29 April 2004

The Future Is Holistic Security

from ST&D
Article ID: D144710

Management consulting firm Booz Allen Hamilton recently surveyed firms with more than $1 billion in annual revenues and found that 54 percent of those surveyed have a chief security officer in place. The rise of the C-level security position marks a dynamic change in the structure of security, which has historically been an under-managed and fragmented function in many organizations. It is evidence of a powerful trend toward a holistic approach to security, through which various elements such as information security, building systems and physical security are integrated into a single function.

Three Integral Concepts

A report released by the U.S. General Accounting Office on April 25, 2002, described the importance of holistic security specifically in reference to federal buildings. The report noted that though various effective security technologies are available to address most vulnerabilities, 'the overall security of a federal building will hinge on establishing robust risk management processes and implementing the three integral concepts of a holistic security process: protection, detection, and reaction.'

Later it went on to describe these three concepts: 'Protection provides countermeasures such as policies, procedures, and technical controls to defend against attacks on the assets being protected. Detection monitors for potential breakdowns in protective mechanisms that could result in security breaches. Reaction, which requires human involvement, responds to detected breaches to thwart attacks before damage can be done. Because absolute protection is impossible to achieve, a security program that does not also incorporate detection and reaction is incomplete' (GAO Report GAO-02-687T, 'Technologies to Secure Federal Buildings').

Separation Between Information and Physical Security

Prior to 1995, information security and physical security management were completely separated. Information security began as simple data center security, and then grew as the IT environment expanded to include online computers on every desk. Because the computer systems operations were managed out of the MIS department, the information security officer function remained there as well.

By contrast, the physical security officer was usually a former policeman, or someone with a military background, whose main responsibility was creating and managing a uniformed guard service, keeping track of keys and managing a visitor badging program in the front lobby. As the information and physical security functions move closer together, the historical differences between these two positions tend to cause tension. The information security officer may have little interest in maintaining physical controls such as barriers, badges and alarms, and the physical security officer may not care to delve into the technical realm of networks and IT. At this point, terminology also becomes an issue. Many security elements are given the same names by both physical and information security, but those names mean something completely different for each department. Access control in physical security means controlling how people gain physical access to a facility. Access control in information security means a software solution for controlling which network users are able to access what information. The terms 'audit trail,' 'intrusion detection,' 'security policy,' 'emergency response,' 'disaster recovery' and 'maintenance' all have a different meaning in each of the two departments.

However, the state of the nation, the changing landscape of security technology and new federal government security efforts are conspiring to bring the realms of information and physical security together, despite their historical differences.

The Need for Holistic Security


Since 9/11, security has become more and more important, and more expensive, because organizations are seeking a higher level of security than ever before. However, many organizations don't have enough money to implement every security safeguard. How does an organization decide whether to put an authentication program in place to identify network users, or to instead create a stand-off from the front of the corporate lobby? Holistic security programs can help organizations solve these problems by facilitating proper allocation of the security budget through risk analysis and prioritization.

Terrorism center wrestles technology, secrecy
Reuters

WASHINGTON--As the U.S. government debates changing the intelligence structure, a fledgling center created to provide 'one-stop shopping' for terrorism information is wrestling with issues of technology and secrecy.

The Terrorist Threat Integration Center (TTIC), which hits the one-year mark on Saturday, was established to address the failure of intelligence agencies to 'connect the dots' and uncover the Sept. 11, 2001, plot.

The hijacked plane attacks in 2001 that killed nearly 3,000 people sent the government searching for ways to improve its national security apparatus to prevent another strike.

The TTIC is trying to meld the cultures, technology and secrets of various agencies so that its analysts can sift through terrorism information scattered around the government and try to piece together a coherent picture.

The center combines personnel from the CIA, FBI, and departments of defense, state and homeland security as well as other agencies. It maintains a database of known and suspected international terrorists that has more than 100,000 names in it and a top secret Web site available to 2,600 users who can search through 3.5 million documents.


'We're still in a growing stage and so one-stop shopping for everything for the U.S. government implies almost a full-up capability, we're not there yet,' John Brennan, director of TTIC, said in an interview at his office at the CIA.

TTIC will move into its own building in Virginia off the CIA campus starting in late May, and could double or triple the number of analysts from the current 76 by year-end.

28 April 2004

Banks targeted in Windows hack attack

from The Sydney Morning Herald
Article ID: D144607

Malicious attackers in Brazil, Germany and the Netherlands tried to use a vulnerability in Windows to break into some of Australia's largest financial institutions, including at least three banks, over the Anzac weekend, according to the Atlanta-based security firm, Internet Security Systems.


In a media release, ISS (Australia) managing director Kim Duffy said the attacks were picked up by ISS's Global Threat Operations Centre late on Thursday evening.

He said that by 8am on Friday the attacks had escalated significantly 'and by lunch time we became aware that hackers were trying to infiltrate many of Australia's largest financial institutions.'

He said that although many were already protected by ISS, he alerted the institutions 'and, as a courtesy, we also faxed Australia's top 500 private and top 500 public companies.'

The vulnerability which was targeted by the attackers was, coincidentally, discovered by ISS and notified to Microsoft in September last year. It was one of 14 sealed by the patch issued along with Microsoft Security Bulletin MS04-011 on April 13.

'Our X-Force research laboratory discovered the flaw in September last year when we informed Microsoft in accordance with our confidential disclosure procedures,' Duffy said in the release.

'These procedures are designed to give vendors like Microsoft as much time as possible to develop and then distribute upgrades to plug any security gaps.

'A successful attack over the weekend would enable hackers to have full remote control of important servers and have the potential, depending on the target server's configuration, to compromise an institution's most sensitive data.

'Whilst the attacks were primarily aimed at financial institutions, the reality is that they could, at any moment, switch to any entity operating with a vulnerable Microsoft SSL (Secure Socket Layer) server,' Duffy said.

Copyright © 2004. The Sydney Morning Herald

Self-regulatory US organisations complete business continuity rule making

Earlier in April the Securities and Exchange Commission approved rules proposed by NASD and the New York Stock Exchange, which require NASD and NYSE members to develop business continuity plans that establish procedures relating to an emergency or significant business disruption.

Under the new rules, every NASD and NYSE member must develop a plan that addresses various aspects of business continuity, including data back-up and recovery, mission critical systems, and alternate communications between the firm and its employees and the firm and its customers.
In addition, a member's business continuity plan must address how the member will assure its customers' prompt access to their funds and securities in the event that the member determines that it is unable to continue its business. Every NASD and NYSE member also will be required to disclose to its customers a summary of its business continuity plan that addresses how the member intends to respond to potential disruptions of varying scope.

Commission approval of these rules represents another important step to address the risks faced by market participants in the post-September 11 environment. In September 2003, the Commission issued a policy statement setting forth its view that self-regulatory organisations operating trading markets and electronic communication networks should apply certain basic principles in their business continuity planning.

27 April 2004

Who's in Charge of Sarbox Compliance?

Larger companies are split on whether to appoint a single Sarbox compliance officer; many smaller companies hand the task to the internal-audit department.

Stephen Taub, CFO.com

Who's minding the store when it comes to corporate compliance with the Sarbanes-Oxley Act?

The answer apparently depends on the size of the company, according to a new survey from Parson Consulting. While 25 percent of larger companies favor a single Sarbox compliance officer, another 25 percent believe the task should be spread across all senior management. Among smaller companies, 40 percent say their internal-audit departments should handle compliance. Across both segment sizes, 20 percent of respondents were undecided.

The two camps are split on other compliance-related issues, according to the consulting firm. For instance, larger companies rely on software more than smaller companies do when preparing to meet Sarbanes-Oxley Section 404 compliance deadlines.

Under Section 404, CFOs and chief executive officers must sign off on the effectiveness of their companies' internal controls involving finance. After two Securities and Exchange Commission postponements, the provision is slated to go into effect in November.

26 April 2004

Managing Risk for Security Governance - A Series

By Peter L. Higgins
Managing Director
1SecureAudit

Part IV and last in the series

The 2003 Council on Competitiveness Corporate Security survey conducted by Wilson Research Strategies had the following findings:

· Most business leaders now see security as a top or high priority – 86%
· Risk Management assessments are being conducted frequently – 83%
· Connections to critical infrastructure are becoming a focus for risk management
· Corporate leaders see opportunities for positive returns on security investments – 71%
· Business leaders believe that the private sector should take the lead in setting security standards- 66%
· The majority of executives believe that the public and private sectors share equal responsibility for homeland security – 57%

“Corporate Security is no longer viewed as a matter of guards, gates and guns, but of interconnectivity and interdependence of networks,” as the survey states. “But, 9/11 was only a moment in time—and there is no accepted business model for integrated security management. The need to identify and institutionalize a set of best practices – security processes that create positive returns on investment—remains largely unmet.”

Security Governance is evolving rapidly and taps the thinking of various standards organizations including OECD, BSI, NIST, ISSA, BSA, ITAA, ASIS and dozens of other bodies of influence and knowledge. However, no matter what best practices an organization attempts to standardize on, beware of the attitudes of the employees and stakeholders.

Unless these stakeholders fully acknowledge what and why they are being asked to do things, rather than just following the rulebook, the system will fail. The organization that embraces change and introduces a Security Governance framework that not only manages the foreseen human risks, but also the unforeseen, will have a greater chance of survival. The role of culture in the risk for security governance is paramount for several reasons:

1. Any changes in risk management may require changes in the culture
2. The current culture is a dramatic influence on current and future security initiatives

Internal controls can provide reasonable assurance that an organization will meet its intended goals. At the same time, it is the people (Human Factors) who will fail the company in material errors, losses, fraud and breaches of laws and regulations. This is why the risks the organization is facing are constantly changing and therefore why a management system for security governance is necessary. The management system is there to provide resiliency to the risks it encounters and to control risk accordingly rather than eliminate it forever.

The board of directors will soon realize that managing risk for Security Governance is just as important to the success of the organization as Section 404 of Sarbanes-Oxley. In fact, without Security Governance in place, all of the rules won’t matter and the stakeholders will again be asking themselves: how could this happen?

23 April 2004

Operational Risk--The Problem Is of Poor Governance

RiskCenter
Gupta, Suresh

Recent media attention regarding the end of Capital One's relationship with Wipro after call center workers in India were found using unethical tactics to sign up customers for credit cards and obtaining confidential data about customers for fraudulent purposes has highlighted the potential risks of having an offshore, third party vendor manage a call center.

Offshore vendors typically do not have the years of experience managing call centers seen with onshore vendors. Common risk management techniques involve due diligence, SLAs, and strong governance, but tough internal controls at the offshore vendor site are often overlooked. Firms interested in using offshore vendors for call centers should ensure that controls exist within the offshore firm to monitor the environment, risks, information, and communications processes used.

One of the first steps for risk managers is to ensure that human resources policies and procedures, as well as ethical codes and staff skills, meet the objectives of the firm; then risk managers should focus on how to identify potential risks and mitigate them. In order to determine if procedures and policies are working, warning systems should be developed, including the development of performance goals and open communication between the client and the overseas vendor. Firms should also audit internal controls at offshore firms periodically to ensure that procedures and tasks are being completed on schedule and in the right manner.

Fast Company | Worker, Hack Thyself

Social engineers hack the one part of IT that can't be patched: humans. The best line of defense? Learn how to do it yourself.


From: Issue 82 | April 2004, Web Exclusive By: Ryan Underwood

I know it was for demonstration purposes only. But still, when John Nunes, an information security consultant, called my cell phone and rigged the caller ID to display my office phone number (even though I was staring at my office phone at the time and Nunes placed the call from 300 miles away), it was spooky.

Spooky because it doesn't take a great leap to imagine an overworked, soon-to-be-outsourced IT grunt running a Fortune 500 company's database in San Diego getting a call from 'someone' at New York headquarters -- hey, the caller ID checks out -- asking him to shift some of the data to another server for a few hours. As it turns out, that server happens to belong to some Filipino teenager in desperate need of some fresh credit card numbers so he can score a new plasma screen TV. Or worse, it belongs to the company's fiercest competitor.

There's even a term for these kinds of human-computer shenanigans: social engineering. It's a phrase that often gets bandied about as an afterthought when talking about the hacker world of viruses and worms and all the rest. But, Nunes warns, it's the single area of hackerdom that individuals and companies have not paid nearly enough attention to.

A familiar cry among hackers these days goes something like this: There's no patch for human stupidity.

22 April 2004

Five Questions Directors Should Ask

How the Right Software Can Help Your Company Comply

by Randy Myers

Board members looking at an expenditure on Sarbanes-Oxley compliance software won’t be expected to understand all the nitty-gritty technical details of how the software works. Still, they can make sure the company gets a product that meets its needs. Here are five questions that consultants advise directors to ask a CFO or CIO who wants them to sign off on something that could cost into the millions.

1. Will this solution allow us to meet our first-year filing requirements? “Make sure nothing that’s being proposed will put your first-year certification at risk,” says Lee Dittmar, a Philadelphia-based partner with Big Four accounting firm Deloitte & Touche. “Make sure that the product is proven. You don’t want any development-type project when you’re involved in a bet-the-farm proposition.”

2. How will this software help the board get the information it needs to provide adequate oversight? Is the information the software will give you something that you can’t get in other ways? Says Craig Schiff, founder and CEO of the consulting firm BPM Partners: “Some companies already have good IT systems in place and have been buying business performance-management software even before it was called that. Don’t buy software whose capabilities overlap those of programs you already have.”

3. Will we be able to jump to a better software package if one comes along? “Make sure you buy a program that has a short-term focus for immediate purposes but that can also be adapted to more effective systems over the next five years,” says Anthony Miller, vice president of strategy, product marketing, and professional services at LRN, a Los Angeles consulting firm that is developing comprehensive compliance software.

4. What benefits will the software provide beyond compliance with Sarbanes-Oxley? “Expenditures of this magnitude can seem hefty if they’re just for compliance,” notes Schiff. He says his company’s system will not only help with Sarbanes-Oxley compliance but be of use in running the rest of a business more efficiently too. Producers of similar software make the same claim, arguing that this helps justify the capital expenditure.

5. Is the company we’re choosing going to improve the product down the line? Ask about the manufacturer’s long-term development plans and the improvements it has on the horizon, advises Rocco Tarasi, national director of the consulting firm Resources Connection Inc., which is based in Costa Mesa, California. “This will allow you to evaluate what weaknesses might exist in the product today,” says Tarasi, who works out of his company’s Pittsburgh office. “And while you’re at it, ask if you have to pay extra for those anticipated improvements or if they’re included in the price of your support and maintenance package.”

Hand Over Security

Physical and information security have been converging, often under the control of IT. But companies are increasingly moving the role of policing security out of IT and into the hands of an independent CSO. Here's why you should consider doing the same.

BY CHRISTOPHER KOCH
CIO.com

Executive Summary

There is growing evidence that security responsibility should be independent of the IT department—survey data shows that companies with independent security functions enjoy more effective safeguards. With security reporting to IT, there is potential conflict of interest for the CIO, who might be tempted to give short shrift to security concerns in favor of getting IT projects in on time and under budget. Catching hackers requires the ability to think like a criminal, something IT employees are not trained to do. And, of course, there's the enormous IT workload that distracts from security concerns. On the other hand, even if security moves out of IT, accountability wouldn't necessarily go with it. CIOs might end up with little influence but would still have to answer when something went wrong. But at Capital IQ and Siemens Canada, responsibility for security has been successfully separated from IT. If that's not possible, security advocates say the responsible person must have the policy-based recourse to report to a higher authority than the CIO.

21 April 2004

DigitalPersona: Solutions | Finance

Security and privacy are foundations of the banking industry. The Gramm-Leach-Bliley Act (also known as the Financial Services Modernization Act of 1999) requires financial institutions to protect data from unanticipated threats and unauthorized access.

In fact, according to the Bank Technology News Survey 2000, 84% of bank fraud is committed by in-house staff. And the CSI/FBI Computer Crime Survey 2000 found that 71% of all unauthorized corporate break-ins are by corporate insiders.

Protecting customers' confidential information and ensuring secure transactions between a bank and its customers and from one bank to another is crucial to a bank's compliance with regulatory policy and its own operations. To protect interbank transactions, many banks use password systems in which passwords are required to change continuously. Because this requires many users to write down their passwords, the potential for security breaches is great and could involve millions of dollars. According to the Computer Emergency Response Team (CERT), 80% of the security breaches they investigate are password-related. Ensuring secure transactions is crucial to the financial viability and operation of a bank. Financial institutions today must also increase auditability of user access to all information systems.

DigitalPersona enables them to do all of this.

Benefits of DigitalPersona U.are.U Pro to the Finance Industry

DigitalPersona U.are.U Pro enables financial organizations to secure their data and safeguard their electronic processing systems, online banking processes and customer information with a convenient fingerprint authentication system.
Following a simple process to register fingerprints with U.are.U Pro, banks can ensure that customer information is safe and that only authorized customers or personnel have access to sensitive information and can conduct secure transactions.

* Increases security as mandated by federal legislation
* Productivity increases since continuously changing passwords do not have to be remembered
* Minimizes risk of security breach and financial liability by ensuring transactions are protected

The UK's National Measurement Laboratory | Biometrics

Introduction


Biometric identification technologies, such as automatic face, fingerprint and iris recognition, are beginning to be used for user authentication in a variety of applications including computer login, building access control, and fast-track clearance through immigration. Current proposals for national identity cards also consider using biometrics to help in preventing identity fraud.

Biometric technologies measure a variety of anatomical, physiological and behavioural characteristics, and use the measurements to distinguish between different people and sometimes also to check that the image or signal presented is that of a real face, fingerprint, iris, etc, rather than that of a fake.

Measurements of a living entity will vary from one occasion to the next, and are normally highly dependent on environmental conditions and user behaviour.

What we do

Our work encompasses developing and improving methodologies for evaluating the performance of biometric systems, conducting evaluations, and technical consultancy on biometric system performance for Government and industry.

20 April 2004

TCP Vulnerable, But Net Won't Go Down

By Gregg Keizer, TechWeb News

A flaw in the basic TCP protocol used to transmit data across the Internet quickly seized the attention of security professionals Tuesday as various government agencies and security firms posted alerts warning that an exploit could let attackers shut down connections between servers and routers.

Experts said the vulnerability poses a serious threat, which could possibly disrupt portions of the Net, or more likely impact enterprise networks. But they also urged end users and IT security pros to remain calm.

“The Internet isn't going down tonight,” promised Chris Rouland, the vice president of Internet Security Systems' X-Force threat group. “Internet infrastructure providers have been given plenty of advance notice, and have taken additional security precautions so that not just anyone can connect to them and authenticate. That's mitigated a lot of the risk.

“But even the largest companies haven't had this advance notice, and may have some work to do tonight.”

According to advisories posted by the United Kingdom's National Infrastructure Security Co-ordination Centre (NISCC) and the U.S. Computer Emergency Readiness Team (US-CERT), TCP -- the Transmission Control Protocol -- contains “a vulnerability which allows remote attackers to terminate network sessions. Sustained exploitation of this vulnerability could lead to a denial of service condition...and portions of the Internet community may be affected.”

Both agencies called the vulnerability “critical.”
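The article does not spell out the mechanism. What the NISCC and US-CERT advisories describe is that a receiver accepts a RST segment whose sequence number lands anywhere inside its receive window, not only at the exact expected value, so an off-path attacker who knows the four-tuple (easy for long-lived, well-known sessions such as BGP peerings between routers) can reset the session by spraying spoofed RSTs across the 32-bit sequence space in window-sized steps. The larger the window, the fewer guesses. Rouland's remark about infrastructure providers requiring peers to "authenticate" is the usual reading of this mitigation: the TCP MD5 signature option on BGP sessions, which makes a spoofed segment fail before the sequence check. The following is an added illustration written for this page, not code from the article or the advisories; the dict field names standing in for header and connection state are assumptions.

```python
"""
Why a blind TCP reset works and what it costs the attacker.

Added illustration for this page. `pkt` and `conn` are plain dicts with
assumed field names standing in for a parsed TCP header and the kernel's
per-connection state; they are not a real stack's API.
"""

SEQ_SPACE = 2 ** 32  # TCP sequence numbers are 32-bit and wrap around


def in_window(seq, rcv_nxt, rcv_wnd):
    """True if seq lies in [rcv_nxt, rcv_nxt + rcv_wnd) modulo 2**32.

    This is the acceptance test that makes the attack feasible: the attacker
    does not need the exact next expected sequence number, any value inside
    the advertised window will do. The modulo handles wrap-around.
    """
    return (seq - rcv_nxt) % SEQ_SPACE < rcv_wnd


def rst_accepted(pkt, conn):
    """Decide whether a RST segment tears down `conn`.

    The four-tuple must match (source/destination address and port) and
    the RST flag must be set; then the only remaining check is the window.
    """
    four_tuple_matches = (
        pkt["src"] == conn["peer"] and pkt["dst"] == conn["local"]
        and pkt["sport"] == conn["peer_port"] and pkt["dport"] == conn["local_port"]
    )
    if not four_tuple_matches or not pkt.get("rst"):
        return False
    return in_window(pkt["seq"], conn["rcv_nxt"], conn["rcv_wnd"])


def guesses_needed(rcv_wnd):
    """Worst case: spoofed RSTs needed to cover the whole sequence space."""
    return -(-SEQ_SPACE // rcv_wnd)  # ceiling division


def sweep(rcv_wnd, rcv_nxt):
    """Simulate an attacker stepping through the space in window-sized
    increments from 0; return how many RSTs were sent before one landed."""
    sent, seq = 0, 0
    while True:
        sent += 1
        if in_window(seq, rcv_nxt, rcv_wnd):
            return sent
        seq = (seq + rcv_wnd) % SEQ_SPACE


# Constructed sample state: a long-lived session (think BGP, port 179)
# whose addresses and ports an off-path attacker can guess.
CONN = {
    "local": "192.0.2.1", "local_port": 179,
    "peer": "198.51.100.7", "peer_port": 40000,
    "rcv_nxt": 1_000_000, "rcv_wnd": 65535,
}
GOOD_RST = {"src": "198.51.100.7", "sport": 40000, "dst": "192.0.2.1",
            "dport": 179, "rst": True, "seq": 1_050_000}   # inside window
STALE_RST = dict(GOOD_RST, seq=999_999)                    # one byte too low
WRONG_PORT_RST = dict(GOOD_RST, sport=40001)               # four-tuple miss


if __name__ == "__main__":
    print("in-window RST accepted:", rst_accepted(GOOD_RST, CONN))
    print("just-below-window RST accepted:", rst_accepted(STALE_RST, CONN))
    print("wrong-port RST accepted:", rst_accepted(WRONG_PORT_RST, CONN))
    for wnd in (16384, 65535, 2 ** 20):
        print(f"window={wnd:>8}: at most {guesses_needed(wnd):>7} spoofed RSTs")
```

With a 64 KiB window the whole space is covered in about 65,538 packets, a few seconds on a broadband link; a 1 MiB window (common with window scaling) drops that to 4,096. That is why the advisories rated it critical for router-to-router sessions and why per-segment authentication, rather than guessing harder, was the practical fix.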

A Patriotic Day: 9/11 Commission Recognizes Importance of the Patriot Act

by James Jay Carafano, Ph.D., and Paul Rosenzweig
WebMemo #480

Nothing is more important than preventing another catastrophic terrorist attack on Americans. Nothing. That is why the 9/11 Commission’s work—a comprehensive, objective review of how our law enforcement and intelligence operations can be improved to prevent a recurrence—is so vital. Whenever a team loses the game, it always reviews the videotape to see how it can improve.

During a recent public hearing of the 9/11 Commission, present and former government officials and even the Commissioners themselves emphasized the importance of one new tool adopted after September 11: the USA Patriot Act. They all agreed that the Patriot Act is an essential weapon in the nation’s global war on terrorism. Congress should take note and, as President Bush called for in the State of the Union Address, act now to reauthorize provisions in the law due to expire next year.

Confronting the Wall

The Commission is supposed to act in a nonpartisan manner, and—despite controversial testimony by former National Security Council staffer Richard Clarke that has triggered a rancorous series of hearings—recent sessions have provided an important and appropriate discussion of the underlying challenges of structure and strategy that limited both the Clinton and Bush administrations in effectively going after Bin Laden’s murderous al Qaeda network.

One key discussion point, in particular, should not be lost. Officials from both administrations acknowledged that before September 11 a “wall” of legal and regulatory policies prevented effective sharing of information between the intelligence and law enforcement communities.

For example, as Attorney General John Ashcroft noted, in 1995 the Justice Department embraced legal reasoning that “effectively excluded” prosecutors from intelligence investigations. At times, for prudential reasons, Justice Department officials even raised the “wall” higher than was required by law, to avoid any appearance of “impermissibly” mixing law enforcement and intelligence activities.

We now know that the erection of this “wall” had tragic costs. The “wall” played a large role in our pre-September 11 inability to “connect the dots” of intelligence and law enforcement information. As one frustrated FBI investigator wrote at the time, “Whatever has happened to this—someday someone will die—and wall or not—the public will not understand why we were not more effective and throwing every resource we had at certain ‘problems.”

COMMENT:
================================================================
Programmatic Data Privacy and Integrity is the real issue at stake here. Enterprise Security Governance will provide the mechanisms and controls necessary for the Patriot Act to operate with the highest degree of assurance. Our civil liberties are still in force and will be there to protect everyone who is an American. What we must not waver on is the need to modernize, to re-equip and to create "Correlation Centers". The fact is, our intelligence analysts in enforcement are under attack every day by more savvy and increasingly powerful adversaries. The establishment of a more robust, pervasive and technologically superior force to defend our homeland is still in the forming stages. What is paramount in this stage of growth is the framework for Security Governance to be injected into each stakeholder. The policies, ethics and controls must be there to guide those who are protecting our privacy while simultaneously allowing us to accelerate our countermeasures to deter, defend and defeat those who will continue to attack us. The Patriot Act will remain a powerful asset to those who wake every morning to ensure the confidentiality, integrity and availability of information in our country.

19 April 2004

Biometrics Add Security in Insecure Times

Clients of Houston-based Aim Investment Services don't have to worry about remembering passwords or PIN codes when seeking information about their portfolios over the phone. That's because last year, Aim became the first mutual fund firm to adopt Nuance Verifier 3.5, a voice-recognition authentication system from Menlo Park, Calif.-based Nuance Communications.

Rather than typing ID numbers and passwords on a telephone keypad, an end-user of this voice biometrics technology simply speaks into the phone and the system confirms his or her identity by examining voice patterns.

'It's kind of cutting edge technology, using somebody's voice print,' explains Jesse Dean, an assistant vice president of Aim Investment Services. 'It's more secure than a PIN and easier to use.'

To sign up for voice authentication, investors call into the integrated voice-response system and are prompted through a series of phrases, after which the system creates a voiceprint. When investors call back in the future, they simply provide their Social Security number, and the system compares the voice with the information on file to determine a match.

An Eye to Customer Service and Security


'People really like it,' Dean says of the voice-authentication system, which is deployed through DST Systems' IVR platform. It has resulted in a 20 percent reduction in call duration and a 15 percent increase in the automation rate, according to Dean. And, from a security standpoint, he says, 'We feel very comfortable with voiceprint.'

In an age when investment firms must constantly fight hackers and protect their clients from activities like identity theft, the security benefits of voice authentication are not small concerns. Last year, the Federal Trade Commission received 500,000 complaints about fraud and identity theft. Losses exceeded $437 million."

New Clients Barred From Ernst & Young

New Clients Barred From Ernst & Young:

(Associated Press) -- Found to be auditing the books of a company it had a profitable consulting business with, the large accounting firm Ernst & Young has been barred from taking on new corporate clients for six months.

The New York-based firm, which said Friday it did not plan to appeal the ruling by an administrative law judge at the Securities and Exchange Commission, was also ordered to pay $1.7 million in restitution, plus interest for violating rules on auditor independence.

The judge found the firm had improperly marketed consulting and tax services with PeopleSoft Inc., a maker of computer software.

It was the first time the SEC had sought the suspension of a major accounting firm since 1975.

Ernst & Young, the nation's third-largest accounting firm, had previously argued its conduct was appropriate and met professional standards. The company said it is 'fully committed' to working with the SEC-approved independent consultant it must hire under the judge's order to oversee its policies and internal controls.

SEC enforcement attorneys had been seeking since 2002 to have Ernst & Young temporarily barred from taking on any publicly traded companies as new audit clients.

The issue of auditor independence was among those at the heart of the Enron scandal, which raised questions about Enron's longtime accountant, Arthur Andersen LLP, having done both auditing and consulting work for the energy trading company.

Andersen was convicted in June 2002 of obstruction of justice for destroying Enron audit documents.

In her ruling Friday, administrative law judge Brenda Murray said the evidence showed that Ernst & Young 'has an utter disdain' for the SEC's regulations on auditors' independence.

Murray also said it was evident that the firm does not have and was not putting in place 'policies and procedures that can reasonably be expected to ensure compliance with independence rules in business dealings with audit clients.'

In the administrative proceeding, the SEC said Ernst & Young was auditing PeopleSoft's books at the same time it was developing and marketing a software product in tandem with the company. Ernst & Young engaged in the dual activities from 1993 through 2000, according to the SEC."

About the National Cyber Security Partnership

About the National Cyber Security Partnership:

The National Cyber Security Partnership (NCSP) is led by the Business Software Alliance (BSA), the Information Technology Association of America (ITAA), TechNet and the U.S. Chamber of Commerce in voluntary partnership with academicians, CEOs, federal government agencies and industry experts.

Following the release of the 2003 White House National Strategy to Secure Cyberspace and the National Cyber Security Summit, this public-private partnership was established to develop shared strategies and programs to better secure and enhance America's critical information infrastructure.

The partnership established five task forces comprised of cyber security experts from industry, academia and government. Each task force is led by two or more co-chairs. The NCSP-sponsoring trade associations act as secretariats in managing task force work flow and logistics. The task forces include:

* Awareness for Home Users and Small Businesses
* Cyber Security Early Warning
* Corporate Governance
* Security Across the Software Development Life Cycle
* Technical Standards and Common Criteria


The task forces will be releasing separate work products beginning in March 2004 and ending in April 2004."

16 April 2004

Identity Theft, Fraud So Easy 'It's Absurd'

Identity Theft, Fraud So Easy 'It's Absurd':

(Kennebec Journal) -- KeyBank Maine President Kathyrn Underwood warned that the guest speaker's talk would leave the audience 'scared to death,' and she was right.

Over the next two hours, white-collar crime expert and former scammer Frank W. Abagnale told the 250 people at the Sable Oaks Marriott on Tuesday exactly how easy it is these days for criminals to steal their identities, forge their checks or otherwise defraud them. It's even easier today than when he was a globe-trotting flimflam man 40 years ago, Abagnale said.

'The fact is that what I did 40 years ago is 2,000 times easier to do today,' he said.

Abagnale is the best-selling author of 'Catch Me If You Can,' and was portrayed by actor Leonardo DiCaprio in the recent hit movie by the same name. It's the story of how Abagnale cashed more than $2.5 million in bad checks in every state and 25 foreign countries between the ages of 16 and 21, impersonating an airline pilot, an attorney, a college professor and a pediatrician.

Police caught him when he was 21, and Abagnale served five years in prison. He was released on the condition that he would help the government by providing advice to law-enforcement agencies. Today, more than 14,000 businesses and law-enforcement agencies use Abagnale's services to prevent fraud.

He doesn't look much like DiCaprio, but his speaking voice has the cadence of a master salesman, giving a hint of the skills he used to fool bank tellers and police alike.

Abagnale described various types of white-collar crime, but spent a majority of the KeyBank talk focused on identity theft and check fraud. When Abagnale forged checks 40 years ago, he said, he needed a $1 million printing press. Today, $6,000 will buy highly portable, top-of-the-line computer equipment that can perfectly duplicate checks and other documents that don't have special defenses built into them, he said.

'Technology is only going to make crime easier -- always has, always will,' said Abagnale.

In 2002, he said, there were 9.9 million victims of identity theft in the United States. Identity theft is when a criminal uses someone else's vital data (birth date, Social Security number and other information) to apply for such things as credit cards, home mortgages and car loans. Identity theft cost defrauded businesses $47.6 billion that year.

The total loss to individual victims was $5 billion, and they spent 297 million hours trying to resolve the tangled financial mess left by the thief."

15 April 2004

Cyber Risk Insurance Today

By Thomas Glaessner, Tom Kellermann and Valerie McNevin
The World Bank

Electronic Safety and Soundness: Securing Finance in a New Age

Today, in spite of formidable reportage problems inherent in establishing a benchmark to actuarially measure the risk of hack attacks, electronic identity theft, and other forms of related e-risk, insurance companies are writing coverage for such risk. The development of e-risk policies first occurred in the mid-1990s. Insurers developed stand-alone e-risk policies rather than adding coverage to existing property and liability insurance. Market participants have also used employee liability coverage as a model for pricing and issuing this insurance.

In underwriting this risk, insurers combined information security standards, such as the BS7799, with principles of risk management that included analysis, avoidance, control, and risk transfer. Today, insurers recognize the ISO 17799 information security standard, which addresses these issues in the following 10 major sections:

1. Business continuity planning
2. System access control
3. System development and maintenance
4. Physical and environmental security
5. Statutory, regulatory, or contractual obligation compliance
6. Personnel security
7. Security management for third-party access or outsourcing to a third-party service provider
8. Computer and network management to safeguard information assets
9. Asset classification and control
10. Security policy management support

As part of the e-risk application process, several major insurers, including AIG, Zurich, Chubb, St. Paul, Progressive, and Lloyd’s, have incorporated the ISO 17799 standards into a baseline security questionnaire that becomes part of the insurance application in e-risk policies they underwrite. In order to bind coverage, the insured must meet a certain security threshold for insurability, and the precise nature of such thresholds has not been completely standardized within and across countries. In part, this reflects the very dynamic impact of technology in this area. Despite these developments, the use of e-risk policies is still nascent.

In the case of first-party coverage, such policies are being explicitly designed to provide coverage against network extortion, computer theft, damage to digital assets and information as intellectual property, and business or dependent business losses. In the case of third-party coverage, such policies are designed to cover network security or loss event liability and electronic publishing and multimedia liability.

In underwriting these special e-risk policies, insurers are increasingly assessing the extent to which specific providers of financial or other services are in compliance with appropriate standards in each of the 10 areas specified under ISO 17799.

Old weapons, new terror worries

Old weapons, new terror worries

Russian and US experts meet this month to assess terror tactics, from hacking into systems to seizing a weapon.


By Scott Peterson | Staff writer of The Christian Science Monitor

MOSCOW – Imagine this scenario: Computer hackers working for Al Qaeda break into Russia's nuclear weapons network, and "spoof" the system into believing it is under attack, setting off a chain reaction, and a real nuclear counterattack.

Another doomsday possibility made headlines when Ayman al-Zawahiri, Osama bin Laden's No. 2, was quoted last month boasting that Al Qaeda had already acquired "some suitcase bombs" - radioactive material packed with conventional explosives. Mr. Zawahiri said that anything was available for $30 million on the Central Asian black market or from disgruntled Soviet scientists. Russia immediately rejected the claim.

But such what-ifs are among the nuclear terrorism threats that analysts are reexamining, as the learning curve of terror groups today comes closer to intersecting the vulnerabilities of atomic arsenals.

A handful of Russian and American nuclear experts, both military and civilian, are quietly convening a first meeting in Moscow later this month, to launch a year-long modeling exercise to specify the new dangers.

"These are future threats, but we must be ready for them today," says Pavel Zolotarev, a former major general in Russia's Strategic Rocket Forces, which inherited the vast Soviet nuclear arsenal. "There should be no chance that wrong signals get into the system, to provoke a presidential decision [to launch]."

14 April 2004

U.S. Treasury - Executive Office for Terrorist Financing and Financial Crime

U.S. Treasury - Executive Office for Terrorist Financing and Financial Crime: "

Mission

EOTF/FC develops and implements U.S. government strategies to combat terrorist financing domestically and internationally, develops and implements the National Money Laundering Strategy as well as other policies and programs to fight financial crimes, participates in the Department’s development and implementation of U.S. government policies and regulations in support of the Bank Secrecy Act and the USA PATRIOT Act, represents the United States at focused international bodies dedicated to fighting terrorist financing and financial crimes; and develops U.S. government policies relating to financial crimes. The Deputy Assistant Secretary for EOTF/FC is Juan Zarate.

How can you stop terrorist financing?
See REWARDS

13 April 2004

Privacy advocates on the case

Privacy advocates on the case:

BILLS ON I.D. THEFT, E-MAIL AND CREDIT CARDS DESERVE BIPARTISAN SUPPORT IN LEGISLATURE


Mercury News Editorial

California's tenacity in the fight to protect consumer privacy has earned it a well-deserved reputation for leadership. It made headlines across the nation with the three-year crusade by Sen. Jackie Speier to curb the abuse of personal information by the financial services industry.

No single piece of legislation in this year's session matches that battle in scope or controversy. But plenty of bills would advance the privacy rights of California residents and take a bite out of identity theft, one of the fastest-growing forms of crime. They deserve broad bipartisan support.

• If you're snooping on workers, they ought to know. SB 1841 would require employers to notify workers if they intend to monitor their e-mail and other activities. Under current law, employers are not allowed to listen in on workers' phone conversations without notifying them. In the digital age, it's only natural to extend the same protections to e-mail.

The bill, SB 1841, does not bar employers from snooping on your in-box. It simply forces them to let you know if they plan to do so. Next time you're writing your doctor over a sensitive medical issue or contacting your accountant to tweak your tax returns, you can decide whether you need to do it from your home account. The bill, authored by Sen. Debra Bowen, D-Marina del Rey, will be heard today in the Senate Judiciary Committee.

• You have a right to know if your personal information has been compromised. A law that went into effect last July forces businesses and government agencies to notify customers if they suspect that hackers gained unauthorized access to Social Security numbers and personal information. SB 1279 would expand the law so that consumers must be notified anytime their personal information is released inadvertently.

This year, Bank of America mailed 3,800 tax forms to the wrong customers. Bank of America reacted swiftly, notifying customers and providing them with a free service to monitor their credit rating so they could spot whether they were victims of identity theft. Not all businesses would choose to behave so responsibly. The bill ensures that it's not a matter of choice. It was authored by Bowen and will also be heard today in the Senate Judiciary Committee.

• No more credit card numbers in the mail. AB 3013 would bar financial firms from printing more than five digits of a credit card number in letters to customers. Similar restrictions, intended to keep credit card numbers from identity thieves, already apply to credit card receipts. Yet studies show that nearly 5 percent of identity theft starts with the theft of mail. The bill, by Assembly member Fran Pavley, D-Woodland Hills, will be heard April 19 in the Assembly Banking and Finance Committee.

Phishing scam targets Citibank customers

Phishing scam targets Citibank customers:

By Online Staff
smh.com.au

A phishing scam targeting Citibank is circulating by email, attempting to lure users to a domain which was registered just a day ago. The scam will work only if one is using Internet Explorer; browsers which have a Netscape heritage will not display the site.

The scam is similar to the numerous ones that arrive in inboxes around Australia every day, with one difference - it contains elaborate advice about scams, apparently in an attempt to convince people that it is the genuine article.

The normal bit of social engineering is used: 'As a part of our ongoing commitment to provide the 'Best Possible' service to all our Members, we are now requiring each Member to validate their accounts once per month.'

A link is provided for this 'validation' and clicking on it takes one to appleo.biz. The domain was registered on April 12.

The email apparently itself comes from someone who is a regular in the business - some of the images used in the email are ones which are on the genuine Westpac site and the person who has created the email has confidently linked to them!

Though there are a few cases of incorrect capitalisation here and there, the real carelessness shows through only at the end of the email - a link to apparently allow the user to learn how to protect his or her PC from viruses actually brings up a page from the Westpac site. What would such a link be doing in an email supposedly from Citibank?"
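The giveaways the article lists (a landing domain registered the day before, images borrowed from a different bank's site, a "protect your PC" link that lands on Westpac rather than Citibank) are all checkable by machine from the message body. The script below is an added example, not code from the smh.com.au article or from either bank: it extracts every link and image host from an HTML body, reduces each to its registrable domain, and reports each domain that does not belong to the brand the message claims to come from, together with the reasons. The sample body is constructed for the example; appleo.biz and its 12 April registration date come from the article, while the citibank.com brand domain, the Westpac URLs and the receive date are assumptions. In practice the registration dates would come from WHOIS or RDAP; they are supplied inline so the check runs offline.

```python
"""Link-consistency check for a suspected phishing e-mail (added example)."""
from datetime import date
from html.parser import HTMLParser
from urllib.parse import urlparse


class LinkExtractor(HTMLParser):
    """Collect (tag, url) for every href and src attribute in the body."""

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in ("href", "src") and value:
                self.urls.append((tag, value))


def registrable_domain(host):
    """Crude eTLD+1: keep three labels for forms like westpac.com.au, else two."""
    labels = host.lower().rstrip(".").split(".")
    if len(labels) >= 3 and len(labels[-1]) == 2 and labels[-2] in ("com", "co", "net", "org"):
        return ".".join(labels[-3:])
    return ".".join(labels[-2:])


def analyse(html_body, claimed_brand, seen_on, registration_dates,
            other_banks=frozenset(), young_domain_days=30):
    """Return {domain: [reasons]} for every referenced domain other than the claimed brand.

    registration_dates maps domain -> date of registration (WHOIS/RDAP in practice,
    supplied inline here so the check runs offline).
    """
    parser = LinkExtractor()
    parser.feed(html_body)
    tags_by_domain = {}
    for tag, url in parser.urls:
        host = urlparse(url).hostname
        if host:  # skip relative, mailto: and cid: references, nothing to judge there
            tags_by_domain.setdefault(registrable_domain(host), set()).add(tag)

    findings = {}
    for dom, tags in sorted(tags_by_domain.items()):
        if dom == claimed_brand:
            continue
        reasons = []
        if dom in other_banks:
            reasons.append(f"references another bank ({dom}) in mail claiming to be from {claimed_brand}")
        if "a" in tags:
            reasons.append("clickable link leaves the claimed brand's domain")
        if "img" in tags:
            reasons.append("image hot-linked from a third-party host")
        registered = registration_dates.get(dom)
        if registered is not None and (seen_on - registered).days <= young_domain_days:
            reasons.append(f"domain registered {(seen_on - registered).days} day(s) before the message was seen")
        findings[dom] = reasons
    return findings


def verdict(findings):
    """Treat an off-brand clickable link plus at least one more indicator as phishing."""
    for reasons in findings.values():
        if any(r.startswith("clickable link") for r in reasons) and len(reasons) >= 2:
            return "phishing"
    return "inconclusive" if findings else "clean"


# Constructed sample body modelled on the message the article describes (assumed URLs).
SAMPLE_BODY = """
<html><body>
<img src="https://www.citibank.com/images/header.gif">
<img src="https://www.westpac.com.au/images/secure.gif">
<p>As a part of our ongoing commitment to provide the 'Best Possible' service to all our
Members, we are now requiring each Member to validate their accounts once per month.</p>
<p><a href="http://appleo.biz/citi/validate.php">Validate your account</a></p>
<p><a href="https://www.westpac.com.au/security/viruses">Protect your PC from viruses</a></p>
</body></html>
"""
SAMPLE_REGISTRATIONS = {"appleo.biz": date(2004, 4, 12)}  # registration date from the article
SAMPLE_SEEN_ON = date(2004, 4, 13)                           # assumed receive date


def analyse_sample():
    return analyse(SAMPLE_BODY, "citibank.com", SAMPLE_SEEN_ON, SAMPLE_REGISTRATIONS,
                   other_banks={"westpac.com.au"})


if __name__ == "__main__":
    report = analyse_sample()
    for dom, reasons in report.items():
        print(dom)
        for r in reasons:
            print("  -", r)
    print("verdict:", verdict(report))
```

The check deliberately keys on registrable domains rather than full hostnames, so a legitimate `secure.citibank.com` image would not be flagged, while `citibank.appleo.biz` would. The young-domain test is the strongest single signal here and is the one a mail gateway can automate cheaply once it has a WHOIS or RDAP lookup behind it.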

Homeland Security: Fire and Explosion Planning Matrix

Homeland Security: Fire and Explosion Planning Matrix:

Recent terrorist events in the United States underscore the importance of fire prevention and workplace emergency planning efforts. Fires or explosions created by arson or an explosive device can be the quickest way for a terrorist to affect a targeted business. Consequently, OSHA developed this Fire and Explosion Planning Matrix to provide employers with planning considerations and on-line resources that may help employers reduce their vulnerability to, or the consequences of, a terrorist's explosive device or act of arson. A terrorist's explosive device or act of arson are not workplace fire hazards or ignition sources that OSHA expects an employer to reasonably identify and attempt to control. However, an effective fire prevention plan that includes these fire hazards/ignition sources may increase workplace safety and security, and ensure that employees know how to respond to threats and incidents safely and effectively.

Since terrorism can impact employers and workers, OSHA is committed to strengthening workplace planning and preparedness so that employers and workers may better protect themselves and reduce the likelihood that they may be harmed in the event of a terrorist incident. OSHA continues to work with other Federal response agencies, including the Federal Emergency Management Agency (FEMA), the Environmental Protection Agency (EPA), the U.S. Army Soldier and Biological Chemical Command (SBCCOM), the Centers for Disease Control and Prevention (CDC), and, within CDC, the National Institute for Occupational Safety and Health (NIOSH), to provide accurate, current information in this rapidly developing area of occupational safety and health.

Assessing the Risk of a Terrorist Incident


Within this document, OSHA draws on the FBI definition of terrorism and defines terrorist act/incident as a premeditated, unlawful act dangerous to human life that is intended to further political or social objectives. The Fire and Explosion Matrix addresses terrorist acts/incidents that involve arson or an explosive device to achieve political or social objectives."

12 April 2004

Senior Execs Must Tackle Cyber-Security, U.S. Report Says

Senior Execs Must Tackle Cyber-Security, U.S. Report Says:

"WASHINGTON (Reuters) - Corporate chieftains must take responsibility for their computer networks to secure them from viruses, worms and other online attacks, an industry task force said on Monday.

Long the domain of network administrators, computer security must command the attention of those in the boardroom as well, said the task force, which developed its report under the guidance of the Department of Homeland Security.

'Executives must make information security an integral part of core business operations,' the task force said. 'There is no better way to accomplish this goal than to highlight it as part of the existing internal controls and policies that constitute corporate governance.'

Online attacks can clog computer networks, knock vital Web sites offline and expose customer records to prying eyes. Viruses and worms like SoBig and Slammer have cost businesses billions of dollars in lost productivity.

The U.S. government released a strategy last year to improve the security of the nation's computer networks, but it contained few hard-and-fast rules for the private companies that control 85 percent of the Internet.

Instead, industry officials working with the Department of Homeland Security have released a flurry of reports this spring outlining voluntary ways that companies can improve security.

The task force, led by security companies Entrust Inc. (ENTU.O) and RSA Security Inc. (RSAS.O), presented a framework that executives could use to assess the state of their computer networks, based on internal U.S. government methods and an international quality-assessment standard.

Chief executives need to examine their networks annually and present their findings to the board of directors, the report said.

That process could hold executives accountable for their efforts under a 2002 accounting reform law, the Sarbanes-Oxley Act. "

BIS issues recommendations for managing securities settlement

BIS issues recommendations for managing securities settlement:

"The Bank for International Settlements (BIS) has released recommendations for managing operational risk for central counterparties (CCPs). The guidance, published in the form of a consultation paper, addresses issues crucial to ensuring reliability, including system security, business continuity, and outsourcing for securities settlement.

The consultation paper and its emphasis on operational risks are part of a global effort to enhance the resilience of wholesale banking services, such as payments, clearance and settlement. The 9/11 attacks hastened development of programmes to improve infrastructure resilience. However, in this consultation paper, as in similar papers published in the past year, banking leaders are increasingly pointing to significant risks resulting from automating business functions. Automation, they conclude, may result in operational failures even without malicious activity.

The consultation paper recommends specific risk management and mitigation precautions. Portions of the securities settlement process are heavily dependent on electronic communications. As a result, many of the paper's recommendations focus on information security risks, including failure to set governance expectations, identify sources of risk, and establish adequate controls.

Infrastructure operators should address each of the following to manage operational risks to CCPs:

1. Systems and transactions security: operators should secure all key systems and ensure that they are sufficiently reliable, scalable, and able to handle large volumes of transactions. Achieving information assurance requires infrastructure operators to identify sources of cyber-related risk and establish sound internal controls. The consultation paper proposes not only sufficient forensic capabilities, but also subjecting key systems to 'periodic independent audit and external audits.'

2. Business continuity: operators should have robust business continuity plans that are supported by senior management. The consultation paper indirectly supports the two-hour time standard recognised by the Federal Reserve Board of Governors and other Federal regulators for critical infrastructure assets. Specifically, the BIS recommends establishing minimum 'recovery of operations and data' requirements, which 'should occur in a manner and time period that enables a CCP to meet its obligations on time.' In addition to regularly reviewing and testing plans, the recommendations require companies to adequately fund business continuity objectives.

3. Outsourcing assessment: CCPs can inadvertently increase their operational risk by transferring critical functions to third parties. The consultation paper states that operators should ensure that outsourced operations meet the same standards as if they were provided directly.

The Committee on Payment and Settlement Systems and the Technical Committee of the International Organization of Securities Commissions collaborated in finalizing the paper, Recommendations for Central Counterparties. The Authors are seeking comment by June 9th, 2004.

What is a Central Counterparty?
Central counterparties function within derivatives and securities exchanges, acting essentially as a 'buyer to every seller, and a seller to every buyer.' The CCP guarantees that if one party to a transaction defaults, the transaction can still be completed. This effectively eliminates a substantial source of risk. In this way, CCPs have greatly improved the functioning of financial markets such as the New York Stock Exchange and the NASDAQ Stock Market. However, global banking leaders have become increasingly concerned with new risks associated with central counterparty functions. These include automation, reliance on information technology, and infrastructure resilience. The consultation focuses on these infrastructure risks and proposes management and mitigation activities that institutions should undertake."

10 April 2004

Cybersecurity task force sparks debate

Cybersecurity task force sparks debate:

Rift develops over who decides standards

By Grant Gross, IDG News Service

WASHINGTON - A cybersecurity task force convened by a U.S. House subcommittee chairman released a series of recommendations this week, but some of the results created rifts between IT vendors and security advocates, including a request to allow IT purchasers to band together to dictate security standards to vendors.

"Among the recommendations of the Corporate Information Security Working Group (CISWG), released this week by Representative Adam Putnam, was a proposal to change U.S. antitrust law to allow IT industry groups to agree on security specifications for software and hardware they purchase. The Information Technology Association of America (ITAA), which participated in CISWG, objected to that proposal, saying it amounts to a call for group boycotts.

'The proposal is that a larger group (of customers) would be able to form what amounts to a buyer's cartel to enforce a security standard the buyers' group endorsed,' said Joe Tasker, senior vice president for government affairs at ITAA. 'I don't see evidence that the marketplace has failed here.'

Tasker objected to the antitrust exemption because a buyers' group could hamper innovation in IT products by having customers, not vendors, setting the standards. Buyers' cartels are illegal under antitrust law, and most enterprises haven't demanded security-certified IT products, he added.

'If the buyer sets the standard, who knows if they're right?' Tasker said. 'That's a prescription for a go-slow approach among vendors. (A buyers' group) changes the marketplace, and it's a killer on innovation.'

In October, Putnam, a Florida Republican and chairman of the House Government Reform Committee's Subcommittee on Technology, Information Policy, Intergovernmental Relations and the Census, floated a draft copy of legislation that would have required publicly traded companies to report their cybersecurity efforts to the U.S. Securities and Exchange Commission. Putnam decided not to introduce the Corporate Information Security Accountability Act of 2003 after loud objections from IT vendors, but he called on vendors and buyers to come up with alternatives to federal legislation."

09 April 2004

Managing Risk for Security Governance - A Series

By Peter L. Higgins
Managing Director
1SecureAudit

Part III

An enterprise is subject to a category of risk that can't be foreseen with any degree of certainty. These risks are based upon events that "Might Happen" but haven't been considered by the organization. Stakeholders can't expect to be told about these risks, because there is not enough information to validate or invalidate them. What stakeholders can demand, however, is a management system for Security Governance that is comprehensive, proactive and relevant. The management system includes organizational structure, policies, planning activities, responsibilities, practices, procedures, processes and resources.

It is this Security Governance management system with which we all should be concerned, and which we should seek from our executives, board members and oversight committees. There should be a top-management strategic policy focused on managing risk for security governance.

This risk management system should establish the foundation for ensuring that all strategic risks are identified and effectively managed. The policy should reflect the characteristics of the organization, enterprise or entity: its location, assets and purpose. The policy should:

1. Include a framework for governance and objectives
2. Take into account the legal, regulatory and contractual obligations
3. Establish the context for maintenance of the management system
4. Establish the criteria against which risk will be evaluated and define how risk assessment will be performed

A process should be established for risk assessment that takes into consideration:

· Impact, should the risk event be realized
· Exposure to the risk on a spectrum from rare to continuous
· Probability based upon the current state of management controls in place
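The three factors above only become useful to an oversight committee once they are combined on agreed scales and compared against the evaluation criterion the policy sets. The following is an added example, not code from this series: it scores each entry of a strategic risk register as impact multiplied by an exposure multiplier and by the residual probability left after the current controls, ranks the register, and marks the entries that cross the policy's escalation threshold. The 1..5 impact scale, the exposure multipliers, the threshold and the sample risks are all assumptions chosen for illustration; an organization would substitute the scales its own policy defines.

```python
"""Worked risk-assessment scoring for a Security Governance register (added example)."""
from dataclasses import dataclass

# Exposure spectrum named in the text, mapped to an assumed multiplier.
EXPOSURE = {"rare": 0.2, "occasional": 0.5, "frequent": 0.8, "continuous": 1.0}


@dataclass(frozen=True)
class Risk:
    name: str
    impact: int                   # 1 negligible .. 5 catastrophic (assumed scale)
    exposure: str                 # one of EXPOSURE
    inherent_probability: float   # 0..1, chance of the event with no controls in place
    control_effectiveness: float  # 0..1, share of that chance the current controls remove

    def __post_init__(self):
        # A register entry with a 150 % control or an unknown exposure is a data error,
        # not a low risk; refuse it rather than silently scoring it.
        if not 1 <= self.impact <= 5:
            raise ValueError(f"{self.name}: impact must be 1..5")
        if self.exposure not in EXPOSURE:
            raise ValueError(f"{self.name}: exposure must be one of {sorted(EXPOSURE)}")
        for field in ("inherent_probability", "control_effectiveness"):
            if not 0.0 <= getattr(self, field) <= 1.0:
                raise ValueError(f"{self.name}: {field} must be within 0..1")

    def residual_probability(self):
        """Probability 'based upon the current state of management controls in place'."""
        return self.inherent_probability * (1.0 - self.control_effectiveness)

    def score(self):
        """Impact x exposure multiplier x residual probability, on the assumed scales."""
        return round(self.impact * EXPOSURE[self.exposure] * self.residual_probability(), 3)


def rank(risks):
    """Highest-scoring risks first; ties broken by name so the order is stable."""
    return sorted(risks, key=lambda r: (-r.score(), r.name))


def evaluate(risks, escalate_at):
    """Apply the policy criterion: (name, score, escalate?) for each risk, ranked.

    escalate_at is the threshold the governance policy sets for reporting a risk
    to the board or oversight committee (an assumed value in the sample below).
    """
    return [(r.name, r.score(), r.score() >= escalate_at) for r in rank(risks)]


# Constructed sample register (names and figures are illustrative assumptions).
SAMPLE_RISKS = [
    Risk("Unpatched internet-facing server", 4, "continuous", 0.6, 0.5),
    Risk("Insider misuse of customer data", 5, "frequent", 0.3, 0.7),
    Risk("Loss of data centre to fire", 5, "rare", 0.05, 0.2),
    Risk("Phishing of finance staff", 3, "continuous", 0.8, 0.25),
]


def evaluate_sample(escalate_at=1.0):
    return evaluate(SAMPLE_RISKS, escalate_at)


if __name__ == "__main__":
    for name, score, escalate in evaluate_sample():
        print(f"{score:5.2f}  {'ESCALATE' if escalate else 'monitor '}  {name}")
```

Two design points carry over to a real register. Residual probability is derived from inherent probability and control effectiveness rather than entered directly, so an owner who improves a control has to show where the reduction comes from; and the inputs are validated on construction, because an unbounded or mistyped field in a spreadsheet register is a common way for a high risk to quietly drop off the list the committee sees.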

The strategic security risks that the organization encounters will be dynamic. The management system is the mechanism by which the executives identify and assess these risks and the strategy for dealing with them. It is this system which we are concerned about and which we seek to provide in order to achieve our Security Governance.

More in this series over the next few weeks.