Slashdot is powered by your submissions, so send in your scoop

 


Forgot your password?
Close
typodupeerror
×
The Courts Government News

Cyber Insurance Between the Lines 89

Posted by timothy from the door-hit-rear-on-way-out dept.
Shackleford writes "Security Focus has an article that discusses insurance policies regarding 'computer attacks and cyber sabotage.' It discusses a case in which an administrator who set up back doors in the system with which he was trusted deleted files to which he could access after he was fired. His company had insurance against dishonest acts by employees, but not against 'acts of destruction.' Eventaully, the company won, but the case went to litigation. So the lesson to be learned here is that your company may have 'cyber insurance' without knowing it, but you need to be sure about it."
This discussion has been archived. No new comments can be posted.

Cyber Insurance Between the Lines More

Cyber Insurance Between the Lines

Comments Filter:

  • "Acts of god" (Score:5, Funny)

    by Anonymous Coward on Monday May 26, 2003 @03:30PM (#6041526)
    If you're the system god, would this violate the insurance policy?
    • "Acts of root" just doesn't have the same ring to it... sounds more like a program guide for a mini-series about emancipation.
    • Just in case anyone is curious, most insurance policies actually do cover an awful lot of so-called 'Acts of God'. Things like hailstorms, sewer backup due to intense rain, lightning, windstorms...

      What typically is *not* covered are the mass catastrophes, like floods, earthquakes, asteroids hitting the Earth, etc. Some of this for obvious reasons, some of it because governments usually provide disaster relief for it.

      Of course, YMMV, in areas that are hurricane-prone you will have a hard time getting ins
      • Just in case anyone is curious, most insurance policies actually do cover an awful lot of so-called 'Acts of God'. Things like hailstorms, sewer backup due to intense rain, lightning, windstorms...

        Boy, that God's one son of a bitch, huh? Can't he ever do anything nice for a change?

  • Heh (Score:1)

    by Gibble ( 514795 )
    If you can't trust a bloodsucking insurance company who can you trust...

  • Good God Man (Score:3, Funny)

    by Sokie ( 60732 ) <(moc.rotcafegde) (ta) (essej)> on Monday May 26, 2003 @03:30PM (#6041528)
    It discusses a case in which an administrator who set up back doors in the system with which he was trusted deleted files to which he could access after he was fired.

    What is that sentence supposed to mean? Use a freaking comma!

    Yeesh.

    • Re:Good God Man (Score:1, Offtopic)

      by cperciva ( 102828 )
      What is that sentence supposed to mean? Use a freaking comma!

      Where would you put a comma in that sentence? Commas do not exist simply for the purpose of being scattered randomly.

      The only correction necessary would be to remove the extraneous "to":
      It discusses a case in which an administrator who set up back doors in the system with which he was trusted deleted files to which he could access after he was fired.

      • Re:Good God Man (Score:1, Offtopic)

        by Gibble ( 514795 )
        Actually commas could be inserted properly.

        It discusses a case in which an administrator, who set up back doors in the system with which he was trusted, deleted files to which he could access after he was fired.
      • It discusses a case in which an administrator, who set up back doors in the system with which he was trusted, deleted files to that he could access after he was fired.
      • Actually I was just trying to make a joke but since you took the time to reply...

        Well you could make that middle clause into a drop-in with a couple of commas:

        It discusses a case in which an administrator, who set up back doors in the system with which he was trusted, deleted files which he could access after he was fired.

        Actually if I had free reign to edit that sentence I'd probably do quite a bit more than that:

        It discusses a case in which an administrator set up back doors in a system so that he cou
    • I have to admit, I could've made that sentence more understandable. But maybe somethiing good came out of it. That lack of understandability could've led readers to read the article so that they'd know what I was talking about. Anything that gets people to read the article is good, right? :)

      Anyway, I suppose I should try harder to avoid coming up with such long sentences, especially if they do not have punctuation. I must avoid writing long sentences in which I state several facts in which punctuation do

  • Do Admins leave Backdoors a lot? (Score:4, Interesting)

    by Puchku ( 615680 ) <Email@adity[ ]g.com ['ana' in gap]> on Monday May 26, 2003 @03:31PM (#6041533) Homepage
    Always wanted to know this. I am a sysadmin for a College (i'm a student there), and I always leave a backdoor or two in case of emergencies. like someome else chaniging the root passwords etc. Does anyone else do this, or is it just me?

    • Re:Do Admins leave Backdoors a lot? (Score:5, Insightful)

      by Jetson ( 176002 ) on Monday May 26, 2003 @03:41PM (#6041573) Homepage
      If you have the ability to add a back-door you will also (in most cases) have the ability to recover from a lost password without *needing* a back door.

