Friday, February 26, 2010

Encryption of Mobile Devices

There has been much written over the past few years about the risk of data loss through mobile devices, either by losing the devices or having them hacked. Numerous stories have been published detailing the losses experienced by particular companies and the consequences. Sometimes the consequences have been severe. Accordingly, considerable emphasis has been placed on techniques to prevent or mitigate the loss of data on such devices. One of the techniques that receives the most prominence is that of encryption.

There are various ways to implement encryption. The referenced article for this post outlines three software packages that can be used. Each has its own pros and cons. But it is important for companies to address this area in their security strategy. With the rapid growth in power of mobile devices, the issue is becoming more urgent. The article is at this site.

Monday, February 22, 2010

The Kneber Botnet Infects over 75000 Computers

Security researchers at Herndon, Va.-based NetWitness Corp. have unearthed a massive botnet affecting at least 75,000 computers at 2,500 companies and government agencies worldwide. It has been used to gather login credentials for systems, social networking sites, and email. This information will be worth a fortune on the black cybermarket.

The Kneber botnet appears to have originated with a virus in Asia in 1998, but the most active period in North America has been during the past 18 months. A number of major companies have been infected, including Merck & Co, Paramount Pictures and Juniper Networks.

It's the latest in the ongoing and overheated battle against viruses and hackers. More at this site.

Tuesday, February 16, 2010

Companies Finding it Difficult to Keep up with Cybercrime


The recently released 2010 CyberSecurity Watch Survey calls into question current security models and represents a wake-up call and a call to action. The survey, a cooperative effort of CSO, the U.S. Secret Service, the Software Engineering Institute CERT® Program at Carnegie Mellon University and Deloitte’s Center for Security & Privacy Solutions, represents the views of more than 500 security professionals. While the overall number of victims of cybercrime has declined marginally, the number of attacks has increased considerably, and companies are hard pressed to keep up. The reason is the criminals' use of advanced technologies, which makes ever more sophisticated worms and viruses possible. A good report on the survey can be found here.

Thursday, February 11, 2010

Why are IT Controls Important?

This issue is tackled in an interesting chapter from the book "Information Technology Control and Audit, Third Edition" by Frederick Gallegos and Sandra Senft, Auerbach Publications, 2008. The chapter traces the importance of IT since its mercantile beginnings, right up to the current emphasis on information integrity, reliability and validity. It outlines the nature and importance of such events and trends as e-commerce, 9/11, and corporate financial integrity legislation coming out of scandals like Enron. Read the chapter at this site.

Tuesday, February 9, 2010

Google and China

Google is continuing its investigation into the recent hacker attacks allegedly emanating from China. It has reportedly reached an agreement with the National Security Agency to share data and gain its help in the investigation. The pending agreement with the NSA is raising some eyebrows, as there have been concerns in some quarters about the ability of the NSA to search and obtain data without obtaining warrants and its tendency to work behind a veil of secrecy. However, it would be naive to think that the US could survive in the high tech world of international criminality and espionage without such an agency or two. Check it out.

Monday, February 8, 2010

Is Skype Safe?

Recent surveys show that as much as 12% of all business long distance calls are made on Skype. VOIP applications such as Skype are an obvious way for companies to cut their phone bills. But there is always the question: does Skype present new security and control issues? According to this article in CIO Mag, there are not really very many new issues. Most of the exposures that do exist with Skype exist with any phone/IM system, and simply need to be recognized and addressed in the company's governance procedures. The author makes special mention of the need for encryption of VOIP transmissions, which is a good idea regardless of whether Skype or some other product is being used.

Thursday, February 4, 2010

IFRS Convergence is not just an Accounting Issue

The experience of Canadian companies undergoing the transition to IFRS is showing that the convergence process is an IT issue as well as an accounting issue. IFRS requires the capture of more information than traditional GAAP systems, such as fair values of certain assets and additional disclosures in the notes, and the systems need to be able to capture that information and keep track of it in a useful way. The system will not necessarily need major changes, but it will need changes, and IT personnel need to be involved to assess, implement and monitor them. There is a good article on this matter in CFO Magazine.

Wednesday, February 3, 2010

Hackers Still Exploit the Old Standard Security Weaknesses

A recent report by Trustwave finds that companies are spending so much time trying to address new security flaws, such as mobility, that they are missing the old standard ones. "For instance, the top three ways hackers gained initial access to corporate networks in 2009 were via remote access applications, trusted internal network connections and SQL injection attacks, Trustwave found." The report was based on an analysis of data gathered from more than 1,900 penetration tests and over 200 data breach investigations conducted on behalf of clients such as American Express, MasterCard, Discover, Visa and several large retailers.

The report is a wake-up call for security administrators not to ignore the old vulnerabilities. But it also points to the growing complexity of systems security and control.

A write-up on the report can be found on Computerworld. The report can be downloaded from this site, after filling out a questionnaire.