
Copyright © 2002 Business Insurance

 

"Companies' Exposure to Cyber Terror Growing"

December 2, 2002

by SALLY ROBERTS

As the United States' war on terrorism intensifies, one front of that struggle involves protecting computer systems against politically motivated hacking attacks.

Cyber security experts say that though the first targets of such attacks tend to be government agencies, employers that have not implemented adequate security measures to protect their systems also are prime targets.

But regardless of hackers' motives, proper network security efforts are needed to mitigate the exposure of companies' computer systems to attacks, the experts say.

And although insurance policies are available to help transfer such risks, risk managers must be aware of the possible existence of war and terrorism exclusions in such coverage.

"Typically, spikes in cyber activity following political events have been in the form of denial-of-service attacks, transfer of malicious code and Web site defacements - things we broadly classify as nuisance activity," said Patrick Donnelly, director of technology and professional risks in the financial services group at Aon Risk Services Inc. in Chicago. "That's not to minimize the importance of it, because it can be very costly for corporations."

"More concerning for the populace, however, is the potential for defective information that could compromise national security or compromise systems that control critical infrastructure such as banks, utilities and air traffic control," Mr. Donnelly said.

Chief information officers, chief security officers and the like "are not necessarily concerned with the motive behind the attacks as much as they are concerned with the loss or legal liability from them," he said.

Nonetheless, corporations today face an increased risk of politically motivated cyber attacks - or attacks from so-called "political hacktivists."

According to the London-based mi2g Intelligence Unit, a security company that tracks hacking activity, a rise in politically motivated hacking is contributing to an overall increase in the number of digital attacks occurring each month around the world. The company estimates that the month of November saw between 15,000 and 17,000 digital attacks, compared with the 16,167 recorded digital attacks in October and 11,114 in September.

A spokesman for the company attributed the growth in activity to politically motivated hacking, as well as to vandals and criminal syndicates involved in credit card and identity theft.

"Politically motivated hackers were initially many disparate individual groups, but in May 2002, we began to notice the coming together of many of these groups to form larger hacking groups, in particular, those hacking to protest Islamic-interest issues," the mi2g spokesman said.

One of the more prolific pro-Islamic hacker groups, Unix Security Guards, increased its hacking activity tenfold in September to show solidarity with the Arab world amid rising tension between the United States and Iraq and the ongoing Israeli/Palestinian conflict, according to mi2g.

The mi2g spokesman said USG has successfully carried out nearly 2,000 hacking attacks since May, primarily centering on data deletion, business interruption, data piracy and data modification. In anonymous interviews with mi2g, USG also has claimed to have been involved in denial-of-service attacks, but the mi2g spokesman pointed out the company has not confirmed that activity.

"In the beginning, USG's activity seems to have been limited to Israeli systems," he said. "However, in order to accomplish these large numbers of attacks, they have had to set their sights on systems in the U.K., Europe, U.S. and Australia."

Cyber security experts say that it is employers that have not taken the proper security steps that are most vulnerable to such attacks.

"This is the age of automatic attack tools, which are freely available on the Internet," the mi2g spokesman said. "As a consequence...there has been a tendency for hackers to choose low-hanging fruit, such as the ill-prepared small to medium-sized business enterprises, rather than the large and well-protected corporate networks, which will often require a great deal of skill and experience, together with extensive social engineering, to penetrate," he said.

Rick Fleming, vp-strategic technology at Digital Defense Inc., a computer security firm in San Antonio, noted that most organizations still have a "head in the sand" mentality when it comes to cyber attacks. They think they don't have any information on the Web that anyone would want, don't care if anyone has the information or regard themselves as such "a small grain of sand in the beach of the Internet" that no one will find them, he said.

"With hackers, they don't sit and say, 'Who do I target next?'" Mr. Fleming said. Unless they are engaged in focused attacks, hackers "start scanning a wide variety of addresses looking for vulnerabilities and take targets of opportunity," he said. "I think of it as network sniping."

Mr. Fleming said that if an employer wants to mitigate its exposure to attacks, it needs multiple layers and techniques to defend its systems.

In addition to installing anti-virus software, firewalls and intrusion detection software, an employer should develop and enforce security policies, train employees at all levels about general security and awareness and develop some sort of electronic testing program to determine how the company would respond if it were attacked, he said.

"The best way to secure your system is to lock all the doors and build a strong defense," Mr. Fleming said.

Aon's Mr. Donnelly added that the key to cyber security is "a level of corporate awareness, and then diligence in an appropriate fashion."

To achieve this, he advises that companies form a multidepartmental team that includes individuals from risk management, information technology, legal, financial, human resources and other company departments. This team should then conduct a risk assessment and regular audits. It should establish a corporate strategy that includes not only defensive technology such as intrusion detection and anti-virus software but also business continuity, disaster recovery and crisis management plans, he said.

"These plans need to allow for a gradual response that takes into account the severity of the attack and the appropriateness of the response," Mr. Donnelly said.

According to a 2002 survey conducted by The St. Paul Cos. Inc., though, many companies have yet to take some of these steps.

Of the 251 risk managers surveyed, 76% said they have developed and implemented companywide privacy policies, and 67% said they've worked with other departments to identify Internet risks. But only 45% said they have developed employee awareness and training programs, and only 41% said they have retained consultants to conduct network security assessments, according to the survey.

Another protection against cyber terrorism is insurance. But while there are policies out there to purchase, "many companies we speak to are still waiting to be scared," said Michael Zeldes, senior vp of Kaye Insurance Associates Inc., a member of Hub International based in New York. "They are waiting for that major business interruption loss or major third-party liability loss where they can clearly show a hack led to a major financial loss," he said. "We clearly believe there are many of these cases, but they are not publicized."

Risk managers with cyber policies and those interested in purchasing such policies need to pay attention to whether they cover cyber terrorism, experts caution.

For example, American International Group Inc., one of the largest writers of cyber insurance policies, excludes terrorism from its standard policy but offers it on a buy-back basis for additional premium, explained Ty R. Sagalow, executive vp and chief operating officer of AIG e-Business Risk Solutions in New York.

 
