31 May 2004

Common Sense and Computer Analysis

Common Sense and Computer Analysis:

By Heather Mac Donald
The Washington Post

Irrational paranoia about computer technology threatens to shut down an entire front in the war on terror.

A prestigious advisory panel has just recommended that the Defense Department get permission from a federal court any time it wants to use computer analysis on its own intelligence files. It would be acceptable, according to the panel, for a human agent to pore over millions of intelligence records looking for al Qaeda suspects who share phone numbers, say, and have traveled to terror haunts in South America. But program a computer to make that same search, declares the advisory committee, and judicial approval is needed, because computer analysis of intelligence databanks allegedly violates "privacy."

This nonsensical rule is the latest development in the escalating triumph of privacy advocacy over common sense. Unfortunately, the privacy crusade is jeopardizing national security as well.

The advisory committee's technophobia does not end with intelligence analysis. It would also require the defense secretary to give approval for, and certify the absolute necessity of, Google searches by intelligence agents. Even though any 12-year-old with a computer can freely surf the Web looking for Islamist chat rooms, defense analysts may not do so, according to the panel, without strict oversight.

The defense secretary should reject the panel's recommendations, which are based neither in logic nor in law. The government receives 126 million intelligence intercepts a day. Humans cannot possibly keep up with the intelligence tidal wave; anti-terror agents miss connections between suspects, places and events every day. Computer analysis of intelligence data is not merely optional, it is virtually required, for the government to have any hope of extracting evidence of terrorist activity from the tsunami of possibly relevant information. To demand a laborious court appeal every time the government wants to sift that data electronically would bring our intelligence efforts to a halt, and leave us vulnerable to the next terror attack.

The writer is a fellow at the Manhattan Institute.

28 May 2004

- Increase in "phishing" attacks -

Oxygen3 24h-365d, by Panda Software (http://www.pandasoftware.com)

Madrid, May 27 2004 - According to a study by the Anti-Phishing Working Group (*), over the last few months there has been a dramatic increase in the number of "phishing" attacks designed to obtain confidential user information (credit card numbers, passwords, etc.) using fraudulent e-mails and websites.

The report has revealed that in April 2004, there were 1,125 different attacks using phishing techniques, an average of 37.5 a day. The financial sector was worst hit, with Citibank the most frequent victim, suffering 475 attacks throughout the month (an average of 16 per day). This figure on its own is greater than that suffered by all organizations in March.

eBay, with 221 attacks, and Paypal, with 135, were the second and third most frequently affected companies in April, followed by US Bank (62), Barclays (31), Fleet Bank (28), Earthlink (18), Westpac (17), and Lloyds (15), among others.

The study of the data gathered over the last 6 months has revealed that "phishing" attacks have increased at a rate of 110 percent per month. Over this period, the companies most affected were Citibank, with an increase of 250 percent, and eBay and Paypal, with increases of 105 percent and 85 percent, respectively.

(*) The full report is available, in PDF, at: APWG Phishing Report

27 May 2004

Avamar - Setting New Standards

Avamar:

Avamar Technologies, Inc. is leading a new wave of innovative solutions that deliver increased value for secondary storage. Founded in Irvine, California, in 1999, Avamar provides enterprises with data management solutions to control the information explosion. Avamar Axion is a scalable solution for enterprise data protection that provides online accessibility, while efficiently storing and protecting valuable information assets.

Axion is the most efficient software available for enterprise data protection. Axion uses a process called commonality factoring to eliminate redundant data within systems, across systems and over time, dramatically reducing secondary storage requirements. Axion software is certified on industry standard hardware and is included in Avamar's pre-packaged hardware and software appliances.

Axion provides policy-based scheduling, intuitive administration, and secure authentication with its network-ready, centralized management application. With its intelligent client agents, Axion filters out ineffective redundancy before sending data over networks, making it possible to protect distributed systems even over congested LANs or WANs.

Through a comprehensive set of features and functionality, Axion addresses the needs of today's data driven enterprise, combining online access, storage and network efficiency, and ease of management with the lowest total cost of ownership in the industry.

COMMENT:
=========================================================================
If you have more than a terabyte (TB) of data and are looking for a complete disk-based backup and restore solution, check out Avamar. These guys are setting new standards to assist in the Information Lifecycle Management (ILM) game. ILM encompasses a set of technologies and processes that enable organizations to manage the massive amounts of corporate information they generate from creation to disposal, according to the information's changing value over time. Economic, operational and legal factors, including the Sarbanes-Oxley Act, are driving enterprise IT departments to adopt ILM approaches.

A Foreseeable Future

A Foreseeable Future:

For liability purposes, the courts have declared terrorism to be a predictable security threat. CSOs need to adapt if they want to survive.

BY WILLIAM COOK
CSO Magazine

The conventional wisdom in the weeks and months after Sept. 11th was that no one could have predicted the events of that day. The use of airplanes as weapons was roundly declared an asymmetrical threat. However, two recent court cases have altered the legal definition of a 'foreseeable event.'

In the class-action litigation brought by families of Sept. 11th victims against the airlines, airport security companies, airplane manufacturers and the owners and operators of the World Trade Center, the court examined two main elements: (1) whether the various defendants owed a duty of care to the people in the World Trade Center and on the planes that crashed; and (2) whether the terrorist act was foreseeable. In finding that the case should go to a jury, the court stated that we impose a duty on a company when the relationship between the company and user requires the company to protect the user from the conduct of others. The court noted that we already depend on others to protect the quality of our water and the air we breathe. This duty of care extends to private companies.

But the court also made a revolutionary declaration with respect to foreseeability. The court stated that, typically, a criminal act (such as terrorism or hacking) severs the liability of the defendant, but that doctrine has no application when the terrorism or hacking is reasonably foreseeable. The court went on to note that the danger of a plane crashing if unauthorized individuals invaded the cockpit was a risk that the defendant plane manufacturer should reasonably have foreseen—indicating that terrorist acts are indeed foreseeable.

So now that threats to technology and other systems are no longer considered unforeseeable, what is a conscientious CSO to do?

Three suggestions. First, companies must have "court provable" security. They must be able to prove they use best practices with respect to policies for information management, security, implementation of those policies and disaster recovery plans. When a company gets sued as a result of a security breach, it goes a long way in court if the company can show that it established and followed nationally recognized security policies and procedures.

Second, buy cyberinsurance from a trusted broker with a national or international underwriter.

Third, consider buying antiterrorist technology. Under the Support Anti-terrorism by Fostering Effective Technologies (Safety) Act, sellers of qualified antiterrorism technology (QATT) are provided with risk and litigation protections. In a nutshell, it encourages the development of antiterrorism technology by providing liability limits for terrorism claims.

Relying on the disaster-recovery policy buried on the CEO's desk won't cut it. Security breaches have never been more highly scrutinized by the courts and regulators, and they are redefining what companies should have seen coming—be it a stolen aircraft or a computer virus. Implementing the right policies, procedures and technology now can limit your company's liability in the future.

26 May 2004

U.S. Warns Of Al Qaeda Threat This Summer

U.S. Warns Of Al Qaeda Threat This Summer (washingtonpost.com):

Agents in Country Said To Be Planning Attack

By Susan Schmidt and Dana Priest
Washington Post Staff Writers

Federal officials have information suggesting that al Qaeda has people in the United States preparing to mount a large-scale terrorist attack this summer, sources familiar with the information said yesterday.

Attorney General John D. Ashcroft and FBI Director Robert S. Mueller III intend to hold a joint news conference this afternoon to discuss the threat and to ask Americans to watch for several suspected al Qaeda operatives who may be in the country, officials said.

The concerns are driven by intelligence deemed credible that was obtained about a month ago indicating an attack may be planned between now and Labor Day.

That information dovetails with other intelligence 'chatter' suggesting that al Qaeda operatives are pleased with the change in government resulting from the March 11 terrorist bombings in Spain and may want to affect elections in the United States and other countries.

'They saw that an attack of that nature can have economic and political consequences and have some impact on the electoral process,' said one federal official with access to counterterrorism intelligence.

Intelligence and law enforcement officials are trying to strengthen security at the presidential nominating conventions this summer in Boston and New York. They are also concerned about the possible targeting of other prominent events, starting with the World War II Memorial ceremony Saturday in the District, the Group of Eight summit June 8-10 in Sea Island, Ga., and the Summer Olympic Games in August in Athens.

Federal officials have been discussing raising the national threat level between now and Jan. 21, the day after the presidential inauguration, although Homeland Security Department officials said yesterday that no such announcement is scheduled.

The Justice Department and the FBI plan to ask for the public's help today in locating several suspected terrorist sympathizers, including some whose names have not been made public before.

25 May 2004

Grading Progress on Homeland Security: Before and After 9/11

Grading Progress on Homeland Security: Before and After 9/11:

by The Honorable Mitt Romney and Chief Sam Gonzales

The Honorable Mitt Romney is Governor of Massachusetts.
Sam Gonzales served as Chief of Police in Oklahoma City, Oklahoma, from 1991 through 1998.

GOVERNOR MITT ROMNEY:
A former coworker of my father used to say there's nothing more vulnerable than entrenched success. He looked at companies like General Motors and IBM and noted that there tended to be changes which occurred in the environment in which they competed, which, because of their entrenched success and their self-perception of invulnerability, made them in fact vulnerable because they didn't change the way they did business. They didn't respond in a systemic, sea-change manner. Instead, they responded in a normal manner, and, as a result, they were surpassed.

The flow of history suggests the same kind of pattern in countries: broader trends where everywhere, from the Roman Empire on, various nations that seemed to be in a position of invulnerability were found to lose over time that kind of strength and that kind of position.

CHIEF SAM GONZALES:
My role was to talk about the response of government prior to 9/11. I was the chief of police in Oklahoma City from 1991 through 1998, including the time of the bombing, so I'm going to talk about the role of responding in 1995 at the time of the bombing of the Murrah Building.

First, in this day and age, when we're receiving so much money to fight terrorism, I always like to make the point that Oklahoma City was not done by foreign terrorists. Oklahoma City was done by local terrorism. So we have domestic terrorism that we need to remember as well as foreign terrorists.

The second thing is that, although I now work for the FBI, what I'm bringing you today is my lessons learned as a police chief in 1995 and may not reflect everything exactly the way the FBI would want it to be reflected.

I've been asked to talk about the assistance received in Oklahoma City or in events prior to 9/11. State and local mutual aid completely overwhelmed us. We documented 112 different mutual-aid law enforcement agencies that came to Oklahoma City. At one point, I received a teletype from a mayor in California who said, "Chief, you probably don't need the help, but I have three guys that need the experience. They're on the way."

Preparing Localities to Respond
So in my job now with the FBI, as I travel around the country and talk about how locals need to plan for events, I warn them about the fact that state and local law enforcement, firefighter, emergency management, and mutual aid agencies will overrun them unless they have a very comprehensive incident management plan that will help them manage those resources.

We tell people that in all probability, unless they live on the East Coast, they will be on their own for at least six to eight to 12 hours following a large incident. At some point, state and federal help will come, but the initial first response by the local community will be left up to whatever assets they collectively bring to the table to respond to this incident.

Conclusion
The biggest problem that I still see across the United States is the fact that we have not yet built all of the bridges, built all of the relationships, across all of the disciplines we need to in order to be able to have a truly coordinated community response in a geographical area larger than just a city to an incident that may occur.

COMMENT:
=========================================================================
Chief Gonzales is right on the mark when he says that the local community will be on their own for hours if not days in the event of a major incident. Corporate America and the owners of critical infrastructures, including commercial real estate, need to remind themselves of this reality. For more information on how to establish your own Corporate Emergency Response Team (CERT), see 1SecureAudit CERT

24 May 2004

The Essence of Good Corporate Governance: Strategic Risk Management

The Essence of Good Corporate Governance: Strategic Risk Management:

From Risk International Services, Inc.
By Mark Siwik & Randall Davis

Risk management – taking deliberate action to increase the odds of good outcomes and reduce the odds of bad outcomes – is an important tool in the governance of our business and personal affairs. As Peter Bernstein wrote in his business best seller:
The ability to define what may happen in the future and to choose among alternatives lies at the heart of contemporary society. Risk management guides us over a vast range of decisionmaking, from allocating wealth to safeguarding public health, from waging war to planning a family, from paying insurance premiums to wearing a seatbelt, from planting corn to marketing cornflakes. Against the Gods: The Remarkable Story of Risk at 2 (1998).

We are still learning how to use this tool effectively as evidenced by the high mortality rate of companies. The average corporate life expectancy is less than 20 years and those companies that survive infancy generally only live another 20 to 30 years. 1

This article contains a three-part message. First, we explain why the current level of risk management thinking in many companies is less than optimal. Second, we give you a birds-eye view of what a company should strive for with regard to risk management. Third, we provide some suggestions about how to help your company improve its risk management function.

Why Corporate Boards and Senior Managers Struggle with Risk Management.

Traditionally, risk management has been an afterthought of most corporate boards and senior managers. The new wave of financial disclosure laws, most notably Sarbanes-Oxley, coming in the aftermath of the corporate scandals and the September 11 terrorist attack is causing change. Risk management is now a board priority but many boards and senior managers are unsure what to do. What exactly does risk management mean? What is the best way to go about identifying, managing and reporting material risks?

Most companies, large and small, associate risk management with insurance.

Hackers faster, harder to keep out

Hackers faster, harder to keep out:

Computer hackers are getting faster and harder to keep out of corporate and government systems, a major conference on computer crime has heard.

The Computer Crime and Security Survey, released at the AusCERT 2004 Asia Pacific IT security conference on the Gold Coast, also revealed that efforts to date had failed to reduce the risk of hacking, with harmful attacks on computer systems in Australia increasing over the past year.

The anonymous survey of more than 200 businesses and government agencies was compiled with assistance of state police forces, Federal Police, the Australian High Tech Crime Centre and the national computer emergency response team, AusCERT.

AusCERT general manager Graham Ingram said despite businesses spending more money fighting computer crime over the past year, only five per cent believed they were managing all computer security issues reasonably well.

'Corporate Australia is having problems dealing with these issues,' said Mr Ingram. 'It's telling you how difficult this issue is.

'The message to the companies that are running these systems is to keep going. You can't stop. You have to continue. This is a war you can't afford not to fight.'

The most common and costliest attack on computer systems over the past year was from malicious viruses, worms or Trojans, with the average loss for all types of electronic computer attacks up 20 per cent to $116,212.

21 May 2004

U.S. May Get a Privacy Czar

Wired News: U.S. May Get a Privacy Czar:

To protect the privacy and civil liberties of Americans, the federal government may get a privacy czar if two congressional representatives have their way.

Reps. Kendrick Meek (D-Florida) and Jim Turner (D-Texas), who are both members of the House Select Committee on Homeland Security, introduced a bill Thursday that would establish a federal chief privacy officer position, as well as separate positions at every federal department and agency.

Additionally, the Strengthening Homeland Innovation by Emphasizing Liberty, Democracy, and Privacy Act -- or Shield Privacy Act -- would establish a 10-member commission, appointed by various government bodies, for overseeing privacy and civil-liberty freedoms related to homeland security initiatives.

'It's important that we take into account the impact on our fundamental freedoms' when considering emerging technologies, Meek said in a phone conference. 'We're trying to be proactive in heading off major privacy violations. We don't have to see a major, major violation of privacy or civil liberties for us to act.'

The privacy czar, who would be appointed by the president and positioned in the Office of Management and Budget, would hold primary responsibility for privacy policies throughout the federal government. The czar would ensure that technologies procured by the federal government would not erode privacy protections, as designated under the Privacy Act of 1974. The czar would also evaluate legislative and regulatory proposals involving the federal government's collection and use of Americans' personal information. The czar would present an annual report to Congress about each federal agency's activities and violations related to privacy.

Peter Swire, Ohio State University law professor and former chief privacy officer in the Clinton administration, welcomed the bill.

'Right now there's no one at home at the White House when it comes to privacy,' Swire said. 'There's no political official in the White House who has privacy in their title or as part of their job description. Congress should take the lead here because this administration has not.'

Swire said in addition to establishing federal privacy oversight, the bill would help 'broaden the national debate on privacy so that it's harder to slip into a surveillance state.'

The Shield Act is modeled on the E-Government Act of 2002, which provided for a chief security officer for federal agencies, and strengthens provisions in the E-Government Act that call for privacy risk assessments of any new federal computing systems.

The Department of Homeland Security is currently the only agency with a federally mandated privacy officer. Nuala O'Connor Kelly was appointed chief privacy officer of the department in April 2003. Some individual federal agencies, such as the Internal Revenue Service and the Transportation Security Administration, have appointed privacy officers on their own. But the positions have, until now, been inconsistently implemented. Some of the officers serve only part time, and deal primarily with requests from individuals for access to their government records, rather than establishing privacy policies for their agencies.

Matrix Project


MATRIX Project - a pilot effort to increase and enhance the exchange of sensitive terrorism and other criminal activity information between local, state, and federal law enforcement agencies

For more see: Matrix Project

Last year, Seisint won a contract to run Matrix, which is focused on criminal investigations. See the next post for more information on the Seisint product solution: Accurint.

Accurint - What we do

About Us: Overview:

What We Do

Accurint is another Seisint innovation that brings data to life. Seisint provides information products that allow organizations to quickly and easily extract valuable knowledge from huge amounts of data. These innovative products are made possible by integrating the Seisint Data Supercomputer ™ technology, tens of billions of data records on individuals and businesses, and patent-pending data linking methods.

Seisint's products are aimed at critical areas such as:
- Debt Recovery
- Due Diligence
- Fraud Detection
- Identity Verification
- Law Enforcement
- Legal Investigations
- Pre-Employment Screening
- Resident Screening
- Data Supercomputing

Seisint Information Policy
With the power and societal benefits that come from the products and services we provide, also comes significant responsibility. Seisint maintains a stringent data use policy that governs the sale and utilization of our products. Beyond being fully compliant with federal and state statutes, we have imposed a higher standard upon ourselves and the customers we serve. By maintaining a greater level of privacy protection than we are legally obligated, we prevent the potential abuse of information.

20 May 2004


Digital Sandbox Site Profiler

Check it out: See Digital Sandbox

Rules, Rules, Rules

Rules, Rules, Rules:

Steven Marlin
InformationWeek

If Guardian Life Insurance Co. executive VP and CIO Dennis Callahan ever takes up tennis, he'll probably be thoroughly bored. Just a single ball, and only one person trying to sneak it past him? Callahan, whose main job the past 3-1/2 years has been to try to change the culture of the company's technology organization, spends a good chunk of his time -- and more than $4 million a year -- swatting back compliance balls flying in from securities regulators and California lawmakers.

Sarbanes-Oxley, the Health Insurance Portability and Accountability Act, Gramm-Leach-Bliley, the USA PATRIOT Act, the California Security Breach Law, Securities and Exchange Commission rule 17a-4 -- these are but a few of the compliance challenges he faces. That's along with his day job of managing a $150 million annual IT budget to help salespeople be more productive, simplify operations, improve customer service and diversify the lineup of insurance products.

To say regulatory compliance is a distraction for business-technology executives is an understatement. Four out of five say it's a challenge just tracking whether their organizations have met compliance goals, according to an InformationWeek Research survey of 200 business-technology professionals last month. A third say complying with government regulations has had a negative impact on productivity. And 59 percent say their spending on compliance will go up this year, while only 6 percent predict a decline. That's a bit less than in September, when InformationWeek Research conducted its first compliance study; then, 71 percent said they'd spend more and only 2 percent predicted less spending.

18 May 2004

Marsh & McLennan Agrees to Buy Kroll for $1.9 Billion in Cash

Marsh & McLennan Agrees to Buy Kroll for $1.9 Billion in Cash:

May 18 (Bloomberg) -- Marsh & McLennan Cos., the world's largest insurance brokerage, said it agreed to buy security firm Kroll Inc. for $1.9 billion in cash.

Kroll shareholders will receive $37 a share, a 32 percent premium to Kroll's closing share price on the Nasdaq Stock Exchange, the New York-based brokerage said in an e-mailed statement.

Firms fail to hire security staff with formal qualifications

Firms fail to hire security staff with formal qualifications:

by Bill Goodwin

Businesses are failing to hire IT professionals with formal security qualifications, despite an escalation in the number and cost of security incidents over the past two years.

Only 10% of UK businesses and 25% of large companies have staff with formal security qualifications, such as CISSP or CISM, on their security teams, the Department of Trade & Industry's latest Information Breaches Survey has revealed.

And only 42% of businesses have staff with formal IT qualifications of any kind on their security teams, the survey of 1,000 UK businesses showed.

The findings suggest that businesses are finding it difficult to recruit skilled security staff, potentially making it more difficult to keep their teams up to speed with rapid changes in threats and technology.

Over the past four years the proportion of businesses experiencing security incidents has risen from 24% to 68%, with the average cost of the worst breaches ranging from 50,000 to 150,000.

'I think there is a discontinuity between board level, the policy level and people doing security. There is a need for greater education and formal security qualifications,' said Andrew Beard, security advisory director at professional services firm PricewaterhouseCoopers. 'Although this will not solve the problems by itself, it will help in setting the benchmarks.'

Lack of formal education may account for an alarming level of ignorance among companies about corporate security standard BS7799. Only 12% of all businesses surveyed by the DTI, and 39% of large businesses, said they had heard of it.

Awareness of the standard was greatest among telecoms companies and government suppliers and lowest among property and construction companies, the survey revealed.

The low take-up of BS7799 in the UK is disappointing, said Beard, given that it is proving increasingly popular overseas. However, it may reflect difficult business conditions over the past two years in the UK, because of the costs to companies in getting security systems and procedures up to the BS7799 standard, he added.

Among those businesses that were aware of BS7799, about 50% were partially or fully compliant, up from 40% two years ago.

Nearly 90% of those companies that had adopted BS7799 said that formal certification had improved their business continuity; 85% said it had minimised damage from security incidents; and 53% said it had led to higher return on investment.

COMMENT:
=====================================================================
BS7799-2:2002 Information Security Management System

The organization shall develop, implement, maintain and continually improve a documented risk management system. The steps are:
1. Identify a method of risk assessment that is suited to the organization's business information to be protected, its regulatory requirements and its corporate governance guidelines.
2. Identify the assets and the owners of these assets.
3. Identify the threats to those assets.
4. Identify the vulnerabilities that might be exploited by the threats.
5. Identify the impacts that losses of confidentiality, integrity and availability may have on the assets.
6. Assess the risks.
7. Identify and evaluate options for the treatment of risks.
8. Select control objectives and controls for treatment of risks.
9. Implement and operate the system.
10. Monitor and review the system.
11. Maintain and improve the system.
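The following is an added worked example, not part of the standard or of the original comment, showing how the steps above can be carried through as a small risk register: assets with owners, threats, the vulnerabilities they exploit, the confidentiality/integrity/availability impact, a risk score, a treatment decision, a selected control, and a re-assessment of residual risk once controls operate. The asset inventory, the 1-5 scales, the risk appetite of 8 and the control catalogue are all constructed assumptions for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional


class Treatment(Enum):
    ACCEPT = "accept"      # within risk appetite: record it and keep monitoring
    REDUCE = "reduce"      # select a control that lowers the likelihood
    TRANSFER = "transfer"  # no control available: insure or outsource the risk
    AVOID = "avoid"        # intolerable and uncontrollable: stop the activity


@dataclass(frozen=True)
class Asset:
    name: str
    owner: str
    impact: dict  # loss impact per CIA dimension, 1 (negligible) .. 5 (severe)


@dataclass(frozen=True)
class Vulnerability:
    name: str
    asset: str       # name of the asset it weakens
    affects: tuple   # CIA dimensions harmed if a threat exploits it


@dataclass(frozen=True)
class Threat:
    name: str
    exploits: str    # name of the vulnerability it exploits
    likelihood: int  # 1 (rare) .. 5 (expected)


@dataclass
class RiskEntry:
    asset: str
    owner: str
    threat: str
    vulnerability: str
    risk: int
    treatment: Treatment
    control: Optional[str]


def risk_score(asset: Asset, vuln: Vulnerability, threat: Threat) -> int:
    """Risk = likelihood x worst-case impact over the CIA dimensions exposed."""
    impact = max(asset.impact[dim] for dim in vuln.affects)
    return threat.likelihood * impact


def choose_treatment(score: int, appetite: int, has_control: bool) -> Treatment:
    """Evaluate the treatment options (steps 7 and 8) against the risk appetite."""
    if score <= appetite:
        return Treatment.ACCEPT
    if has_control:
        return Treatment.REDUCE
    return Treatment.AVOID if score >= 20 else Treatment.TRANSFER


def build_register(assets, vulns, threats, controls, appetite=8):
    """Walk steps 2-8 and produce one register entry per threat."""
    asset_by_name = {a.name: a for a in assets}
    vuln_by_name = {v.name: v for v in vulns}
    register = []
    for threat in threats:
        vuln = vuln_by_name[threat.exploits]
        asset = asset_by_name[vuln.asset]
        score = risk_score(asset, vuln, threat)
        control = controls.get(vuln.name)
        treatment = choose_treatment(score, appetite, control is not None)
        chosen = control[0] if treatment is Treatment.REDUCE else None
        register.append(RiskEntry(asset.name, asset.owner, threat.name,
                                  vuln.name, score, treatment, chosen))
    return register


def residual_register(assets, vulns, threats, controls, appetite=8):
    """Monitor-and-review step (10): re-assess with the selected controls in
    operation. A control removes likelihood points from the threat that exploits
    its vulnerability; an entry still marked REDUCE afterwards means the control
    is insufficient and the register needs further treatment (step 11)."""
    reduced = []
    for t in threats:
        reduction = controls.get(t.exploits, (None, 0))[1]
        reduced.append(Threat(t.name, t.exploits, max(1, t.likelihood - reduction)))
    return build_register(assets, vulns, reduced, controls, appetite)


# Constructed sample inventory (hypothetical systems, not from any real organization)
ASSETS = [
    Asset("customer database", "Head of Operations",
          {"confidentiality": 5, "integrity": 4, "availability": 3}),
    Asset("public website", "Marketing Director",
          {"confidentiality": 1, "integrity": 3, "availability": 4}),
]
VULNS = [
    Vulnerability("unpatched web server", "public website", ("integrity", "availability")),
    Vulnerability("shared admin password", "customer database", ("confidentiality", "integrity")),
    Vulnerability("single power feed", "customer database", ("availability",)),
    Vulnerability("no off-site backup", "customer database", ("integrity", "availability")),
]
THREATS = [
    Threat("worm outbreak", "unpatched web server", 4),
    Threat("insider misuse", "shared admin password", 3),
    Threat("power outage", "single power feed", 2),
    Threat("fire in server room", "no off-site backup", 3),
]
# Control catalogue: vulnerability -> (control, likelihood points it removes)
CONTROLS = {
    "unpatched web server": ("patch management process", 3),
    "shared admin password": ("individual accounts with quarterly access review", 2),
}

if __name__ == "__main__":
    for label, reg in (("initial", build_register(ASSETS, VULNS, THREATS, CONTROLS)),
                       ("residual", residual_register(ASSETS, VULNS, THREATS, CONTROLS))):
        print(f"--- {label} risk register ---")
        for e in sorted(reg, key=lambda e: -e.risk):
            print(f"{e.risk:>3}  {e.treatment.value:<8} {e.asset} / {e.threat}"
                  f" via {e.vulnerability} (owner: {e.owner}) -> {e.control}")
```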

17 May 2004

Regulation Compliance Tops Companies' Security Concerns

Regulation Compliance Tops Companies' Security Concerns:

By Karen D. Schwartz

Just a few short years ago, the primary security-related concern for most IT executives was how to prevent hackers from infiltrating their companies' systems. Although that issue still is quite relevant, it's no longer the top concern of many organizations. Today, that honor goes to how to comply with the increasing number of regulatory and compliance mandates required by the U.S. government. Some of these requirements, such as Gramm-Leach-Bliley and Sarbanes-Oxley, apply to virtually all corporations, while others, such as the Health Insurance Portability and Accountability Act (HIPAA) and the Basel II Accord, affect specific industries.

The unifying thread among all of these mandates is the need to adequately protect personal information—an issue that can cause significant challenge and confusion for IT managers who are unfamiliar with the available tools and methods for satisfying these requirements.

Helping organizations comply with this panoply of regulations, however, has created significant opportunity for resellers, says Ed Smith, director of security solutions at Forsythe Technology Inc., a technology infrastructure solution provider based in Skokie, Ill.

"These regulations don't require specific technology, which makes them confusing and vague. Some say you have to provide access control, for example, but they don't specify how to do it," Smith says. To solve the problem, many organizations are turning to resellers who specialize in building compliance-ready environments and stand ready to map those environments to the organization's framework, best practices and standards.

Resellers and systems integrators fulfill a real need in the compliance arena, agrees Michael Rasmussen, director of information security at Forrester Research Inc., a Cambridge, Mass., IT consultancy.

Not only is there no off-the-shelf product to deal with compliance and security issues, but creativity and ingenuity tend to be key to success, Rasmussen says. "It's about building a culture of security and governance within the organization, as well as selecting the right products and assigning the appropriate management and staffing to them."

Although not yet a requirement, the government's recent push to address cyber-security is beginning to rank nearly as high as regulatory compliance for companies trying to stay on the cutting edge of security requirements. Spearheaded by the National Cyber Security Partnership Task Force, a public-private partnership led by a variety of trade groups and the U.S. Chamber of Commerce, the goal is to develop strategies to better secure critical information infrastructure.

Slowly but surely, the push to implement better cyber-security is trickling down from government to private industry, encouraging resellers to develop solutions and methodologies for implementing these practices within their client base.

"We're encouraging the private sector to adopt what's happening in the public sector because cyber-security cuts across everything and should be part of the overall business model," says Jeff Tye, founder of GMP Networks, a Tucson, Ariz., security integrator.

But at least for now, compliance and cyber-security issues remain more relevant to larger companies than smaller ones. These issues, generally grouped under the term "information security," include financial integrity, regulatory compliance, privacy, intellectual property and industrial espionage. Smaller companies, on the other hand, tend to remain focused on IT security—technology that includes firewalls, disaster recovery, patch management, intrusion-detection systems, and encryption and anti-virus software.

That's changing, but slowly, Smith notes. "You have to become a trusted adviser beyond just offering the latest technology. It's about understanding their problems and then developing an appropriate solution—whatever the need."

GLOSSARY OF TERMS

Sarbanes-Oxley Act of 2002: Mandates a comprehensive accounting framework for all public companies doing business in the United States. Companies must disclose all relevant financial performance information publicly, creating the need for more stringent digital data integrity and accountability controls.

Health Insurance Portability and Accountability Act of 1996 (HIPAA):
One part of this act deals with the standardization of health care-related information systems, establishing standardized mechanisms for electronic data interchange, security and confidentiality of all health care-related data.

Gramm-Leach-Bliley Act of 1999:
Enacted to protect consumers' private financial information. It put processes in place to control the use of consumers' private information and included requirements to secure and protect the data from unauthorized use or access.

Basel II: The Basel II Accord is a regulatory framework governing risk management practices, developed by the Bank of International Settlements. Companies have until the end of 2006 to comply with it. The accord consists of minimum capital requirement, supervisory review of capital adequacy and public disclosure. And new guidelines on operational risk may cause banks to need to implement more comprehensive business continuity solutions. Once finalized, it will give banks a more standard way of evaluating risk.

Cyber-security: Simply put, cyber-security is the act of protecting all corporate information from potential harm through identification, protection and defense. The U.S. government is doing its best to encourage organizations to deal with cyber-security. The National Cyber Security Partnership Task Force, for example, recently issued a report recommending ways of reducing security vulnerabilities by adopting existing standards and best practices, using common software security configurations, developing guidelines for secure equipment deployment and network architectures, and improving the processes commonly used to develop security specifications and conduct security evaluations.

Group spurred by 9/11 on patrol

Group spurred by 9/11 on patrol:

"About four months after Sept. 11, 2001, Buck Fleming was in New York with Chris Fearnley, calling on customers of their Upper Darby-based computer consulting firm, LinuxForce Inc.

After they were done, the two went to look at Ground Zero, where the World Trade Center towers had stood before terrorists struck.

'I talked my way on to the relatives' platform, and I stood there for an hour among the relatives, and I decided I had something else to do [besides run a company],' Fleming said. 'I told Chris, 'You're promoted; you're going to be president of LinuxForce because I'm going to go contribute to how I can prevent terrorism in the United States.''

Today, Fleming is acting executive director of the Cyber Incident Detection and Data Analysis Center, a nonprofit that has developed technology for spotting and preventing attacks on computer systems, as well as catching those who launch them.

The center grew out of the Philadelphia chapter of InfraGard, a partnership between businesses, other organizations and the FBI aimed at preventing attacks to the nation's infrastructure.

It has 28 members, including such large local companies as Independence Blue Cross and Air Products and Chemicals Inc., and the University of Pennsylvania's Institute for Strategic Threat Analysis & Response. But it doesn't have the means for deploying its technology, which consists of sensors that monitor attacks on computer networks they're attached to and transmit information about the attacks to a central location.

'Technically, this is easy,' said Jeff Weisberg, an area computer consultant who serves as the center's chief technology officer. 'Experience over the past two years has suggested that we're not doing well raising money, so apparently that's not so easy.'

The center hopes to help remedy that with a fund-raiser Wednesday at the American Philosophical Society that will feature a presentation by Keith Morales, director of information security at the Federal Reserve Bank of Philadelphia, and the president of InfraGard's Philadelphia chapter.

It also wants to get organizations to sign up as paying members. Those that do will get sensors deployed on their networks and receive information on cyber-threats that the center collects.

They also will be able to pay less for insurance; the giant New York-based insurer American International Group Inc. has agreed to offer discounted rates to organizations that deploy the center's sensors on their networks.

Fleming wants the center to have its office up and running by December. He wants to locate the office in the Science Center technology park in the city's University City section because that's close to Penn and Drexel University, which have been working with the center.

The office will employ 25, Fleming said, and will benefit the region's hotels and restaurants by offering training classes that attract people from all over the country.

Other organizations, both nonprofit and for-profit, offer services similar to what the center is proposing to offer. But John Chesson, the FBI special agent who is the Philadelphia coordinator for InfraGard, said the center's system of attack detection and analysis seems to be unique.

The sensors that the center wants to deploy would do nothing other than be the target for attacks. That, Chesson said, means data from attacks wouldn't get buried in the reams of other data carried by the systems the sensors are attached to now. It also means organizations could share data from the sensors without divulging confidential information.

Also, the fact that data from the sensors would be relayed to the center in real time would enable the FBI to learn of attacks while they're occurring.

'If there were an organized [cyber]-attack against our electric-power infrastructure, we may not know in today's world until things start failing,' Chesson said."
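The sensor design Chesson describes, a host that carries no production traffic and relays everything it sees to a central point, lends itself to a simple collector-side rule: since nothing legitimate should ever touch a sensor, every event is already signal, and the interesting question is which sources hit sensors at several member organizations close together in time. The Python below is an added illustration of that correlation logic and of the "shareable" subset of a sensor record; it is not the center's code, and the JSON event schema, member names and addresses are constructed for the example.

```python
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime, timedelta
import json


@dataclass(frozen=True)
class SensorEvent:
    ts: datetime   # when the sensor saw the connection
    org: str       # member organization hosting the sensor
    sensor: str    # sensor id within that organization
    src: str       # remote address that connected to the sensor
    dport: int     # port it went for


def parse_event(line: str) -> SensorEvent:
    """Parse one relayed event. The JSON schema is constructed for this
    example; it is not the center's wire format."""
    d = json.loads(line)
    return SensorEvent(datetime.fromisoformat(d["ts"]), d["org"], d["sensor"],
                       d["src"], int(d["dport"]))


def shareable_record(e: SensorEvent) -> dict:
    """The subset a member can hand to the center: only what touched the
    sensor, so no production hosts or user data are disclosed."""
    return {"ts": e.ts.isoformat(), "src": e.src, "dport": e.dport,
            "sensor": f"{e.org}/{e.sensor}"}


def correlate(events, window=timedelta(minutes=10), min_orgs=2):
    """Sources that hit sensors at >= min_orgs distinct organizations inside
    any span of length `window`. A lone scanner hitting one member is still
    recorded, but breadth across members is what suggests an organized sweep."""
    by_src = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        by_src[e.src].append(e)
    hits = defaultdict(set)
    for src, evs in by_src.items():
        start = 0                      # sliding window over this source's events
        for end in range(len(evs)):
            while evs[end].ts - evs[start].ts > window:
                start += 1
            orgs = {e.org for e in evs[start:end + 1]}
            if len(orgs) >= min_orgs:
                hits[src] |= orgs
    return {src: sorted(orgs) for src, orgs in hits.items()}


# Constructed sample feed: three members, three remote sources.
SAMPLE_FEED = [
    '{"ts": "2004-05-31T10:00:00", "org": "member-a", "sensor": "s1", "src": "203.0.113.7", "dport": 445}',
    '{"ts": "2004-05-31T10:00:30", "org": "member-a", "sensor": "s1", "src": "192.0.2.5", "dport": 22}',
    '{"ts": "2004-05-31T10:04:00", "org": "member-b", "sensor": "s1", "src": "203.0.113.7", "dport": 445}',
    '{"ts": "2004-05-31T10:05:00", "org": "member-a", "sensor": "s2", "src": "192.0.2.5", "dport": 22}',
    '{"ts": "2004-05-31T10:08:00", "org": "member-c", "sensor": "s1", "src": "203.0.113.7", "dport": 445}',
    '{"ts": "2004-05-31T10:09:00", "org": "member-a", "sensor": "s1", "src": "198.51.100.9", "dport": 80}',
    '{"ts": "2004-05-31T11:30:00", "org": "member-b", "sensor": "s1", "src": "198.51.100.9", "dport": 80}',
]


def load_sample():
    return [parse_event(line) for line in SAMPLE_FEED]


if __name__ == "__main__":
    for src, orgs in correlate(load_sample()).items():
        print(f"{src} touched sensors at {', '.join(orgs)} within 10 minutes")
```

On the constructed feed only 203.0.113.7 is reported: it reaches all three members inside ten minutes, while 198.51.100.9 reaches two members ninety minutes apart and 192.0.2.5 only ever touches one member.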

TRIA Make Available Provision

TRIA Make Available Provision:

Issue Summary: Extending TRIA

The Terrorism Risk Insurance Act (TRIA) expires at the end of 2005. However, the provision in TRIA which mandates that insurance companies “make available” terrorism insurance on the same terms and conditions as property and casualty insurance expires at the end of 2004. The Treasury Secretary has sole authority to extend this requirement for one year if he acts by September 1, 2004. Policyholders nationwide urge the Treasury Secretary to extend the provision in order to avoid economic slowdown and provide adequate economic protection against terrorism.

Background

TRIA was enacted in 2002 because the private insurance marketplace was failing to provide adequate terrorism insurance coverage following 9/11. TRIA was designed to provide a bridge to a time when the private insurance markets functioned again. Following TRIA's enactment, terrorism insurance coverage became readily available, thus enabling billions of dollars of transactions previously stalled to go forward. The primary reasons TRIA successfully expanded terrorism insurance capacity are: 1) the program requires that the federal government share the risk of loss from terrorist attacks with the insurance industry; and, 2) the program requires that insurers offer terrorism insurance coverage to policyholders on the same terms and conditions as other property and casualty insurance ("make available provision").

Policyholders are now increasingly concerned that terrorism insurance will again become scarce because, even though the terrorism insurance program does not technically expire until December 31, 2005, there are several facts that could result in the program expiring in fact a year earlier than its statutorily prescribed termination date. First, the law now requires that all insurance companies doing business in the U.S. must offer terrorism insurance coverage on the same terms and conditions they offer property and casualty coverage. This provision is known as the "make available" provision. This "make available" requirement expires at the end of 2004. The Secretary of Treasury has the authority to extend the "make available" date for one additional year.

At the same time, the law also has a provision that sets the amount of loss which an insurance company must absorb before the federal insurance backstop kicks in. This so-called "retention level" is set in law and was 7 percent of direct earned company premiums in 2003; 10 percent in 2004; and increases to 15 percent in 2005.

TRIA was originally enacted as a temporary program to allow private terror insurance markets to stabilize and provide adequate capacity to meet the demand for coverage. Yet to date, there is little evidence that the private insurance markets have stabilized. Two examples of continuing private market failure are:

· There is no reinsurance available for the retained loss amounts held by private direct insurers, even though the potential loss is quantifiable as measured by the individual company retention amount.

· There is no terrorism insurance coverage being offered by private direct carriers for chemical, biological or radiological events even though the federal backstop would cover such losses if they were insured against.

Therefore, although the general terrorism insurance program remains in effect until 2006, the combination of these factors is causing policyholders to conclude that it will be increasingly difficult to obtain terrorism insurance coverage as early as later this year.

Action Requested

The Treasury Secretary should be urged to extend the “make available” date because the private insurance market has not yet stabilized. Inadequate availability of insurance coverage against terrorist attacks would leave the U.S. economy insecure.

14 May 2004

Phishing Expeditions Are Multiplying

Phishing Expeditions Are Multiplying:

SurfControl says the scams have increased nearly 500% since January--and they're getting more sophisticated, too.

By TechWeb News

More bad news about phishing attacks arrived Friday via message filtering firm SurfControl when it unveiled numbers showing the scams have increased nearly 500% since January.

Phishing attacks are spam messages that pose as legitimate mail from big-name banks, credit-card companies, and retailers. Links within the messages try to entice recipients to visit bogus Web sites, where they're told that their account information needs to be updated. Users who fall for the con divulge personal financial information, such as credit-card and bank-account numbers, which is used by the attacker to siphon funds, purchase goods, or steal identities.

The number of unique scams spotted by SurfControl has grown 477%, from 33 to 155 in the first five months of this year, according to Susan Larson, SurfControl's VP of global content. In the last 12 months, she added, phishing scams have rocketed by more than 5,000%--from three in May 2003, to 155 in 2004.

Other phishing watchers have noted an even more dramatic rise in the raw numbers of phishing messages. In April, for instance, MessageLabs said it had seen phishing messages skyrocket from just 279 in September 2003, to 215,643 in March 2004.

The latest dodge, which targets US Bank customers, is one of the most sophisticated SurfControl has yet seen, Larson said. The US Bank scam asks customers to verify and update their online bank accounts -- nothing out of the ordinary there -- but the hackers have used Javascript code to overlay a fake address bar that shows the real US Bank URL on the browser's real address bar.

Larson said the new tactic makes the spoof more realistic than earlier phishing attacks, which exploited an Internet Explorer bug to display the URL of the spoofed company. A patch exists for the flaw, but the new technique can target even those systems that have been patched.

According to Gartner, victims of phishing attacks are three times more likely to suffer some form of identity theft than the general population."
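Larson's point is that the overlaid address bar defeats the check most users rely on once the page is open, so the more dependable place to examine a phishing link is before the click, in the message itself, which is where a filtering product such as SurfControl's works. The Python below is an added illustration of that kind of link heuristic, not SurfControl's code: it pulls every anchor out of a mail body and flags the classic tells (display text that names one host while the href goes to another, an IP-literal host, user information placed before the real host, and hosts that merely contain a protected brand's name). The sample message, the `BRAND_DOMAINS` allow-list and every domain in it are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit
import ipaddress
import re


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> in a message body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url: str) -> str:
    """Hostname of a URL, or of bare 'host/path' text, lower-cased."""
    parts = urlsplit(url if "://" in url else "http://" + url)
    return (parts.hostname or "").lower()


def _is_ip_literal(host: str) -> bool:
    try:
        ipaddress.ip_address(host)
        return True
    except ValueError:
        return False


def _same_site(host: str, domain: str) -> bool:
    return host == domain or host.endswith("." + domain)


# Constructed allow-list: the genuine domains of the brands the filter protects.
BRAND_DOMAINS = {"usbank.com"}

# Anchor text that reads like a URL or a host name (optionally with a path).
_LOOKS_LIKE_URL = re.compile(r"^(https?://)?[\w-]+(\.[\w-]+)+(/|$)", re.I)


def suspicious_links(html: str, brand_domains=BRAND_DOMAINS):
    """Return [(href, [reasons])] for links that show common phishing tells."""
    collector = _AnchorCollector()
    collector.feed(html)
    findings = []
    for href, text in collector.links:
        reasons = []
        target = _host(href)
        if urlsplit(href).username is not None:
            reasons.append("userinfo before the real host")
        if _is_ip_literal(target):
            reasons.append("IP-literal host")
        if _LOOKS_LIKE_URL.match(text):
            shown = _host(text)
            if shown and shown != target and not _same_site(target, shown):
                reasons.append(f"text shows {shown} but href goes to {target}")
        for brand in brand_domains:
            if brand.split(".")[0] in target and not _same_site(target, brand):
                reasons.append(f"lookalike of {brand}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample message: two phishing links and one genuine one.
SAMPLE_MAIL = """
<p>Dear customer, please <a href="http://usbank.com@203.0.113.5/update">www.usbank.com/update</a>
your account, or use <a href="http://usbank-secure.example.net/login">https://www.usbank.com</a>.
Questions? Visit <a href="https://www.usbank.com/help">our help page</a>.</p>
"""

if __name__ == "__main__":
    for href, reasons in suspicious_links(SAMPLE_MAIL):
        print(href, "->", "; ".join(reasons))
```

The genuine help-page link is left alone because its host is the brand domain or a subdomain of it; the two others are reported with every reason that applies, which is more useful to an analyst than a single score.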

DHS | Department of Homeland Security | Fact Sheet: Forward Challenge 04

DHS | Department of Homeland Security | Fact Sheet: Forward Challenge 04:


Fact Sheet: Forward Challenge 04

During May 12-13, 2004, the Department of Homeland Security (DHS) is conducting the first-ever, federal-government-wide continuity of operations (COOP) exercise, 'Forward Challenge 04.' More than 40 federal agencies, including DHS, are testing and evaluating COOP procedures during a simulated terrorism-based scenario to ensure essential functions and responsibilities continue during an emergency or situation that may disrupt normal Federal government operations. The Federal Emergency Management Agency (FEMA), part of the Department of Homeland Security, has responsibility for oversight and management of the Federal Executive Branch COOP program.

A threat or emergency condition may require federal departments and agencies to relocate to alternative sites. Based on FEMA Federal Preparedness Circulars, all Federal agencies and departments have COOP plans that ensure capability to perform essential functions under various conditions. Federal departments and agencies must conduct tests, training and exercises to demonstrate capability of plans.

The objectives of this exercise are focused on executing the COOP at the Federal level. In an actual event, notification, communication and coordination with our state, local and private sector partners would be a top priority, but for the purposes of this exercise we are focusing on the Federal level.

Objectives for the Forward Challenge 04 exercise include:

* Establishing an operation capability at an alternate facility;
* Implementing succession and delegation of authority plans;
* Demonstrating an interoperable communications capability;
* Demonstrating a redundant communication capability; and
* Demonstrating the ability to access vital records necessary to conduct normal operations from a designated alternative location.

Forward Challenge 04 provides the framework for testing interoperability and interconnectivity between Federal departments and agencies from individual COOP sites throughout the United States and will ensure compliance with a recently mandated requirement to engage in continuity of operations activities. Federal departments and agencies will be evaluating their individual response."

13 May 2004

New NYSE Rule 446

NYSE Rule 446

Corporate-Wide BCP

A subsidiary member or member organization may satisfy its obligations under Rule 446 by participation in a corporate-wide BCP that satisfies the Rule's requirements, and that covers its subsidiary (the member or member organization), regardless of whether the parent corporation is a member or member organization of the Exchange. However, inclusion in a corporate-wide BCP does not obviate the need for compliance by the member or member organization with the record-keeping and supervisory requirements of the Rule. If a member or member organization chooses to participate in a parent company's corporate-wide BCP, the record-keeping, supervision, creation, execution, or updating of that plan must comply with Rule 446. In addition, the subsidiary member or member organization must ensure that the parent and subsidiary both comply with NYSE rules on record-keeping and supervision for purposes of Rule 446. Finally, the parent corporation must grant the Exchange access to its BCP upon request. If access is not granted, the subsidiary member or member organization will be deemed not to have complied with Rule 446 requirements.

Financial and Operational Risk Assessments


Rule 446(f) defines the term "financial and operational risk assessments" to mean a "set of written procedures that allow members and member organizations to identify changes in their operational, financial and credit risk exposure."

Operational risk focuses on firms' abilities to maintain communications with customers and to retrieve key activity records through their "mission critical systems." Financial risk relates to firms' abilities to continue to generate revenue and to retain or obtain adequate financing and sufficient capital. In this regard, an eroding financial condition could be exacerbated or caused by deterioration in the value of a firm's investments due to the lack of liquidity in the broader market, which would also hinder the ability of the firm's counter-parties to fulfill their obligations. A firm would be expected to periodically assess changes in these exposures, and in the event of a significant business disruption, the firm would consult its plan and take appropriate action contemplated by its plan. Members' and member organizations' procedures should be written and implemented to reflect the interrelationship among these risks.

Emergency Contact Information

Rule 446(g) requires members and member organizations to designate and identify to the Exchange a senior officer as referenced in Rule 351(e) to approve and review BCPs, as well as an Emergency Contact Person(s). Prompt notification is to be given to the Exchange in the event of a change in such designations. Members and member organizations are required to furnish BCP contact information to the Exchange through the Exchange's Electronic Filing Platform ("EFP"). In addition, members and member organizations can access and obtain up-to-date information concerning a disruption to normal NYSE business operations through the Exchange's notification telephone line (1-866-NYSEDIAL) and website (http://www.nyse.com/memberinfo).

Digital Sandbox

Digital Sandbox:

Company Overview


Digital Sandbox and its flagship software solution, Site Profiler, deliver the most comprehensive platform for Enterprise Risk Management (ERM), enabling real-time threat analysis and operational risk management for government agencies and commercial organizations. Digital Sandbox Technology allows customers to achieve continuity of operations and protection for physical, virtual, information and human assets within and across an enterprise. Digital Sandbox and its risk analytics represent an evolution in risk management solutions, fusing disparate data into risk management models to understand, prevent and ultimately respond to critical operational risks that threaten an organization.

Mission


Our mission is to provide our customers with the most powerful, analytic platform for risk management tools available in the market. Our enterprise-class solutions allow our customers to take control of the risks that threaten their enterprise, build accountability, and enable them to justify their risk management actions.

Background


Digital Sandbox is headquartered in Reston, Virginia and was founded in 1998. The company was started with the mission to build and implement the best Enterprise Risk Management software available. Originally funded with friends and family seed money, followed by government funded research and development, Digital Sandbox is now venture-backed and boasts a list of flagship clients. Five years later the company has succeeded in its founding mission leading growth in the emerging category of ERM.

Market/Customers

Our clients represent the organizations that are ultimately responsible for the security and protection of physical assets and lives. They are law enforcement, intelligence, national security, public safety organizations, and owners of critical assets and infrastructure who are seeking new ways to fuse information, apply analytics and deploy enterprise-class solutions.

Solutions


Digital Sandbox offers a fully integrated suite of analytic tools for assessing and managing risk. Our flagship product Site Profiler offers an entire platform of enterprise risk management software solutions providing customers individual or fully integrated enterprise-wide solutions from software products to integration and training."

Bioterrorism expert warns of pandemic

Bioterrorism expert warns of pandemic:

By Sarah Bouchard

A bioterrorism expert testified before Congress yesterday that a deadly new influenza strain could cause the next worldwide epidemic in the near future.

David Relman, an infectious-diseases clinician and researcher who teaches at Stanford University’s medical school, said the avian flu — which kills about two-thirds of infected humans — could reach the scale of the 1918 worldwide pandemic that killed about 30 million people.

Relman added that although the disease has surfaced only in animal populations of Southeast Asia, it is likely to acquire the capability to be transferred easily among humans “fairly soon.”

Relman’s comments came at a hearing of the Senate Judiciary subcommittee on terrorism, technology and homeland security. Although memories of the lethal ricin powder found in Senate Majority Leader Bill Frist’s (R-Tenn.) office in February and the anthrax spores mailed to then-Sen. Majority Leader Tom Daschle (D-S.D.) in 2001 have not faded, Sens. Jon Kyl (R-Ariz.), who chairs the subcommittee, and Dianne Feinstein (D-Calif.), the panel’s ranking member, were the only members who attended.

To combat avian flu and other threats — including al Qaeda-produced anthrax — the four witnesses detailed a program in the works that could identify infectious agents within an hour. Diagnosing many bioterrorism agents currently takes days, weeks and sometimes years.

The effort, known as “Project Zebra,” involves collaborative research by doctors and scientists to create a genetic-profile database of infectious agents and a diagnostic test that will allow doctors to distinguish quickly between bioterror agents and routine sicknesses."

12 May 2004

Jittery Industry Pushes for Renewal of Terrorism Insurance Law

Jittery Industry Pushes for Renewal of Terrorism Insurance Law:

COMMERCIAL REAL ESTATE

By TERRY PRISTIN
New York Times

Published: May 12, 2004

Uncertainty over whether the federal government will renew a law providing a backstop to insurance companies in the event of a terrorist attack is causing widespread concern in the commercial real estate industry, particularly among those who do business in areas that are considered potential targets.

Proponents of extending the 2002 Terrorism Risk Insurance Act - which is due to expire at the end of 2005 - say that it is needed to prevent a return of conditions after the attacks of Sept. 11, 2001, when many lenders refused to cover terrorist acts or charged prohibitively high rates for the coverage.

Ending the federal program, said Douglas Durst, the New York developer who has two projects under construction in Manhattan, including the 51-story Bank of America tower on 42nd Street and the Avenue of the Americas, 'would seriously impact our ability to go forward with our new buildings.'

Although the program has bipartisan support in Congress, officials of the Department of the Treasury have expressed some reservations about whether it should continue. And opposition has come from the Consumer Federation of America, which says that the insurance industry can well afford to assume the risk of terrorism on its own.

The terrorism insurance law requires the federal government to cover 90 percent of combined damages in excess of $12.5 billion this year (rising to $15 billion next year) up to $100 billion. It covers only acts that occur within the United States that are committed by people acting on behalf of a foreign person or cause.

The statute has another 18 months to run, but a more immediate deadline is looming. By Sept. 1, the Treasury secretary must decide whether to extend a provision that requires insurance companies to make terrorism coverage available. If the Treasury Department does not grant the extension, the provision will expire on Dec. 31. Anne Womack Kolton, a department spokeswoman, could not say whether the department would act before the deadline. 'We want to make a very thorough examination of the issue before making a decision,' she said.

The Sept. 1 deadline is too late for many insurance companies, according to a recent General Accounting Office report. 'Insurers,' the report said, 'need to make underwriting, price and coverage decisions for these policies in mid-2004.' Gail Davis Cardwell, a senior vice president at the Mortgage Bankers Association, a trade group, said that some insurance policies that expire in June are being renewed only through the end of the year.

Testifying before two House of Representatives subcommittees on April 28, Gregory V. Serio, superintendent of the New York State Insurance Department, urged that the decision be made sooner. He called the insurance measure 'a key factor in stabilizing and re-energizing New York's economy.'

At the hearing, Wayne A. Abernathy, assistant Treasury secretary for financial institutions, said the department would not decide whether to support the renewal of the terrorism insurance law itself until June 2005, when it completes a mandatory report on whether the measure, which was intended to be temporary, is still needed.

Under questioning, he said that if the federal government continued to provide a backstop, the insurance industry might be discouraged from developing methods for assessing and pricing the risk from terrorism.

But Robert J. Hartwig, the chief economist for the Insurance Industry Institute, a trade association, said that unless the terrorism insurance coverage was reauthorized this year, negotiations for next year's property insurance renewals would become more complicated. Not knowing whether the backstop will be available would be bad not just for owners, but also for investors, Mr. Hartwig said.

Until Sept. 11, 2001, insurers had considered the risk of terrorism so low that it was included in property and casualty coverage without being priced separately. After the attack, however, many insurance companies stopped providing terrorism coverage or made it extremely costly.

In a survey conducted in 2002, the Mortgage Bankers Association found that nearly $8 billion worth of transactions in the first half of the year were either halted or delayed because of a lack of terrorism insurance coverage, Ms. Davis Cardwell said. The ratings agencies downgraded about $7.5 billion in commercial real estate securities because of concerns about inadequate terrorism insurance, the mortgage bankers' group said."

COMMENT:
============================================================================
The use of terrorism insurance by property owners, landlords and Real Estate Investment Trusts places a false sense of security in the minds of executive risk managers. One specific problem lies in an overall lack of comprehensive emergency management and risk mitigation programs being sponsored by commercial real estate owners for their tenants. This is an area that is under more scrutiny now that the NASD and NYSE have introduced new rules regarding continuity of business operations. A new form of liability may be emerging on the risk management horizon: the failure of commercial property infrastructure owners to adequately plan and test scenarios for disasters, both natural and man-made. Most importantly, having the ability to respond to a crisis effectively - without increasing the risk of additional harm - may be the most valuable benefit of having such plans in place. For more on this see CERT Briefing

Fairfax County International Urban Search & Rescue

Fairfax County International Urban Search & Rescue:

ABOUT THE TEAM

The Fairfax County International Urban Search & Rescue resource, sponsored by the Fairfax County, Virginia Fire and Rescue Department, is capable of both domestic and international disaster response.

The Task Force has extensive international (USAID SAR Team 1) and domestic (Virginia Task Force 1) disaster response experience. It is also recognized throughout the United States and the world as a premier leader in the provision of training in catastrophic event mitigation, readiness, and response and recovery techniques.

The Department realizes the importance of supporting the Task Force in its mission of delivering capacity assessments, mitigation planning, and readiness training throughout the world. By assisting in the development and enhancement of other search and rescue resources, the Task Force lessens the probability and necessity of it being deployed.

The Task Force began its humanitarian response relationship with the US Agency for International Development – Office of US Foreign Disaster Assistance (USAID-OFDA) in 1986 following a tragic 1985 seismic event in Mexico City. Realizing the void of qualified search and rescue resources in the Americas Region, USAID-OFDA joined in a strategic partnership with Fairfax County and the Miami-Dade Fire and Rescue Departments to develop a self-sustainable response resource. Its first deployment was to the former Soviet Armenia in 1988 in the aftermath of a large earthquake.

As the threats related to the Cold War began to diminish in the early 1990s, the Federal Emergency Management Agency (FEMA) transitioned its strategic planning initiatives from those of Civil Defense to concepts similar to those begun by USAID-OFDA: domestic mitigation, response, and recovery. When FEMA announced plans to develop a domestic National US&R Response System, Fairfax County was one of the original respondents. Accepted into the domestic system in 1991, the resource was then deemed “operational” by both FEMA and USAID-OFDA. The Task Force is proud to be one of only 28 domestic resources qualified by FEMA to assist with Homeland Security, and one of two resources utilized by USAID-OFDA for international response.

In total, there are approximately 200 trained and equipped members on the Task Force.

11 May 2004

1SecureAudit LLC - United States - Managing Risk for Security Governance - Mondaq

1SecureAudit LLC - United States - Managing Risk for Security Governance - Mondaq:

Article by Peter L. Higgins

In the converging world of information and physical security emerges a new risk element: managing "Security Governance."

The 2003 Council on Competitiveness Corporate Security survey conducted by Wilson Research Strategies found that:

* Most business leaders see security as a top or high priority (86%);
* Risk management assessments are conducted frequently (83%);
* Connections to critical infrastructure are becoming a focus for risk management;
* Corporate leaders see opportunities for positive returns on security investments (71%);
* Business leaders believe that the private sector should take the lead in setting security standards (66%); and
* The majority of executives believe that the public and private sectors share equal responsibility for homeland security (57%).

"Corporate Security is no longer viewed as a matter of guards, gates and guns, but of interconnectivity and interdependence of networks," the survey states. "But 9/11 was only a moment in time—and there is no accepted business model for integrated security management. The need to identify and institutionalize a set of best practices—security processes that create positive returns on investment—remains largely unmet."[1]

The ethics and issues surrounding the business world of Corporate Governance since Enron and WorldCom command center stage. Now, the ethics and human behavior of the security and intelligence community are snaring headlines in the wake of recent memoirs by former and current White House officials.

When poor business governance spills into Security Governance, it’s time to wave a red flag. These events demand that we revisit and rededicate ourselves to the discipline of Security Governance, which is the means for directing and controlling corporations or governments, and refuse to compromise for any reason the policies and codes we stand by. Established frameworks must not only hold managers accountable but also empower stakeholders to intervene if they witness violations of security ethics or policies. Security Governance, like Corporate Governance, requires oversight by key individuals on the board of directors. In the public sector, people from the executive, judicial and legislative branches may compose the board.

In watching Richard Clarke’s testimony in front of the 9/11 commission, I was struck by our former counterterrorism tsar’s ability to deliver precise salvos of devastating sound bites. Witnesses may or may not back up his statements. If anyone can uphold the foundational policies of Security Governance, it is Mr. Clarke. And you have to admire a person who stands up for their beliefs, except when those beliefs begin to erode the management system for Security Governance.

The basic responsibility of management, in government or a corporation, is to protect assets. Risk and the enterprise are inseparable. Therefore, Security Governance requires a robust management system approach. For a corporation to survive and prosper, it must take security risks. A nation is no different. When management systems lack the correct controls to monitor and audit enterprise security risk, they expose precious assets to the threats that seek to undermine, damage or destroy our livelihood.

10 May 2004

In Case of Emergency

New technology, and new threats, have businesses reexamining how they cope with disaster.

John Goff
CFO Magazine

By almost any yardstick, Prairie State Bank is not what you'd call a major financial institution. With a handful of branches scattered in south-central Kansas, the bank maintains a small retail business in the GWMA (Greater Wichita Metropolitan Area). How small is small? On its corporate Website, the company's management proudly proclaims that Prairie State 'is the 24th largest bank in the state of Kansas.'

Still, the concerns of the top executives at tiny Prairie State are probably not unlike those of high-powered bankers who run global banking giants. High on that list: how to keep computer systems up and running in case of an emergency. While it's not especially likely that terrorists will strike Augusta, Kansas (site of the bank's home office), the Sunflower State does get its fair share of tornadoes. And in 1999, an overflowing Whitewater River swelled clear up to the steps of the main office. 'We had to sandbag the front doors,' recalls Chip DuFriend, network administrator at the bank.

Until recently, Prairie State backed up its 16 servers to individual, onsite tape drives. But last year, the bank's Microsoft Exchange server went down and DuFriend was unable to restore the system with a tape backup. Unsettled by the experience, management at Prairie State decided to try something different, eventually signing up for a subscription service provided by StorServer Inc., in Colorado Springs, Colorado. The service enables the bank to store the data from its servers on one server at an offsite location. DuFriend says he can go online and easily recover lost or deleted data files — a revelation for managers used to working straight from tape backups. Says DuFriend: 'This system is a paradigm shift for us.'

Paradigm shift aptly describes what's going on in the world of disaster recovery these days. Spurred on initially by Y2K and, more recently, 9/11 and the great blackout of 2003, corporate executives are focusing on data protection like never before. According to Stamford, Connecticut-based research firm Meta Group Inc., companies spent just 3.2 percent of their IT budgets on security (employee education, business continuity, and disaster recovery) in 2001. Last year, the outlay was more like 8.2 percent — a dramatic increase.

07 May 2004

CIO Report: Phishing Scam Hits 57 Million Users

By Erika Morphy
NewsFactor Network

Phishing is one of the most economical fraud schemes around, because it entails a low risk of getting caught while offering a high reward, says Naftali Bennet of Cyota. And as e-mail marketers will tell you, contacting people via mass e-mail is about the cheapest form of communication around.

An estimated 57 million American adults have received e-mails from "phishers" -- cyberthieves who pretend to be service providers, such as banks, to steal account information -- according to a new survey by Gartner.

More than 30 million people were "absolutely sure" they were victims of a phishing attack and another 27 million thought they had received what "looked like" a phishing ploy, says Gartner. Just 49 million of the 141 million online consumers have not experienced one, Gartner estimates.

Gartner extrapolated these figures from a survey of 5,000 online adults. Based on the sample, the analyst firm believes nearly 11 million online adults, or 19 percent of those attacked, have clicked on a phishing link. It also believes that at least one million more people have fallen for such schemes without realizing it.

The most tangible evidence of phishing activities, though, is measured in actual loss: Last year, identity theft fraud from phishing attacks cost U.S. banks and credit card issuers US$1.2 billion, Gartner says.

Sarbanes-Oxley's compliance conundrum

(United Press International) -- It's been nearly two years since passage of the Sarbanes-Oxley Act, aimed at mitigating investor fears after the Enron and WorldCom corporate collapses. While the act is meant to better inform stockholders of what publicly-traded companies are doing, some secondary consequences include extra regulatory costs, not necessarily better management, and diverting staff away from running the business, discussion participants noted at the American Enterprise Institute on Wednesday.

Sarbanes-Oxley is wide-ranging in its scope. In addition to creating stiff new penalties, it establishes a new Public Accounting Oversight Board, restricts the various services an audit firm can offer to its clients, and limits the time audit firm partners can serve a single client. For corporations, the greater effect is on complying with stringent new compliance and disclosure rules.

For the 12,000 public companies that file financial reports with the Securities and Exchange Commission, compliance dates for Sarbanes-Oxley (SOX) are fast approaching. Companies with market caps of $75 million or more have to file 'section 404-compliant' reports along with their annual reports for the fiscal year that ends on or after Nov. 15, 2004. For those companies with market caps of less than $75 million, the compliance date is April 15, 2005. Section 404 of SOX requires detailed examination of a company's financial and information control policies and practices -- which translates into extra expenses for public companies or those which aspire to go public.

A January 2004 survey of 321 public companies by Financial Executives International showed that, on average, the companies surveyed expected to expend 12,000 hours of internal work and 3,000 hours of external work, spend an additional $590,000 in auditor's fees (an average increase of 38 percent), and an additional $700,000 in software and IT consulting, for a total of $1.9 million in first-year compliance costs. For the largest companies, the time and expense was two to three times these averages.

The costs are daunting for private companies with plans to go public, and are causing some public companies to delist, and some private companies to try and sell the company so as to not have to pay the extra costs to become SOX compliant, according to accounting firm Grant Thornton. The firm reported that since the enactment of SOX, the number of companies seeking to go private has increased by 30 percent and the number of proposed management buyouts has increased 80 percent.

Greg Bentley, co-owner of software company Bentley Systems, noted that SOX will cause public companies to be responsible for the compliance of companies they acquire after SOX goes fully into effect, which means that companies that haven't taken steps to be 404 compliant will be considered untouchable for buyout by a public company.

'We cannot afford to be public with 120 percent increases in costs,' said one respondent to a survey by law firm Foley and Lardner on the costs of being a public company. The poll of 450 publicly-traded companies showed that on average, the costs of being public increased 90.4 percent to $2,481,000 -- nearly twice what they were before SOX. And while the largest companies will see the largest cost increases, they will be best able to absorb them, the survey said, while small and mid-cap companies may face 'crippling' cost increases to go or stay public.

Bentley, who co-owns Bentley Systems with his four siblings, described how the company withdrew its IPO bid in spring of 2002 after SOX was passed, mostly because of the SOX requirement for a majority independent board.

Some say that on the one hand, having more independent boards and directors doesn't necessarily result in better management -- but on the other hand, it forces companies to make better choices about who's leading them.

06 May 2004

Australian government publishes terrorism advice leaflet

The Australian government has published ‘Let’s look out for Australia: protecting our way of life from the terrorist threat,’ a document aimed at helping businesses and individuals protect themselves and the country from terrorist attack.

The advice goes hand-in-hand with a public information campaign encouraging Australians to ‘be alert but not alarmed’, and to report suspicious activity to the National Security Hotline on 1800 123 400.

The document includes:

* Advice from some of Australia’s foremost experts in counter-terrorism, including the Director-General of ASIO and the Commissioner of the Australian Federal Police;

* Guidance from the Director-General of Emergency Management Australia and the Commonwealth’s Chief Medical Officer; and

* Information about what to look out for and possible signs of terrorist activity.

05 May 2004

2004 Real Estate Investment Trust Road Show

1SecureAudit 2004 Road Show Brochure

The threat of terrorist attack will continue to pose a major risk to the insurance and real estate industry for years to come.

The U.S. Terrorism Risk Model is changing, because the threats and tactics are changing. The model addresses attack modes at potential terrorist targets across America. It also includes the potential for multiple attacks simultaneously - an Al Qaeda trademark.

One industry segment is especially at risk: the Real Estate Investment Trust (REIT). As significant owners of commercial real estate, REITs own critical office, industrial and retail property, all soft targets in major metropolitan areas.

REITs need to plan for every type of business disruption, from blackouts and hardware and communication failures to human error, natural disasters and unexpected acts of terrorism. During times of crisis, every second counts. Preventive strategies to mitigate your losses will play a key role in your success and business survival.

At the 2004 1SecureAudit Real Estate Investment Road Show, you will learn more about:

* Crisis Communications
* Terrorism Risk Management
* Critical Success Factors in Infrastructure Protection
* Emergency Preparedness

Is your organization ready for the next interruption to business operations?

Washington, DC - May 20
Manhattan, NY - June 17
Chicago, IL - July 15
Dallas, TX - September 23
Denver, CO - October 21
Los Angeles, CA - November 18
San Francisco, CA - December 16

What will you receive? Each company who attends will receive our latest White Paper on Terrorism Risk Management and Business Crisis Communications. You will also have the opportunity to network with other executives in your industry to exchange ideas, best practices and other valuable information on securing your enterprise.

RSVP
800 321 0706 or 703 245 3020
You must register in advance, as space is limited!

Ask for me personally, Peter L. Higgins - Managing Director, 1SecureAudit

04 May 2004

Intrusion Prevention - TippingPoint - Three Pillars of Intrusion Prevention

The UnityOne provides the most comprehensive intrusion prevention protection in the world, extending far beyond traditional IPS capabilities. TippingPoint defines three pillars of intrusion prevention:

1. Application Protection

2. Infrastructure Protection

3. Performance Protection

These pillars afford our customers the strongest and most complete protection against all forms of cyber attacks (including viruses, worms, DoS, and illegal access) as well as misuse and abuse of IT resources.

COMMENT:
==================================================
We don't make it a habit of advocating vendors or products except when we feel like there is a reason. The reason is that one of the brightest people we know has made a decision to work for TippingPoint. He could work anywhere and has selected them. Former NSA. A real malicious code whiz. I would say these guys are worth looking into if you haven't already.

Internet virus causes global havoc

Neil McIntosh
The Guardian

A computer virus was spreading rapidly across the internet last night, causing disruption in homes and businesses from London to Sydney.

The internet worm, called Sasser, was discovered on the internet on Friday night and has already caused disruption in railways and coastguard operations as well as computer reservation systems and bank networks. A computerised mapping system at Britain's Maritime and Coastguard Agency was brought down by the worm, forcing the organisation to continue its work using pen and paper.

In Taiwan, the postal service reported that around a third of its branch offices' computer systems had been knocked out by Sasser, while government departments and hospitals in Hong Kong were also affected. Reuters reported that, in Germany, the virus struck 300,000 post office computers, preventing staff from issuing cash. In Australia, the worm was thought to be behind computer problems which left 300,000 train passengers stranded at the weekend after radio communications were cut between train drivers and signal boxes in Sydney.

Virus experts say a Russian programming team calling itself the Skynet Anti-virus Group has claimed responsibility for the worm. The group is thought to have been behind a number of online attacks.

Graham Cluley, senior technology consultant at anti-virus company Sophos, said the Skynet group was taking advantage of the confusion created by Sasser by circulating emails claiming to offer an antidote to the worm. When users open a file attached to the email, they are being infected with another virus, called Netsky.

The changing face of business continuity

David Honour overviews the new generation technologies that will influence business continuity planning in the future.

Approaches to business continuity have changed dramatically over the past few years. High availability techniques, coupled with real-time data replication and system failover, have meant that many business continuity planners have built these elements into their plans as a first response to downtime, with disaster recovery being down-graded to a mechanism of last-resort. However, various new technologies could create a revolution in business continuity planning which will dwarf the impact of the above methods.

The first major change that is taking place is actually one of approach, rather than technology, but it is important to examine it in the context of this article, since it will set the foundation for the way business continuity is implemented throughout an organisation’s IT and communications networks. The change in question is the move towards holistic business continuity management.

In tomorrow’s organisation business continuity will no longer sit in its own ‘silo’, separated from IT disciplines; information security management; operational risk management; crisis communications; emergency planning etc (delete as appropriate for your organisation!). A movement is underway to bring all business protection issues under one umbrella, ensuring effective oversight of all mission critical processes, giving transparent insight into all areas of the organisation and allowing effective continuity management. This approach is driven by two main factors. Firstly, it makes sense from a management and resource allocation point of view: in too many organisations vital mission critical risks go unmitigated because separate departments all think that the threat is being handled by someone else. Secondly, the convergence of information and communications technologies means that it is really the only practical way forward.

03 May 2004

iDEFENSE : Focused Intelligence

iDEFENSE : Power Of Intelligence : Intelligence Modules : Focused Intelligence:

iDEFENSE Focused Intelligence allows customers to direct iDEFENSE research in order to augment their current cyber and geopolitical threat intelligence capabilities. iDEFENSE maintains a pool of highly-skilled, multi-lingual analysts and sector experts from a variety of government and private sector backgrounds. From threat assessments to country studies to directed research, iDEFENSE is a trusted intelligence partner.

Focused Intelligence allows customers to direct iDEFENSE research in the pursuit of short-term, timely intelligence requirements to meet their immediate needs. With a razor-sharp focus on the cyber and geopolitical threats to our customers' environment and assets, Focused Intelligence serves to expand or augment our customers' capabilities. Past engagements have produced research reports that focus on geopolitical as well as technical threats and customer-directed research that investigates and reports on specific threats to our customers' assets.

No amount of technological resources can replace the security of having experienced cyber-intelligence professionals keeping a watchful eye on your interests on a global scale. From Arabic to Urdu, iDEFENSE Focused Intelligence partnerships are dedicated to providing customers with that level of trusted vigilance.

Buffett praises Google corporate governance

By Dan Roberts in Omaha

Warren Buffett has heaped praise on Google for adopting his unconventional corporate governance style but stopped short of recommending the search engine's initial public offering to his own shareholders.

Addressing the annual meeting of his Berkshire Hathaway investment company, the world's second-richest man made little secret of his delight that such a high profile newcomer was endorsing an approach often dismissed as too quirky for other companies to follow.

'I am very pleased that the fellows at Google said they were influenced by the [Berkshire] owners manual,' he told a record crowd of 19,500 shareholders who made the annual pilgrimage to his home town of Omaha, Nebraska.

Larry Page and Sergei Brin, Google's founders, last week outlined plans for an unusual public auction of their shares using a corporate structure which deliberately challenges traditional Wall Street orthodoxy. Like Berkshire Hathaway, they will refuse to give earnings guidance or aim for stable profits growth, and will create two classes of shareholders to protect management independence.

'I liked their prose,' said Mr Buffett. 'It pleases us enormously that other people think it is a good idea to talk to their owners in a very straight-forward manner. I think more companies ought to do it.'

Disaster Mitigation Checklist for Business Managers

The following are basic guidelines for business managers concerned about the security of their people, plant, property, and equipment.
For more information, please contact the Federal Emergency Management Agency (FEMA) at (202) 646-4600.

1. Develop an emergency response policy. Elements include:

_____ An employee and next of kin emergency contact system

_____ An automated emergency information notification system (e.g., Web site, phone, and/or radio)

_____ Development of an emergency policy and procedures manual

_____ Safety orientation for all employees and periodic safety drills

_____ Accessible first aid kits, water, tool kits and other emergency supplies

_____ Make sure that all essential records are backed up and stored in remote locations.

2. Implement basic safeguards for plant, property and equipment:

_____ Periodically review insurance coverage

_____ Periodically review and update fire and gas detectors, extinguishing systems

_____ Develop inventory safeguards

_____ Conduct periodic building and property inspections

_____ Develop access policies and procedures

3. Know your emergency service providers and critical infrastructure service providers:

_____ Law enforcement

_____ Fire

_____ Health Services

_____ Search and Rescue

_____ Other Emergency Services

_____ Utilities

4. Protect your cybersecurity

_____ Change system passwords every six months

_____ Delete obsolete addresses from the corporate network

_____ Implement security policies for hardware, software, and network assets

5. Know your vendors

_____ Due diligence should include security background checks

_____ Vendor contracts should include security requirements and safeguards

6. Recovery and Reconstitution

_____ Implement redundancy for critical systems, preferably at remote locations

_____ Lay aside a reasonable cash reserve

_____ Develop a recovery plan

_____ Know your government resources: Small Business Administration for recovery loans, FEMA for other emergency assistance.

02 May 2004

NFPA1600

NFPA standard recommended to 9-11 Commission for use as the national preparedness standard

The American National Standards Institute (ANSI) yesterday recommended to the 9-11 Commission that a National Fire Protection Association standard, NFPA 1600 Standard on Disaster/Emergency Management and Business Continuity Programs, be recognized as the national preparedness standard.

NFPA 1600, available free online in PDF format, establishes a common set of criteria for disaster management, emergency management and business continuity programs. In addition, it identifies methodologies for exercising those plans and provides a listing of resource organizations within the fields of disaster recovery, emergency management and business continuity planning.

The recommendation, presented by ANSI President and CEO Dr. Mark W. Hurwitz, on behalf of ANSI's Homeland Security Standards Panel at a reception in Falls Church, Va., will be considered by the Commission as it readies its final report to the President and Congress, expected sometime this summer.

"NFPA is pleased that the Homeland Security Standards Panel of ANSI is making this recommendation to the Commission," said James M. Shannon, president and CEO of NFPA. "We know that 1600 will provide much guidance to businesses and jurisdictions that seek to protect and assist their employees and residents should a disaster occur."

The 9-11 Commission, also known as the National Commission on Terrorist Attacks Upon the United States, is an independent, bipartisan panel, created by Congress in late 2002, and is charged with preparing a full account of the circumstances surrounding the 9-11 terrorist attacks, including recommendations designed to guard against future attacks.