First-Ever Insurance Against Hackers

Reuters

14-JUN-98

By Therese Poletti

SAN FRANCISCO, June 4 (Reuters) - A computer security firm is so certain of its security prowess that it is offering to protect its customers with the first-ever hacker insurance, in the event a customer is successfully invaded by hackers.

ICSA Inc., the International Computer Security Association, is now offering as part of its TruSecure service, insurance against hacker attacks. ISCA will pay up to $250,000 if a customer's network is hacked into, after it has followed the TruSecure criteria.

$250,000 is not much for the millions of dollars in damages that companies like to claim as damage done by hackers, totalling billions according to sensational media reports..

``This is the first hacker-related insurance,'' said Peter Tibbett, president of the ICSA, based in Carlisle, Penn. ``It puts our money where our mouth is.''

ICSA sells its TruSecure service for $40,000 a year. The service, which it has been offering for several years, is a series of steps, methods and procedures that an ICSA client must adhere to. Some steps are simple, common sense procedures, such as having the server which hosts your company's Web site inside a locked room.

Other steps are more complicated, such as the requirement to have a secure firewall around an internal network.

But the ICSA does not sell products. Instead, it recommends a whole range of software that it has approved as secure and meets its standards, through open meetings and debates, with all its members, many of whom develop security products.

Then, ICSA tests a client's security by using typical hacker methods, through its 100 or so employees, none of whom are reformed hackers.

Using typical hacker methods? What about the a-typical methods? And "none of whom are reformed hackers"? So they don't test for weaknesses exploited by real hackers? How do you know? How can anyone ever say that with any certainty? I know many hackers that can dress up in a suit, and pass for 'corporate' very well. Not to mention, the 'reformed hackers' we personally know that went to work for ICSA.

ICSA believes, along with executives at International Business Machines Corp. who perform ``ethical'' hacking on its customers, that there is no such thing as a reformed hacker.

IBM hires ex-hackers. We know some of them.

``We spray them with hacker tools and see where their vulnerabilities are,'' Tibbett said, referring to many of the widely-used hacker programs that are available over the Internet or shared among hackers. ``The average site took about two weeks to get to the place where they meet all our requirements.''

If ICSA thinks that pointing a bunch of 'hacker tools' at a product is enough to mimick what a real hacker would do, they lost the battle long ago.

After ICSA completes a six-step process to test and improve a company's security, the customer is deemed secure and will then receive insurance.

The ICSA said it will pay its customers if they fall prey to a hacker, even if they are not financially harmed from the attack.

``Whether you lose money or not, we will pay,'' Tibbett said. ''We believe that we reduce the risk dramatically ... Yes, we expect to write some checks, but we don't expect to write very many.''

Tibbett likens the ICSA to the Center for Disease Control, because it tracks all hacker attacks and tests every hacker tool and virus its progammers can find. The ICSA also is known for its emergency response center, which tracks the fallout from known computer viruses and helps companies in a crisis.

Virus? Viruses aren't used for hacker attacks against a system. Trojans, custom malware and targeted attacks are.

``Good enough is never going to be perfect,'' Tibbett said. ''But we have a motivation to improve our service. If we have to write a check when someone gets hacked, it gives us another emphasis.''

The company said it is partnering with major nationwide insurance carriers who recognize the ICSA TruSecure certification as a requirement for hacker policies.


main page ATTRITION feedback