Month: March 2005

A post-mortem of its Sarbanes-Oxley compliance effort, looking at what worked and didn’t work, found inconsistent documentation of financial controls, as well as ones that should have been automated. Among the lessons learned is that “standardization of processes minimizes the risk of misstatements on financial reports,” McWilton says. Nextel Communications Inc. found it needed to do a better job controlling employee access to sensitive data and IT systems. And United Technologies Inc. discovered that it wasn’t making full use of the financial controls built into its enterprise-resource-planning systems.

The Securities and Exchange Commission estimates that companies collectively spend nearly 5.4 million staff hours each year implementing Sarbanes-Oxley’s section 404–the part of the federal legislation that deals with financial-reporting controls. Sarbanes-Oxley, which took effect late last year, was designed to improve the quality of financial reporting and restore confidence in financial statements in the wake of the Enron and WorldCom accounting scandals.

No wonder Sun Microsystems CEO Scott McNealy in 2003 likened Sarbanes-Oxley to throwing “buckets of sand into the gears of the market economy.”

At Nextel Communications, which is merging with Sprint Corp., the compliance process “began as an administrative task but has evolved into a basis for achieving competitive advantage,” says Michael Bryan, who until leaving the company last week was Nextel’s director of IT governance. While working through the steps to comply with Sarbanes-Oxley, Nextel managers discovered they needed to pay more attention to how employees were given access to sensitive data and programs. The company installed Thor Technologies Inc.’s Xellerate Identity Manager system to automate the management of Nextel’s 90,000 user identities.

Companies are finding that beyond complying with Sarbanes-Oxley, automating access controls helps enforce information security policies, such as limiting access to sensitive data to authorized users, according to a February report from the Aberdeen Group market-research firm that examined the Sarbanes-Oxley compliance efforts of 40 companies. As information security and access control become more important, they’re being transformed from a set of ad hoc activities into coordinated business processes. The company has gained peace of mind that it had the necessary financial controls in place for complying with Sarbanes-Oxley, CFO and executive VP Frank Terence says.

But working through the compliance process also uncovered areas where business processes needed to be improved, particularly IT change-management processes and procedures used to control access to critical software programs and data.

United Technologies is another company that discovered through its compliance-assessment process that its IT systems had automated capabilities of which the company wasn’t taking advantage. The survey also has brought a sense of unity to a company that’s sprawled out over 125 countries, Howells says. And the process of developing a standard way of documenting and testing financial-reporting controls has led to standardization in other accounting processes and policies.

http://www.informationweek.com/story/showArticle.jhtml?articleID=159902183&pgno=3

In its seventh bi-annual Internet Security Threat Report, Symantec said over the past year, security researchers had discovered at least 37 serious vulnerabilities in the Mac OS X system.

According to Symantec, as Apple increases its market share–with new low cost products such as the Mac mini–its user base is likely to come under increasing attack.

“Contrary to popular belief, the Macintosh operating system has not always been a safe haven from malicious code,” Symantec said. “Out of the public eye for some time, it is now clear that the Mac OS is increasingly becoming a target for the malicious activity that is more commonly associated with Microsoft and various Unix-based operating systems,” the report said.

“Apple Computer has become a target for new attacks… The appearance of a rootkit109 called Opener in October 2004, serves to illustrate the growth in vulnerability research on the OS X platform… The various OS X vulnerabilities allow attackers to carry out information disclosure, authentication bypass, code execution, privilege escalation, and DoS attacks.”

Symantec believes that as the popularity of Apple’s new platform continues to grow, so too will the number of attacks directed at it,” the report said.

Symantec’s concerns were echoed by James Turner, security analyst at Frost & Sullivan Australia, who said many of the people who bought Apple products were not concerned about security, which left them wide open to attack.

“The iPod, PowerBooks and mini Macs are cool products,” Turner said. “The by-product is that people are buying these products for form over function. They say it looks pretty and then buy it but don’t secure it. As Apple increases its market share, it will be a legitimate target.”

Trend Micro senior systems engineer Adam Biviano said all complex operating systems had security flaws and the more popular the platform, the more likely it would be attacked. “All sophisticated platforms–Mac, Linux, Solaris or anything else — will have vulnerabilities,” Biviano said. “The only reason Windows has had mass exploits written for it is the sheer number of connected devices that are present on most networks. As soon as you start seeing mass deployment of any technology you are going to see exploits.”

According to Biviano, while there have not been any mass outbreaks of viruses targeting the Mac, the potential does exist. “You don’t see Macintosh viruses in mass outbreaks but you do see them in the labs as proof of concepts. There aren’t any outbreaks because there are simply are not enough [Macs] out there. For a virus to be successful it needs a combination of an exploit and a large target audience,” said Biviano, who nominated the mobile phone market as an example of malware writers targeting the most popular platform, not Microsoft’s platform. “Look at where mobile viruses are going and they are not targeting Microsoft–they are targeting the market leader, which is Symbian,” he said.

The Symantec report found in the second half of last year, an increasing proportion of malware was designed to expose confidential information.

The report also found that phishing attacks increased by 366 percent while the number of Windows-based worms and viruses increased by 64 percent, when compared to the first half of 2004.

http://news.zdnet.com/2100-9590_22-5628665.html

The Federal Bureau of Investigation plans to work with the National Retail Federation to use technology to fight organized retail theft. The recognition came at a hearing on organized retail theft held recently by the House Judiciary Committee’s Subcommittee on Crime, Terrorism, and Homeland Security.

The FBI’s first step in launching a formal Organized Retail Theft Initiative was the formation in 2004 of the National Retail Federation/FBI Intelligence Network, Swecker said. The network is meant to increase collaboration among the FBI, state and local law enforcement, and retail corporate security to share intelligence, discuss trends, and identify and target potential problems related to theft. “Organized retail theft isn’t petty shoplifting–it’s organized crime, and it has to be stopped.”

Also testifying at Thursday’s hearing was Chris Nelson, director of assets protection at Target Corp. NRF is a member of the Coalition Against Organized Retail Theft and arranged for Nelson to testify on behalf of the coalition.

Organized theft accounts for $30 billion in annual store-level losses, according to FBI numbers, and Nelson said items targeted for theft range from low-cost goods such as razor blades and batteries to high-end consumer electronics and designer clothing.

http://www.informationweek.com/showArticle.jhtml;jsessionid=ASHSOZUL0AZH0QSNDBNSKH0CJUMEKJVN?articleID=159902300