Internet Vulnerability

The Internet has been around less than a decade, and already it has proved to be the quintessential double-edged sword: a potent weapon as well as a useful tool. The Melissa virus unleashed in 1999 cost companies as much as $385 million, followed shortly after by the Love Bug in 2000, which infected more than 10 million systems and cost businesses an estimated $10 billion.

For the fourth year in a row, more security professionals (70%) cited their Internet connection as a frequent point of attack than cited their internal systems (31%), according to a survey by the San Francisco-based Computer Security Institute and the FBI. Threats of unauthorized Internet access to corporate systems, denial of service, and tampering with company and customer information are only expected to grow.

By 2005, total losses from Internet crime will increase to 870% of 1997 losses, according to a Conning & Co. report, titled "Cyber-Security for Insurers." Using an estimate of $26.4 billion in total U.S. Internet-security losses in 2000 as a base, Hartford, Conn.-based Conning predicts cyber crime could cost $43.6 billion in the United States by 2005; $87.2 billion worldwide.

Insurers are attractive targets, according to Conning, because, as the famous thief Willie Sutton once said when asked why he robbed banks, "That's where the money is." It's also where personal financial and health information is, making insurers vulnerable to extortion.

Companies with large footprints on the Internet, those with many URLs, are most vulnerable to random attacks, says Mark Greisinger, vice president of NetDiligence, a Philadelphia-based division of the Privacy Council, Richardson, Texas. Hackers use automated network scanning tools to look for Web sites with open ports that shouldn't be open, he says.

"If you get hacked this way, it wasn't that the hacker was focused on your company in particular, you just happened to be the weak link out there. You have something open and running that shouldn't be, or a Web server that didn't get patched as it should be. That's how the majority of incidents are coming about."

A false sense of security

Most organizations have a false sense of security, say security experts. "They think, 'We bought a firewall, so we're secure,'" notes Fred Avolio, principal of Avolio Consulting, a Lisbon, Md.-based security consulting firm.

The trouble with that approach is that a company may have the most secure firewall in the world, but if any changes have been made to the firewall, it may be vulnerable, he says. "Firewalls are designed to allow certain services through," Avolio explains. "Any time you add a new service, you raise the risk of adding vulnerabilities."

Furthermore, he says, if a company allows access to internal systems, those systems have to be protected properly. A Web server is a good example. Microsoft's Internet Information Server (IIS) has vulnerabilities, and so do CGI (Common Gateway Interface) scripts, which make forms work on a Web page.

Insurance companies, in particular, have been lulled into a false sense of security on the Internet because, until recently, their online presence has been minimal, so they've considered themselves immune to hackers. "For a long time, carriers relied on legacy mainframe and mid-range platforms," says Allan Vance, director of service provider markets for Internet Security Systems, Atlanta. "So they'd say, 'Gee, I'm not really using IP (Internet Protocol) networks, so what do I care about hackers?'" As a result, they haven't been as aggressive as banks and brokerages when it comes to Internet security.

Getting up to speed

That is changing, however. The promising economics of Internet self-service and transaction processing, along with regulatory action on privacy, are forcing insurers to get up to speed. More carriers are moving customer and agent applications online, while the Health Information Portability and Accountability Act and Gramm-Leach-Bliley require insurers to implement adequate protections for personal health and financial data. As a result, carriers are beefing up on Internet security.

In addition to what are now considered standard Internet security tools (firewalls, antivirus software, data encryption, strict e-mail usage policies and password procedures), any company with an Internet presence should be scanning its network on a regular basis for vulnerabilities, according to security experts.

"Each PC and each server has at least 65,000 logical ports," NetDiligence's Greisinger says. "That's a lot of windows that attackers can probe. And they use readily available tools looking for an open port they can get their foot in."

The tools hackers use are the same ones companies use for legitimate vulnerability assessments of their networks. Internet security vendors including Network Associates, Symantec and Internet Security Systems all offer vulnerability assessment tools. Free tools are available on Web sites such as www.npag.org and www.nessus.org.

"It's not very sexy," Avolio says. But the typical ways hackers break into systems are through guest accounts on Web servers and known vulnerabilities in software that hasn't been patched. "If companies would just do verification testing against their systems, and then keep them secured in whatever way their vendor says to secure them, the Internet would be a less vulnerable place."

"A really skilled hacker is likely to beat most systems in the world today. That's the problem. The security industry is always playing catch-up," says Ian Williams, e-security analyst at London-based Datamonitor, a business and market research firm. "But most hackers are relatively lazy," he says. "They'll go for known vulnerabilities. And every time a vulnerability emerges, typically a few hours later, a patch for that vulnerability emerges. But that doesn't mean everyone has applied the patches."

In 2000, 99% of Web defacements were carried out as a result of failure to apply patches to known vulnerabilities, Williams notes.

Internet exposure

A growing area of exposure for carriers is Internet connections between their own networks and those of their business partners. Agents are integral to insurance sales, and more transactions between carriers and agents are being processed through the Internet, either through extranets or virtual private networks, the Conning study notes.

But if someone compromises an agent network, the agent's network can be used as a launchpad to break into a carrier's network.

"If I were conducting a vulnerability assessment for a closed user group (such as an agent network), I would make sure all software loaded on every client, every server, and every router was not vulnerable to common attacks," says Jerry Brady, chief technology officer at Guardent, a security and privacy firm in Waltham, Mass. "I'd be extra careful that threats in their environment wouldn't leak into mine."

That can be accomplished with more due diligence, he says, such as stronger access controls, firewalls, router filtering and virtual private networks. But for even further protection, he recommends intrusion detection and monitoring as the only reasonable countermeasure against malicious activity that might occur at the junctures between an insurance company's production network and agent networks.

Stronger authentication

When dealing with remote network users who are accessing sensitive customer information, insurers may also install stronger methods of authentication, says Brady, a former enterprise information security officer at the Prudential Insurance Co. of America, Newark, N.J. Issuing agents or health care providers cryptographic tokens, for example, is a way for insurers to install stronger authentication.

Tokens, including those available from RSA Security Inc., Bedford, Mass., and Secure Computing Corp., San Jose, Calif., are devices such as key fobs that display a numerical password. The password changes every 60 seconds and is synchronized to a centralized server. When agents or health care providers sign on, they use the password they have (on the token) with a password they know, a scheme known as two-factor authentication.
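The server side of the two-factor scheme just described, as an added example that is not code from the article or from RSA Security or Secure Computing. It assumes the token follows the standard TOTP construction (HMAC-SHA1 over a time counter, truncated to six digits, per RFC 6238) with the 60-second step the text mentions; the seed, passphrase, salt and timestamps are constructed for the demonstration. The points a practitioner would want to see are the drift window, the replay check (a code is accepted at most once), and that the knowledge factor is always evaluated so a rejection does not reveal which factor failed.

```python
"""Two-factor sign-on check: a memorized passphrase plus a time-synchronized token.

Added illustration (not the article's or any vendor's code). Token arithmetic
follows RFC 6238 TOTP with a 60-second step; all secrets and times are constructed.
"""
import hashlib
import hmac
import struct

STEP_SECONDS = 60     # the number on the fob changes once a minute
DIGITS = 6
DRIFT_STEPS = 1       # accept one step either side to tolerate clock drift
PBKDF2_ROUNDS = 100_000


def totp(seed: bytes, unix_time: int) -> str:
    """Code a token seeded with `seed` displays at `unix_time` (RFC 6238 truncation)."""
    counter = unix_time // STEP_SECONDS
    digest = hmac.new(seed, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    binary = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(binary % 10 ** DIGITS).zfill(DIGITS)


def make_user(passphrase: str, seed: bytes, salt: bytes) -> dict:
    """Server-side record: salted PBKDF2 hash of what the user knows, the seed
    of what the user has, and the last token step that was accepted."""
    return {
        "pw_hash": hashlib.pbkdf2_hmac("sha256", passphrase.encode(), salt, PBKDF2_ROUNDS),
        "salt": salt,
        "seed": seed,
        "last_counter": -1,
    }


def verify_token(user: dict, presented: str, server_time: int):
    """Return (accepted, counter) for `presented` at `server_time`.

    Only the current step and DRIFT_STEPS on either side are valid, and any step
    at or below the last accepted one is refused, so a code captured once cannot
    be replayed later inside its window."""
    if len(presented) != DIGITS or not presented.isdigit():
        return False, user["last_counter"]
    base = server_time // STEP_SECONDS
    for delta in range(-DRIFT_STEPS, DRIFT_STEPS + 1):
        counter = base + delta
        if counter <= user["last_counter"]:
            continue
        expected = totp(user["seed"], counter * STEP_SECONDS)
        if hmac.compare_digest(expected, presented):
            return True, counter
    return False, user["last_counter"]


def two_factor_login(user: dict, passphrase: str, token_code: str, server_time: int) -> bool:
    """Something you know plus something you have. Both factors are always
    evaluated, so a rejection does not tell the caller which one was wrong."""
    attempt = hashlib.pbkdf2_hmac("sha256", passphrase.encode(), user["salt"], PBKDF2_ROUNDS)
    pw_ok = hmac.compare_digest(attempt, user["pw_hash"])
    tok_ok, counter = verify_token(user, token_code, server_time)
    if pw_ok and tok_ok:
        user["last_counter"] = counter   # burn this step only on full success
        return True
    return False


if __name__ == "__main__":
    seed = b"constructed demo seed, not a production key"
    agent = make_user("agent-passphrase", seed, b"constructed salt")
    now = 999_999_960                       # constructed timestamp on a step boundary
    code = totp(seed, now)                  # what the agent reads off the fob
    print("first login:", two_factor_login(agent, "agent-passphrase", code, now + 30))
    print("replay of the same code:", two_factor_login(agent, "agent-passphrase", code, now + 45))
```

The seed must be provisioned to both the fob and the server and never shown to the user; the drift window is what keeps a fob whose clock has slipped by a few seconds working, and the replay counter is what stops the same six digits from being used twice within that window.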

Insurers can consider even more sophisticated public key infrastructure (PKI) or smart cards in applications that require legal proof of authentication. But non-PKI methods are easier to deploy, Brady says. PKI and smart cards require insurers to become much more "intimate" with an agent's or health care provider's computer, he says. "And in the agent network, you've got to be careful that you don't create a security infrastructure that is so onerous that it drives agents away or reduces productivity."

Similarly, biometric devices, such as fingerprint or iris-scan devices, add a stronger authentication factor, but agents and other "outsiders" may find them too intrusive. "Independent agents don't really feel like part of your company, and they may not be willing to subject themselves to that kind of invasiveness," Brady says.

Currently, biometric technologies are proving to reduce costs inside an organization, security experts say. Typically, up to 25% of an IT group's activity and cost are associated with forgotten and lost passwords, says Internet Security Systems' Vance. "It's less likely that people will lose their thumb than forget their password," Guardent's Brady notes. "So it's a nice model for reducing administration costs for internal users."

A case in point

Some companies are considering a stratified authentication model for various users of their online applications. For example, an insurer might authenticate "garden-variety" users with a lower level of access control, whereas people who are accessing very sensitive information, or signing legally binding agreements, would be required to use stronger access control, Brady says.

Blue Cross Blue Shield of Michigan provides a case in point. The Detroit-based health insurance provider is implementing self-service applications, including private personal health records for members to view and amend, and secure channels for members, doctors, caregivers and the company to exchange claims data and other records online.

In this scenario, proper authentication is crucial to ensure member privacy and security. But the company is designing the process to be flexible, as well as secure. "Depending on the task, not everything needs to be strongly authenticated," says Fran Brown, director of internal communication and e-business development for the Michigan Blues plans. "We're trying to set it up so it will be worth the trouble." If a member needs to do something simple, such as order an ID card, that action may not need to be strongly authenticated.

Blue Cross Blue Shield of Michigan developed its platform with PersonalPath Systems Inc., Upper Saddle River, N.J. The solution includes roaming digital certificate technology from Entrust Inc., Addison, Texas, for future applications that will enable Blue Cross Blue Shield of Michigan members to enroll online and agents to sign up new business via the Internet.

In an effort to make the authentication process as easy as possible, the insurer has replaced a 26-character alphanumeric password with a set of questions that can be customized by the user. "We encourage people to use early lifetime memories that aren't readily available to anyone else," says Joanne Rusch, director of enterprise architecture at the company. "For example, most people don't know the name of my first cat. I remember it, but it's very unlikely somebody else can come (to the Web site) knowing that information."

The company calls this a "password elimination process." It enables even infrequent users, who aren't likely to remember their password, to sign on to the site quickly and securely. "We've blended a high level of security and privacy with as much usability as we can," Rusch says.

Single sign-on

The company is also working with its business partners to establish a single sign-on process for members, which is also easier and more secure than having multiple IDs and passwords for partner sites, according to Rusch. "Having too many IDs and passwords encourages people to write them down, which is like putting the door key under the doormat of your house," she says.

With single sign-on, members register and authenticate their identity on the Michigan Blues' Web site to access information and applications the insurer offers, as well as applications and information offered by its partners on their Web sites, mail-ordering drugs, for instance.

Blue Cross Blue Shield of Michigan has taken other steps to limit online fraud. For instance, the company does not display sensitive data in the same frame as identity information. "If anybody is trying to scrape the frame, it would be hard for them to put together enough pieces of information, and break the 128-bit encryption we require to access our Web site," Rusch says.

The company also has established an online registration process to stop identity theft. The company has pre-assigned every member a Web ID, which is delivered by postal mail. When members log on to the company's site, they enter their pre-assigned ID, along with personal information to confirm their identity. After registering for the first time on the site, they receive a second letter from the company, also by mail, which contains a separate verification code required for their next login.

Registration is a very important step in online security, Guardent's Brady says. "If you get that right, a lot of things down the road are a lot easier."
