
Security - News and Articles

How Secure Is Your Wi-Fi Connection?

January 4, 2006 from New York Times – “Long-time readers know that I’m not exactly one of the privacy paranoid. I’ve accepted that we all live in thousands of databases. The state of New York knows where and when I drive, thanks to my E-ZPass (electronic toll-booth badge). Stop & Shop knows what I eat, thanks to my grocery discount card. Blockbuster knows what kinds of movies I watch. Verizon knows whom I call, MasterCard knows what I buy–it’s just hopeless.

Frankly, I consider the details of my life so boring to other people that I really couldn’t care less. I’ve got nothing to hide, so why not accept it?

That attitude spilled over to a “From the Desk of David Pogue” e-column I wrote in 2004, in which I attempted to throw water on scare-tactic computer-magazine articles that said, in effect: “Ooooh! If you use your Wi-Fi laptop at public Internet hot spots, the bad guys will see everything you’re doing and rifle through your files!”

I’m back again today to throw that water right back into my own face.

On this topic, my eyes have been opened.

It came about like this: I recently filmed six episodes of a new TV series (“It’s All Geek to Me,” which airs in February on The Science Channel, Discovery HD and Discovery Europe). In one of them, I wanted to get to the bottom of this Wi-Fi snooping business. I wanted to see exactly what is, and is not, possible for the bad guys to intercept when you’re sitting there in Starbucks or the hotel lobby.

I put a note up on my blog, seeking a guest who could appear on the show and show me the hacky ropes. I found John Baer, a technical consultant who seemed just right for the part.

We met (John, the camera crew and I) in a Manhattan Wi-Fi coffee shop. Turns out there was absolutely nothing to it. John sat a few feet away with his PowerBook; I fired up my Fujitsu laptop and began doing some e-mail and Web surfing. That’s all it took. He turned his laptop around to reveal all of this:

  • Every copy of every e-mail message I sent *and* received.
  • A list of the Web sites I visited.
  • Even, incredibly, the graphics that had appeared on the Web sites I had visited.

None of this took any particular effort, hacker skill or fancy software. Anyone could do it. You could do it. All John needed was a “packet sniffing” program; such software is free and widely available. (He used a Mac program called Eavesdrop.) It sniffs the airwaves and displays whatever data it finds being transmitted in the public hot spot. Now, the fact that it’s so easy to intercept your Internet signals in a public hot spot doesn’t mean that somebody is *doing* it. In fact, of course, most of the time, nobody is. Nonetheless, John’s little demonstration made clear that somebody *could* intercept your transmissions extremely easily.

So are you supposed to crawl into a hole, turn off your Wi-Fi, and go back to dial-up? Not exactly. You can take steps to protect yourself:

  • If you see the little padlock in the corner of your Web-browser window (or if the Web address begins with “https://” instead of “http://”), you’re connected to a secure Web site. Your transmissions are encrypted in both directions, so you have little to fear from casual packet sniffers. Banking and brokerage sites, for example, are protected in this way.
  • You can sign up for encrypted e-mail services or programs, too, if avoiding e-mail eavesdropping is that important to you.
  • You can connect to your company over a VPN (virtual private networking) connection, which encrypts *all* data to and from your laptop. This is something a network geek would have to set up for you.
  • Otherwise, you can just conduct your online transactions with the awareness that a stranger could be “overhearing” them. Wait to visit Web sites, or to send e-mail messages, of a delicate nature until you’re on a wired connection or a private wireless one.

Truth be known, since my eyes were opened, my Wi-Fi habits haven’t actually changed much. I still open the laptop in the hotel lobby, exchange e-mail with readers, editors and friends, and check a few news sites or blogs. None of it would really mean anything to an evil eavesdropper nearby. But at least I’m aware that I *could* be observed. And isn’t it always better to know than not to?

180 View – We have replicated the article in its entirety. We think that many people share the concern expressed in the article and this article is short, well-written and informative. The author, David Pogue, “writes a technology column that has appeared each Thursday in The Times since 2000. Each week, he also writes the Times e-mail column "From the Desk of David Pogue," creates a short, funny Web video for NYTimes.com, and posts entries to his Times blog. In his other life, David is an Emmy-winning correspondent for CBS News, a frequent contributor to NPR's "Morning Edition," creator of the Missing Manual series of computer books, and father of three.”

