CyberSecurity Institute

MSBlast hit the Net August 11, 2003, just 26 days after Microsoft released a fix for the vulnerability the worm exploited.

Even though users had nearly a month to get ready — and were warned ahead of time by security experts to expect a major attack — MSBlast found plenty of victims.

“MSBlast was definitely a wake-up call,” said Michael Cherry, an analyst with Directions On Microsoft, a research firm that specializes in topics concerning the Redmond, Wash.-based developer. Oliver Friedrichs, the senior manager of Symantec’s security response teams, agreed with Cherry that MSBlast was a Big Deal, but for a different reason. “MSBlast was unique in that it targeted both consumer and enterprise computers connected to the Internet, and didn’t need human interaction to infect machines,” said Friedrichs. “MSBlast continued this real sea change where worms search out vulnerabilities, find one to use to attack, and spread.”

The wake-up call that MSBlast gave everyone is behind a whole host of changes in how enterprises approach security, and what Microsoft itself has put on the front burner. While some analysts denied that there was a direct correlation between MSBlast and the appearance last week of Windows XP Service Pack 2, a long-touted security upgrade to Microsoft’s flagship OS, Pescatore had no such hesitation. To stymie this kind of infection vector, enterprises have demanded, and vendors have crafted, technologies that check systems before they’re allowed to access the network.

http://www.techweb.com/wire/story/TWB20040813S0009

The provision, which goes into effect Nov. 15, will cost public companies 63 percent on average more than they had previously thought, according to a new survey by Financial Executives International (FEI).

The increase in Section 404 compliance costs stems from unexpected burdens experienced in connection with the two major requirements of the provisions.

First, each company’s annual report must contain a statement of management’s responsibility for an adequate internal-controls structure and procedures for financial reporting and management’s assessment of the effectiveness of those procedures. Second, the provision requires the company’s auditor to report and sign off on that assessment of the effectiveness, in accordance with standards set up by the Public Company Accounting Oversight Board (PCAOB).

For the first requirement, many companies are documenting internal controls for 92 percent of total revenue, the survey showed.

In January, survey respondents estimated an average $590,100 in fees to their auditors to attest their internal controls. In July, the average projection for attestation fees was $823,200 — on top of annual audit fees.

Another reason for the revised compliance costs is a 42-percent jump in other external costs, such as an average added $1.037 million for software and IT consulting.

http://www.cfo.com/article.cfm/3084035/c_3084056?f=home_todayinfinance

The summit was requested by the E-mail Service Provider Coalition (ESPC), an industry group formed primarily of e-mail marketing firms who are trying to get ahead of the spam curve.

“The biggest thing is the groundswell of support for the Sender ID framework,” said Craig Spiezle, the director of industry and partner relations for Microsoft’s Safety Technology and Strategy Team, in a statement.

Tumbleweed, for instance, which already supports both Caller ID and SPF, said Thursday it would add support for Sender ID to its Email Firewall when it revs to 6.1 in the near future.

Sender authentication schemes could also put a stop to most phishing attacks, the e-mail generated scams that purport to be messages from legitimate companies, but are actually attempts to trick consumers into divulging confidential information such as bank and credit card account numbers.

http://www.techweb.com/wire/story/TWB20040812S0004