Hack insurer adds Microsoft surcharge

[InfoSec News <isn () c4i org>]

http://www.zdnet.com/zdnn/stories/news/0,4586,2805929,00.html?chkpt=zdnnp1tp02

By Robert Bryce
Interactive Week 
August 20, 2001 12:05 PM PT
 
Insurance broker J.S. Wurzler Underwriting Managers has started
charging up to 15 percent more in premiums to clients that use
Microsoft's Internet Information Server software, which the Code Red
worm feasted on.

In light of the $2 billion in damage caused by Code Red, founder and
CEO John Wurzler's decision just before the virus hit seems prescient.
Wurzler gained notoriety earlier this year for hiking cyberinsurance
rates on companies that use Microsoft NT software on their servers.

So far, Wurzler appears to be the only insurer singling out Microsoft
for higher rates. And some security officials are not kind in their
comments.

"Wurzler is full of it," said Russ Cooper, the editor of the NTBugTraq
Web site and an employee of computer risk management and security firm
TruSecure. According to Cooper, Windows NT and IIS are easier to
secure than comparable Unix- or Linux-based servers because Microsoft
does a better job of publicizing and supplying the needed security
patches for its products. "It's easier to manage Microsoft server
software because you can get all the patches in one place," he said.

Wurzler, who has been selling hacker insurance since 1998, based his
decision on more than 400 security analyses done by his firm over the
past three years. Wurzler found that system administrators working on
open source systems tend to be better trained and stay with their
employers longer than those at firms using Windows software. That
turnover may mean that security patches don't get installed, said
Wurzler, who offers lower rates to clients that use NT and IIS if they
can show that their administrators are following best practices.

Microsoft itself fell victim to Code Red. "We have been very good in
patching our own systems. But we haven't been perfect," said Microsoft
spokesman Jim Desler, who believes Wurzler's move isn't supported by
the facts. "Within the last month, every major software vendor has had
a major vulnerability discovered," Desler said.

Emily Freeman, a senior vice president of giant insurance brokerage
firm Marsh, said the industry is watching Wurzler's move with
interest. Insurers are "concerned that some systems are more
vulnerable" than others, she said. But, she added, "There aren't any
actuarial tables yet to justify different rates."

Those arguments don't faze Wurzler, who insists his approach is the
right one. "Hackers hate Bill Gates, so they want to write code that
embarrasses him," Wurzler said. And because that attitude won't change
anytime soon, Wurzler said, the most reasonable course is to charge
higher premiums for NT and IIS.

 


-
ISN is currently hosted by Attrition.org

To unsubscribe email majordomo () attrition org with 'unsubscribe isn' in the BODY
of the mail.