IT Security Survey

January 5, 2007 from Canadian Technology News – “More than 1,600 North American IT managers (including over 1,000 Americans and 550 Canadians) were asked to rate the importance of security against seven different security threats, including security policy user compliance, internal user malfeasance, generic external threats (like viruses), random attacks (like password crackers), targeted external attacks, and protection of the physical server room or data centre.

The results, which were calibrated from the respondents' ranking of certain kinds of threats as “very” or “extremely” important, showed that Americans' and Canadians' attitudes toward IT security seem virtually identical, never straying farther than a few percentage points' difference.

The No. 1 concern was generic external threats, with more than 70 per cent of both Canadian and American IT managers calling it “very” or “extremely” important. This didn't surprise Brian Bourne, president of security consulting firm CMS Consulting and a member of the steering committee of the Toronto Area Security Klatch, an IT security user group. “Everyone gets spam and viruses, and it's a very visible problem. Its impact on security is easy to understand. But what most people don't understand is that when you do security really well, nothing happens. It's hard to understand the value of nothing happening,” he said.

Bourne has found that companies tend to get worked up over spam and viruses because it has an easily identifiable impact on productivity. Said Bourne: “When it comes to a leakage of information, which could also obviously have an effect on productivity, they really don't seem to worry that much.”

They're not blind to the data-leakage problem -- the second-most feared security threat is random attacks, which 60 per cent of Canadian IT managers and 56 per cent of American IT managers rated as “very” or “extremely” important in the battle against IT breaches (the fear of targeted attacks came in second-to-last, with half of the American respondents, and just over half of the Canadians, saying it was “very” or “extremely” important). Bourne said that this concern isn't even close to the fever pitch it should be hitting, in spite of the threat's easy understandability: “password cracking is happening on a mass basis.” He estimated that issues like server vulnerability are resulting in even small businesses getting five to 20 attacks daily, while larger companies get many more.

180 View – We think that the survey asked the wrong people. The CEO and CFO will be a lot more concerned.

2006 CSI/FBI Computer Crime and Security Survey

The Computer Crime and Security Survey is conducted by the Computer Security Institute with the participation of the San Francisco Federal Bureau of Investigation’s Computer Intrusion Squad. The survey is now in its 11th year and is, we believe, the longest running continuous survey in the information security field. This year’s survey results are based on the responses of 616 computer security practitioners in U.S. corporations, government agencies, financial institutions, medical institutions and universities. The 2006 survey addresses the major issues considered in earlier CSI/FBI surveys, thus allowing us to analyze important computer security trends. The long-term trends considered include:

  • Unauthorized use of computer systems;
  • The number of incidents from outside, as well as inside, an organization;
  • Types of attacks or misuse detected, and;
  • Actions taken in response to computer intrusions.


This year’s survey also addresses several emerging security issues that were first probed only with the 2004 CSI/FBI survey. All of the following issues relate to the economic decisions organizations make regarding computer security and the way they manage the risk associated with security breaches:

  • Techniques organizations use to evaluate the performance of their computer security investments;
  • Security training needs of organizations;
  • Organizational spending on security investments;
  • The impact of outsourcing on computer security activities;
  • The use of security audits and external insurance;
  • The role of the Sarbanes–Oxley Act of 2002 on security activities, and;
  • The portion of the information technology (IT) budget organizations devote to computer security

This year’s questionnaire also included some questions being introduced for the first time. In particular, an open-ended question about the current concerns of respondents has provided insight into the relative perceived urgency of concerns about issues such as data protection and instant messaging. Some of the key findings from the participants in this year’s survey are summarized below:

