admini – Page 380 – CyberSecurity Institute

Hedging the Risk of Instant Messaging

Posted on April 29, 2004December 30, 2021 by admini

Technology Under SEC rule 17a-4, instant messages must be archived and retrievable and can’t be edited or changed.

Hedge funds are shying away from using instant messaging to send orders to their brokers because there has been a lack of technology to create an audit trail. “If I did not have the ability to archive these messages, I probably would not use it,” says Angie Kim, chief financial officer of Core Fund Solutions, a San Francisco-based company that oversees four hedge funds. Even though the onus is on the brokers to archive instant messages, “There are still certain legal exposures” for the buy side, says Kim.

In fact, to limit their own exposure, prime brokers – which clear the hedge funds’ trades – don’t want hedge fund managers to use instant messaging, adds Kim. If there is a dispute over a trade, the buy-side firm has to be able to retrieve the instant message to resolve the matter. And, because IM platforms are not as secure or as reliable as most trading systems, prime brokers are concerned that a hedge fund could send them trades that an IM platform may fail to deliver. Since hedge funds tend to outsource many functions, such as operations and trading, to third-parties, they don’t want to spend money developing IT infrastructure in-house to capture and archive IM communications.

Core Fund Solutions uses one such solution, IMTrader, a combination light-weight blotter and instant-messaging platform developed by Boston-based Pivot Solutions that interfaces with compliance systems like IM Logic and Facetime. Additionally, order-management systems are expected to integrate instant messaging into their trading applications, too. “The two greatest advantages [to using a system such as IMTrader] are the ability to see trades [filled] on a real-time basis and the ability to streamline operations by downloading the blotter and uploading trades to the prime brokers,” says Kim, who uses IMTrader to monitor trading in real time between the hedge funds’ portfolio managers and their brokers. JNK Securities, an institutional brokerage firm that uses IMTrader, utilizes an order-management system from Tradeware Systems to translate messages into FIX. Since then, Pivot has tweaked the system, so “You can just add our name to your buddy list,” says Jack Weiselberg, president of JNK Securities.

But before Weiselberg implemented IMTrader, he had to make sure the data network was secure and that it met the compliance regulations that govern brokers’ activities.

More info: http://www.storagepipeline.com/news/19205462;jsessionid=ZLEIGG40253TOQSNDBCCKHY

The New Economics of Information Security

Posted on April 13, 2004December 30, 2021 by admini

Generally, we hear about the exorbitant losses in the more spectacular cases, or about totals gleaned from the annual Computer Security Institute/FBI Computer Crime Survey.

In fact, even the CSI/FBI survey doesn’t do justice to the magnitude of business loss from cybercrimes (see “The Indirect Cost Of Cybercrime,”).

You usually don’t see information-security managers applying capital-budgeting techniques, such as the net present value (NPV) or internal rate of return (IRR), to information-security infrastructure investments.

Since information-security managers go up against other department managers for a share of the budget, it’s to their advantage to catch up with their peers who specialize in capital budgeting.

“I go to security conferences where we sit around puzzling about what kind of metrics to use for measuring the results of security programs,” says Adam Stone, a security management analyst for the financial-services industry.

He says we can learn from the methods of financial, statistical, economics and securities professionals who deal with these kinds of uncertainties all the time to predict and measure business effectiveness in a rational way.

Those who do think in economic terms are grappling with ways to use ROI and NPV to provide economic justification for investments.

The “somewhat less than $100” that you get now is the NPV of the $100 you’ve been promised in a year.

So, rather than the traditional accounting notion of ROI, economists prefer to talk in terms of NPV or IRR, the latter being a time-adjusted notion of rate of return.

http://www.banktech.com/story/BSTeNews/showArticle.jhtml?articleID=18901266

Security Updates on Tap for Server 2003

Posted on April 9, 2004December 30, 2021 by admini

One of the biggest modifications expected for the server operating system is a system known as ACI (Advanced Client Inspection), which checks the health of PCs attempting to connect to a network.

