Executives could be liable for cybersecurity
Effort to boost accountability online emerges
By Reuters, 3/29/2004
WASHINGTON -- Hackers, viruses, and other online threats don't just create headaches for Internet users -- they could also create prison sentences for corporate executives, experts say.
Though business groups have lobbied successfully against laws focused on cybersecurity, companies that don't make efforts to secure their networks could face civil and criminal penalties under an array of existing laws and court decisions, according to security and legal experts.
''Computer security is not solely a technology issue," said Dan Burton, a vice president at computer-security firm Entrust Inc., who serves on a private-sector board to boost accountability.
Though healthcare, banking and deceptive-business laws all create security obligations, a new accounting-reform law now being phased in is likely to have the biggest impact.
The 2002 Sarbanes-Oxley Act holds executives liable for computer security by requiring them to pledge that companies' ''internal controls" are adequate, and auditors are starting to include cybersecurity in that category, said Shannon Kellogg, director of government affairs at RSA Security Inc.
More....
Are Your Networks a Legal Minefield?
By Art Jahnke, CIO Magazine
This week’s most bizarre plan to stop illegal peer to peer file sharing comes from the office of California attorney general Bill Lockyer, who wants companies that make file sharing applications to warn customers about risks that could accompany the software’s use. According to an article in The New York Times, the draft of a letter, written in part by a vice president of the Motion Picture Industry of America but coming out of Lockyer’s office, describes those risks as the importation of viruses or pornography, and the liability for copyright infringement. The letter, the Times reports, advises peer to peer software companies that “a failure to prominently and adequately warn consumers could constitute, at the very least, a deceptive trade practice.” It is possible, of course, that such a warning would encourage P2P users to think twice before downloading the latest Adam Sandler movie. But as Fred von Lohman, a lawyer for the Electronic Frontier Foundation, points out to the Times, it’s also possible that a legal precedent requiring such a warning could also force car dealers to include a long list of admonitions about the ways in which cars could be used in illegal activities.
More....
Suit Seeks Tougher Medical Privacy Rules
BY ALISON BASS, CIO Magazine
A FEDERAL COURT JUDGE in Philadelphia is considering arguments in a lawsuit that contends that the new HIPAA privacy regulations are a "broad and serious" breach of Americans' right to medical privacy. The suit, which takes on the federal Department of Health and Human Services, criticizes the new rules for not requiring health-care providers to obtain patients' consent before sharing their medical information with third parties for research, marketing, billing, law enforcement and a host of other "routine purposes." The judge heard arguments in December.
"If someone has received psychotherapy for an emotional disorder or has a homosexual experience and says to their doctor, 'I really don't want this information disclosed further,' it goes out anyway,'" says James C. Pyles, the attorney representing the 18 plaintiffs, who include patients and doctors as well as organizations such as the American Association of Practicing Psychiatrists. The purpose of the suit, Pyles says, is to force HHS to return to HIPAA wording proposed by the Clinton administration, which required health-care entities to obtain patients' consent before sharing their medical information with third parties. More....
Why You SHOULD Sweat the Small Stuff
Viruses. Spam. Software patches. Upgrades. Nuisances that nibble at IT shops everywhere. Attacking them as a class of problems elevates your security readiness.
BY KIM GIRARD, CIO Magazine
IT'S NEVER A good night for the IT department when the first person to get hit by a new virus is the CEO.
That's exactly what happened when the W32.Blaster Internet worm slipped onto the notebook of ABM Industries chief Henrik Slipsager. Slipsager was booting up during a business trip in Los Angeles in August 2003 when the error message that defined the Blaster popped up, paralyzing his machine and millions of others across the globe. The CEO began calling cell phones of top IT staffers in San Francisco looking for help.
"It was 5:30 on a Wednesday," recalls Sean Finley, assistant vice president and deputy director of electronic services at ABM, a $2.3 billion company that provides janitorial, lighting and security services to high-rise buildings. Finley, a 15-year veteran of the company, says he called an ABM website administrator in Los Angeles. "I said: 'Listen, you've got to do me a big favor,'" he recalls. Slipsager left his notebook with a hotel bellhop as the employee raced there with antivirus software. The CEO's computer was fixed. But after that night, the way ABM dealt with viruses changed. More....
Small businesses get alternative for SSL
By Tim Greene
Network World, 03/29/04
Start-up enKoo is coming out with a low-cost remote-access appliance based on Secure Sockets Layer that might not have all the bells and whistles of other such gear, but does offer customers practical means for accessing important data.
The company's enKoo 1000 and 2000 appliances require remote machines to have an SSL-enabled Web browser to gain access to commonly used applications and files.
Other vendors, such as Aventail, NetScreen Technologies and Whale Communications, offer similar features with their products. They also support stronger authentication options than enKoo does, and verify whether remote machines are configured to meet security rules, things enKoo cannot do. The other vendors' gear also costs more. More....
Protected by the network gear
Some switches and routers now can identify, prevent or at least lessen the effect of security threats, but interoperability, performance and management are sticking points.
By Terry Sweeney
Network World, 03/22/04
As you mop up after the latest worm attack and chat with your network infrastructure vendors, talk inevitably will turn to preventive and protective measures. Chances are, your vendors will encourage you to secure every switch and router, making your infrastructure gear part of the layered security approach you are taking toward security under the new data center.
You just never know when or where software will be waylaid by its next vulnerability, the vendors will say. As such, they'll argue, switches and routers should be smart enough to be your helpmates - able to recognize and halt buffer overflows, quarantine infected or unknown clients or help push out patches.
That's a particularly logical gambit in discussions of zero-day attacks, in which the hacker games begin the same day that the software vulnerability is publicized. But just as experienced shoppers know that you never ask a tire salesman if you need new tires, so do enterprise network executives understand that they must do their homework when vendors push security frameworks.
That means, of course, pushing back - and hard - to make them prove their claims of performance, interoperability and management. More....
The sophisticated adversary
News Story by Scott Berinato
MARCH 24, 2004 (CIO) - Darl McBride, the embattled CEO of The SCO Group Inc., visited our office recently and when he showed up, his eyes were sagging. They were red-rimmed, glassy and bloodshot and, overall, he looked worn. But it wasn't because of the litigious morass he'd created by suing IBM Corp. and others over the alleged plagiarism of Unix code that his company owns--at least not directly. McBride looked haggard because of a virus called Mydoom.
The day McBride visited was the day that SCO was forced to relocate its entire website to a new URL because the viciously effective denial of service attack had completely leveled sco.com and, in the process, disrupted everything around it. It's sort of like 300,000 people showing up to protest one store at the mall. Other stores in the mall may not be a target but certainly they're affected.
"This is the real deal," McBride said that day, sounding somewhat surprised. It had only been hours since the company had removed its original URL from DNS servers for the next two weeks. People argue with McBride about virtually everything, but when he used the word sophisticated no fewer than three times to describe Mydoom, there was no arguing with him on that point. Mydoom was the third in a series of increasingly intelligent, targeted marquee attacks; it followed Blaster, which was aimed at Microsoft Corp., and Mimail, which was aimed at anti-spam companies.
More....
Security product flaws attract attackers
News Story by Jaikumar Vijayan
MARCH 26, 2004 (COMPUTERWORLD) - The software vulnerability exploited by this week's Witty worm is only the latest in a growing list of flaws being discovered in the very products users invest in to safeguard their systems.
"This is a new realm of risk that users must confront: the security of security [products]," said Andrew Plato, president of Anitian Enterprise Security, a systems integration and consulting firm in Beaverton, Ore. The Witty worm, which was reported to have damaged 15,000 to 20,000 computers worldwide, took advantage of a flaw involving the BlackIce and RealSecure intrusion-prevention products from Atlanta-based Internet Security Systems Inc. (ISS) (see story). The worm wrote random data onto the hard disks of vulnerable systems, causing the drives to fail and making it impossible for users to start up the systems. The flaw was the result of a buffer-overflow condition in a function used to detect peer-to-peer traffic, said Chris Rouland, director of the X-Force security team at ISS. The company worked to "very quickly mitigate the risk" after being informed of the problem by eEye Digital Security Inc., Rouland added. But Witty was released "almost immediately" after the fix became available and before many users had time to respond, he said. Rouland noted that the number of major flaws that have been discovered in ISS products over the past five years has been limited to two. More....
Is patch mgmt. the best protection against vulnerabilities? Yes
By Eric Schultze
Network World, 03/29/04
Patch management is the optimal solution to protect computers against known software flaws for which vendor patches exist. Third-party products that attempt to correct these flaws solely through firewalls, anti-virus software or intrusion-prevention systems alone are not reliable, for several reasons. An operating system or application vendor that releases a patch is the only organization that truly understands the nature and extent of the flaw; thus, it is best suited to supply the solution. Many times the patch corrects more items and avenues for attack than are known outside of the vendor, including knowledge supplied by the
person(s) who originally found and reported the flaw. Because the vendor has access to the source code, it can identify each component of the operating system or application that might be affected, and it can update the relevant bits of code to prevent the flaw in each instance.
More....
Is patch management the best protection against vulnerabilities? No
By Steven Hofmeyr
Network World, 03/29/04
Currently, the most widespread means of preventing intrusions is patching, and it's failing miserably. The number of security incidents reported to CERT has grown exponentially over the past six years, reaching an all-time high of 137,529 in 2003, which was also the year that the Blaster and MS-SQL Slammer worms caused widespread devastation. Patch management seeks to address these issues through automation that lets patches be installed rapidly and without Herculean human effort. But patch management is of limited benefit. Consider the following:
• Faulty patches can bring down critical servers and cost more to an organization than a security breach. This is an all-too-common scenario: An analysis by WireX Communications and Zero Knowledge Systems indicates that one-fifth of all new patches are revised. Hence, it is very risky to immediately deploy a patch without thorough regression testing to make sure the patch will not cause damage.
More....
Whose Site is it Anyway?
by Richard Moulds - nCipher - Monday, 29 March 2004.
Despite the rapid increase in online commerce, it is estimated that some 85% of transactions are still cancelled at the final 'confirm and buy' page. While some of these aborted purchases are simply down to people changing their minds, many are due to concerns about security and a reluctance to dispatch credit card details and other personal information across the unknown Internet. Maybe this is not surprising given the amount of publicity generated by new cases of Internet hacking and fraud.
People who buy things online may be familiar with the closed-lock padlock in the bottom right hand corner of their screens. While this is meant to provide a sense of security, how many Internet shoppers actually know what it refers to? In fact the padlock is there to show that at that particular time, i.e. on the current web page, communications with that site will be secured using encryption based on a protocol called SSL - or Secure Socket Layer (see explanation). In an ecommerce transaction, SSL achieves two things. It authenticates to the user the identity of the organisation responsible for the site in question, and it ensures that any information transmitted between the purchaser's web browser and the merchant's web site is protected from potential eavesdroppers or hackers listening in from anywhere on the Internet.
But sometimes all is not what it appears to be. 'Spoofing' or 'phishing' is the latest type of Internet fraud, where fake websites are set up that mimic well-established companies and persuade those who visit them to part with credit card details and other valuable financial information.
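The two paragraphs above make a point worth seeing in code: the padlock proves that the certificate presented matches the host name in the URL bar, not that the host name belongs to the company the shopper believes it does, which is exactly the gap a spoofed site exploits. The following is an added example, not code from the article or from nCipher; the certificate records, host names and the `LOOKALIKE` substitution table are constructed for illustration, and the hostname matching is a simplified version of the RFC 6125 rules (exact case-insensitive match, or a single wildcard in the left-most label that covers exactly one label and never the registered domain itself).

```python
"""Added example: what a browser's padlock does and does not guarantee.

A TLS certificate binds a key to the names listed in its Subject Alternative
Name (SAN) extension. The browser draws the padlock when the chain is trusted
and one SAN entry matches the host in the URL bar. A lookalike domain with its
own valid certificate therefore gets a padlock too, so a defender-side check
for lookalike names is a separate control.
"""

# Constructed sample certificate records (not real certificates). Chain
# validation is assumed to have succeeded; only name matching is shown.
CERTS = {
    "bank": {"issuer": "Example CA", "san": ["bank.example", "www.bank.example"]},
    "wildcard": {"issuer": "Example CA", "san": ["*.shop.example"]},
    # A spoofed site with a certificate legitimately issued for its own name.
    "lookalike": {"issuer": "Example CA", "san": ["0nlinebank.example"]},
}


def hostname_matches_san(hostname, san_names):
    """Simplified RFC 6125 name matching: case-insensitive, label-by-label.

    A wildcard is accepted only as the entire left-most label, it matches
    exactly one label, and it may not cover a registered domain ("*.com").
    """
    host_labels = hostname.rstrip(".").lower().split(".")
    for name in san_names:
        labels = name.rstrip(".").lower().split(".")
        if len(labels) != len(host_labels):
            continue
        if labels[0] == "*":
            # Require at least two labels after the wildcard (e.g. *.shop.example).
            if len(labels) < 3:
                continue
            if labels[1:] == host_labels[1:] and host_labels[0]:
                return True
        elif labels == host_labels:
            return True
    return False


def padlock_check(visited_host, cert):
    """Mirror the browser's decision: (padlock_shown, reason)."""
    if hostname_matches_san(visited_host, cert["san"]):
        return True, "certificate from %s covers %s" % (cert["issuer"], visited_host)
    return False, "no SAN entry in %s matches %s" % (cert["san"], visited_host)


# Common digit-for-letter substitutions seen in lookalike names (constructed).
LOOKALIKE = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})


def resembles_trusted(host, trusted_hosts):
    """Defender-side heuristic the padlock does not give you.

    Returns the trusted name that `host` collapses onto after normalising
    look-alike digits and hyphens, or None if it is a trusted host itself or
    resembles none of them.
    """
    plain = host.rstrip(".").lower()
    norm = plain.translate(LOOKALIKE).replace("-", "")
    for trusted in trusted_hosts:
        t = trusted.rstrip(".").lower()
        if plain == t:
            return None
        if norm == t.replace("-", ""):
            return trusted
    return None


if __name__ == "__main__":
    trusted = ["onlinebank.example", "www.bank.example"]
    for host, cert in [("www.bank.example", CERTS["bank"]),
                       ("api.shop.example", CERTS["wildcard"]),
                       ("0nlinebank.example", CERTS["lookalike"])]:
        shown, reason = padlock_check(host, cert)
        print("%-22s padlock=%-5s %s" % (host, shown, reason))
        imitates = resembles_trusted(host, trusted)
        if imitates:
            print("%-22s WARNING: looks like %s despite the padlock" % ("", imitates))
```

Running it shows the spoofed host getting a padlock just as the genuine site does, with only the second check flagging it; that is the reason user education and lookalike-domain monitoring sit alongside SSL rather than being replaced by it.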
More....
The Layered Approach to Security is Dead... Long Live Layered Security
by Susan Morrow - Director of Product Marketing for Avoco Secure - Monday, 29 March 2004.
Net Security
Life isn't the same as it used to be; the good old days of leaving your door unlocked are gone, never to return. Business isn't the same either. IT has brought organisational and cultural challenges into the workplace. One of the positive consequences of this is the ability to collaborate remotely. Successful collaboration can bring about substantial cost savings, removing the need for paper and decreasing travel costs. But with this positive aspect comes a worrying issue - can you trust the collaborators to keep the information within the shared documents confidential?
In a digitised world you can't just apply trust to your closest work colleagues, you have to extend that trust outwards into the wider internal organisation and as the digital workplace matures we have an additional new sphere to trust - the outside world.
Our electronic business is moving outwards and onwards. More....
Vulnerabilities