Hackers Keep On Trying To Breach Insurers Security

Washington, D.C.

While the insurance industry seems to have dodged a bullet in not having major Web sites or networks successfully broken into by hackers, security managers at Mutual of Omaha report that the companys network has been the target of numerous attempted attacks.

“Imagine the eyebrows of our CEO when I reported to him that in one weeks time we had 190 Code Red worm attempts on our network,” said Steven J. Clauson, director of system security for the Omaha, Neb.-based insurer.

Code Red is a virus that is said to have infected more than 250,000 systems worldwide in a 9-hour time span in July of this year. The “worm” installs a “backdoor” in infected systems that leaves the systems open to invasion by hackers.

“Every day, we see between 10 and 20 serious-risk hacker attacks against our network,” Clauson added. His comments came during a session on Information Security in the Financial Services Industry at the LOMA Emerging Technology Conference held here.

Clauson cited a survey of 500 companiesdone by the Computer Security Institute and the FBIwhich stated that viruses alone had cost these companies $150 million over the course of a year.

The tools and technologies used to fight such attacks, said Clauson, include biometrics, encrypting files, antivirus software, firewalls, encrypting log-ins, physical security and intrusion detection.

The use of encryption–the encoding of files so that they can only be read by authorized individuals–is growing in insurance circles, said Clauson. “Theres a lot of information sitting on legacy systems,” he noted. “People are going to break into your systems, whether they be hackers or internal employees.”

Intrusion detection–a technology that senses unauthorized system intrusions and sends out a warning–”is really starting to explode,” Clauson reported. In the past, intrusion detection meant simply monitoring and reporting on activity on a networks firewall. Today, however, “thats not good enough,” he said. Intrusion detection also extends within the organization to detect potentially threatening activities.

When it comes to sources of attacks, “it used to be that everyone would tell you that your greatest threat comes from inside [your company],” Clauson observed. This year, for the first time, that is no longer the case, he said. The most prevalent threat is the independent hacker.

The primary avenue of attack, he added, is via the Internet.

Clauson asserted that “the biggest impact” on the insurance industry of such attacks, if successful, would be “loss of trust.” It would take only one such “hack,” he said, to compromise that trust. “People are depending on us to protect their information, to secure it and to make sure it doesnt become public.”

Why do hackers do what they do? Clauson played part of a 60 Minutes interview with alleged high-profile hacker Kevin Mitnick, who was said to have broken into the systems of more than 35 major corporations and other organizations, causing an estimated $300 million in damages. Mitnick, who was eventually caught and convicted, was recently released from prison. In the interview, he described his hacking activities as “a hobby.”

Clauson said he had also sent two of his employees to the Defcon Hackers Conference in Las Vegas last July to gain information about activity in the hacker community. Among the 5,000 attendees, he noted, one-third to one-half were “white hats”–individuals like his colleagues who were there to learn.

The highest threats, he added, come from the “cracker/hackers”–people who are seeking to learn more about hacking and to prove themselves among the hacker community. “Their mission is to cause damage and to do it anonymously,” said Clauson.

At the convention, participants would set up networks and try to defend them, while other participants tried to hack into them. “Our guys set up a network and got broken into,” he admitted.

“Frankly,” stated Clauson, “[the insurance industry] is pretty lacking in security. The best thing we can do is network together.”

At Mutual of Omaha, Clauson said, the security plan involves prevention of attacks, detection of intrusions, response and, where necessary, recovery. A “crucial” part of the security plan is to establish a security policy, he added.

With the growing movement toward electronic signatures, insurers systems must also provide for authentication of the signer, authorization of the transaction and “non-repudiation,” said Clauson. Biometrics–technology that uses biological characteristics such as fingerprints or retina scans to identify an individual–may play a part in signature validation.

The non-repudiation issue, Clauson explained, means being able to prove that a person did actually authorize the electronically signed document, especially if he or she later denies it.

According to Bill Oldenburg, co-presenter in the Information Security session, legislation is one of the primary drivers behind the move toward increased security in the industry. This includes the Health Insurance Portability and Accountability Act (HIPAA) and the Gramm-Leach-Bliley Act on financial security, he noted.

In addition, said Oldenburg, the e-business environment itself is fueling the need for security. “Even if youre not a major player, you have to have some e-business out there to survive,” said Oldenburg, information services manager, I/S security control, for Mutual of Omaha. “You need a Web site and that brings up security issues.”

When it comes to customers personal data, said Oldenburg, integrity (assurance that the data hasnt been changed since it was entered into the system, unless authorized), availability and confidentiality are critical. He stressed the importance of putting electronic communications policies in place in order to keep data safe.

Measuring the risk from outside attacks involves a combination of the value of assets, threats against those assets, and vulnerabilities to attack, Oldenburg explained. While this risk is mitigated by any safeguards a company puts in place, it can also change with changes in any of the components. “The risk dictates the precautions,” he noted.

It is essentially an organizations business requirements that drive the need for security, said Oldenburg.


Reproduced from National Underwriter Life & Health/Financial Services Edition, September 17, 2001. Copyright 2001 by The National Underwriter Company in the serial publication. All rights reserved.Copyright in this article as an independent work may be held by the author.


Copyright 2001 by The National Underwriter Company. All rights reserved. Contact Webmaster