The system is similar to Cisco Systems Inc.’s Network Admission Control project but is done strictly through Windows.

When a client machine tries to log on to a network, Windows Server 2003 checks the security posture of the PC and compares it against a predetermined corporate policy.

Microsoft plans to ship a set of security policy templates for ACI, but customers can design their own as well.

The system also will allow administrators to set group policies for departments that have differing security requirements.

“The notion of one size fitting all in terms of security just isn’t the case,” said Mike Nash, vice president of the Security and Technology Business Unit at Microsoft, in an interview during the Microsoft Security Summit here last week.

While Microsoft plans to release a service pack for Windows Server 2003 in the second half of this year, it’s unclear whether ACI will be included in that or delivered in some other form, Nash said.

This technology, along with some behavior-blocking and intrusion prevention features, is part of a second set of security tools that the company has planned for Windows XP but that likely won’t be ready in time for SP2 (Server Pack 2), which is in beta.

Nash said SP2 will include a tool that gives customers the ability to specify which wireless LANs users are allowed to connect to, thereby eliminating the risk that can arise from connecting to unknown and potentially hostile networks.

http://www.eweek.com/article2/0,4149,1565334,00.asp?kc=EWRSS03119TX1K0000594

RogueWatch does the watching for you

Posted on April 8, 2004December 30, 2021 by admini

Programs such as Netstumbler and WaveRunner survey the airwaves to feel out rogue access points.

Testing with them, however, requires a human (most likely you) to seek out problems in the wireless coverage area by walking around the trouble spots looking for an anomaly.

AirDefense, a wireless LAN security company, has one product designed just for the busy IT professional who has better things to do than walk around testing for rogue access points.

RogueWatch centrally monitors a wireless LAN for rogue access points, using distributed sensors and a server appliance tailored to monitoring this activity.

http://techrepublic.com.com/5100-6263_11-5176405-1-1.html

Major security breaches usually due to human error

Posted on April 7, 2004December 30, 2021 by admini

Major security breaches, defined by a survey “as one that caused real harm, resulted in confidential information taken or interrupted business,” are slowly increasing and are most often attributed to human error (47%), rather than technical problems.

IT directors welcome Big Four’s corporate security initiative

Posted on April 7, 2004December 30, 2021 by admini

The consortium, which includes the Big Four accounting firms and insurance giant AIG international, aims to agree a cyber-risk model that can be used by companies in all industries.

Auditors and insurers could also use the “risk preparedness index” to help decide whether a company has adequate IT security arrangements.

Although details of the framework have yet to be finalised, security experts believe it will focus on an organisation’s IT security safeguards, such as its firewalls and anti-virus software, and compare this against the security threats it faces.

“IT infrastructure risk management is of critical importance to the industry and Barclays broadly welcomes the principles behind this initiative,” said Barclays group chief technology officer Kevin Lloyd. “We will continue to monitor the development of this framework with interest and potentially inclusion in the shaping of the framework.”

Nick Leake, director of operations and infrastructure at ITV, said, “I think the real value of this approach is in sorting out the companies with dreadful levels of non compliance/operation from those with high levels – it won’t be much use in distinguishing the better of two already very compliant operations. And as with all these things, it will have to be kept up to date.”

Industry experts said that an accepted model for measuring security risk would be a breakthrough if widely adopted and would also help IT departments justify security spending.

“The new security standard looks promising, although a lot of the devil will be in the detail,” said Graham Titterington, principal analyst at Ovum. “It will make it easier for people to justify spending on IT security because of the backers of the standard are blue chip companies, which gives it credibility with the board.”

Neil Barrett, technical director of security consultancy information risk management, said the proposed security standard would allow IT directors to measure their organisation’s security arrangements against a benchmark.

http://www.computerweekly.com/articles/article.asp?liArticleID=129789&liArticleTypeID=1&liCategoryID=2&liChannelID=22&liFlavourID=1&sSearch=&nPage=1