Thursday, December 29, 2011

ISC Listing of Information Security Resources

The International Information Systems Security Certification Consortium, Inc. has compiled a listing of links to useful resources in information security, one of the most comprehensive available. It can be found on the ISC website using this link.

Monday, December 19, 2011

Endpoint Security is Changing Fast

Sophisticated social engineering techniques for hacking are becoming the norm, and they are evolving so fast that traditional tools no longer do the job. Advanced Persistent Threat (APT) is one manifestation of this trend. It involves sending malware to people disguised as something that is likely to look legitimate to them and fool them. APT messages are highly customized, based on knowledge of a person obtained from information available on the internet, through social media such as Facebook and perhaps other sources. They can even follow shortly after a person performs some action, such as paying bills on their bank website. In such a case, the person might receive a message that their transaction has failed, or that their account has gone into overdraft and they should log in (on a bogus site) and verify it. There are countless variations.

Most of us are aware of many of these messages and don't get fooled by them. However, there is a possibility that one variation might be sufficiently relevant that we are fooled, and it might only take once to cause a lot of damage.

Companies are exposed because all of their employees are exposed, and might inadvertently expose corporate assets to theft or damage.

Various solutions are available, many cloud-based, that are specifically designed to keep up with the rapidly changing trends in this area. It is imperative to keep up with these tools. Knee-jerk reactions such as prohibiting employees from using Facebook and the like just won't work. But some clearly defined and carefully designed policies around the use of corporate computers, resources and IDs are badly needed.

For more, check out this article.

Friday, December 16, 2011

IS Security Compliance with SOX

[Excerpted from "Security Via SOX Compliance," a new, free report posted this week on Dark Reading's Compliance Tech Center.]

Achieving compliance with Sarbanes-Oxley requirements remains a chief chore for all publicly traded companies—and a chief budget driver for IT compliance and security initiatives. Yet SOX’s computer security requirements remain vague, and auditors’ evaluations continue to be subjective.

IT managers often think of SOX as a technology mandate, but it is primarily an accounting and financial reporting mandate. Nowhere in the Sarbanes-Oxley Act will you see a reference to encryption, network security, password complexity or logging capabilities. Indeed, a SOX compliance effort should be driven by the business side, with IT playing the role of key facilitator.

So how do you approach compliance purely from an IT perspective? To pass a SOX audit, your company must implement security best practices for any system that touches anything and everything related to financial reporting and accounting systems. To achieve that goal, there are several elements you must put in place.

1. For Web-enabled applications, ensure that all sensitive data, along with authentication credentials, are Secure Sockets Layer (SSL)-encrypted. Most SSL implementations use RSA public/private key exchange for session setup and encryption. When an SSL session is set up, the Web server sends its public key to the client, and the client uses that public key to create a session key with the Web server.

2. Deploy all the common end-point protection tools that would be required in any secure environment. This applies primarily to end-point antivirus, malware protection, host intrusion prevention systems and client firewalls.

3. Reduce the operating attack surface on all clients and servers accessing critical financial systems. Most companies think they’re doing a good job here, but if employees are going to access critical financial and accounting applications from a fat client PC, there’s a whole lot more that needs to be done than simply performing Windows updates.

4. Consider application streaming or desktop virtualization for accessing critical financial and accounting applications. Most companies use streaming applications via Citrix XenApp or VMware ThinApp to solve problems with performance, mobility and remote access. However, app streaming also is a terrific way to protect key applications from intruders.

5. Wrap your databases with activity monitoring and auditing software. SOX auditors are concerned primarily with the accuracy and integrity of your financial data. Simply stated, you should be auditing all activity on all tables that contain sensitive information.

To get the full details on these five tips -- and five additional recommendations on staying SOX-compliant, download the full report on security and SOX compliance.
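Tip 5 calls for auditing every change to tables that hold financial data. What follows is an added example, not code from the Dark Reading report or from this blog: it builds a trigger-based audit trail in SQLite that records who changed what, with before and after snapshots, and includes the control check an auditor would ask for (which in-scope tables still lack audit triggers). The table names, the `session_ctx` actor mechanism, the `SENSITIVE_TABLES` list and the sample rows are all constructed for the demonstration; a production environment would normally rely on the DBMS's native audit facility or a dedicated database activity monitoring product, but the control being tested is the same.

```python
"""Trigger-based table audit trail in SQLite (constructed demonstration)."""
import sqlite3

# Tables this demo treats as in scope for SOX-style auditing (constructed names).
SENSITIVE_TABLES = ("gl_journal", "vendor_bank_accounts")

SCHEMA = """
CREATE TABLE session_ctx (key TEXT PRIMARY KEY, value TEXT);
CREATE TABLE gl_journal (id INTEGER PRIMARY KEY, account TEXT, amount REAL, memo TEXT);
CREATE TABLE vendor_bank_accounts (id INTEGER PRIMARY KEY, vendor TEXT, iban TEXT);
CREATE TABLE audit_log (
    id      INTEGER PRIMARY KEY,
    ts      TEXT    NOT NULL DEFAULT (datetime('now')),
    actor   TEXT    NOT NULL,   -- NOT NULL: a change with no known actor is rejected
    tbl     TEXT    NOT NULL,
    action  TEXT    NOT NULL,   -- INSERT / UPDATE / DELETE
    row_pk  INTEGER NOT NULL,
    old_row TEXT,               -- snapshot before the change (NULL on INSERT)
    new_row TEXT                -- snapshot after the change (NULL on DELETE)
);
"""


def _snapshot(prefix, columns):
    """SQL expression rendering every column of OLD/NEW as 'col=value, ...'."""
    return " || ', ' || ".join(f"'{c}=' || quote({prefix}.{c})" for c in columns)


def trigger_sql(table, columns):
    """Three AFTER triggers that append one audit_log row per data change."""
    actor = "(SELECT value FROM session_ctx WHERE key = 'actor')"
    return f"""
    CREATE TRIGGER {table}_ai AFTER INSERT ON {table} BEGIN
      INSERT INTO audit_log(actor, tbl, action, row_pk, old_row, new_row)
      VALUES ({actor}, '{table}', 'INSERT', NEW.id, NULL, {_snapshot('NEW', columns)});
    END;
    CREATE TRIGGER {table}_au AFTER UPDATE ON {table} BEGIN
      INSERT INTO audit_log(actor, tbl, action, row_pk, old_row, new_row)
      VALUES ({actor}, '{table}', 'UPDATE', OLD.id,
              {_snapshot('OLD', columns)}, {_snapshot('NEW', columns)});
    END;
    CREATE TRIGGER {table}_ad AFTER DELETE ON {table} BEGIN
      INSERT INTO audit_log(actor, tbl, action, row_pk, old_row, new_row)
      VALUES ({actor}, '{table}', 'DELETE', OLD.id, {_snapshot('OLD', columns)}, NULL);
    END;
    """


def table_columns(conn, table):
    return [row[1] for row in conn.execute(f"PRAGMA table_info({table})")]


def enable_auditing(conn, table):
    conn.executescript(trigger_sql(table, table_columns(conn, table)))


def set_actor(conn, name):
    """The application records the acting user before touching audited tables."""
    conn.execute("INSERT OR REPLACE INTO session_ctx(key, value) VALUES ('actor', ?)", (name,))


def unaudited_sensitive_tables(conn, sensitive=SENSITIVE_TABLES):
    """Control check: every in-scope table must carry all three audit triggers."""
    missing = []
    for table in sensitive:
        count = conn.execute(
            "SELECT count(*) FROM sqlite_master WHERE type = 'trigger' AND tbl_name = ?",
            (table,),
        ).fetchone()[0]
        if count < 3:
            missing.append(table)
    return missing


def audit_trail(conn):
    return conn.execute(
        "SELECT actor, tbl, action, row_pk, old_row, new_row FROM audit_log ORDER BY id"
    ).fetchall()


def build_demo():
    """Constructed scenario: an entry is booked, inflated tenfold, then deleted."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    enable_auditing(conn, "gl_journal")  # vendor_bank_accounts deliberately left unaudited
    set_actor(conn, "app_user")
    conn.execute("INSERT INTO gl_journal(account, amount, memo) VALUES ('4000', 1250.0, 'invoice 17')")
    conn.execute("UPDATE gl_journal SET amount = 12500.0 WHERE id = 1")
    set_actor(conn, "dba_jane")
    conn.execute("DELETE FROM gl_journal WHERE id = 1")
    return conn


if __name__ == "__main__":
    db = build_demo()
    for entry in audit_trail(db):
        print(entry)
    print("in-scope tables without audit triggers:", unaudited_sensitive_tables(db))
```

Two design points matter for an audit: the `actor` column is NOT NULL, so any change made without first recording who is acting fails rather than leaving an anonymous gap in the trail, and the trail lives in a separate table that the application's database account should be able to insert into but never update or delete from. The `unaudited_sensitive_tables` check is the kind of evidence that turns "we audit everything sensitive" into something an auditor can verify.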

Monday, December 12, 2011

Smaller Businesses Are Investing in More Powerful Technology

A recent survey by PwC revealed that smaller companies are placing emphasis on such technologies as social media and mobile computing. Both are rapidly becoming critical to effective business operations.

The study also found that they are particularly interested in cloud computing because it makes possible investing in advanced data management solutions such as ERP, which so far have been too big and complicated for many organizations. In the cloud, they can be obtained on a rental basis, which makes them financially viable. For more on this insightful survey, go to this link.

This means that some of the security and control implications of cloud computing and mobility will be increasingly prevalent in smaller businesses.

Wednesday, December 7, 2011
Audit Committees Concerned About IT Risk

The 2011 Public Company Audit Committee Member Survey - just released by KPMG's Audit Committee Institute - provides timely insights into the challenges, priorities, and expectations of today's audit committees.
Among other key findings, many of the 250 audit committee members responding to the survey said:
  • They are not satisfied that their oversight of various IT risks is effective, or that the company's strategic planning process deals effectively with the pace of technology change and innovation.
  • The one person they would most like to hear from more frequently is the CIO.
  • They want to spend more time with the CRO and mid-level management/business-unit leaders; and few are satisfied that they hear dissenting views about the company's risks and control environment, or rate their company's crisis response plan as "robust and ready to go."
  • The audit committee is devoting significant agenda time to legal/regulatory compliance risk, with the Foreign Corrupt Practices Act (FCPA), UK Bribery Act, and impact of the SEC's whistleblower "bounty" program of particular concern.
  • Read KPMG's 2011 Public Company Audit Committee Member Survey