CyberSecurity Institute

“As specialist insurance becomes more affordable, I expect the take up to increase,” said Oliver Brew, a technology underwriter for London-based Hiscox Plc.

Because of vaguely worded state and federal regulations and the impossibility of 100% network security, a new type of insurance claim is emerging — one that protects insured enterprises against privacy-related lawsuits under provisions of the Graham-Leach-Bliley Act, California State Bill 1386 and other regulations.

“We are seeing breach of privacy claims due to unauthorized access to or use of personal identifiable information,” said Peter Foster, senior vice president and co-leader of the information risk management practice at Marsh Inc., a leading risk and insurance services firm. “Regulatory requirements to publish the breach incident are triggering multi-party lawsuits that have cost insurers excess of $1 million per incident in some cases.”

Cyberinsurance covers a number of other areas often not available in traditional business policies, including denial-of-service attacks, damage cased by hackers, malicious insiders, worms and viruses, and electronic theft of confidential information.

http://searchsecurity.techtarget.com/originalContent/0,289142,sid14_gci1084419,00.html

It opens up the floodgates for hackers to infiltrate phone conversations and steal confidential data. And spammers can target the system with massive denial-of-service (DoS) attacks.

· Two-thirds of the Global 2000 are expected to implement VoIP by 2006, according to Deloitte Services LP (eWEEK, December 4, 2004).

· In a survey of 500 IT professionals released earlier this year, the Computing Technology Industry Association found that 73 percent of the respondents said they use or plan to use convergence hardware and software over the next 12 months (“Voice-over-IP Offers Greatest Productivity Gains,” February 9, 2005).

· Gartner Inc. expects the market for VoIP services to continue to expand at double-digit rates in 2005 (“North American Business VoIP Services Emerging,” March, 2004).

As the recently formed VoIP Security Alliance has observed, advances in information technology typically outpace the corresponding security requirements, which are often tackled only after these technologies are widely deployed. Such is the case with VoIP today.

Now that VoIP deployments are becoming more widespread, the technology is proving a more attractive target for hackers, increasing the potential for harm from cyberattacks. Moreover, the emergence of VoIP application-level attacks will likely occur as attackers become more familiar with the technology through exposure and easy access. And the consequences of an attack can be staggering. Successful attacks against a combined voice and data network can cripple an enterprise, halt communications required for productivity, and result in irate customers, lost revenue, and brand impairment.

That’s why the VoIP Security Alliance plans to disseminate knowledge of VoIP security risks through discussion lists, white papers, and research projects. The group hopes to spur adoption of VoIP by promoting best practices for companies that adopt the technology, and by warning organizations of threats to VoIP, including spam and DOS attacks.

With enterprise interest in VoIP heating up, Gartner has found that CIOs and network managers are acutely concerned about securing VoIP, so that it provides the same level of security as traditional time division multiplexing (TDM) devices and the public switched telephone network (PSTN). In a recent report (“Voice Over IP Communications Must Be Secured,” November, 2004), Gartner predicts that IP communications will continue to be less secure than TDM communications through 2006; that DoS attacks will regularly be used to disrupt VoIP communications by 2008; and that the next year will see convergence-specific viruses/worms begin to attack VoIP-specific equipment.

Issues include surrounding guaranteed bandwidth, delay, jitter, packet loss, and the timely delivery of signaling messages. It would be easy to use a combination of traditional IP security techniques, payload and signaling encryption. The holdup is that each company must justify the costs of a convergence project and judge whether the potential productivity enhancements and cost savings outweigh the costs of ripping out working telecom gear.

http://www.ebcvg.com/articles.php?id=697