Month: February 2004

With the announcement that conformance to the Basel II Capital Accord must be achieved by 2006, the banking industry now has a defined timeline for regulatory compliance.

Once it infects target machines the worm attempts to search and destroy any traces of MyDoom infection – before downloading patches for the Microsoft vulnerability it used to infect the system in the first place.

As if that little lot wasn’t enough, today also saw the arrival of a Trojan, called Mitglieder-H, with the ability to spread to computers infected with the MyDoom-A worm.

http://www.it-analysis.com/article.php?articleid=11669

Though these devices support standard security options and protocols useful to thwart common attacks (ciphering, authentication, etc), many kinds of attacks are still possible but are dependant on the real level of security present and the skill of the attacker.

Sometimes, even in companies, blackhat people find open networks with poor or no security in place. Threats come through the external physical barriers (from a parking lot, walking down the street, through windows) or inside your own environment (via zealous network seekers with PDAs or laptops, wireless cards and scanning software).

1.0 Introduction to wireless honeypots
The Internet is full of excellent resources that describe wireless technologies, wireless threats, wireless security offerings and honeypot technologies.

http://www.securityfocus.com/infocus/1761

Careful analysis of the nature of the attack or incident can lead to the implementation of effective and widespread preventative measures and the avoidance of similar events. This ability to respond quickly and effectively to a computer security threat is a critical element in providing a secure computing environment. One way to provide such a response is through the establishment of a formal incident response capability. This response capability can be in the form of comprehensive policies and procedures for reporting, analyzing, and responding to computer security incidents. It can also be in the form of an established or designated group that is given the responsibility for handling computer security events. This type of group is generally called a Computer Security Incident Response Team (CSIRT).

Focusing a team on incident handling activities allows them to further develop expertise in understanding intruder trends and attacks, along with acquiring knowledge in incident response methodologies. Depending on the services provided, the team can be composed of full-time or part-time staff. A CSIRT provides a single point of contact for reporting computer security incidents and problems. This enables the team to serve as a repository for incident information, a center for incident analysis, and a coordinator of incident response across an organization. This coordination can extend even outside the organization to include collaboration with other teams, security experts, and law enforcement agencies. The team’s relationships with other CSIRTs and security organizations can facilitate sharing of response strategies and provide early alerts to potential problems.

As a focal point for incident information, a CSIRT can gather information from across their organization, gaining insight into threats against the constituency that might not have been apparent when looking at individual reports. Based on this information, they can propose strategies to prevent intruder activity from escalating or occurring at all. They also can be a key player in providing risk data and business intelligence to the organization, based on the actual incident data and threat reports received by the CSIRT. This information can then be used in any risk analysis or evaluation. Having an experienced team established, with defined incident handling procedures in place, can jump start the response process.

There is no need to determine who in an organization does what, as there is a team already in place knowing what to look for, who to contact, and how to affect the response as quickly as possible. CSIRTs located at constituency sites may also have familiarity with the compromised systems and therefore be more readily able to coordinate the recovery and propose mitigation and response strategies. Depending on its mission and goals, a CSIRT can be structured and organized to provide a range of services in a variety of ways. Of key importance in deciding what types of services to offer will be the type of expertise available and the type of incident handling capability already in place in an organization.

Environmental variables, such as organization and constituency size, available funding, and geographic distribution, can also affect the range and level of services provided by a CSIRT. A small, centrally located organization will require a CSIRT that is different from that required by a large, geographically dispersed organization. Others act as that central repository and also disseminate any information on new vulnerabilities and intruder trends.

A CSIRT can also be organized as a coordinating CSIRT or coordination center rather than a one-on-one incident response service. In either case, the coordinating CSIRT synthesizes reports and information from all areas to determine the accurate picture of incident activity across the constituency and its vulnerability to attack.

This document attempts to illustrate the various issues regarding each option and highlight the decisions that organizations will face when choosing a model. This document does not address these other views, but they are interesting topics for future discussion and publication.

Regarding the decision-making capability and authority of a CSIRT, this document does not discuss how the CSIRT will interact with the business management side of any organization.

Once you have identified a model that best suites your situation, we highly recommend that you follow the guidelines presented in the Handbook for CSIRTs [West-Brown 03] to identify the next steps necessary to implement the decision. By being informed and prepared, the management team can focus their energy and resources appropriately and minimize the time and effort associated with building a solid foundation for an effective CSIRT within the organization.

http://www.bankinfosecurity.com/feed.php?target=http://www.sei.cmu.edu/publications/documents/03.reports/03hb001/03hb001chap01.html

In a letter to William Donaldson, the chairman of the Securities and Exchange Commission, 11 organizations of companies – saying they represented 100,000 European companies including more than 100 whose securities are traded in the United States, asked for changes that would make it easier for them to stop being registered with the SEC.

While some European companies are “quite satisfied with their experience in the U.S. market,” others have concluded that the costs are not worth the benefits, said the letter, signed by business leaders including Alain Joly, the president of the European Association for Listed Companies and the chairman of the supervisory board of Air Liquide.

The rule he referred to, whose implementation was delayed until 2005 for foreign companies, requires corporate executives to certify that internal financial controls are adequate, and requires outside auditors to certify that the management’s conclusions are accurate.

Greene, a former SEC general counsel, said many companies were also concerned about bars on company loans to executives. A company that no longer values a U.S. listing can easily delist from the exchange, Greene said.

A company remains subject to the securities laws unless it can show that it has fewer than 300 American investors. To do that, it must conduct research to determine its actual shareholders, regardless of whether those holders bought the shares in America or overseas.

The European companies’ proposal would not apply to Japanese or other overseas companies because it assumes the European companies would follow new International Accounting standards, as they are expected to do beginning in 2005, although some European companies are resisting the international rule on accounting for derivatives. But many have found that American institutional investors are willing to buy shares overseas, wherever the most liquidity is. And companies that are not listed in the United States can sell securities there in private offerings, under an SEC rule known as 144A, so long as the buyers are institutional investors.

http://www.srimedia.com/artman/publish/article_753.shtml