When you get back to the big city, with car alarms and deadbolt locks, you feel like you're in Leavenworth. You wouldn't think of leaving your front door unlocked in New York or San Francisco. And you wouldn't dream of leaving the keys in your ignition in Chicago or Miami.

So why do people taking elaborate security measures at home skimp when it comes to protecting their corporate network or the database making their business roll?

You say you've got a firewall? Congratulations. But don't think of it as a giant deadbolt lock; picture a latch on a screen door instead.

Chris Klaus, founder and chief technology officer for Internet Security Systems (www.iss.net), likens a computer network system to a bank: "You don't just put a lock on the door," he said. "There is a safe, video cameras, all sorts of things to protect it. You need multiple layers of security and protection."

Karsten Johansson, senior information security advisor for KSAJ (www.penetrationtest.com), agrees. "It's not a matter of throwing a couple of firewalls up. You have to look at all types of threats and levels of control to mitigate the risk to an acceptable level."

Those points considered, asking most IT executives about the quality of their security is like asking about the quality of their driving: it's always "excellent."

But in the real world, do most systems hold up to an attack, even one that's staged for a company's benefit? Matt Curtin, CEO of Interhack (www.interhack.com), is the guy who would know, and he said, quite simply, they don't. Interhack runs security tests for businesses and finds it more common than not that his team can crack the client's system. "It's pretty rare that we can't get inside and do something," he said.

If these systems can be cracked when the companies know an attack is coming, how secure do you think they are day to day?

And Curtin was surprised when he discovered how far insurers' understanding of security issues was lagging. When he looked into insurance coverage for a customer and read the policy questionnaire, he encountered simplistic and even out-of-date questions, like "Do you use a firewall?", "Do you use anti-virus software?", and "Is your system Year 2000 ready?"

Danger Zone

The economy hasn't curtailed carriers' security expenditures, and that's not entirely a good thing. According to Klaus, big spending today is a result of ignoring the problem for too long. "Businesses under-invested so much over the last 10 years," he said. "They can't ignore the fact that their networks are wide open, insecure, and under attack."

Johansson said the broader threat to homeland security in the wake of September 11 actually caused network security to fall off the radar. But, he said, "It's back on track now. The risks are there. Attacks can happen and probably will."

Way back when, hacking into corporate systems was considered sport: games amateurs could play to show off their skills. But Klaus said today's hackers are professionals looking to make money off their technical expertise. Sure, there are still plenty of script kiddies out there, but they aren't the real threat. (Script what? See the box.)

Today, Klaus says, the biggest vulnerabilities insurers have are their databases. The days when only a few key people had access to that database are gone. Today's insurance business model calls for any number of people to have access, including agents and remote workers. And such openings create a threat to the company. "You have multiple layers of distributed access, and every layer you go into you can spread by 10 times the amount of people with access," Klaus said.

Companies used to worry most about major attacks against their databases, but Klaus said that's changed. "They aren't looking to take huge bites," he explained. It's the smaller, more subtle attacks that are worrisome. And sometimes those attacks don't leave the calling cards associated with the cruder hackers. They might involve subtle corruption of data, corruption that might take weeks or months to come to light. Or the intruders might simply be stealing your data.

Hacked Web sites make the evening news, but a Web site is minor compared to the back-end systems carriers rely on for their business. An attack on an insurance company's database is a huge violation of its customers' privacy and an embarrassment to the company. As Klaus said, "If a company's Web site gets hit, it doesn't affect me. But if I have sensitive policy information on my insurer's database, or somehow my policy has been deleted from the database, I'm not going to be too happy with that company."

"A Web page is the most obvious place to get attacked, but it usually is the least important," Johansson said. "It's the hackers you don't detect right away that are doing the most damage. They're just siphoning off information about your clients from the database." Then there's the secondary damage that comes from an attack. "What happens to your business partners?" he asked. "How will this affect your relationship if their system is damaged, particularly if it's a malicious insider who has done the damage?"

Threat Assessment

Curtin knows you can't stop every attack, so he recommends quantifying the various threats to your system. "How much damage can attacks cause?" he asked. Assign a dollar value to various types of attacks, from "most likely" to "least likely" and "most expensive" to "least expensive." He also suggests using graphics to identify threats to the system, linking possible threats to the various safeguards you have in place. "It gives you a nice relationship diagram," he explained. "You can see how heavily you're planning on one way to save your system from an attack." This way you know that if a firewall fails, the threat can be mitigated by other factors.
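The assessment Curtin describes can be sketched in a few dozen lines: price each threat by how likely and how expensive it is, map threats to the safeguards that mitigate them, and then ask which threats hang on a single control. The script below is an added illustration written for this article, not code from Curtin or Interhack; the threat names, likelihoods, dollar figures and control names are constructed placeholders, not data from the page.

```python
from dataclasses import dataclass, field


@dataclass
class Threat:
    """One threat to the system and the safeguards that stand between it and you."""
    name: str
    annual_likelihood: float          # expected incidents per year (constructed estimate)
    loss_per_incident: float          # dollars per incident (constructed estimate)
    mitigated_by: list[str] = field(default_factory=list)

    def annual_loss_expectancy(self) -> float:
        # Expected yearly cost: how likely times how expensive.
        return self.annual_likelihood * self.loss_per_incident


# Constructed sample inventory for an insurer-like environment.
# Every figure here is an illustrative placeholder, not a measurement.
THREATS = [
    Threat("Defacement of the public Web site", 2.0, 15_000,
           ["firewall", "patch management"]),
    Threat("Outside intruder reads policyholder records", 0.5, 400_000,
           ["firewall", "database access controls", "intrusion detection"]),
    Threat("Insider siphons customer data", 0.25, 1_000_000,
           ["database access controls", "database audit logging"]),
    Threat("Subtle corruption of policy data", 0.1, 800_000,
           ["intrusion detection"]),
    Threat("Compromised agent account used from outside", 1.0, 50_000,
           ["firewall"]),
]


def rank_by_expected_loss(threats):
    """Largest expected annual loss first: where the budget should go."""
    return sorted(threats, key=lambda t: t.annual_loss_expectancy(), reverse=True)


def control_coverage(threats):
    """The 'relationship diagram' as an adjacency map: control -> threats it mitigates."""
    coverage = {}
    for t in threats:
        for control in t.mitigated_by:
            coverage.setdefault(control, []).append(t.name)
    return coverage


def single_control_threats(threats):
    """Threats that rely on at most one safeguard: if it fails, nothing else stands."""
    return [t.name for t in threats if len(t.mitigated_by) <= 1]


def exposure_if_control_fails(threats, control):
    """Expected annual loss left unmitigated when this one control fails."""
    return sum(t.annual_loss_expectancy() for t in threats
               if t.mitigated_by == [control])


if __name__ == "__main__":
    for t in rank_by_expected_loss(THREATS):
        print(f"{t.annual_loss_expectancy():>12,.0f}  {t.name}")
    print("Threats resting on a single control:", single_control_threats(THREATS))
    print("Exposure if the firewall fails:", exposure_if_control_fails(THREATS, "firewall"))
    print("Exposure if intrusion detection fails:",
          exposure_if_control_fails(THREATS, "intrusion detection"))
```

With the constructed numbers, the insider threat tops the ranking even though it is the least likely, and two threats turn out to rest on a single safeguard; that second list is the one Curtin's diagram is meant to surface.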

A proper assessment looks at what you're trying to protect your system against. "If it's a competitor, are they looking for money, your knowledge of the industry, or [to gain] knowledge of your company?" Curtin asked.

Amateur attacks are easier to fight off than insider attacks from users you trusted but shouldn't have. "You have to define what you are trying to protect," Curtin said. "How much are you going to spend and how far are you going to fight?" While there may be people looking to attack your company specifically, Curtin believes most attacks are crimes of opportunity. "The bad guy just happened to get in," he said.

Klaus also believes companies must perform regular assessments of their security. "You need to find out how secure you are, what components are in place, what additional components are needed, and look at the architecture," he said. With so many people having access to your network, Klaus recommends you perform what he calls "good cyber hygiene" that includes penetration tests on a regular basis.

Once you understand your security posture, you can design a comprehensive strategy that takes into account the network, the servers, the desktops, and the applications. When you see what's needed, don't place your entire strategy on a single solution. Multiple vulnerabilities demand multiple solutions: best-of-breed products designed to thwart specific kinds of attacks. One example Klaus recommends is an intrusion detection system. "It acts like a burglar alarm," he said. "It tells you who is attacking and where."

He points out that a major expense of security is in labor. "You may have over 10,000 vulnerabilities," he said, and determining how to deal with each takes time. One solution is to outsource the management of your security services, particularly if you don't have the resources to monitor your system on a 24/7 basis, Klaus said.

Johansson suggests defense means more than a couple of firewalls. "An Offensive Operation Model looks at all types of threats and levels of control," he said. "It helps you to mitigate risk to an acceptable level."

The bad news for companies is that investment in security is not a one-time shot. "It's ongoing," Klaus said. Vulnerabilities represent a skeleton key for hackers. The responsibility of changing the locks has increasingly fallen on the shoulders of someone with the title chief information security officer, according to Klaus. "Someone on the staff has to be responsible," he said.

Outside Help

You need someone from the outside as well. "Assessment can be done in house," Klaus said, "but there is some advantage to having someone from the outside help. Security needs that independent validation."

A key for carriers is to make sure your vendors are giving you a product that has undergone rigorous security testing. "You have to demand of your vendors, 'Give us a secure product.' Otherwise this will be a perpetual problem," Johansson said. He also cautioned vendors not to challenge hackers. Oracle introduced a data security product with a name that tempted fate as well as every hacker in sight: Unbreakable. "They found 20 ways of breaking Unbreakable," Johansson said. (Contrast the name of the as-yet-unbroken encryption software Pretty Good Privacy.)

Some companies have foolishly hired security experts when what they were really getting were attackers. "Anyone can say they are a security company," Johansson said. "All they have to do is establish a Web site. That's why a lot of companies are bringing their security in-house. You have to continually train your security people, though. It's an ongoing process."

With an estimated $11.8 billion lost in reported attacks last year, the business of attacking networks and Web sites is getting bigger. That means insurers (and any business that values its data as it would its first-born) will have to keep investing in time, talent, and software to combat this surge. Attackers aren't wearing ski masks and packin' heat, but the damage they can inflict on your company and its reputation makes their threats just as scary.

Certified Security

Is the reason that your Web site or database has resisted attack because your defenses are strong, or because no one has gotten around to attacking you yet? Most likely it's the latter. There are millions of Web sites and only so many hackers, so you may have to wait your turn. If you are one of those fortunate sons who have never been attacked, you likely have a lot of questions. They go like this: How do I protect myself? Follow that with: How do I know I'm protected? And then add: Who do I trust for security? Finally we get to the heart of the matter: How much security is enough?

The Center for Internet Security (www.cisecurity.org) is seeking answers, particularly to that last question. A non-profit organization made up of 170 businesses, including Swiss Re, Allstate, and National Life Assurance of Canada, CIS is working to achieve global standards for the security of operating systems, according to Bert Miuccio, its director of benchmark services. "What we hope to [do] is to place a marker out there, a level of security that represents a consensus," he said. The organization is looking at a Level 1 minimum and a Level 2 of higher security for best practices. "Then you can compare your own security with the benchmarks," he said.

CIS has established Level 1 benchmarks for Windows 2000, Solaris, Linux, HP-UX, and Cisco routers. (The benchmarks are free and available on the CIS Web site.) He said cooperation, but not necessarily collaboration, from the manufacturers is being sought. Sun and Microsoft have reviewed the benchmarks for their systems and gave CIS some feedback, but the organization is not looking for the companies to become members. "We might go beyond what they might recommend to their users," he explained.

Volunteer teams are formed to reach a small-group consensus. A draft of those recommendations is then circulated to a larger group before the entire CIS membership approves it. "Our goal is to improve security for the Internet," Miuccio said. "Security of your system is only as good as the security of someone connecting with it, even if it's only an Internet connection."

Miuccio said the insurance industry is in a unique position to promote network security. He likens business policies to automobile policies. "I get reduced premiums on my car insurance if I have airbags," he said. "You could do the same with Internet security." When the day comes that CIS benchmarks are widely used and insurers apply them to premiums, that will exponentially increase the rate at which companies adopt security. RRH

Whatcha Gonna Do When They Come for You?

Guess what? No matter how good you think your security is, there's a good chance you'll be the victim of a break-in or attack. Then what?

Companies need to develop an incident response plan, said Chris Klaus of Internet Security Systems. If the company's system has been attacked, the right people need to know what steps to take, from shutting down a router to calling the FBI. "What's the decision tree on that?" he asked.

Some companies don't like to get law enforcement involved in an attack because their network then becomes a crime scene. Corrective measures might have to be delayed while investigators look at the evidence.

Interhack CEO Matt Curtin also points out the difficulty of catching the attackers. "Normally, it's too expensive to find the individuals involved in the attack," he said. "The company just winds up eating the loss." That can be an expensive meal, though, particularly if your board of directors is blessed with 20/20 hindsight. "You have to look at the cost of hiring staff to fix your security," Curtin said, "but you can spend 10 times the amount on cleanup rather than prevention."

"There are times when it is advisable to bring in law enforcement, and there are times when it is not," said Karsten Johansson, senior information security advisor for KSAJ. "Sometimes you need to get your business up and running as quickly as possible. You can't do that if you bring in the police." He believes confidentiality is another key factor in that decision. "You can bring up a whole heap of liability issues if a hacker gets into your network and gets hold of the credit card numbers of your customers." RRH

© 2024 ALM Global, LLC, All Rights Reserved. Request academic re-use from www.copyright.com. All other uses, submit a request to [email protected]. For more information visit Asset & Logo Licensing.