    • Re:Do Admins leave Backdoors a lot? (Score:4, Informative)

      by James Littiebrant ( 622596 ) on Monday May 26, 2003 @03:42PM (#6041576)
      That would sound like a good idea, but it is not the best idea. I know how a hacker can get into computers (because I am one) and installing a backdoor on your server/computers is a deadly mistake. A simple scan from a hacker in theory could uncover that backdoor, then you are screwed. Instead I would recommend that you get a physical switch that resets the root password to a prespecified number or character. Where you can get these? I am sorry to say that I do not know where. I do know that they have been made bacause one of my friends has built one for his computer, with some programming and mod experiance you could build one too. I for one will never install a backdoor on MY servers.

    • Always wanted to know this. I am a sysadmin for a College (i'm a student there), and I always leave a backdoor or two in case of emergencies. like someome else chaniging the root passwords etc. Does anyone else do this, or is it just me?

      The console should be logged in as root. If your console is physically secure, then you can get back into the system without a reboot. Even works if the password file gets trashed.

      Never leave anything open that can be done remotely. If you can use it from home, so cou

  • No wonder insurance is so expensive. (Score:4, Insightful)

    by Sheetrock ( 152993 ) on Monday May 26, 2003 @03:33PM (#6041535) Homepage Journal
    I don't know how much hand-holding people need, but this kind of thing goes a bit far. If you've got a troublesome ex-employee, I'd think they should be able to handle something like this with a civil suit. Instead, it's pulled out of insurance, which drives up all our premiums.

    Fantastic. And with litigation costs to boot.

    • Re:No wonder insurance is so expensive. (Score:4, Insightful)

      by mlyle ( 148697 ) on Monday May 26, 2003 @03:39PM (#6041566)
      Assuming the ex-employee has the resources to pay damages, and that you can collect them.

      Insurance companies in most contracts are allowed to subrogate; that is, when they pay damages to you, they inherit all of your rights regarding that claim-- and can choose to go and sue the employee themselves if they think it's worthwhile.

      This is what insurance is for, really.
    • They should have better worded the policy.

      I wouldn't be surprised if this kind of thing happens a lot over the next little while, until insurance companies (and in particular, the actuaries) can get their heads around the liability associated with network security.

      As a developer in the security industry, I look on this as great news. I've been saying for a long time that what data security companies really need is for the insurance companies to start tying premiums to security infrastructure. When tha

    • If you've got a troublesome ex-employee, I'd think they should be able to handle something like this with a civil suit.

      How is a disgruntled (and probably unemployed) ex-employee going to pay a hypothetical $20 million settlement? The company is still out-of-pocket that amount. Somebody has to pay to rebuild lost files. Also, insurance pays relatively quickly (in most cases) compared to a lawsuit. If you need to do data recovery to stay in business, you don't want to have to wait through several years'

  • BOFH (Score:3, Interesting)

    by RobertTaylor ( 444958 ) <roberttaylor1234 AT gmail DOT com> on Monday May 26, 2003 @03:33PM (#6041537) Homepage Journal
    Obligatory link to The Bastard Operator from Hell [ntk.net] page.

  • Note to self.. (Score:2, Funny)

    by grub ( 11606 )

    Don't leave backdoors in the system, burn the place down. It's harder to trace back..
  • I'm sure this is an over simplification, but if the insurance was for dishonest acts by employees, how could the company win? This act was comitted by someone who was no longer an employee...

    • Re:dishonest acts by employees? (Score:4, Insightful)

      by The Jonas ( 623192 ) on Monday May 26, 2003 @03:43PM (#6041582)
      IANAL, however I think the case may have been won by the fact that the "backdoors" were put in place while the offender was employed with the company. Therefore, they might have been able to prove malicious intent or something like that.
      • Did you even read the article? If he had not been considered an employee it would have been a much easier and clear cut decision. Instead we get a questionable verdict where intellectual property is in effect equated to physical property.

    • IANAL, but I would imagine their contract would have provisions that include former employees (up to a certain time after termination) and would possibly be bound by clauses set out in NDA and employment agreement.

      The fact that the insurance company nitpicked between dishonest and destructive acts doesn't surprise me in the least.

  • Insurance... (Score:4, Insightful)

    by NickisGod.com ( 453769 ) on Monday May 26, 2003 @03:45PM (#6041589)
    Insurance is one of the biggest vains the U.S. is facing today. You name it, car insurance, workman's comp, homeowners, cyber, etc.

    Beside's it being legalized gambling, whenever something does happen, these companies try to get out of paying and point fingers at fraud.

    There has to be a better way.

    P.S. Is it this bad in other parts of the world, or are there "better systems" in place?
    • car insurance is the worst offender, imo. First, it's illegal to drive without car insurance, and then when you acutally need it, they try to get out of paying for it.
      • And a 23 year-old male with a clean driving record pays two to three times what a 26-year-old female with 3 accidents on her record pays. No matter WHO you get insurance through. Statistical analysis sucks.
    • Besides the fact that gambling hasn't been illegal in many places for decades, this comparison really irks.

      Insurance is about the *spread of risk*. If one in every 100 houses burns down every year, then everyone pays 1/100 of the cost of a new house annually. No single homeowner is burdened with the cost of a new house, but everyone pays a little to protect their investment.

