When it comes to e-commerce, insurers have made a lot of progress over the past several years. They've equipped their employees with browser-based policy, claims, and customer service applications. They've developed self-service features for policyholders on their Web sites. And they've rolled out real-time transactions--such as quoting, policy issuance and inquiry--to their agents and brokers.
But just as the insurance industry is embracing the Internet and increasingly harnessing its ability to improve productivity and operational efficiency, malicious attacks--which can bring down corporate networks and compromise confidential company and customer information--are growing exponentially.
A full 83% of global financial services firms have experienced some kind of security breach in the last year--up from 39% a year ago, according to New York-based Deloitte & Touche LLP.
Ranging from viruses and worms to blended threats, zombie spam and phishing attacks, many of the most prolific and destructive threats have emerged in the past year. The MyDoom and Bagle viruses and Sasser worm spread so quickly they slowed down Internet traffic and disabled e-mail servers around the world.
"This is not a problem that is going to go away," says Ted DeZabala, national leader of the security services group at Deloitte. "It's sort of like getting used to credit-card fraud. The industry builds a certain amount of fraud into its business model."
Top IT security concerns
Recognizing the problem isn't going to go away, UnumProvident Corp.--one of the largest individual and group disability insurers in North America--is building a layered network security strategy into its business model.
"We're doing more and more business on the Internet by bringing customers to our Web sites. And if we've been taken down by a virus, a worm or a hacker, obviously it doesn't bode well with our customers if they can't access their data," says Lynda Fleury, assistant vice president and chief information security officer at UnumProvident, Chattanooga, Tenn.
UnumProvident is not alone. Hacking, intrusion and viruses are the top IT security concerns among insurers who participated in a recent survey conducted by Boston-based Celent Communications Inc.
"E-mail is a critical business tool and there are more and more opportunities for viruses to spread through corporate e-mail," says Matthew Josefowicz, manager of the insurance group at Celent.
"That's a serious issue, because viruses can take down not only desktop computers, but Windows-based systems as well, which moves to the core of insurers' operations," he says. "They have the potential to disrupt enterprise systems."
Although the majority of corporations have already installed anti-virus software--99% according to the San Francisco-based Computer Security Institute--the threats keep evolving.
Viruses can now spread with or without human intervention, notes Vu Nguyen, a research analyst on the McAfee anti-virus and vulnerability emergency response team at Network Associates Inc., Santa Clara, Calif.
Newer forms of attack
As a result, even if employees know they should not open suspicious files attached to e-mail--such as .exe files--companies are still vulnerable to attack through spam (junk e-mail) designed to trick a person into launching a virus that's hidden in a more trusted file format, such as a .zip file, he says.
What's more, viruses can spread even without users opening a file attachment. An HTML exploit, for example, can automatically launch a virus through e-mail that's in HTML format containing hidden malicious code, he adds.
Not only do companies have to deal with the well-known IT security problem of viruses and worms, but newer forms of attack--such as blended threats, zombie spam and phishing--are on the rise as well, says Paris Trudeau, senior product marketing manager at SurfControl plc, a Scotts Valley, Calif.-based e-mail- and Web-filtering technology firm.
In the past year, blended threats--which combine several methods to infect a computer--have grown considerably, she says. One type of blended threat in particular, called zombie spam, is costing the corporate world millions of dollars each day in unnecessary data storage and lost productivity, according to SurfControl.
"Zombie spam is spam e-mail containing a virus that attaches itself to the PC," Trudeau explains. "The zombie virus typically sits dormant on the PC until the hacker sends it a command telling it to do something." Usually, the hacker tells the zombie to send more spam to new victims, she says. But in some cases, zombies log a user's keystrokes and send that data back to the hacker at a later point.
"From our centralized command centers where we track emerging spam threats on the Internet, we're seeing about 14.5 billion spam messages each day," Trudeau reported in June. "And 40% to 80% of those messages are sent from zombie PCs."
The threat is worrisome--because not only is spam annoying, but it can carry viruses, fraudulent solicitations for private information, and offensive content that could lead to employee lawsuits. Therefore, it's not surprising that nearly 70% of organizations have deployed anti-spam technology, according to IDC, a Framingham, Mass.-based research and consulting firm.
Even setting aside its more destructive potential, however, the productivity losses associated with spam alone are significant. With no anti-spam solution, the average time spent by e-mail users each day on spam is 10 minutes--and 43 minutes for IT staffers, according to IDC. With an anti-spam solution, the average time spent each day drops to 5 minutes for e-mail users and 19 minutes for IT staffers.
Growing exponentially
IDC estimates that without anti-spam software, a firm with 5,000 e-mail users loses more than $4 million per year in lost productivity. And, according to SurfControl, each spam message costs its customers $1 in overhead, which includes employees' time spent sorting through spam, data storage used to archive spam, and IT managers' time dealing with spam.
At UnumProvident, where SurfControl's e-mail filtering technology went into production in January, the amount of spam the insurer blocked in the first six months grew exponentially.
In January, the company halted 2.6 million spam messages before they entered employees' mailboxes. In April, it filtered 3.9 million out of its system. And by June, UnumProvident stopped 4.6 million spam e-mail messages from ever entering its network.
What's more, spam isn't the only Internet threat UnumProvident has seen increasing over the past six months. More viruses are lurking at its electronic gates as well. With enterprise anti-virus software from Symantec Corp., Cupertino, Calif., scanning the insurer's incoming e-mail, 8,000 viruses were prevented from infecting UnumProvident's network in January and 42,000 were stopped in June. "That gives you an idea of how the problem is growing," Fleury says.
Prior to installing enterprise virus protection several years ago, UnumProvident relied solely on software on the desktop and Exchange servers to catch malicious e-mail and attachments, says Fleury.
Now, however, an enterprise e-mail gateway sits in front of the company's Exchange environment, scanning every e-mail and stripping off virus-infected and potentially malicious attachments before they are ever delivered.
"We're trying to create that depth of security to make sure we have enough defense mechanisms in place so a virus never hits our production environment," Fleury says. "We're trying to stay ahead of the game--to provide as many layers as we can to protect our infrastructure."
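An added example, not code from UnumProvident or any vendor named in this article: a gateway-style filter that strips attachments with blocked extensions and also looks inside .zip archives, the hiding place described earlier. The extension list, function names and sample message are assumptions constructed for illustration.

```python
import io
import zipfile
from email import message_from_bytes, policy
from email.message import EmailMessage

# Assumed block list for this example; a production policy would be broader.
BLOCKED_EXTENSIONS = (".exe", ".scr", ".pif", ".com", ".bat")

def blocked_reason(filename, payload):
    """Return why an attachment should be stripped, or None if it may pass."""
    if filename.lower().endswith(BLOCKED_EXTENSIONS):
        return "blocked extension"
    if filename.lower().endswith(".zip"):
        try:
            with zipfile.ZipFile(io.BytesIO(payload or b"")) as archive:
                for member in archive.namelist():
                    if member.lower().endswith(BLOCKED_EXTENSIONS):
                        return "archive contains " + member
        except zipfile.BadZipFile:
            return "unreadable archive"  # fail closed: cannot be inspected
    return None

def strip_attachments(raw_message):
    """Drop blocked attachments; return (cleaned message, [(name, reason)])."""
    msg = message_from_bytes(raw_message, policy=policy.default)
    removed, kept = [], []
    for part in (msg.get_payload() if msg.is_multipart() else []):
        name = part.get_filename()
        reason = blocked_reason(name, part.get_payload(decode=True)) if name else None
        if reason:
            removed.append((name, reason))
        else:
            kept.append(part)
    if removed:
        msg.set_payload(kept)  # body and permitted attachments only
    return msg, removed

def build_sample():
    """Constructed test message: a text file plus a .zip hiding an .exe name."""
    archive = io.BytesIO()
    with zipfile.ZipFile(archive, "w") as zf:
        zf.writestr("invoice.exe", b"constructed placeholder, not a real program")
    msg = EmailMessage()
    msg["From"], msg["To"] = "sender@example.com", "claims@example.com"
    msg["Subject"] = "Your document"
    msg.set_content("Please see the attached file.")
    msg.add_attachment("plain notes", filename="notes.txt")
    msg.add_attachment(archive.getvalue(), maintype="application",
                       subtype="zip", filename="document.zip")
    return msg.as_bytes()

if __name__ == "__main__":
    cleaned, removed = strip_attachments(build_sample())
    print(removed, [p.get_filename() for p in cleaned.iter_attachments()])
```

The filter inspects one archive level only and matches on file names, so it complements signature-based virus scanning rather than replacing it.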
To that end, UnumProvident has another layer of security protection on its network: intrusion detection. In 2002, the company installed sensors on its Internet-facing devices, and this past January it switched to Symantec as its intrusion detection service provider. Symantec now monitors and manages 11 sensors for malicious activity around the clock, and provides UnumProvident with analysis and response to hacking attempts.
"If somebody is trying to exploit a Microsoft vulnerability in our system, our intrusion detection sensors can pick that up," Fleury says. "And we can begin taking proactive measures to prevent that particular vulnerability from being exploited in our organization, whether that involves setting up control lists on routers or shutting down Internet ports on the firewall."
For the month of June, UnumProvident's intrusion detection sensors logged 97 million attempts to intrude on the company's network. "These were the typical probes--knocking on the door--to see if there were any known vulnerabilities on our system," Fleury says. That number may sound astounding, but "the good news is . . . at least now we know what's happening on our perimeter," she says.
UnumProvident also knows what is happening with Web surfing in its organization. Using SurfControl's Web filtering technology, the company blocks employees from visiting malicious or potentially harmful Web sites including adult sites, hacking sites, spyware sites, hate sites, criminal sites and drug and alcohol sites.
The Web filtering technology also blocks streaming video and audio to prevent employees from watching movies or listening to the radio via the Internet during working hours when available bandwidth is crucial.
The technology also can control the types of files employees download from the Internet and prevent them from retrieving personal Web-based e-mail, which bypasses a company's anti-virus protection.
The weakest link
Indeed, the weakest point in IT security is often between the keyboard and the chair, notes Celent's Josefowicz. "You have to make sure you have the right policies and practices in place to avoid vulnerabilities created by people--knowingly or unknowingly."
Those policies and practices include regularly changing passwords, authenticating new users to make sure they are who they say they are, tracking users once they're in the system, and implementing tighter role-based security. "You don't want a customer service representative or agent to get into your underwriting system," he says.
But even people who have reason to be probing the heart of a corporate network can compromise security if granular role-based control is not in place, sources say.
In fact, according to the Computer Security Institute, cybersecurity breaches are fairly evenly split between those originating on the outside and those originating within organizations.
"If you think about the people who have the most power in your company, it's your system administrators," says Vance Loiselle, vice president of marketing at BladeLogic Inc., a Bedford, Mass.-based provider of data center automation software.
"These people have access to your underlying applications and databases. And today, most organizations have administrators who have wide-open access to servers--because that's the way technologies have been implemented over the past 30 years," he says.
Basically, people on applications teams, Windows teams, Unix teams, and database teams all share passwords to gain access to servers to install updates and patches, Loiselle explains.
"Usually, there is no fine-grained access control in the IT group. Organizations are blocking people out with perimeter firewall solutions, but they have all these people inside who are sharing all this hardcore access to their servers."
To control the potential abuse of corporate networks by inside IT staff, BladeLogic provides what it calls a closed loop compliance management system, which enables companies to establish corporate data center security policies, including fine-grained IT access control.
San Antonio-based USAA is one insurer using BladeLogic software to automate application updates, patches and configuration repair across its servers. (USAA did not respond to requests for an interview.)
"Most companies we work with have no automated approach to compliance," Loiselle says. "They are just in the process of putting their policies in place in Word documents or Excel spreadsheets. When they begin using our solution to automatically build the policies, they are usually about 30% in compliance with what their policies stipulate. After we've worked with them for a period of about three months, they are closer to 95%," he claims.
Strategic view
Companies such as USAA are ahead of the curve in addressing the issue of managing security consistently in a heterogeneous systems environment, according to sources.
And UnumProvident is ahead of the curve in building a strategic, layered approach to protecting its infrastructure from malicious and costly attacks.
"Most insurers have a hodge-podge of platforms, operating systems versions, and patches across their infrastructures," says Celent's Josefowicz. "Trying to keep track of all these and make sure that each has the most up-to-date security features enabled is a serious challenge for most insurers.
"USAA has turned to a more automated approach to infrastructure management--by centralizing patch management and operating system upgrade management--as opposed to having one guy in IT keeping up with all that and making sure the company's systems are updated and adequately protected," he adds.
Furthermore, insurers are now devoting more resources to their overall IT security strategy.
"They're taking a holistic assessment of their IT environment," says Josefowicz. "They're taking a network inventory. They're looking for the holes in their network. They're asking, 'Where are we exposing ourselves? And are we consistently managing security?'
"Insurers are taking a top-level view--not a piecemeal approach," he adds. "That's unusual for the insurance industry--and I'm glad to see it finally happening."
A Wireless Nightmare Waiting To Happen
When it comes to wireless technology, concern about security is well-founded, according to Nicholas Miller, president of Cirond Corp., a San Jose, Calif.-based wireless security provider.
That's because two major security risks associated with wireless laptops have the potential to severely compromise wired networks, he says. "One is people buying their own access points and plugging them into the corporate network, and the other is people plugging laptops into the corporate network while accidentally leaving the wireless access on."
Wireless base stations are so inexpensive now--as little as $40 apiece--that people are buying their own access points and bringing them to work, Miller says. The problem is: "When they plug them into the network port in their cubicle, they've just blown a hole in the side of the network," he says. "That access point is now broadcasting the network connection out into the parking lot where it can be accessed by anybody driving by with a laptop computer."
Even more alarming, however, is the possibility that employees will compromise the security of the corporate network with no idea that they've done so--by accidentally leaving a wireless computer on in "ad hoc" mode, he says.
People can establish peer-to-peer networks without using a base station by selecting the "ad hoc" setting on their wireless laptops, Miller explains. It's a useful feature, because it enables employees to meet in an airline lounge, for example, and work on a proposal together. "They just turn on their wireless laptops, put them in 'ad hoc' mode, and they instantly have a network where they can work collaboratively," he says.
But imagine if those employees forget to turn off the wireless connection, he says. "When they go into the office and plug the laptop into the network, and enter their user name and password, they've just established a freeway for anyone in the vicinity into the heart of the corporate network."
To protect themselves, insurers should adopt clear policies that prohibit employees from plugging their own access points into the corporate network, as well as requiring them to turn off the wireless 'ad hoc' feature before connecting to the network, according to Miller. In addition, he says, insurers should implement technology that detects and locates rogue wireless devices.
Today, there are about 60 million wireless devices in use and about 2.5 million more are shipped every month, Miller notes. Eventually, every laptop will have wireless built into it--a growing challenge to the security of conventional networks, he says.
"This technology will literally take a wide Ethernet port and broadcast it out into the parking lot. If you're a network administrator or a chief security officer, that has to make your hair stand up."
Phishing Threatens E-Commerce Infrastructure Of Financial Industry
Although junk e-mail, also known as "spam," may seem like a relatively harmless if annoying productivity killer, one form of spam is actually treacherous to corporations, especially those in the financial services industry.
Called "phishing" spam or fraud spam, it emerged this year as a major vehicle for identity theft and a primary threat to the trust that online providers have established with online consumers.
"We have so quickly moved into an e-commerce generation," says Paris Trudeau, senior product marketing manager at SurfControl plc, a Scotts Valley, Calif.-based provider of e-mail- and Web filtering software. "We have banking online and services that are based on a lot of trust between consumers and vendors."
Phishing is causing a lot of credibility loss in the industry, she says. "We're seeing that consumers are beginning to be less likely to support e-commerce systems--because they don't know how to distinguish a legitimate e-mail from a fraudulent one."
Specifically, phishing refers to e-mail that pretends to be from a well-known or trusted company. The spammer, posing as a customer service representative or a security professional, directs the e-mail recipient to a phony Web site and requests confidential information, such as Social Security numbers, user names and passwords, and account numbers.
"We have seen phishing attacks grow by 500% between January and May this year as one of the main types of spam attacks," says Trudeau. "And about 70% of phishing attacks originate outside the United States, which makes it difficult to track them down."
Citibank's brand name has been the most hijacked by phishers, according to the Anti-Phishing Working Group, a Redwood City, Calif.-based industry association. From January through May this year, Citibank experienced 1,035 unique phishing attacks in its name. Online auctioneer eBay is the second-most attacked brand name, and U.S. Bank is third.