Sentencing Rules Pressure CIOs
Accused CEOs could fire IS execs to avoid Sarbox punishment
Proposed sentencing guidelines for Sarbanes-Oxley Act violations, scheduled to take effect Nov. 1, bring risks for CIOs. While it's unlikely any CIOs would go to jail under the proposal, which awaits congressional approval, legal experts say the guidelines could set up CIOs to be the fall guys if another C-level executive faces conviction.
The proposed guidelines, published by the U.S. Sentencing Commission in its May 1 report to Congress, attempt to spread accountability for unethical or illegal behavior throughout a corporation. If any C-level executive, not just the CEO or the CFO, is responsible for such behavior, he can now go to jail. This isn't a big deal for CIOs—unless they're engaged in Enron-style fraud or they're charged with their company's Sarbanes-Oxley compliance efforts. Most CIOs aren't in charge of compliance (see "The Sarbox Conspiracy").
More....
The Sarbox Conspiracy
Sarbanes-Oxley compliance efforts are eating up CIO time and budgets. Worse, CIOs are being relegated to a purely tactical role. And that may be the CFO's plan.
BY CHRISTOPHER KOCH
When CIOs began installing ERP systems in the '80s and '90s, they unwittingly took something that used to belong to CFOs: financial controls. The things that accountants used to monitor manually—such as making sure that two signatures from the right people went on every check, or reconciling purchase orders against invoices—all became automated inside ERP systems. The meticulous audit trail that controllers and accountants had established over generations for demonstrating that money was being handled properly (think of black, leather-bound ledgers and long ribbons of adding machine paper) disappeared into those ERP systems without a trace—or at least without being properly documented, and certainly not to the extent now required by the 2002 Sarbanes-Oxley Act, a.k.a. Sarbox.
Today, CFOs want those controls back. If they don't get them, they believe they could go to jail. Section 404 of the Sarbanes-Oxley Act mandates that CFOs have to do more than simply pledge that the company's finances are correct; they have to vouch for the processes used to add up the numbers.
More....
Locking Down Endpoints to Prevent Virus Resurgence
Verifying PC security compliance before granting network access
by Mathew Schwartz
Netsky.D and Bugbear.B are readily recognized by security professionals as past threats, discovered months or over a year ago. Yet each appeared on Symantec's Top 10 Malicious Threats for May 2004. In reality, despite rapidly updated signatures for antivirus engines whenever a new threat breaks, and the wide use of antivirus software on servers and desktops, many viruses and worms aren't eradicated; they just fade away.
Laptops are one culprit, say experts. Mobile workers may use their PC at home or on the road, cancel antivirus or other important software updates, or just not be available to install them. When such PCs reconnect to the corporate LAN, they can restart an infection. Of course, it's up to security managers to clean up the mess, perhaps again. "Back in the virus [attacks] of last fall, one behavior we saw is you'd have this initial bump in vulnerability, followed by infections, followed by a smaller bump two weeks later from people who hadn't been updated," notes Rick Bilodeau, director of corporate marketing for iPass. More....
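The remedy the article's subtitle describes, checking a PC's security posture before it is admitted to the LAN, reduces to a policy decision over a few facts the endpoint reports about itself. The following is an added example, not code from the article or from any product it mentions; the posture fields, policy limits and host names are assumptions chosen for illustration. A machine whose antivirus signatures are stale or which is missing critical patches is sent to a quarantine network for remediation rather than onto the production LAN, which is exactly the case of the returning laptop that would otherwise restart an old infection.

```python
from dataclasses import dataclass, field
from datetime import date

# Hypothetical posture report a client agent submits before admission.
# Field names and the sample values below are assumptions for this example.
@dataclass
class PostureReport:
    host: str
    av_running: bool
    av_signature_date: date   # date of the newest antivirus signature set on the PC
    patches_missing: int      # count of critical OS patches not yet installed
    firewall_enabled: bool

@dataclass
class AdmissionPolicy:
    max_signature_age_days: int = 3   # signatures older than this are considered stale
    max_missing_patches: int = 0      # any missing critical patch blocks admission
    require_firewall: bool = True

def evaluate(report, policy, today):
    """Decide 'allow' (production LAN) or 'quarantine' (remediation network).

    Returns (decision, reasons); reasons is empty when the host is compliant,
    so the admission server can show the user what to fix.
    """
    reasons = []
    if not report.av_running:
        reasons.append("antivirus not running")
    age_days = (today - report.av_signature_date).days
    if age_days > policy.max_signature_age_days:
        reasons.append(f"antivirus signatures are {age_days} days old "
                       f"(limit {policy.max_signature_age_days})")
    if report.patches_missing > policy.max_missing_patches:
        reasons.append(f"{report.patches_missing} critical patch(es) missing")
    if policy.require_firewall and not report.firewall_enabled:
        reasons.append("host firewall disabled")
    decision = "allow" if not reasons else "quarantine"
    return decision, reasons

def run_sample():
    """Evaluate two constructed endpoints against the default policy.

    desk-01 is an office desktop kept current; lap-07 is the returning laptop
    from the article's scenario. Returns {host: (decision, reasons)}.
    """
    today = date(2004, 6, 1)                     # fixed so results are reproducible
    policy = AdmissionPolicy()
    reports = [
        PostureReport("desk-01", True, date(2004, 5, 31), 0, True),
        PostureReport("lap-07", True, date(2004, 5, 10), 2, False),
    ]
    return {r.host: evaluate(r, policy, today) for r in reports}

if __name__ == "__main__":
    for host, (decision, reasons) in run_sample().items():
        print(f"{host}: {decision}", *[f"  - {r}" for r in reasons], sep="\n")
```

The policy is evaluated on the network side, from facts the agent reports, so the decision does not depend on the user remembering to accept an update. A real deployment would also want the report itself to be trustworthy (a signed agent, or a server-side scan rather than self-reporting), since a compromised host could otherwise claim to be clean.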
Hackers Are Discovering a New Frontier: Internet Telephone Service
By KEN BELSON, NY Times
Most new technology comes with risks, no matter how great the advantages. Computers, for instance, can store huge amounts of information, but they can also freeze, crash and melt down.
The challenge is no different with Internet phones, which more and more consumers and businesses are using. The phones break voice conversations into data packets and route them over the Internet, a cheap and more flexible alternative to traditional phone calls that travel over copper wires.
But Internet phones and the routers and servers that steer and store the digitized calls are susceptible to the bugs, viruses and worms that have plagued computer data systems for years. Already, a few malicious attacks have shut down corporate Internet phone networks, disrupting business at a cost of millions of dollars.
With Internet phones, hackers or disgruntled employees with access to a company's phone server can eavesdrop on conversations by surreptitiously installing software that can track voice packets. More....
Internet's 'white pages' allow data attacks
By Robert Lemos
Staff Writer, CNET News.com
LAS VEGAS--The same technology that allows Web surfers to locate and connect to computers on the Internet can be used to create covert communications channels, bypass security measures and store distributed content, a security researcher said Saturday.
The security hack essentially uses data transferred by domain name service (DNS) servers to hide additional information in the network communications. DNS servers act as the white pages of the Internet, invisibly transforming easy-to-remember domain names--such as www.cnet.com--into the numerical network addresses used by computers. Moreover, corporate security measures, such as firewalls, tend to ignore DNS data because they assume it's harmless, said Dan Kaminsky, a security researcher for telecommunications firm Avaya and a speaker at the Defcon hacking conference here.
"DNS is everywhere--you cannot communicate over the global Internet without knowing where to go," he said. "No one notices DNS. No one monitors it."
More....
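Kaminsky's closing point, that nobody monitors DNS, is the defender's opening: a covert channel that rides on DNS has to look different from ordinary name resolution. Data smuggled in query names shows up as long, random-looking labels, a stream of names that never repeat (so the cache never helps), and record types such as TXT that carry arbitrary payloads in the answer. The script below is an added example, not code from the article or from Kaminsky's talk; it groups constructed resolver log lines by client and base domain and scores those indicators. The log format, thresholds and the domain example.org are assumptions.

```python
import math
import re
from collections import Counter, defaultdict

# Constructed resolver query log (not real traffic). The one-line-per-query
# format with client=, qtype= and qname= fields is an assumption.
SAMPLE_LOG = """\
2004-07-31T10:00:01 client=10.1.1.5 qtype=A qname=www.cnet.com
2004-07-31T10:00:02 client=10.1.1.5 qtype=A qname=news.cnet.com
2004-07-31T10:00:03 client=10.1.1.5 qtype=A qname=www.cnet.com
2004-07-31T10:00:05 client=10.1.1.9 qtype=TXT qname=a9f3k2q8z1x7c4v6b0n5m2l8.t.example.org
2004-07-31T10:00:05 client=10.1.1.9 qtype=TXT qname=p4o8i2u6y1t5r9e3w7q0a1s2.t.example.org
2004-07-31T10:00:06 client=10.1.1.9 qtype=TXT qname=zx3cv7bn1ml9kj5hg2fd8sa4.t.example.org
2004-07-31T10:00:06 client=10.1.1.9 qtype=TXT qname=qw9er2ty6ui0op4as8df1gh5.t.example.org
2004-07-31T10:00:07 client=10.1.1.5 qtype=MX qname=cnet.com
"""

LINE_RE = re.compile(r"client=(\S+) qtype=(\S+) qname=(\S+)")

def shannon_entropy(s):
    """Bits of entropy per character; hostnames score low, encoded data high."""
    if not s:
        return 0.0
    counts = Counter(s)
    n = len(s)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def base_domain(qname):
    """Naive registrable domain: last two labels. A real tool would use a
    public-suffix list so that e.g. co.uk is handled correctly."""
    parts = qname.strip(".").split(".")
    return ".".join(parts[-2:])

def analyze(log_text, min_queries=3, label_len=20, entropy_min=3.0, flag_score=2):
    """Score each (client, base domain) pair for covert-channel indicators.

    Indicators (one point each):
      random  - most query names carry a label that is long and high-entropy
      payload - most queries use TXT/NULL, types that carry arbitrary answer data
      nocache - no query name is ever repeated, so the resolver cache never helps
    Pairs with fewer than min_queries queries are skipped; pairs scoring at least
    flag_score are returned as findings.
    """
    groups = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue                      # ignore lines that do not match the format
        client, qtype, qname = m.groups()
        groups[(client, base_domain(qname))].append((qtype, qname))

    findings = []
    for (client, domain), queries in groups.items():
        if len(queries) < min_queries:
            continue
        n = len(queries)
        random_like = sum(
            1 for _, q in queries
            if any(len(lbl) >= label_len and shannon_entropy(lbl) >= entropy_min
                   for lbl in q.split("."))
        )
        payload_types = sum(1 for t, _ in queries if t in ("TXT", "NULL"))
        unique_names = len({q for _, q in queries})
        indicators = []
        if random_like / n > 0.5:
            indicators.append("random")
        if payload_types / n > 0.5:
            indicators.append("payload")
        if unique_names == n:
            indicators.append("nocache")
        if len(indicators) >= flag_score:
            findings.append({"client": client, "domain": domain, "queries": n,
                             "score": len(indicators), "indicators": indicators})
    return sorted(findings, key=lambda f: -f["score"])

if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f"{f['client']} -> {f['domain']}: score {f['score']} "
              f"({', '.join(f['indicators'])}) over {f['queries']} queries")
```

Treat the output as a lead for investigation, not a verdict. Legitimate services also generate many unique, high-entropy names under one domain (content-delivery networks, DNS-based anti-spam lookups, some software-update checks), so in practice the thresholds are tuned per environment and known-good domains are whitelisted. The more durable control is the one the article implies is missing: log DNS at all, and forward it to whatever already watches the firewall.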
Hackers plan global game of 'capture the flag'
By Robert Lemos
Staff Writer, CNET News.com
LAS VEGAS--If everything goes as planned, for 72 hours next February hackers from all over the United States will hit targets across the Internet in the largest mass attack to date. But the affected systems won't be corporate Web servers or networks, they'll be computers set up and maintained by other hackers as part of a capture-the-flag game. When the digital dust clears, the team from either the East Coast or the West Coast will be named winner.
"We have people take over someone's box and play the game from there," said "D.D.," a member of the Seattle-based security group Ghetto Hackers, which kicked off a smaller version of the game, Root Fu, at the Defcon hacking convention here on Friday. "In terms of our machines, we are pretty confident that we can contain it." The Ghetto Hackers have run the smaller capture-the-flag-type game, where eight teams hack each other on a closed network, for three years at the convention.
Next year, the group of hacking hobbyists hopes to take the game global. Dubbed Mega Root Fu, the new game will be the first large-scale hacking contest played over the public Internet. The group is allowing teams throughout the United States to sign up at its Web site and hopes to have a thousand players come February. More....
Google a favorite among hackers, too
By Robert Lemos
Staff Writer, CNET News.com
LAS VEGAS--The world's most popular search engine is one of the handiest tools for hackers, a security expert said Thursday.
Google's ability to record Internet sites' content can be used to pinpoint those with weak security, Johnny Long, a security researcher and computer scientist for Computer Sciences, told attendees at the Black Hat Security Briefings here. Though the technique is not new, well-crafted searches turned up so many sites with vulnerabilities that even jaded researchers laughed during the session.
"It is an old dog with new tricks," Long said. "It never ceases to amaze people, all the vulnerabilities out there."
By searching for default server page titles, for example, an attacker can find easily exploitable servers. Applications left in default modes can also be found by searching for error pages generated by the software. And searching for specific file names can pinpoint vulnerable servers connected to the Internet.
More....
Vulnerabilities