  • Virus attacks continue to be the source of the greatest financial losses. Unauthorized access continues to be the second-greatest source of financial loss. Financial losses related to laptops (or mobile hardware) and theft of proprietary information (i.e., intellectual property) are third and fourth. These four categories account for more than 74 percent of financial losses.
  • Unauthorized use of computer systems slightly decreased this year, according to respondents.
  • The total dollar amount of financial losses resulting from security breaches had a substantial decrease this year, according to respondents. Although a large part of this drop was due to a decrease in the number of respondents able and willing to provide estimates of losses, the average amount of financial losses per respondent also decreased substantially this year.
  • Despite talk of increasing outsourcing, the survey results related to outsourcing are similar to those reported in the last two years and indicate very little outsourcing of information security activities. In fact, 61 percent of the respondents indicated that their organizations do not outsource any computer security functions. Among those organizations that do outsource some computer security activities, the percentage of security activities outsourced is rather low.
  • Use of cyber insurance remains low, but may be on the rise.
  • The percentage of organizations reporting computer intrusions to law enforcement has reversed its multi-year decline, standing at 25 percent as compared with 20 percent in the previous two years. However, negative publicity from reporting intrusions to law enforcement is still a major concern for most organizations.
  • Most organizations conduct some form of economic evaluation of their security expenditures, with 42 percent using Return on Investment (ROI), 21 percent using Internal Rate of Return (IRR), and 19 percent using Net Present Value (NPV). These percentages are all up from last year’s reported numbers. Moreover, in open-ended comments, respondents frequently identified economic and management issues such as capital budgeting and risk management as among the most critical security issues they face.
  • Over 80 percent of the organizations conduct security audits.
  • The impact of the Sarbanes–Oxley Act on information security continues to be substantial. In fact, in open-ended comments, respondents noted that regulatory compliance related to information security is among the most critical security issues they face.
  • Once again, the vast majority of the organizations view security awareness training as important. In fact, there is a substantial increase in the respondents’ perception of the importance of security awareness training. On average, respondents from most sectors do not believe their organization invests enough in this area.

Security: Don't Spring a Data Leak

July 12, 2006 from Baseline – “The most notorious snafu: The U.S. Department of Veterans Affairs disclosed in May that it lost data on 26.5 million veterans and their spouses plus 2.2 million active military members when a worker's computer was stolen out of his home. Other organizations that have reported thefts of computers with sensitive data include Aetna, American International Group, Ernst & Young, Equifax, Union Pacific and the YMCA.

Even the Federal Trade Commission, responsible for enforcing privacy laws, disclosed in June that a laptop with unencrypted private data on 110 people was stolen from a car used by its attorneys.

From February 2005 to mid-June 2006, such security breaches have exposed information on more than 88 million individuals, according to the Privacy Rights Clearinghouse, a San Diego privacy advocacy group.

"Everyone spends a lot of time focusing on external threats," says Gartner analyst Avivah Litan, "but most of the threats are either from insiders or employees who take data home. It has nothing to do with criminals hacking into your databases."

Litan says many organizations are unprepared for accidental or deliberate data breaches: She estimates that businesses today encrypt less than 10% of all sensitive customer data. A survey this year by research firm Ponemon Institute, sponsored by encryption vendor PGP, found that 4.2% of companies use encryption across their entire enterprise (as opposed to only in select departments).

Litan predicts that companies will be fast-tracking security projects to prevent information assets from leaking out, including deploying software that stops any sensitive data from being e-mailed or copied to any outside party or device.

"Pretty soon, there's not going to be any employee privacy—everything is going to be monitored," she says.

Regions Financial, for one, has taken steps to seal the cracks. The 25,000-employee company, which operates 1,300 bank branches in 16 states, encrypts the entire hard drives of its thousands of laptops. (Zimmerman wouldn't name the encryption software Regions is using or say exactly how many laptops it maintains.)

Is scrambling every bit of data on every laptop overkill? Not to Zimmerman. "I can guarantee you that there would be confidential information on almost every laptop in the organization," he says.

But the danger of data leaks obviously extends beyond portable computers. Regions also uses software from Vericept to monitor all outgoing e-mail to make sure it doesn't include confidential information. The software uses statistical analysis on text in messages and attachments to find content that violates the company's policies. Most often, transgressions are accidental, Zimmerman notes: "People don't realize they've hit 'reply to all.'"

Some I.T. executives say portable storage devices—namely, thumb-size USB drives—scare them more than the possibility of a laptop vanishing. "If you were stealing something, why would you carry a laptop out the door when you could throw data on a 60-gigabyte USB drive?" asks Jim Brockett, chief information officer at Washington Trust Bank in Spokane, Wash.

Washington Trust this year plans to deploy software from security vendor NextSentry that will prevent any of its 900 employees' computers from using USB storage devices, and will provide other monitoring functions like flagging e-mail for certain keywords and phrases (say, "account number").

"We're not informing users about [the project]," Brockett says, "but we've let them know we have the right to monitor them."

Another lesson from the rash of data losses in the headlines is that "user education" is only effective to a point. It's certainly true that employees should be regularly updated on good data-handling hygiene. But no amount of education will eliminate careless mistakes or stop a disgruntled employee from violating a policy. Security technologies like encryption and digital rights management software, which controls access to specific pieces of content, can act like seat-belt laws—to help keep computer users from hurting themselves.

