Author: admini

New Rules May Ease SOX Audits

Posted on by admini

“If it passes, it will allow companies and auditors to worry more about the things that matter when it comes to financial fraud,” says Patrick Taylor, CEO of Oversight, which makes software for analyzing the accuracy and security of financial transactions. Companies will be able to focus their attention on the more common paths to fraud, such as changes to the general ledger and revenue recognition, and not worry about unlikely paths, like backup.”

The chief problem is that the law, which is designed to keep public companies from cooking their own books, is extremely vague in its requirements, particularly with regard to IT. “For example, the current guidelines require the auditor do a walk-through of every transaction path that might result in a change to financial data,” says Davis. “In a large company, you can imagine how many transaction paths there are.”

But the PCAOB’s proposed changes to the audit standards would allow companies to perform a risk assessment of their systems and practices, and then focus their efforts on the most likely paths of financial fraud, instead of trying to close every possible loophole. “Those are going to be changes that somebody makes to the general ledger, which are relatively easy to detect. “That’s the kind of thing that could make the difference between an audit lasting two weeks or lasting two months,” Davis says.

http://www.darkreading.com/document.asp?doc_id=124538&WT.svl=news1_1

Read more

ISO 2700–Security Sleeper

Posted on by admini

Since the author’s cover story on PCI compliance ran last month, he has heard from a couple CISOs who maintain that PCI compliance was a cinch–because they already followed ISO 17799 or 2700. “This gave us the opportunity to easily adapt to other security standards such as PCI and others without much effort.”

You should be concerned about the maturity of a security practice at companies who take 2+ years to receive PCI certification. I don’t want my credit card in the hands of those companies….

Then, this morning, the author had a talk with Patrick A. Côté, information security officer of Houghton Mifflin, the venerable textbook publisher. He said, in not quite so many words, the same thing–that their PCI compliance was fairly painless because they already had the underlying processes in place.

http://blogs.csoonline.com/iso_2700_securitys_sleeper

Read more

Security: New Study IDs Top Threats

Posted on by admini

Careless behavior by employees combined with spotty security policies provide plenty of openings for scam artists.

A widely reported study by MarkMonitor, an Internet security firm specializing in brand protection, found a rise in “cybersquatting” (using trademarks on illegitimate sites), “clickfraud” (bogus clicks on ads) and “domain kiting” (illicit Web sites with similar names to well-established sites), along with phishing and other scams.

The better gauge of how CIOs truly feel about security is spending: IT security budgets are growing, and companies are plunking down cash for a broader range of technologies and services. Finding 1: IT Executives Say Security Is Adequate Despite Threats Security snafus often make news, but most CIOs aren’t rattled. As previous CIO Insight surveys have shown, very few IT executives think their companies are at high risk, and most feel their IT security measures are up to the job.

Finding 1: IT Executives Say Security Is Adequate Despite Threats

Finding 2: Online Fraud and Theft Has Hurt Few Companies

Finding 3: Careless Employees and Lost Laptops Are Danger No. 1

Finding 4: Weak Protection Policies Put Social Security Numbers at Risk

Finding 5: Companies Are Diversifying Their Security Spending

Finding 6: More Companies Are Backing Off Windows Amid Doubts About Vista Security

http://www.cioinsight.com/article2/0,1540,2134832,00.asp?kc=EWWHNEMNL052407EOAD

Read more

Traffic-Scanning Flaw Hits 90+ Vendors

Posted on by admini

An attacker could send a malicious HTTP packet to the vulnerable content scanning system

Cisco has confirmed that its Cisco Intrusion Prevention System and Cisco IOS with Firewall/IPS Feature Set products are vulnerable to the flaw. Cisco notes in its advisory that it is not aware of any malicious use of the vulnerability. Among those US-CERT lists include: 3com, Alcatel, Avaya, D-Link Systems, Debian GNU/Linux, EMC, Fedora Project, Gentoo Linux, Hitachi, IBM, Intel, Linksys (a division of Cisco), Lucent, McAfee, Microsoft, Nokia, Nortel, Novell, Red Hat, Sony, Sun and Symantec.

http://www.internetnews.com/security/article.php/3678051

Read more

OpenSEA Aims for Better Authentication

Posted on by admini

A new initiative to develop open-source security solutions was born Monday, with the announcement that six companies were jointly creating a new alliance called OpenSEA. The networking and security technology companies forming the new alliance are Symantec, Extreme Networks, Identity Engines, Infoblox, TippingPoint, and Trapeze Networks. The 802.1X supplicant is essentially the client side of a client/server authentication handshake.

The name OpenSEA refers not to a sailor’s vision of the beckoning ocean, but to Open Secure Edge Access. The group’s first project is to develop a cross-platform, open-source 802.1X supplicant using the Firefox Web browser as a model. The statement said that Xsupplicant uses a modular architecture to enable extensions, including new authentication types and integration with other security components.

The alliance is looking to help extend Xsupplicant with key functionality, including support for Windows XP, a robust GUI, and an API for extensibility. Based in the UK, JANET serves 18 million users as a network that connects education and research organizations in the UK to each other and to the rest of the planet. The United Kingdom Education and Research Networking Association, or UKERNA, manages JANET.

http://www.newsfactor.com/news/OpenSEA-Aims-To-Improve-Security/story.xhtml?story_id=101003AOKMV0

Read more