February 2004 – Page 6 – CyberSecurity Institute

The attack began Saturday night and by Sunday morning the software firm’s site was completely flooded with requests, Utah-based SCO said.

While infected PCs were supposed to start inundating the main SCO Web site with data starting at 4:09 pm GMT (8:09 am PST), the site had been nearly inaccessible for a 16-hour period prior to the scheduled start of the attack, according to Internet performance measurement firm Netcraft. The outage could have been due to a large number of infected computers having their clocks set to the wrong time.

“This is the biggest single (denial of service) attack ever,” Mikko Hypponen, director of antivirus research at F-Secure, wrote in an update on the security company’s Web site. In its statement on Sunday, SCO it still “had a series of contingency plans to deal with this problem,” but would wait until Monday–at about 5 a.m. PST–to communicate them.

The attack aimed at Microsoft by computers infected with the B variant of MyDoom is not expected to have as much effect because that version hasn’t spread as widely, said Vincent Weafer, a senior director at computer-security company Symantec.

More info: [url=http://zdnet.com.com/2100-1105_2-5151572.html]http://zdnet.com.com/2100-1105_2-5151572.html[/url]

The Banking Industry Technology Secretariat (BITS) in Washington released the security guidelines as an addendum to an existing framework for managing business relationships with IT services providers. The group’s goal is to help financial services firms streamline the outsourcing evaluation process and better manage the risks of handing over control of key corporate systems to vendors.

The guidelines are based on the International Standards Organization’s ISO 17799 code of practice for information security management, which covers categories such as documenting corporate security policies and classifying assets. They also include best practices gathered from BITS members and input from vendors, government agencies and third-party IT auditors, said Faith Boettger, a senior consultant at BITS.

Bob Cedergren, second vice president of information security and business continuity planning at Fortis Inc., a financial services firm with U.S. operations in New York, said security concerns related to outsourcing are getting more attention in corporate boardrooms. “Each time there’s a virus outbreak, this gets discussion within our CIO group here at Fortis as well as with the CEOs” of individual business units, Cedergren said.

Many of the financial services industry’s certification standards, including Statement on Auditing Standards No. 70, SysTrust and WebTrust, don’t fully cover what companies have been looking for in a best-practices matrix, according to Boettger.

More info: [url=http://www.bankinfosecurity.com/?q=node/view/543]http://www.bankinfosecurity.com/?q=node/view/543[/url]

Month: February 2004

MyDoom downs SCO site

BANK GROUP OFFERS GUIDELINES ON OUTSOURCING SECURITY RISKS