"We can do training, we can do policies, but unless we monitor every laptop every single day, there's no way we can control what people put on their laptops," says Jacob Mays, assistant vice president of information technologies at Stillwater National Bank and Trust in Stillwater, Okla.

To make sure no data can be read on a lost or stolen computer, the bank fully encrypts all of its 80 laptops with PGP software, a measure it initiated last year. Employees must enter a password before Windows even boots up.

Like seat belts, security mechanisms have to be easy to use. "You can talk until you're blue in the face about the need for it, but unless it's practical, people aren't going to use it," says Jason Elizaitis, director of information technology at Fairfield Greenwich Group, a New York-based asset management firm.

Fairfield Greenwich Group, which manages $10 billion in assets for high-net-worth individuals and institutional investors, uses Liquid Machines' Document Control digital rights management software at six offices worldwide. The software lets employees encrypt and assign privileges to documents (such as flagging them for "internal use only" or "do not print"), using a drop-down menu that is installed in the menu bar of Microsoft Office applications.

Why hasn't every company on the planet put in similar safeguards?

Cost may be one issue. A sophisticated digital rights management system, for example, can run to $500 per employee, while content-filtering packages start at around $25,000. Encryption products have entry prices of $125 to $300 per employee; vendors in this market include PGP, Pointsec Mobile Technologies, Utimaco Safeware and WinMagic.

Microsoft promises to bring encryption to the masses in the forthcoming Windows Vista operating system, which includes a feature called BitLocker that can automatically encrypt a PC's entire disk.

Meanwhile, some I.T. managers still have a perception that deploying and managing encryption products is extremely complicated, says Andrew Krcik, vice president of marketing at PGP. "There's still a hangover from people having looked at encryption seriously five years ago and said, 'It's way too complex,'" he says.

Stillwater National Bank's Mays found setting up and managing laptop encryption straightforward, requiring employees to leave their laptops overnight to perform the initial full-disk encryption. He was at first concerned that the PGP encryption software would slow down the machines, but found that on any laptop less than three years old, "there's not a noticeable performance hit."

To Zimmerman of Regions Financial, the justification for encryption and content-monitoring measures boils down to this: What's the company's reputation worth? As Zimmerman puts it: "Whether we lost one record or 1 million records, our credibility with customers would be shot."

5 Steps to Prevent Data Loss

1. Guard against human error. Use security technologies, such as data encryption, as a safety net for honest mistakes.

2. When in doubt, encrypt. All laptop hard drives should be encrypted.

3. Monitor outgoing messages. Use software to block e-mail messages or file transfers with confidential data.

4. Ensure security is easy to use. Otherwise, employees will find ways to get around it.

5. Audit security practices regularly. Experts say such reviews should happen at least monthly.

180 View – We replicated most of this interesting article. Good policy, training and the right tools can go a long way to mitigate the risks.

Safe Driving? Is Your Lap Strapped In?

September 1, 2006 from webCPA – “If you think this article doesn't pertain to you, your firm, or your clients -- either because your business is too small, too big, or because it's the perfect size for guarding against IT security threats -- think again.

Security woes even hit computer security software company McAfee, which in February had to warn some 9,000 current and former employees that their names and Social Security numbers were on an unencrypted CD that was lost after being left on a plane by an employee of auditor, Deloitte & Touche.

That same month, Ernst & Young confessed to some of its clients that their Social Security numbers and other personal data were lost on a laptop stolen from a locked car belonging to one of the firm's employees.

And closer to home, in May the American Institute of CPAs had to tell its approximately 330,000 members that a hard drive containing their Social Security numbers and other data -- sent out for repair in direct violation of the AICPA's internal control procedures -- was lost in transit by FedEx.

That faux pas was particularly galling since this year's rendition of the AICPA's Top Ten Technology list ranked information security as the No. 1 technology issue.

"From the standpoint that every AICPA member was affected, if that doesn't serve as a wake-up call for CPAs, I don't know what will," says Susan Bradley, a recognized IT security expert who is a CPA and partner at Fresno, Calif.-based Tamiyasu, Smith, Horn and Braun Accountancy Corp., where she is the network administrator.”

The article gives some suggestions to improve security:

"Most firms think they have a good firewall, so they think they're not at risk," he says. "But many are using consumer-grade firewalls that are not updated or not strong enough to protect their networks."

