
feature

networks which look like real targets for pro hackers — E-commerce and banking sites, for instance — rather than the current production network model.

That could catch a different breed of hacker, the dedicated criminal looking for monetary gain, rather than hacker status or cheap thrills. And, as Kurtz says: "it will provide a much broader picture of the types of attacks taking place and the aptitude of the attackers".

A matter of finance

However, the second phase of the project presents something of a funding challenge.

Honeynet was set up as a voluntary effort by founder Lance Spitzner, who gained his intelligence skills in the US army and his IT experience at Sun Microsystems.

So far, the project has not received any major funding — even the equipment has been donated. It depends largely on the efforts of 30 active volunteer members, ranging from technology officers and executives at companies such as Sun, Cisco, and Foundstone, to academics and 'reformed blackhats'.

The project has received charitable status, and expects to raise some funds by the sale of the book Know your enemy based on the first phase of the project.

But, Honeynet is now "actively pursuing other funding alternatives" according to George Kurtz, and has just submitted a $340 000 grant application to the National Institute for Standards and Technology (NIST). The NIST decision is expected imminently. It's also been suggested that some ISPs will assist with the rollout of the second phase.

It will be interesting to see how the Honeynet Project progresses. Certainly, computer security — indeed security of all kinds — has moved up the priority list after the events of 11 September. This might help.

Visit http://project.honeynet.org to find out more.

Forensic challenge

The Forensic Challenge was a contest organized by the Honeynet Project to promote learning about incident response. It allowed incident handlers around the world to use real data to investigate the same intrusion, with access to all the same data. It was taken from a real honeynet.

The rationale for so doing was:
• Honeynet Project is not short of compromised systems.
• Not everybody can (or should) set up their own honeypots.
• Nobody had yet answered public demand in the community for "in the wild" disc images to practice on.
• Everyone gets to share data without having to deal with corporate privacy issues.

The prize for the challenge was a copy of a security book, yet competitors put in many hours of their time to produce their analysis. The Project accepted 13 solutions.

Honeynet Project members will use the information gathered to share best practice guidelines and tips with the community.

Dave Dittrich from the Project commented on the results, “One thing is for certain. It is much harder and takes more skill to figure out what was damaged than to do the damage. Take a very close look at the top submissions and you'll see what I mean.”

Check out http://project.honeynet.org/challenge/results/index.html for more.

Should I Buy ‘Hacker Insurance’?
Jason Chan, @stake

With website defacements and hacker attacks rife, businesses are increasingly looking toward digital insurers for protection. How do these insurance policies impact upon the uptake of security precautions, at a time when the need for protection is just beginning to be heard?

As security practitioners, we’re used to being exposed to change and new technology. Virtual private networking, new security vulnerabilities and exploits, intrusion detection — we’ve all had our turn at trying to get our hands and minds around these issues. Quickly mastering these concepts and applying them to the protection of networks, data, and applications is our bread and butter.

But, insurance, risk transferral, actuarial tables — how do these seemingly off-topic subjects apply to digital security? As anyone in this business knows, it’s difficult, if not wholly impossible, to secure all of an organization’s digital assets.

Even now, when information security efforts are garnering more attention — and more budget — than ever, there’s always another Web server to be patched, another database to be backed up, another virus update to be downloaded, and there are only so many hours in the day.

To fill this gap between what we want to protect and what we are able to protect, more and more insurance companies are coming forward to offer insurance protection against digital threats and attacks.

dec.qxd 11/20/01 4:00 PM Page 9 (Black plate)


It’s a simple enough concept — pay some amount of money per month, and if your website is compromised, you get a payoff to cover downtime and lost revenue.

How it works

But, the issues aren’t so clear-cut, and this type of coverage is not simply an extension of ordinary business insurance. Especially now, as more organizations are starting to take digital security seriously, these insurance initiatives must be fully understood.

These are the issues that must be understood.
• How is this so-called “hacker insurance” different?
• What are the salient issues tied to its growth?
• How will these policies affect the relative security of covered companies, and with what issues should the Internet, as a whole, be concerned?

To shed light on some of these questions, it’s useful to draw parallels and illustrate differences between these digital insurance policies and a type of insurance coverage we’re all familiar with — car insurance. After all, the Internet is the “Information Superhighway,” isn’t it?

Driving carefully

Pardon the stale reference, but there are some concepts that can be cleared up with this comparison.

First, consider some of the common factors that can influence a given driver’s auto insurance premiums.

In general, “safer” cars, as defined by years of actuarial data and other information, bring with them lower insurance payments — i.e. insuring a Volvo is cheaper than insuring a Porsche.

Even in its infancy, we’re seeing similar trends in digital security insurance — safe systems should be cheaper to insure than riskier systems, right?

Quantifying the risk

For customers using Microsoft’s NT operating system, premiums for some of the Wurzler Group’s insurance offerings are 25% higher [1].

So, based on this premium difference, are we to assume from a risk perspective that Volvo is to Porsche as Unix is to Windows? The problem with this sort of discrepancy is simple: data, or the lack thereof.

Data poverty

There are informal and incomplete statistics (check any of the popular Web defacement mirror sites), as well as plenty of anecdotal evidence that could point to Microsoft being the more insecure platform, but there certainly exists nothing like the years of verifiable actuarial data available for auto insurance, and certainly no evidence that can justify 25 percentage points on a premium.

And, more importantly than the lack of hard data, anyone who has worked in security for any time knows that the chosen product is just a minor factor affecting risk; it’s the implementation, management, and policy that accompanies the fielded system that will determine the security exposure any given device generates.

Training

Turning to another method of lowering car insurance premiums, some insurers offer discounts for drivers who have completed defensive driving courses or driver’s education classes.

The idea is to target and reward drivers who have taken a proactive approach toward reducing risk. Again, years of research go into supporting this means of premium reduction.

Similar to the auto insurance industry, many digital security insurers are offering significant premium discounts for organizations that are working toward recognizing and reducing their risk, mostly through network security assessments.

Assessments

In fact, many insurers require initial and recurring assessments for continued coverage. In most cases, network security assessments are effective at strengthening an organization’s network security, at least in as much as the assessed entity takes action on issues discovered and works to improve and maintain its security.

The issue here is not whether these assessments and scans are a good idea. If done correctly and thoroughly, which anyone who has done a network assessment or penetration test will testify is not a simple matter, these steps are beneficial. However, for these kinds of assessments to be more than simply items to be crossed off a checklist, the security reviews must be undertaken and understood within the business context of the organization being evaluated.

Core business diversity

Online casinos have different security requirements to banks; hospitals have security policy issues that vastly differ from those faced by public utility companies, and so on. Will these security check-ups for insurance purposes address these issues?

And even in highly secure sites, incidents inevitably occur. So what happens then? How are losses quantified? With auto insurance, losses are fairly discrete: a broken fender has a fairly standard price; medical bills are somewhat predictable; missed workdays are easily assigned a dollar value. Perhaps the only room for variance is in damages assessed for pain and suffering and related losses, although the history of such monetary penalties and awards is large and full of precedent.

[1] See www.theregister.co.uk/content/8/18324.html

How much does a defaced website warrant in an insurance pay-out? Yes, recovery expenses, forensic costs, and even lost revenue can be quantified. But, what about the infinitely more important metrics of reputation capital and customer confidence?

Surely there are security events that could occur on the Internet that would so severely damage a company that business continuity would not be an option.

What about the other guy?

Damage to the insured is one issue, but damage done to third parties is at least as much of a concern for automobile, digital security, and other insurers.

In exchange for your monthly car insurance payment, you expect to be covered for damage done to your vehicle.

However, depending on your policy, you also expect coverage for harm that you and your car inflict on other people and property. This type of coverage in the digital security insurance space is likely to be difficult to find and prohibitively expensive to retain.

Damage limitation

With auto accidents, time and space limit the amount of damage that can be done by an individual in a single event. However, on the Internet, everyone is within reach, and the amount of collateral damage that can be inflicted on inculpable and otherwise uninvolved parties is virtually limitless.

Credit card and other financial databases packed with critical customer or business partner data can be stolen; compromised systems on one network can be used to attack systems on the other side of the world; email viruses seeded with addresses from a company directory can spread rampantly and clog mail servers — the possibilities for injury to uninvolved groups are numerous and significant.

Counting the cost

Calculating the costs of such incidents is difficult; appropriately compensating the affected parties is most likely impossible. Claims against a site used as a launch point for a successful and widespread DDoS (Distributed denial-of-service) attack could easily outstrip the value of the insured company’s entire business, let alone its digital insurance policies.

And what about the influence of increasingly available digital insurance on attitudes toward information security in general?

Complacency

Will the apparently stringent requirements for initial and recurring coverage strengthen the push toward digital security’s acceptance as a business requirement and enabler? Or will the presence of an insurance policy create lax attitudes toward securing some systems, with some administrators, buoyed by the belief that insurance will cover losses, postponing system patching and hardening of insured systems?

Well, just because you have car insurance doesn’t mean you’ll be flying down the road blindfolded. But, on the other hand, doesn’t that same insurance policy make you feel better about leaving your CD collection in the car at night, comfortable with the fact that your beloved music compilation will be replaced by insurance money should it be stolen?

So, what is to be made of these digital insurance policies? Are they worth it? First, ask yourself a few questions.
• Do you realize and accept that digital threat insurance does not provide security, just a means of transferring risk-associated losses to another party?
• Do you understand the security risks that your organization must mitigate?
• Do you understand the security risks that your organization can bear or transfer?

Answer these questions for yourself, and then you’re ready to decide on the appropriateness of digital threat insurance for your organization. But, whatever you decide, keep one thing in mind — always wear your seat belt.
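As an added example, not from the article or from @stake, the following Python script puts the article's argument about risk transfer into numbers: a policy with a deductible and a per-incident limit, third-party liability that is either excluded or capped, and reputational loss that is not covered at all. It answers the "bear or transfer" question for a set of incident scenarios by splitting each loss into what the insurer pays and what the organization keeps. The scenarios, probabilities, policy terms and the company value are constructed assumptions, not figures from the article or from any insurer.

```python
"""Added example (not from the article or @stake): how much of an incident's
loss a hypothetical 'hacker insurance' policy actually transfers once a
deductible, a per-incident limit and exclusions apply.
Every scenario, probability and policy figure below is constructed."""
from __future__ import annotations

from dataclasses import dataclass
from typing import Iterable


@dataclass(frozen=True)
class Policy:
    annual_premium: float
    deductible: float                 # insured pays this much of each covered loss first
    limit: float                      # most the insurer pays for one incident
    covers_third_party: bool = False  # liability to outside parties, e.g. DDoS victims


@dataclass(frozen=True)
class Scenario:
    name: str
    annual_probability: float
    first_party_loss: float   # recovery, forensics, lost revenue: quantifiable
    third_party_loss: float   # claims from others harmed through your systems
    reputation_loss: float    # brand and customer confidence: excluded in this model


def split_loss(loss: float, policy: Policy) -> tuple[float, float]:
    """Split one *covered* loss into (retained, transferred)."""
    if loss <= 0:
        return 0.0, 0.0
    transferred = min(max(loss - policy.deductible, 0.0), policy.limit)
    return loss - transferred, transferred


def scenario_outcome(s: Scenario, policy: Policy) -> dict[str, float]:
    """Total, transferred and retained loss if scenario s happens once."""
    covered, excluded = s.first_party_loss, s.reputation_loss
    if policy.covers_third_party:
        covered += s.third_party_loss
    else:
        excluded += s.third_party_loss   # no liability cover: the insured keeps it
    retained, transferred = split_loss(covered, policy)
    return {
        "total": s.first_party_loss + s.third_party_loss + s.reputation_loss,
        "transferred": transferred,
        "retained": retained + excluded,
    }


def annual_expectation(scenarios: Iterable[Scenario], policy: Policy) -> dict[str, float]:
    """Probability-weighted annual figures, plus the net cost of carrying the policy."""
    total = transferred = retained = 0.0
    for s in scenarios:
        out = scenario_outcome(s, policy)
        total += s.annual_probability * out["total"]
        transferred += s.annual_probability * out["transferred"]
        retained += s.annual_probability * out["retained"]
    return {
        "expected_loss": total,
        "expected_transferred": transferred,
        "expected_retained": retained,
        "net_cost_with_policy": retained + policy.annual_premium,
    }


def ruinous_scenarios(scenarios, policy, company_value: float) -> list[str]:
    """Scenarios whose retained loss alone exceeds what the business is worth."""
    return [s.name for s in scenarios
            if scenario_outcome(s, policy)["retained"] > company_value]


# Constructed figures for illustration only (hypothetical, not from any insurer).
SCENARIOS = [
    Scenario("defacement", 0.30, 40_000, 0, 100_000),
    Scenario("customer-db-theft", 0.05, 400_000, 800_000, 2_000_000),
    Scenario("ddos-launch-point", 0.02, 50_000, 10_000_000, 200_000),
]
FIRST_PARTY_POLICY = Policy(annual_premium=60_000, deductible=25_000, limit=1_000_000)
LIABILITY_POLICY = Policy(annual_premium=250_000, deductible=25_000,
                          limit=1_000_000, covers_third_party=True)

if __name__ == "__main__":
    for policy in (FIRST_PARTY_POLICY, LIABILITY_POLICY):
        print(policy)
        for k, v in annual_expectation(SCENARIOS, policy).items():
            print(f"  {k:>22}: {v:>14,.0f}")
        print("  ruinous at $5M company value:",
              ruinous_scenarios(SCENARIOS, policy, 5_000_000))
```

Under these constructed figures the first-party policy transfers only a small share of the expected annual loss, and the launch-point DDoS scenario stays ruinous whether or not liability cover is bought, because the per-incident limit caps what can be transferred while the excluded reputational loss is kept in full. That is the point of the article's questions: a policy moves some losses, but the risks that must be mitigated or borne remain with the organization.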


Do you need hacker insurance? Some factors to consider:

• Does your company have annual sales or potential liability sufficient to warrant the expense of a "hacker insurance" policy?
  Large companies almost certainly do. SMEs need to think very carefully about this. Small companies mostly cannot justify the cost of the policy weighed against the risk.

• Does your company's online operations constitute a significant part of your business?
  The larger the share, the more necessary the coverage.

• Does your firm maintain a database of proprietary or confidential information which could be compromised by unauthorized electronic intruders?

• Would your company lose a significant amount of money per hour if an attacker blocks access to your website?

• What about the immeasurables such as damage to brand/reputation?
  Many firms use a different brand for their online presence in order to mitigate risk.
