Network and data security are the responsibility of everyone within the enterprise, but ultimately CIOs, or their designees, have to take charge. The task today is twofold: First, ensure no one is breaking into the company's most valuable assets, and second, assure the company itself is not breaking any regulatory laws designed to protect policyholders and stockholders.

By Robert Regis Hyle

It is every IT executive's worst nightmare: The technology that powers the company has been rendered useless, either by a man-made or a natural disaster. It's enough to make a CIO wake up at night with cold sweats because the CIO is the one who is going to have to face the CEO or the board of directors and explain what went wrong. "One of the biggest challenges at the CIO level is CIOs first need to understand their organizational dependency on technology," says Carol Woody, a senior researcher with the CERT Coordination Center. "Which of their business functions has to have technology to exist or to be complete? And what would be the impact to their organization if [the technology] wasn't available for whatever reason? You need an effective backup plan to deal with those types of natural disasters."

Who's the Boss?

When it comes to security issues on his turf, Glenn Headley, CIO at The Republic Group, a regional property/casualty carrier in the Southwest, has to take the credit or the blame. "The CIO ultimately is accountable for security in the corporation, ensuring there is appropriate data ownership," he affirms. Still, those using that data or dealing with the corporate Web site have to know their place in the world of security. "We have a policy where we pass some of that responsibility back to the [business] departments," he says. "We require each department to have a designated owner of its data. Those folks are the ones who must authorize access to the information. That [authorization] passes through our quality-assurance folks. They validate it with appropriate authorization to sign off access to various systems."

Headley likes this policy, which originally came down from Republic's former owners, Credit Suisse. "It's very reasonable," he maintains. "We embraced it and moved forward. It was much easier to sell back then [in the late 1990s]. It probably would have received some resistance if we had done it without the support of Credit Suisse group. We've continued to follow the same policies and procedures since we've taken our company private [in 2003]."

Ira Winkler, a security consultant and author (his book Spies Among Us will be published in March by John Wiley & Sons, Inc.), believes because the insurance industry is made up of divergent companies, the best thing for a CIO to do is to look within the operation. "Clearly, a midsize company is not going to have the same resources to put to security that a company such as Prudential might," he notes. "What I recommend is everybody start with what they already have. A lot of what people need is free; they just don't know it's actually there." As examples, Winkler cites tools to update computers automatically that are included in the systems, turning on firewall options that are built into the systems, and controlling physical access to data centers. "Regular backups are critical to all companies, and that's freely available," he points out. "It's really just a matter of knowing what's there and implementing what's there and [companies] exponentially can decrease their risk. CIOs have to realize most break-ins come not from super-advanced attacks but just from basic attacks that can be prevented with basic countermeasures."

First Steps

The first thing to do, Woody advises, is for carriers to examine where technology affects their business functions. "What are their critical business functions?" she asks. "If e-commerce and a Web site to communicate with customers are key pieces of your strategy, then, obviously, technology is a key component that is important to you. You need to think about what would happen if it goes out for four hours, if it goes out for a day, or if you can't get to it for a week. What would each level of catastrophe mean to your business?"

Most businesses don't recognize their dependency on technology, she contends, because it's grown slowly over time. "You also are dealing with an existing population that is heading these businesses that has not seen how technology can and is being used," says Woody. "So, you have things such as instant messaging suddenly becoming a major communication vehicle in your environment, and it just happened overnight. Nobody really planned it. You have people working on BlackBerrys all over the place. You didn't plan that, but now your business environment is dependent on it."

Recognizing and understanding these situations are the first steps in the process, claims Woody. "Once you recognize your dependency, you can start looking at how important it is if something should happen," she says. "What you do might vary depending on what you view as a threat. Is it natural disasters? Do you have widely dispersed resources that are relying on public networks, so you have potential risks of snooping? Do you have high turnover in your employee population or a lot of contractors? Who is looking at data and how they are looking at it could be a major threat."

Once they understand the dependency of the business, CIOs can study what can hurt the company and establish their tolerance for pain. "It's a balancing act between how much pain you can tolerate vs. how much money or effort or energy you have to throw at doing something that will help you avoid that pain," says Woody. "It's almost like going to the doctor and deciding how much preventive medication you want to take."

SOX It to 'Em

The Sarbanes-Oxley Act (SOX) has been a major force in the security world, requiring publicly traded companies to meet certain requirements in the area of security and privacy. SOX has helped CIOs, Headley asserts, because they no longer have to do battle with CEOs to get more security money in the budget. "Being a regulated industry and subject to regulatory audit, [SOX] leads to a great deal of cooperation within the company," he says. "The Sarbanes-Oxley Act forces compliance with technical security practices. So, it is much easier today than it was 10 years ago. I haven't seen any of the regulatory requirements or even compliance with SOX that would be unreasonable. They all support reasonable business practices."

Regulatory compliance has forced carriers to enhance the way they look at and focus on the security area, particularly in securing data and their systems' access control, according to Mike Lang, chief technology officer at GE Insurance Solutions. "Within GE, we've always been very aware of those needs and requirements, but it's nice now that from a business level, everybody's aware," he says. "It's not just the security guys or the IT guys worried about who has access to your systems and your data. It's now a corporate initiative, which makes it easier for folks in our roles."

SOX has helped GE in the carrier's test plans, Lang believes. "It's always great to have an external auditor come in and look at those control plans to validate you so you can see whether you actually are as good as you were hoping you were," he says. "As much work as [SOX] has been, it's probably been a very good exercise for us here, and I'm sure it's been a good exercise for everyone involved."

Kevin Yeamans, IT security officer with GE Insurance Solutions, suggests constant reminders to users about their responsibilities are invaluable. "The SOX stuff has helped us get in front of [users], so when we start talking about segregation of duties, access controls, access based on rules and a need to know, they understand it," he says. "[Users] now really are part of our security team. It's not just the IT people who manage the controls; it's the data owners and the users. It makes the team bigger and enhances the business focus."

Dave Powell, senior Web technical engineer for Applied Systems, agrees SOX has been helpful for IT departments. "In the past, security and privacy always took the back seat," he says. "They never received funding. Companies didn't think [security] was important. It helps the companies be secure and everybody do the right thing. Most of the legislation is there for a reason. Has some of it gone overboard? Yes. But there are tools out there to help everybody comply. At times it does become expensive, but it still is within reach of companies."

Keep Them Out

There are only two basic ways to hack into a computer system, Winkler claims, no matter what the technologies are. "The first basic way is to take advantage of problems built into the operating system," he explains. Problems built into operating systems can be countered by updating. "All software has bugs," he says. "Some bugs create elevated privileges or information leakage. Those bugs are security vulnerabilities. When they are found, vendors put out updates for them. People just have to remember to stay on top of the dates. Not that that's overly simple, but it's relatively free."

Winkler understands some people have a problem with installing upgrades, but he doesn't believe upgrades should create problems. "There is fear if you install something, it is going to break the system, but for 90 percent of the systems inside an organization, there is little risk in just blindly uploading [upgrades]," he says. "It's not perfect, but for non-mission-critical systems, people have to consider implementing these fixes as quickly as possible."

One hundred percent of Republic's personal lines business comes in over the Web, Headley states. "It's a secure site," he says. "We have written our own access security within that site. It's user-ID and password protected." One problem carriers face is getting independent agents to do things such as changing passwords. "They do not have direct access into our systems," he notes. "All the information they are entering is pre-edited before it hits our production systems for both new business and changes. They have direct access on a query basis for billing and claims. We've sent notices out to our principals and our agencies highlighting the importance of security and the implications if they allow an ex-employee to access [the systems]. They are independent businessmen, though, so it can be hard to enforce."

The second way people break in is by taking advantage of the way users and administrators configure and maintain the system, according to Winkler. "Just by changing a permission setting or deleting some demo files that tend to sit on systems, those simple things really help to increase security." For example, Winkler broke into a large financial company because the password on the administrator account was "administrator." "I'm talking about really simple things. Changing passwords, changing account names off the default: the little things make a huge difference," he advises. "I'm not saying it's going to create perfect security, but it's definitely going to cut 95 percent of the problems by doing the simple things."

At Republic, upgrades are controlled through the carrier's development methodology, which requires the user to accept and sign off on any change or new implementation from a systems perspective. "We require the users to approve everything we move," says Headley. "They are part of the approval process. The quality assurance group will not make a production migration without the appropriate authorization, and that authorization must come from the user and the IT organization."

As for passwords, Headley claims the Republic system forces password change every 30 days. "We send reminders out the password must be so long and there are certain restrictions, but you can't police them all," he says. "We force them to change, but you can't stop them from using their dog's name [as a password]."

Carrier Options

In the process of its research, Woody reports CERT got a good sense of two effective areas that are being addressed. "One of them is basically outsourcing the security function, but outsourcing it with security people who are familiar with that size of business," she says. "There are two ways because there are two strategies for doing it. One of them is the business itself retains the equipment, the software and the technology control, under its umbrella, but it hires someone else to help make [the equipment] secure."

The second strategy is to outsource everything so carriers remotely connect to some application servers or some support group that handles not only security but all business needs. "There are pros and cons to both of them, but they can be effective if they are well managed," says Woody. "[Security outsourcing] has the same problems outsourcing has in large organizations. It's not just something [for which] you pick somebody out from the Yellow Pages and feel comfortable. [Carriers] really need to make this assessment before they make a contract with the outsourcer so they understand how much value they will gain or what risks this particular strategy will help them address. This really is a mitigation approach. You don't want to hire all the expensive resources and manage them all yourself. You are going to find somebody with the expertise to do that for you."

Reaction to an incident is an important part of the process, as well. GE's Yeamans says with any incident, whether it's a security breach or a vulnerability, it's important to take responsibility and do some form of root-cause analysis. "Based on that analysis, take some irrevocable corrective action, whether it's patching a hole, cleaning up access, installing server patches, whatever the case might be," he says. "You have to have that ability to pull together a tiger team and come look at the problem. People need to understand when incidents occur and the team is called together that you can't take the various IT leaders and give them the ability to say they don't think it involved them and they are not going to participate. You get the input from anybody and everybody who could have actions that possibly need to be taken."

GE has tied a tremendous amount of change control into its systems, and security personnel can look at specific times or applications that may have caused hiccups. "We can correlate those back to intentional changes or unintentional outages," says Yeamans. "We can find out whether that event was within our control or out of our control."

It's Out There

Woody points out people choose to ignore potential security problems, even in the face of daily news accounts of the dangers. "Some businesses felt they were less vulnerable in the past because they didn't have any assets people would bother with," she says. "What they now are recognizing is just the fact they have a computer; they have a resource someone else might like to use and potentially use it illicitly. There certainly have been cases where, unbeknownst to individuals, their machines have been used to store illegal copies of music, pornography, communication with spam, and suddenly they are a base for illegal e-mail."

Companies should first determine their vulnerabilities, Winkler adds. "They should figure out potential loss resulting from vulnerabilities, and frankly, in many cases, the losses are huge for insurance companies," he says. "And then determine which measures counter the vulnerabilities they have and figure out how to implement those. Security has to be looked at as an ongoing process, not like a couple of annual educational sessions."


Top Vulnerabilities to Windows Systems

1. Internet Information Services (IIS)

2. Microsoft Data Access Components (MDAC): Remote Data Services

3. Microsoft SQL Server

4. NETBIOS: Unprotected Windows Networking Shares

5. Anonymous Log-on: Null Sessions

6. LAN Manager Authentication: Weak LM Hashing

7. General Windows Authentication: Accounts With No Passwords or Weak Passwords

8. Internet Explorer

9. Remote Registry Access

10. Windows Scripting Host
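The list names the exposures but not how to check for them. As an added example (not from the article, CERT or any of the people quoted), this read-only PowerShell audit reports the local registry values and services behind items 4, 5, 6, 9 and 10 of the Windows list; the expected values are assumed hardening targets, and the script changes nothing.

```powershell
# Added example, not from the article: a read-only audit of the local settings behind
# several items in the Windows list above. Run in an elevated PowerShell session.
$lsa = 'HKLM:\SYSTEM\CurrentControlSet\Control\Lsa'
$wsh = 'HKLM:\SOFTWARE\Microsoft\Windows Script Host\Settings'

function Get-RegValue($Path, $Name) {
    # Return $null when the key or value is missing instead of throwing
    try { (Get-ItemProperty -Path $Path -Name $Name -ErrorAction Stop).$Name } catch { $null }
}

# Expected values are assumed hardening targets, not anything the article specifies
$checks = @(
    # Item 5: anonymous (null-session) enumeration of accounts and shares
    @{ Item = '5. Null sessions';       Path = $lsa; Name = 'RestrictAnonymous';    Expect = { param($v) $v -ge 1 } }
    @{ Item = '5. Null sessions (SAM)'; Path = $lsa; Name = 'RestrictAnonymousSAM'; Expect = { param($v) $v -eq 1 } }
    # Item 6: stop storing the weak LAN Manager hash and refuse LM/NTLMv1 responses
    @{ Item = '6. LM hash storage';     Path = $lsa; Name = 'NoLMHash';             Expect = { param($v) $v -eq 1 } }
    @{ Item = '6. LM compat level';     Path = $lsa; Name = 'LmCompatibilityLevel'; Expect = { param($v) $v -ge 3 } }
    # Item 10: Windows Script Host enabled system-wide (0 disables it)
    @{ Item = '10. Scripting Host';     Path = $wsh; Name = 'Enabled';              Expect = { param($v) $v -eq 0 } }
)

foreach ($c in $checks) {
    $value   = Get-RegValue $c.Path $c.Name
    $display = if ($null -eq $value) { 'unset' } else { $value }
    $status  = if ($null -ne $value -and (& $c.Expect $value)) { 'OK' } else { 'REVIEW' }
    '{0,-26} {1,-21} value={2,-6} {3}' -f $c.Item, $c.Name, $display, $status
}

# Item 9: the Remote Registry service should be stopped and disabled where it is not needed
$svc = Get-Service -Name RemoteRegistry -ErrorAction SilentlyContinue
if ($svc) { '9. Remote Registry service: status={0} startup={1}' -f $svc.Status, $svc.StartType }

# Item 4: shares this host exposes; review any that no business function needs
Get-SmbShare | Select-Object Name, Path, Description
```

A value reported as "unset" means the operating system default applies, which differs between Windows versions, so treat it as something to confirm rather than as a pass.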


Top Vulnerabilities to Unix Systems

1. Remote Procedure Calls (RPC)

2. Apache Web Server

3. Secure Shell (SSH)

4. Simple Network Management Protocol (SNMP)

5. File Transfer Protocol (FTP)

6. R-Services: Trust Relationships

7. Line Printer Daemon (LPD)

8. Sendmail

9. BIND/DNS

10. General Unix Authentication: Accounts With No Passwords or Weak Passwords