Higher levels of protection are available from companies like Sunnyvale, Calif.-based SonicWall and WatchGuard Technologies of Seattle, Johnston and others say.

SonicWall's "unified threat management" technology features solid-state firewalls and VPN appliances that incorporate anti-virus, anti-spyware, and network-intrusion prevention features for both wired and wireless networks. It also provides constant monitoring of firewall performance, Johnston says. Similar features are available through WatchGuard's firewalls.

IT managers also need to ensure proper installation of firewalls, and that all crucial network ports are properly protected.

"Many times firms pay extra fees for a firewall installer, and [do] not realize that firewalls weren't installed correctly," Johnston says. "Installers will leave ports open, making a network vulnerable to attack -- for example, file transfer port 21, Internet browser port 80, or mail port 25. They all need firewalls."

The growing popularity of wireless networks, along with the growth of Microsoft's Mobile 5 wireless devices, is coinciding with more options for securing wireless operations. For one thing, users should make sure they're using the security pack that is available with Mobile 5 devices, experts say.

Accounting firm Abalos & Associates in Phoenix uses the Sentinel S3 USB key from Mesa, Ariz.-based Sweet Spot to control access to laptops and other mobile computing devices, says Cheryl Folkerth, a CPA and technology manager at Abalos.

The S3 key, which a user must insert into a computing device to access the firm's wireless network, incorporates two-factor authentication that involves 128-bit encryption along with a user-defined PIN. It also integrates a secure virtual private network, or VPN, tunnel to encrypt critical data being transferred between client and host computers.

"No one has been able to get onto the wireless network without the USB key," Folkerth says.

SonicWall also provides a SonicPoints system of securing multiple access points throughout a wireless network, which Johnston says he has used successfully. A SonicPoints system can be configured, managed, and updated through a centrally managed SonicWall security application.

Another tool for protecting laptops is Palo Alto, Calif.-based PGP Corp.'s PGP Desktop, which encrypts an entire hard drive. "If the laptop is stolen, it has no data value," Johnston says.

But technology applications alone aren't sufficient to protect wireless networks, experts say. At Tamiyasu, Smith, IT security chief Bradley enforces a multi-part policy that dictates how employees can access the firm's network. Employees working remotely must not use a public kiosk or any other computing device other than their own anti-virus-software-loaded machine.

Her accounting firm also has remote employees access the Remote Web Workplace, a feature built within Microsoft's Small Business Server 2003, which ensures that sensitive data can't be downloaded to computers outside the office. "They can view but not download the data," she says.

While e-mail has done wonders for improving the service that accounting firms can offer their clients, it also presents huge risks for stolen data when e-mailed client communications are not encrypted.

"Not encrypting e-mail is a glaring error among businesses," Johnston says. If a hacker knows a CPA firm's URL and corresponding IP address, he can figure out how to receive a copy of all e-mail traffic a firm sends its clients, he adds. "A firm's e-mail might reach the right client address," Johnston says, "but the firm won't know if it also reached another destination."

Technology such as AMPLock encryption from Madison, Wis.-based SmartSoftKey, can ensure that only intended recipients can receive and unlock e-mail messages and files, Johnston says. AMPLock integrates with Microsoft Outlook.”

180 View – This article includes the following point - “The realm of security technology is still like the Wild West to most people, with hucksterism and snake oil vying side by side with really well thought-out security software and hardware-based tools.” Huge investments are being made or will be made to improve security by organizations across the country. Hopefully, you’re not being sucked in by the hype, but investing in practical solutions that are justified based on the risks.

Web services may threaten enterprise security

February 22, 2006 from ComputerWorld - "Clear text messages used in transferring applications via Web services can potentially slip through existing security hardware allowing malformed code to run rampant within organizations. Typically malicious code such as Trojans and worms are detected at the gateway; however, current XML and SOAP attachments (Simple Object Access Protocol) can potentially allow threats to enter the network, as well as information leakage. "Adding to the problem is security controls built into Web services applications, which offer a compromise in performance and as a result are systematically being turned off," Dierickx said."

