Archive for January, 2003
The Cost of Hacker Insurance Is Prohibitive for Small/Medium Business
ZDNews notes that “the price of the [cyberinsurance] policies vary widely, from a couple of thousand dollars for a small business policy to as much as $1 million per $25 million worth of coverage.” However, more than price alone needs to be considered. Most policies exclude as much as, if not more than, they include, so what is and is not covered deserves careful attention. More importantly, before writing a policy, insurers require a complete assessment of existing information security practices, as well as implementation of new and expensive security measures (e.g. intrusion detection systems and penetration testing), to ensure that the applicant is taking significant steps to protect information assets from hackers. The cost of these requirements alone puts many policies out of reach for most small and medium businesses.
Is Microsoft Penalizing Customers Who Use Legacy Applications?
In a December 23 article, “Microsoft Users Upset With Security Updates”, eWeek states that “although Microsoft has agreed as part of its consent decree with the Department of Justice to continue to provide support and updates for its older products, [users] say the company seems to be penalizing customers who use legacy applications by making it difficult for them to obtain patches.” The article notes that some third-party tools designed to assist in the management of security updates can no longer download some of the hot fixes that Microsoft makes available.
Consensus Baseline IT Security Settings
Tests run by the National Security Agency demonstrate that applying security configuration benchmarks, specifically the Center for Internet Security/NSA/GSA/NIST Windows 2000 Consensus Security Baseline Settings, “eliminated more than 95% of high priority vulnerabilities (as determined by a popular commercial scanner) and 91% of all vulnerabilities.” Read the entire report in the US Department of Defense Information Assurance Newsletter, Security Benchmarks: A Gold Standard. The Center for Internet Security makes available, free of charge, Benchmarks and Security Tools that scan systems and compare them against these non-proprietary benchmarks, which reflect best practices for how systems should be configured and operated. (Note: Center for Internet Security is “a not-for-profit cooperative organization assisting network users and operators, and their insurers and auditors, to reduce the risk of significant disruptions of electronic commerce and business operations due to technical failures or deliberate attacks.”)
The Value of Safe Configuration
Patch as Patch Can. Dennis Fisher of eWeek once again highlights the time-honored practice of hardening publicly accessible machines. “Administrators and security specialists are relying less on the band-aid approach of patches and are moving to a philosophy that encourages locking down servers and removing as many threat vectors as possible from the outset. The idea is to anticipate the most common types of vulnerabilities and take away those avenues into the network before an attacker finds them.”
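The two items above describe the same idea from two sides: a consensus baseline says what a locked-down host should look like, and a scanning tool reports where a host falls short of it. The script below is an added illustration of that comparison, written for this page; it is not the Center for Internet Security tool, and every setting name, threshold, priority label, service list and host snapshot in it is constructed for the example rather than taken from the published Windows 2000 benchmark. Each rule is evaluated against a host snapshot, a setting that is absent counts as a finding (unknown is not compliant), and listening services the baseline disallows are reported as avenues to remove, in the spirit of the eWeek quote.

```python
"""Compare a host configuration snapshot against a consensus-style baseline.

Added example, not the CIS/NSA benchmark or scanner. All rule names, values,
priorities, service names and the sample hosts below are constructed.
"""

import operator
from dataclasses import dataclass

# Comparison operators a baseline rule may use.
OPS = {">=": operator.ge, "<=": operator.le, "==": operator.eq}


@dataclass(frozen=True)
class Rule:
    setting: str     # configuration setting name (constructed)
    op: str          # one of OPS
    expected: object
    priority: str    # "high" or "medium" (constructed labels)


# Constructed baseline; values are illustrative, not the published benchmark.
BASELINE = [
    Rule("MinimumPasswordLength", ">=", 8, "high"),
    Rule("LockoutBadCount", "<=", 5, "high"),
    Rule("LockoutBadCount", ">=", 1, "high"),   # 0 means lockout is disabled
    Rule("AuditLogonEvents", "==", True, "medium"),
    Rule("EnableGuestAccount", "==", False, "high"),
]

# Services a locked-down server should not expose (constructed list).
DISALLOWED_SERVICES = {"telnet", "ftp", "indexing"}


def evaluate(snapshot, baseline=BASELINE, disallowed=DISALLOWED_SERVICES):
    """Return a list of (priority, message) findings for one host snapshot.

    snapshot = {"settings": {name: value}, "services": {name: "running"|"disabled"}}
    """
    findings = []
    settings = snapshot.get("settings", {})
    for rule in baseline:
        if rule.setting not in settings:
            # A setting the scan could not read is reported, not silently passed.
            findings.append((rule.priority, f"{rule.setting}: not present in snapshot"))
            continue
        actual = settings[rule.setting]
        if not OPS[rule.op](actual, rule.expected):
            findings.append((rule.priority,
                             f"{rule.setting}: {actual!r} violates {rule.op} {rule.expected!r}"))
    for svc, state in snapshot.get("services", {}).items():
        if svc in disallowed and state == "running":
            findings.append(("high", f"service {svc}: running but should be disabled"))
    return findings


def summarize(findings):
    """Count all findings and those marked high priority."""
    high = sum(1 for priority, _ in findings if priority == "high")
    return {"total": len(findings), "high": high}


# Constructed snapshot of a host before hardening (AuditLogonEvents is absent).
SAMPLE_HOST = {
    "settings": {"MinimumPasswordLength": 6, "LockoutBadCount": 0, "EnableGuestAccount": True},
    "services": {"telnet": "running", "ftp": "disabled", "w3svc": "running"},
}

# The same constructed host after the baseline has been applied.
SAMPLE_HOST_HARDENED = {
    "settings": {"MinimumPasswordLength": 8, "LockoutBadCount": 5,
                 "AuditLogonEvents": True, "EnableGuestAccount": False},
    "services": {"telnet": "disabled", "ftp": "disabled", "w3svc": "running"},
}

if __name__ == "__main__":
    for name, host in (("before", SAMPLE_HOST), ("after", SAMPLE_HOST_HARDENED)):
        findings = evaluate(host)
        for priority, message in findings:
            print(f"[{name}] {priority}: {message}")
        print(f"[{name}] {summarize(findings)}")
```

Running it reports five findings for the constructed host, four of them high priority, and none once the hardened snapshot is evaluated. A real scanner reads the settings from the registry and service control manager rather than from a dictionary, but the decision logic, a rule table compared against what the host actually exposes, is the part that turns a written baseline into something an administrator can act on.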
ROI in Security... Still Not Buying It
One of the lead articles in the December issue of CSO Magazine states “ROI for security is difficult. But it’s also the key to selling your budget.” (Source: Calculated Risk: Return on Security Investment). Yes, ROSI (Return On Security Investment) is difficult, nearly impossible, very subjective, somewhat arbitrary, and so on. ROSI is supposed to enable you to make decisions based upon the numbers (i.e. facts), but the article concludes “ROSI is empirical, but in many ways it’s emotional, believe it or not.” What? If I am a CEO or CFO, I am not going to buy into a security budget based upon the fuzzy math that goes into these ROSI calculations. More on point is a statement in a second article in the same issue, titled The Art of Uncertainty. In an interview, Frank Barnhard of Omni Consulting Group states that security should be considered “not as an ROI problem but as an economic value discussion.” “I don’t think people have a hard time understanding that security is something we have to offer because, if we don’t, we’re open to liability. That’s a secondary outcome. And if we’re open to liability, we may get sued. So we want to do those things that are obvious within man’s control. That’s the litmus test: that it’s within a reasonable person’s control to mitigate risk and ensure that they’re not liable... What results are you trying to achieve and, in this case, what risks are you willing to mitigate, to bring it back to a cost basis?”