Coordinating the Three Prongs

Granado believes specialization has drained the pool of quality security professionals. Five to seven years ago, an information security guy was an information security guy, he says. He did the policy, he did the firewall, he was the incident response guy. Today, the field has grown to a point where you have a specialist in each of those areas, and there is a shortage [of personnel] in each of those respective elements.

Even with the right people and great technology, if the process is not in place, a company is vulnerable to attack. Granado believes businesses need a security agenda. It drives what you are trying to protect, he says. It involves why and how you are going to allocate finances, people, and resources. Without such a strategy, he says, You are putting out fires as they come up, and youre never going to gain ground with respect to increasing your security posture, which is what everyone should be striving for.

The technology most mentioned for protecting back-end systems is intrusion detection software. Granado says intrusion detection complements the perimeter defenses and is aimed at specific applications. Knowing when someone is inside your system and where that person is going are just two basic areas. He believes insurers also need to have good housekeeping practices. Security personnel need to know the configuration of all applications on the server. You need to challenge these kinds of things because if someone does compromise that application and the application has administrative access, whoever has gained access can do whatever he wants to whatever it is connected to.

Tackling these kinds of issues, Tom Borton, chief security officer at Firemans Fund Insurance Co., participated in the establishment of a new set of security standards for Firemans Fund parent Allianz, the huge German-based insurance group. By establishing corporate standards, each Allianz company must be in compliance in areas such as security management, how to craft policies, and meeting standards or guidelines. Once you electronically connect yourself to another entity, its insecurities become yours, says Borton. We all need to have that baseline.

One area that Firemans Fund studies is vulnerability assessment, according to Borton. Im proactive in making sure our customers data is protected at all costs, he says. There is no total protection from vulnerabilities, but I certainly work hard to reduce that to the absolute minimum.

Using vendors such as TruSecure to conduct its vulnerability assessment, regular checks are made at Firemans Fund, particularly on Internet-facing connections. Anytime you have a human being involved, you want to be a little careful, and we all use human beings to manage our firewalls, Borton says.

Whats Your Flavor?

There are two types of intrusion detection software for companies to consider, according to Steve Korb, a security analyst for RedSiren, an information security services provider in Pittsburgh, and a Certified Information Systems Security Professional (CISSP). One defends against external attacks, he says, the other defends against attacks from within. A network-based system monitors all traffic on the network and searches for specific patterns. A second system is host based and is designed to monitor internal attacks and illegal behavior. It will alert you to things such as an administrator logging on to the system at 3 a.m., he says.

Which brings security professionals to yet another problem: the detection of so-called false positives. Security people want to know when something is wrong, but too often they receive false alarms or the software misinterprets normal network activity. Its giving you an indication something is wrong, but in fact it could be normal behavior, says Korb.

False positives are costly to a company, both in time and money. The move to reduce them will be a combination of the technology itself as well as the human factor of someone looking at the alerts on the back end, Korb says. He believes vendors are heading toward anomalous behavior detection and says the technology will get a sense of what normal traffic is on the network and alert the security personnel to something out of the ordinary.

Proactive vs. Reactive

Rather than wait for business to get around to finding the best way to secure data on its customers, the federal government has stepped in several times, most recently with its antiterrorism mandates and with the earlier Gramm- Leach-Bliley Act. Frank Petersmark, vice president of IT for the Farmington Hills, Mich.-based Amerisure, believes insurers would have found their way to better security and privacy considerations without the governments help.

A lot of us have grown up with the thought process that you have to have at least a decent security infrastructure in place, he says. I thought companies were getting to that and in a lot of cases were more adept at getting there than the government. Petersmark understands todays world, though. In light of recent events, I dont think its bad that weve seen a big increase in awareness in the private and the government sector, he says.

Jeff Fehn, director of IT at Virginia Farm Bureau Insurance, says the competitive insurance environment brought about some of the security awareness. A lot of [data] is on the public record to begin with, he says. But on the other hand, we dont want folks poking around our customer lists and some of the things we feel are our valuable assets. We probably would have taken [security] steps anyway.

Regional insurers face many of the same problems as national carriers, according to Fehn. Security has picked up as we provided more opportunities for people to get in [to the systems], he says. Once you start doing that, you have to get serious about letting in only those you want to come through those doors and only allow them in as far as you want them to go.

Petersmark agrees it is a balancing act. Weve had a big focus on protecting information from the privacy perspective, he says. At the same time, we are trying to satisfy legitimate business requests from agents and policyholders who want a more liberalized access to that informationlet me see it on the Internet when I want it and let me download it.

He believes the conflicting needs of customers and agents were a major challenge for insurers even before the heightened awareness of security began following 9/11.

Inside Job

Its much easier for IT people to worry about external attacks from faceless enemies than to consider that someone down the hall may knowingly (or unknowingly) be the culprit. Petersmark says whatever you do to ensure security internally may not be enough. A lot of problems come from within your own organization, he says. Thats more problematic. People need a certain amount of authority to do their job.