E-commerce fraud will cost businesses $2.8B this year

November 10, 2005 from ComputerWorld - "Merchants are set to lose $2.8 billion this year because of online fraud, according to a survey released by CyberSource Corp., a provider of electronic payment and risk management products in Mountain View, Calif. The $2.8 billion figure is 8% higher than last year, CyberSource said. The survey, conducted by Austin-based Mindwave Research Inc., found that companies with online revenues of between $5 million and $25 million annually are being hit the hardest. Those companies saw online fraud losses rise from 1.5% of their revenue in 2004 to 1.8% of their revenue this year...

Part of the problem is that while merchants are reviewing more orders manually this year to catch fraudulent orders, they’re doing so without hiring more employees, according to CyberSource spokesman Bruce Frymire. In fact, midsize merchants said they reviewed one quarter of their orders this year, up from 21% of orders in 2004, he said. Most merchants are so far relying on two basic means of fighting fraud: address verification systems, which compare the address on file at the card issuer to the billing address provided by the card holder, and checks of the card verification number -- the additional digits printed on the credit cards, according to the survey. Over half the merchants who took part in the survey said that they are currently using or intend to use MasterCard’s SecureCode or Visa’s Verified by Visa payer authentication systems before the end of 2006, Frymire said."

Security in a web services world

2005 from Evaluation Centre - "Industry is now on the edge of a transformation, where web services will change the way companies do e-business, allowing easy, efficient, automatic web-based transactions between buyers and sellers. But for IT security people, this represents a real headache. Web services will expose the core business systems that most companies have spent the last 20 years or so trying to keep behind high walls. Also, the traditional firewalls that have served organisations well up until now will no longer be able to filter out the rogue transactions from the good ones.

As companies wrestle with this real security problem, they are finding that web services standards are only just being agreed and established. As a result, there is a danger of getting confused by different views of the security requirements, and the different terminology used to describe the new security solutions that are arriving on the market. So what is the real security requirement – and what’s the best approach for those developing web services solutions and evaluating the solutions that are coming onto the market?"

Microsoft Buys Antivirus Company

February 8, 2005 from CIO Today - "The move is a direct threat to McAfee and Symantec, because Sybari has alliances with such vendors as Computer Associates, IMlogic, Kaspersky Labs, NetIQ and Sophos, all of which are major rivals to the two companies, said Morgan Stanley analyst Peter Kuper. "The purchase of Sybari brings this threat sooner and in a more significant manner than we had anticipated," he said. "Given this swift and decisive move by Microsoft we think our warnings not to ignore Microsoft in the security market are well founded -- look for more to come next week," he said."

How long will it take before Norton AntiVirus is as well known as WordPerfect?

Spending too much on virus protection?

January 2005 from PC World - "But while leading antivirus software vendors Symantec and McAfee have been hiking annual subscription fees for stand-alone products, they've kept those charges flat for product suites that bundle antivirus utilities with firewall, intrusion-detection, and spam-control software. The idea is to encourage customers to move over to these suites... Competition may eventually drive down antivirus prices. Microsoft bought antivirus technology from Romanian company GeCad Software SRL in June 2003 and has said it intends to enter the market."

In the meantime, there are good alternatives. The article links to a review of other antivirus programs that are available. In the linked article, you will find "We awarded our antivirus Best Buy to Trend Micro PC-cillin Internet Security 2004. Besides offering competent scanning at a moderate price, PC-cillin has an exceptionally clean and intuitive interface. Best of all, PC-cillin was the only software product in our review to provide no-cost telephone technical support--and via a toll-free number, too."

Click here for the article.

IT Audit

June 15, 2004 from CFO Magazine. This article says that "These days, audits are rarely a source of solace, but finance executives who find IT daunting may actually be relieved to know that IT audits are suddenly in vogue, and provide exactly the sort of big-picture view that most CFOs need. IT audits are not, as you may have guessed, a matter of pure accounting. The term covers a lot of ground, but in general it can be thought of as the processes by which organizations evaluate virtually any aspect of their technology controls, capabilities, and performance. While IT audits have been conducted by some companies for years, they're moving into the mainstream as regulatory compliance, risk management, and information security become higher corporate priorities.

If done properly, experts say, IT audits not only reveal weaknesses in compliance, security, and other areas but also help companies save money by finding ways to use IT hardware and software more efficiently and get a better handle on technology assets. Organizations can use IT audits to ensure that their technology initiatives are in sync with business goals and practices... internal system resources are used effectively and efficiently"

We agree with the article that IT audits are useful in evaluating controls, compliance and security, but we don't think that an IT audit will do justice to efficiency and effectiveness. The people who do IT audits are typically strong on technology and controls, but lack expertise in evaluating business processes in terms of efficiency and effectiveness. A business process review also requires a very different methodology from an IT audit.

