Information Security News mailing list archives

Insurer Considers Microsoft NT High-Risk


From: InfoSec News <isn () c4i org>
Date: Tue, 29 May 2001 02:15:46 -0500 (CDT)

http://www.zdnet.com/intweek/stories/news/0,4164,2766045,00.html

By Robert Bryce
Interactive Week
May 28, 2001

Microsoft's server software is easy to install, loaded with features
and fairly reliable. It may also be more costly to insure against hack
attacks.

J.S. Wurzler Underwriting Managers, one of the first companies to
offer hacker insurance, has begun charging its clients 5 percent to 15
percent more if they use Microsoft's Windows NT software in their
Internet operations. Although several larger insurers said they won't
increase their NT-related premiums, Wurzler's announcement indicates
growing frustration with the ongoing discoveries of vulnerabilities in
Microsoft's products.

Some industry observers believe other insurers may follow Wurzler's
lead, which could affect the overall hacker insurance market, a sector
that the Insurance Information Institute estimates may generate $2.5
billion in annual premiums by 2005.

"We saw that our NT-based clients were having more downtime" due to
hacking, says John Wurzler, founder and CEO of the Michigan company,
which has been selling hacker insurance since 1998.

Wurzler said the decision to charge higher premiums was not mandated
by the syndicates affiliated with Lloyd's of London that underwrite
the insurance he sells. Instead, the move was based on findings from
400 security assessments that his firm has done on small and midsize
businesses over the past three years.

Wurzler found that system administrators working on open source
systems tend to be better trained and stay with their employers longer
than those at firms using Windows software, where turnover can exceed
33 percent per year. That turnover contributes to another problem:
System administrators are not implementing all the patches that have
been issued for Windows NT, Wurzler said.

According to Microsoft's Web site, more than 50 vulnerabilities - and
the patches to fix them - have been issued for Windows NT server
software since June 1998.

Microsoft spokesman Jim Desler said the hacker insurance market is
still too young to declare Wurzler's move a trend. "There's not enough
history or business to draw conclusions about rate-setting practices,"
Desler said. As the market matures, rates are likely to be based on
best practices, rather than on platforms or products, he predicted.
"We provide unparalleled support in the area of security."

American International Group, the country's largest insurance
underwriter, said it will not raise its rates for Windows NT-based
systems. Nor will Aon, the world's second largest insurance broker.
The use of NT is "just one factor in the overall assessment of risks.
It can be an indicator of other vulnerabilities, but you may also have
other things in place to counter that, like firewalls and
intrusion-detection systems," said Kevin Kalinich, a director in Aon's
technology and telecommunications group.

However, Harry Croydon, CEO of Safeonline, a London risk analysis firm
that works with underwriters at Lloyd's, predicted that Wurzler's
decision to charge more for Windows NT machines is "a trend we will
see increasing." Just as drivers who own rare cars pay more to insure
them, Croydon said, "certain types of software expose you to different
risks."

Although Wurzler's company is small - eight employees - digital
security firms are watching it closely. Bruce Schneier, Counterpane
Internet Security's co-founder and chief technical officer, said it
makes sense for underwriters to differentiate premiums based on the
type of software and hardware that's used. "Insurance companies are
looking to manage their risk effectively. If there's a technology that
reduces risk, they'll charge lower premiums," Schneier said.

Indeed, several insurers offer discounts to clients that use managed
security service providers or put certain security devices on their
networks. For example, last week, AIG said it will cut premiums up to
10 percent for clients that use a new security device made by Invicta
Networks, a Virginia company headed by Victor Sheymov, a former KGB
agent. Invicta claims its device, which uses an Internet Protocol
address-shifting technology, is impossible to hack.

Windows-based servers are frequently victimized by hackers. From
August 1999 to November 2000, 56 percent of all the successful,
documented hack attacks occurred on systems using Microsoft server
software, according to statistics posted at Attrition.org, a Web site
that records hackers' exploits.

Given Windows NT's record, Gene Spafford, the director of Purdue
University's Center for Education and Research in Information
Assurance and Security, believes higher insurance premiums may be
justified. "NT is more difficult to install correctly and keep up to
date than Linux," Spafford said.

Right now, it appears that Wurzler is going it alone among insurers by
charging higher premiums to Windows NT users. But Wurzler said the
higher prices are not costing his company customers.

A policy covering revenue lost due to hacking costs about $4,000 per
year for each $1 million in coverage, he said.

About half of his clients use Windows NT, Wurzler said; the rest use
Linux or Unix. Given that breakdown, he said it's easy to justify
higher rates for NT machines. "Why should a Unix player with fewer
vulnerabilities subsidize NT users?" Wurzler asked.

And Wurzler's not through with Microsoft. He said his firm is looking
at vulnerabilities in Microsoft's Internet Information Server
software, and that it may soon begin charging higher premiums for that
product, too.

ISN is hosted by SecurityFocus.com
---
To unsubscribe email isn-unsubscribe () SecurityFocus com.