Buckeye has a standalone server that it uses for virus protection. It automatically screens e-mail and checks for virus definitions whenever a user logs on the PC. It also checks remote users as well. Haines points out that forming a defense of your network doesnt do much good if someone can gain access through holes in a remote users firewall.

Borton believes having a solid user platform process within a company is more cost effective and requires less maintenance and support. Such a platform allows carriers to build average user profiles. Such profiles can cycle passwords on a regular basis and allow companies to ensure the workstation is logged off when the user gets up and leaves the terminal for longer than 15 minutes.

Another potential soft spot involves independent agents. They are partners with carriers, but the relationship can be tricky when it comes to security. You want to make sure that Agent A has access only to Agent As information, says Borton. And that Agent B does not have access to Agent A. To do that, Borton says carriers have to establish a delegated administrative process so agencies can administer their own user ID accounts. Firemans Fund has its own solution in place for this. Were very careful in allowing just enough access, he says. You never want to just open your door and say, Here, you have full access. You want to facilitate that business relationship by providing the access required to do business.

The balance between protecting the corporate assets and helping agents to use those assets to make money for both sides is worthy of the Great Wallendas. We want to make the interface the least painful as possible, says Borton. But yet maintain security on their data, our data, and our customers data.

If a carrier never has been seriously hit by an attack, it may not be as willing to commit to a stronger defense. Its a risk management issue, says Granado. There is a fair percentage of folks who can say theyve never had an issue. But when that first issue occurs, all of a sudden theres money coming out of nowhere, and theres a huge emphasis on security. Ive seen a huge increase in the number of folks who made the turn from reactive to proactive.

Haines doesnt believe that size matters in this case. Ive known a couple of companies with 1,000-plus users who were down for a couple of days because a virus got them, he says. Were not going to be one of them.

Unfortunately, according to Borton, there seems to be only one surefirethough not very pragmaticsecurity solution: In a perfect world, the most secure computer is not opened and still at the manufacturer, he says.

Security Software and Consultants

AdminForce Remote LLC
Philadelphia, Pa.
610-734-1900
www.adminforce.net

CMS Peripherals
Costa Mesa, Calif.
714-424-5520
www.cmsperipheralsinc.com

DynTek, Inc.
Irvine, Calif.
949-798-7215
www.dyntek.com

Engedi Technologies, Inc.
Fairfax, Va.
703-273-3389
www.engedi.net

Financial Services Information Sharing and Analysis Center
Herndon, Va.
888-660-0134
www.fsisac.com

Oblix
Cupertino, Calif.
408-861-6800
www.oblix.com

Ovum
Boston, Mass.
800-642-6886
www.ovum.com

Psynapse Technologies
Washington, D.C.
202-298-2600
www.psynaspetech.com

RedSiren
Pittsburgh, Pa.
877-360-7602
www.redsiren.com

SysAdmin, Audit, Network,
Security (SANS) Institute
Bethesda, Md.
866-570-9927
www.sans.org

TruSecure
Herndon, Va.
888-627-2281
www.trusecure.com

Tumbleweed Communications
Redwood City, Calif.
650-216-2000
www.tumbleweed.com

How to Keep Out the Bad Guys

Depending on how much access a company allows outsiders to its data and how much money its willing to spend, there is a security match for just about anyone doing business electronically. Security can be as basic as a firewall or virus protection, or it can go into more detail with encrypted filestores and virtual private networks (VPNs).

Privacy is a factor in any security plan, says Jamie Bisker, research director for the insurance practice at consultant TowerGroup: You have to have a plan thats in place. One of the basic tenets of a good security system is not advertising what it is.

Insurers need intrusion detection software to understand traffic on the network and where its coming from. The ability to catch unauthorized visitors is important, but Bisker points out most systems need good monitoring. You can look at your filter logs or router logs and get an IP address thats horsing around, but to catch it in real time and react to it you have to have your routers set up for that.

Another step is authorization software. Hackers have the ability to get into a companys network through a corporate users broadband modem at home. When you send IP packets out, you are advertising where they came from, and another system will see that and go back for it, says Bisker. But if you use a router at home, its a simple level of security because it reassigns the address so nobody can get into your computer. Someone just gets your router.

Encryption software is necessary, particularly for health insurers dealing with privacy issues mandated by HIPAA. You have to be able to prove that no one can see the information other than the person who is supposed to see it, Bisker says.

Encrypted filestores encrypt the data filed in data stores. Bisker doesnt believe many insurers are going to the trouble of implementing this, but the danger to attack is real. If someone got in, that person would have access to raw data feeds, he says. Certainly companies want to start thinking about that. Its not if you get broken into, its when.

Insurers also can step up the security through a VPN. Its a level of security one up from the public Internet, says Bisker. The problem with a VPN is if you are using a non-broadband access mechanism, you may not have the throughput necessary for the routers to acknowledge your existence. Thats the ultimate privacy.