      Insurance, simply, is putting in something small on the off chance something bad happens that would otherwise cost you money. Gamb
    • Canada is just the same. I'm paying CDN$6,000/yr. with driver's ed certificate, as a 21-year-old, had my learners license when I was 17, full license at 19, driving a Nissan Sentra (economy car, not the SE-R model or anything). That's the best rate I could get. It's more than my car payments!

      It's extortion, as far as I'm concerned. There's no way for a new driver to prove himself except by not having accidents -- but only once you're already paying the inflated new driver rate for 3-6 years! Ridiculous. An

  • If you are about to be fired... (Score:3, Informative)

    by hillct ( 230132 ) on Monday May 26, 2003 @03:53PM (#6041627) Homepage Journal
    There are many sighns you are about to be fired, but most of them relate to steps your employer has taken to prevent you from doing damage to their systems in retaliation, like, say, changing the root password, deleting your personal userid, removing you from the company directory, and then there are these:
    The point is, do what you need to do long before you are fired so as to make your exit as painless as possible. If your employer is not competent enough to take the nessecery steps, and so requires anti-employee insurance, then that's their problem, and it probably indicates they're too stupid to deserver to have you working for them anyway. If they havn't earned the respect of their employees, again, this is the mark of a bad employer and it's time to move on anyway.

    It's simple, if any of the above events have occurred, plan to move on and if your company has purchased anti-employee insurance, it's time to het the hell out anyway.

    --CTH
    • Yeah. The first sign that I had been laid off from Deere & Co. was that my ID badge would no longer open the door to let me out of the building. Some nice guy used his badge to let me out, and then used it again to let himself out. I heard later he'd gotten in trouble for doing that, too, since the security system flagged him as having left twice. I guess the Proper Action would have been to leave me cooped up in the building overnight until someone got around to telling me I didn't work there anymore.
      • Of course, then the proper action would be for you to go to a lawyer and get them on unlawful imprisonment. :)
      • Jesus. Scan to get out? Glad there wasn't a fire! (Yeah, sure, it'll fail open. We think.)

        • Jesus. Scan to get out? Glad there wasn't a fire! (Yeah, sure, it'll fail open. We think.)

          IIRC, it's fire code that buildings with those sort of doors automatically unlock when the fire alarm is going off. Of course, if someone was plotting corporate espionage, don't be too surprised when your building suddenly bursts into flames..

        • It would not have made much difference... it was a motorized revolving door, with room for only one person at a time. Even if the badge scanner was turned off and the door solenoid held closed, that's still only one person per second or so going out that door, and that's assuming it's a nice neat line and not a mob of panicking employees. I'm not sure what their fire plan was.

  • Hey.. you behind da keyboard. You need protection.. Things happen. Hard disks crash, software breaks, monitors get shot.. err.. dey break too.
  • 1. Start a shell company that does computer consulting
    2. Buy computer equipment
    3. Buy lots of computer sabotage insurance
    4. Hire a lot of /. hackers
    5. Sit back and wait to collect.


    It sounded like a good idea at the time, all except for the orange pajama part.

  • Read the fine print (Score:3, Interesting)

    by batobin ( 10158 ) on Monday May 26, 2003 @03:59PM (#6041653) Homepage
    I guess the lesson here is to read the fine print. The important thing to look for here is when the "dishonest employee" commits their dishonesty. From a logical standpoint, any malicious acts committed through the back-door should be covered by the insurance, merely because the back-door only existed because of dishonesty. But I'm sure the insurance company tried to argue, and support with the fine print, that the actual exploitation was the dishonest act, and occurred only after the employee was fired.

    Here's something to make you think: what would happen if the dishonest employee created the backdoor, quit, and someone else from outside the company exploited the back door? Then who would have won? I'd love to examine the actual insurance policy to find out.

  • His company had insurance against dishonest acts by employees

    They should have bought insurance against dishonest acts by the insurance company.

  • It's worth asking your insurance company whether they'll pay for losses from destruction of data. The bits on the media are almost certainly more valuable than the physical media. "Computers and media" coverage might not necessarily cover data erasures or alterations. A restore from backup could cost serious money even with no physical damage.
  • If you have a really good cyber insurance policy, and you do the minimum required to not be found negelgent, is it enough to buy insurance and not "Secure" your computer assets? This assumes your insurance covers lost profits or reputitioon damadge and all taht other stuff that happens? Is it cheaper?

  • I'm frankly surprised that the insurance company actually agreed to pay. Keep in mind that the whole idea of an insurance company is NOT to pay.

    Just like they did after 9/11, companies will probably start writing exclusions for this type of loss into their policies. If they don't, the price of the insurance will go sky high to the point that companies will simply go bare [nwsource.com] as the insurance costs more than the asset it's protecting.

  • Should we have to pay for cyber insurance? Is protection from cyber fraud a right or a privelage? I'd like to say that it is owed to every internet user, but thats probably a little unrealistic....

Slashdot Top Deals

The use of money is all the advantage there is to having money. -- B. Franklin

Close