For the article from CFO Magazine, click here. The CICA has just published "IT Control Assessments in the context of CEO/CFO Certification". This white paper is a good source of information on conducting an IT audit. For the CICA white paper, click here.

The impact of Sarbanes-Oxley on private companies

July 26, 2004 from CFO.com - "Public companies are facing dramatic changes in disclosure and corporate governance requirements under the Sarbanes-Oxley Act, and under new and proposed rules from the SEC, NASDAQ and the NYSE. While these new rules and regulations do not generally cover private companies, their influence on private companies is being felt in the following ways:

  • The Sarbanes-Oxley Act may result in increased scrutiny of a private company being considered for acquisition by a public company.

  • A private company will become subject to the Sarbanes-Oxley Act upon filing a registration statement with the SEC in anticipation of an IPO.

  • The boards of directors and management of many private companies are embracing various aspects of the Sarbanes-Oxley Act as “best practices.”

Familiarity with these new rules will help private companies avoid pitfalls that could interfere with important future milestones, such as an acquisition or an IPO, and will contribute to the foundation of a company culture of fiscal and corporate responsibility." For more, click here.

The shaky state of enterprise security

July 23, 2004 from InfoWorld - "Faced with a seemingly endless onslaught of virulent Internet worms, spam, and e-mail scams, less than half of IT professionals report strong confidence in the security of their enterprise networks, according to the results of the 2004 InfoWorld Security Survey. The picture that emerged from a poll of more than 600 IT professionals in our June online survey was one of wariness in the face of a wide range of threats, from insecure operating systems to online “spoofing” attacks. Only 38 percent of IT professionals said they are “very confident” in their enterprise security, and a mere 8 percent said they are “extremely confident” in it." For more, click here.

IT audits are suddenly in vogue

June 15, 2004 from CFO Magazine - "These days, audits are rarely a source of solace, but finance executives who find IT daunting may actually be relieved to know that IT audits are suddenly in vogue, and provide exactly the sort of big-picture view that most CFOs need. IT audits are not, as you may have guessed, a matter of pure accounting. The term covers a lot of ground, but in general it can be thought of as the processes by which organizations evaluate virtually any aspect of their technology controls, capabilities, and performance. While IT audits have been conducted by some companies for years, they're moving into the mainstream as regulatory compliance, risk management, and information security become higher corporate priorities.

If done properly, experts say, IT audits not only reveal weaknesses in compliance, security, and other areas but also help companies save money by finding ways to use IT hardware and software more efficiently and get a better handle on technology assets. Organizations can use IT audits to ensure that their technology initiatives are in sync with business goals and practices." For the article, click here.

Antivirus security article published in the April 2004 edition of CAmagazine

One person’s misfortune is another’s golden opportunity, says the cliché. So goes it with computer security. Whenever a new virus hits, business is brisk for the market leaders in antivirus protection – Symantec’s Norton AntiVirus and McAfee’s VirusScan. Every year, 30 million Symantec customers renew their Norton AntiVirus subscription. Sure, the hackers might have some fun, but it’s Symantec and McAfee, as well as other antivirus developers and security consultants who get the most out of each new virus attack. For the article, click here.

Are cookies bad for you?

From PC Magazine - "Contrary to popular belief, cookies were not created to invade users' privacy. These small text files are used to overcome the "statelessness" of HTTP transactions, and they are a powerful tool for Webmasters, because they allow a site to remember things about its visitors." For the article, click here.

But not all cookies are good for you. McAfee Security says "Some websites use cookies for other reasons such as advertising. Online advertising companies use cookies to determine which sites you commonly visit so they can post ads you might find interesting on your favorite web sites. This may seem harmless to many people, but some users consider this an invasion of privacy. Someone surfing the web will not know a cookie is being sent to his or her computer unless a program, such as Privacy Service, tells the person a cookie is being sent to the computer. Using cookies to this end can be as bad as a credit card company selling a customer’s information to a company who sends unsolicited ads in the mail without his or her consent."

March Comes in Like a Worm

March 1, 2004 from PC World - "Conventional wisdom claims March comes in like a lion and goes out like a lamb. But with new versions of the Bagle e-mail worm and a virulent new form of Netsky virus, March's arrival is looking more like a worm. Five new versions of Bagle appeared over the weekend, as did a new version of Netsky that is spreading rapidly on the Internet and generating a huge volume of virus-infected e-mail messages... Some new variants also hide in password protected ZIP files to slip past antivirus filters and into users' e-mail boxes." For more about this conference, click here.

Is there a security problem with wireless at home?

January 20, 2004, PC Magazine. You have probably heard the stories of drive-by hackers who break into someone's home computer system via wireless. The problem is not so much a lack of privacy functionality as a failure to activate the security that is available. Many wireless systems don't have security turned on by default. There is something called WEP (Wired Equivalent Privacy) that should solve the problem. The PC Magazine article provides some recommendations to improve your wireless network. For the article, click here.

Annoyed by random pop-ups on your Windows Desktop?

June 9, 2003 - From Bell Sympatico, "Windows XP, 2000 and NT have a built in Messenger Service that can be used by some Windows programs (and system administrators in a corporate setting) to display text-only alerts about your computer. Some people have found a way to remotely activate this Messenger Service, via Web sites you visit, to display messages, usually of an annoying and commercial nature." For instructions on how to eliminate this form of Spam, click here.

Stolen laptop

One of our readers writes us that "They swiped it right out of my office when I was downstairs grabbing a bite to eat at lunch - while someone was 2 offices down the hall! We are now locking our main office door." Can you imagine this happening to you? We suggest you take some precautions such as a security lock. And of course, you have a very recent back-up of your data - right?

Had enough Spam?

January 30, 2003 — In an article in The New York Times, the author laments about wading through countless unwanted messages advertising pornographic web sites, offers for loans, credit cards, inkjet cartridges, miniature race cars and opportunities to enlarge body parts. (Hopefully email from 180 Systems is not considered Spam - if it is, please unsubscribe). The article reviews three anti-spam products - iHateSpam by Sunbelt Software, Spam Inspector by Giant Company and SpamKiller by McAfee Security. For a link to the article, click here. Another anti-spam program that just won an award from PC Magazine is Cloudmark (http://www.cloudmark.com/).

Still paranoid about your backup?

Unfortunately, many companies still learn the hard way about the importance of backup. In a recent article in PC World, CDs were rated the best bet for small systems and external hard drives for larger systems. The article contained some good advice for "foolproof" backup. Click here for this article.

Still not sure which personal anti-virus program to use?

There's no guarantee in life but you can minimize the risks. Click here for a hot-off-the-press article from PC Magazine showing Norton Antivirus as editor's choice.

 

Are you just a little worried that your data is not backed up properly?

It seems most people learn the hard way when it comes to backup. For some, the network is backed up, but the local files are exposed to the elements. There are many options available to you. For example, you could keep all your data files together and use a compression tool to back up to your network or a CD. You might also consider using a tool such as SmartBackup 1.5 that compares your data files and only backs up those that have changed. An assortment of backup utilities can be obtained from Tucows by clicking here.

So you're backing up your network on a regular basis - great. But have you verified that you can actually restore what you backed up? Do you have a network company that is entrusted to verify that the restore works properly? What do you think would happen if they claim to be doing this on a regular basis, but for some reason, when you need to restore your data, you can't? Your contract with them probably says that they shall not be responsible for any damages including loss of data... So have your network company prove that you can actually restore all your data.

Do you need a firewall at home, or do you want to know more about firewalls?

You probably have protection at the office, but what about at home? With DSL and Cable Modem technology, your PC is permanently connected to the Internet and can be more easily attacked by hackers. HowStuffWorks is one source of firewall information that can be linked by clicking here and PC Magazine recently published a good article that can be obtained by clicking here.

Have you been attacked by a computer virus yet?

Some say that 2001 was the Year of the Virus. Unfortunately, Microsoft Outlook is the target of choice and seems to be easy prey to malicious and creative hackers, despite the fact that Microsoft has introduced draconian measures to block out potential threats. You may notice that a wide variety of files are blocked that you may want to receive from trusted sources. It is easy to bypass Outlook’s protection by changing the file extension or by WinZipping the file. Although there are no guarantees of protection, you can follow a few guidelines and reduce the risks. Click here for Microsoft’s guidelines.

Do you argue with your kids about how long they are playing games on the computer? Do you want to know whether your employees are surfing to inappropriate web sites? Click here for more.

 
  © 2009 One Hundred & Eighty Degrees Systems Limited. All Rights Reserved