eWEEK: A federal appeals court recently ruled that criminal charges could be lodged against an e-mail service provider who allegedly read customer messages. The case was brought against Bradford Councilman, former vice president of the online bookstore Interloc, under the federal wiretap statute. The ruling may foreshadow an increasing number of similar prosecutions in the future. The court found that the wiretapping statute contains no direct indication that Congress intended to exclude communications in transient storage from the definition of criminal wiretapping activity. Councilman was indicted for creating a Procmail script that allowed him to sort and read customers' e-mail with the "@interloc" address. The court's decision may also have broader applications, possibly criminalizing illegal spying on e-mail, voice mail and Voice over Internet Protocol calls.

TechWeb: Ninety-one percent of the companies assessed in July for the monthly Insider Threat Index exposed credit card numbers and 82 percent exposed employee Social Security numbers. The index is generated monthly by Reconnex, a Mountain View, Calif.-based enterprise risk management vendor. The vast majority of the exposures originated with human resources departments, according to the Reconnex report. HR often accidentally exposes employee information when it communicates with health insurance, payroll, workers compensation and other providers. In other cases, the Reconnex report contends, employees are exposing data by sending files using Web e-mail services like Hotmail and Yahoo Mail.
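The Reconnex findings above describe card numbers and Social Security numbers leaving organizations in outbound mail, both through provider correspondence and through consumer webmail. As an added example (not part of the newsletter and not a Reconnex product), the Python below shows the kind of outbound-mail check a defender would put in a mail gateway: it finds card-number candidates and discards those that fail the Luhn checksum, matches SSNs in the issued AAA-GG-SSSS format, and then applies a simple policy keyed on the recipient domain. The sample messages, the domain names and the webmail list are constructed for this example.

```python
import re

# Candidate card numbers: 13-16 digits, optionally separated by spaces or dashes.
# The lookarounds stop a longer digit run (an order number, say) from matching.
CARD_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,15}\d(?!\d)")

# US SSN in AAA-GG-SSSS form, excluding areas 000, 666 and 900-999,
# group 00 and serial 0000, none of which are ever issued.
SSN_PATTERN = re.compile(
    r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)"
)

# Assumptions for this example: the company's own mail domain and the
# consumer webmail domains named in the report.
INTERNAL_DOMAIN = "corp.example"
WEBMAIL_DOMAINS = {"hotmail.com", "yahoo.com"}

# Constructed sample messages: one legitimate HR-to-insurer mail, one webmail
# exfiltration, one false-positive candidate, one harmless internal note.
SAMPLE_MESSAGES = [
    {"id": 1, "to": "claims@example-insurer.test",
     "body": "Enrollment for J. Doe, SSN 123-45-6789, effective 1 Sept."},
    {"id": 2, "to": "me@hotmail.com",
     "body": "Backup of customer list: 4111 1111 1111 1111 exp 12/07"},
    {"id": 3, "to": "vendor@example.test",
     "body": "PO 4111111111111112 confirmed, ship Tuesday."},
    {"id": 4, "to": "team@corp.example",
     "body": "Dial 555-123-4567 for the conference bridge."},
]


def luhn_valid(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def find_card_numbers(text: str) -> list:
    """Return Luhn-valid card numbers found in text, separators removed."""
    found = []
    for m in CARD_CANDIDATE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_valid(digits):
            found.append(digits)
    return found


def find_ssns(text: str) -> list:
    """Return well-formed SSNs found in text."""
    return [m.group() for m in SSN_PATTERN.finditer(text)]


def classify_message(msg: dict) -> dict:
    """Decide what the gateway should do with one outbound message."""
    cards = find_card_numbers(msg["body"])
    ssns = find_ssns(msg["body"])
    domain = msg["to"].rsplit("@", 1)[-1].lower()
    if not cards and not ssns:
        action = "allow"          # nothing sensitive detected
    elif domain == INTERNAL_DOMAIN:
        action = "allow"          # stays inside the company; log it only
    elif domain in WEBMAIL_DOMAINS:
        action = "block"          # sensitive data bound for consumer webmail
    else:
        action = "quarantine"     # external provider: hold for human review
    return {"id": msg["id"], "to": msg["to"], "action": action,
            "cards": len(cards), "ssns": len(ssns)}


def scan_outbound(messages: list) -> list:
    """Classify every message and return the verdicts in order."""
    return [classify_message(m) for m in messages]


if __name__ == "__main__":
    for verdict in scan_outbound(SAMPLE_MESSAGES):
        print(verdict)
```

Message 1 is held for review rather than blocked, which matches the report's observation that most exposures are HR talking to legitimate providers: the fix there is encryption or a secure upload channel, not a hard block. Message 3 contains a 16-digit number that fails Luhn and is correctly ignored.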
vnunet.com: Malicious crimeware being developed by phishers is becoming increasingly adept at bypassing conventional IT security systems to steal identity information for financial crime, according to a report from the Anti-Phishing Working Group. APWG researchers found that phishers are designing systems to neutralize anti-phishing technologies being deployed by financial institutions and e-commerce sites. They reported a noticeable increase in screenscraper technology, which counters graphical keyboard measures. Graphical keyboards avoid keylogging Trojans used to mine usernames and passwords directly from keyboard entries. When a user clicks on a character on the graphical keyboard, the screenscraper takes a snapshot of the screen.

AIIM: Enterprise Content Management (ECM) technologies are increasingly viewed as core IT infrastructure as opposed to departmental applications. That was among the findings of a study released by AIIM, an industry group representing ECM vendors. Eighty-two percent of users see ECM solutions as a core element in their IT infrastructure, while 18 percent view ECM as a point solution to a particular problem. Return on investment appeared to be positive, with 72 percent of end users believing that the ROI of their ECM implementations met or exceeded expectations.
The awareness of the importance of managing documents is also rising within organizations. Seventy-seven percent of end users believe that effective document management is more important now than it was two years ago. ECM technologies, including records management and e-mail management systems, are increasingly being deployed to tackle compliance issues.

Sydney Morning Herald: A Microsoft executive recently visited New Zealand in an effort to convince officials there not to pass an anti-spam bill Microsoft considers too broad. The bill would prohibit companies from sending even a single e-mail to a consumer unless they could reasonably infer the recipient's consent. The original version of the bill classified unsolicited mailings as spam only if the sender sent multiple messages. Microsoft believes the bill would prevent companies from e-mail marketing. The company wants to see the bill changed to allow companies to e-mail customers about new products and services, even if they had opted out of receiving e-mails in previous purchases. Companies should be able to send marketing e-mails to people who may not have a pre-existing business relationship with the company, in Microsoft's view, as long as spams are labeled with ADV for advertisement. New Zealand's Communications Minister rejected that proposal as too weak.

Banking Technology: Losses from phishing scams at automated teller and point-of-sale machines are smaller than originally feared, according to new research from TowerGroup. TowerGroup says the notion that ATM and debit card fraud from phishing is out of control is a misconception. In fact, the true effect is minimal. TowerGroup found that no more than $990 million was fraudulently lost at ATMs and POS installations in the U.S. in 2004 and, of that, less than one percent resulted from phishing.
TowerGroup found that about one in every 15,600 ATM and PIN-based POS debit transactions is fraudulent, but that almost all of this comes from stolen cards and card skimming. TowerGroup said it conducted its research to counter recent findings issued by Gartner saying that ATM/POS phishing fraud in the U.S. generated losses of $2.75 billion last year.

silicon.com: Men are five times more likely than women to steal sensitive corporate data or intellectual property, according to a survey of British employees released by Clearswift. Five percent of male employees admit to deliberately e-mailing sensitive data to outside parties, compared to one percent of females. Some of these leaks resulted from failing to follow established practices for handling sensitive information rather than from actual malice. Another recent study found that women are more likely to bring portable storage devices, such as digital cameras, to the office. Clearswift says the results show the necessity of training staff to handle data appropriately.

3 QUESTIONS: An Integrated Compliance Approach
With Luc Brandts, founder and chief technology officer of BWise.

Question: How are companies approaching Sarbanes-Oxley compliance in your experience?

Brandts: What we see is that they are dealing with compliance issue-by-issue and year-by-year. A lot of companies are in a big mess, and they just want to get it over with and get compliant. Some companies are spending huge amounts of money looking at automated solutions to do just that. Some of those companies now want to use compliance to become a better company by improving alignment, reducing IT costs and complexity, and improving quality. But others still take a check-the-box approach. At the end, they know they're compliant, but that's it.
They've incurred high costs and there's no benefit to the company. We think this is a shame.

Question: What's a better approach?

Brandts: Compliance provides a wealth of information on what processes are in place, what is at risk, what IT systems are deployed, and where. This can be used for the benefit of the company. In Sarbanes-Oxley projects there is an immediate need to document a lot of stuff, and when you do that you see that it links to a lot of other things. One of the most important parts of compliance is IT governance. You need an integrated way to document where the risks are and what controls are being placed on applications and hardware. You also need to find a way to properly test that and combine it with corporate governance efforts at the CFO level. From the corporate governance perspective, you need a process approach and to be able to document process risks and controls to make sure that if something goes wrong it doesn't become a big mess. You have to link business processes to applications so that if something changes in the application, you know which processes are linked to that.

Question: Can you give an example of how companies can derive business benefits from compliance processes?

Brandts: Regulators are asking companies to take a more risk-based approach to Sarbanes-Oxley compliance. In a finance department, for example, they are used to working with a lot of controls. That is the way the applications were developed, and that is the way finance people are trained. The question then becomes whether these processes are over-controlled. There may be a risk that payroll is done twice. But then you find out and correct the situation. That may cost you some money, but it costs less than changing the application or adding an additional person to do an additional check. All that does is add costs and frustration without reducing much risk.
On the other hand, I know of a company that had an organization involved with submitting tenders for contracts which had poor controls. Losing three tenders a year would have cost the company 20 percent of its revenue. If not properly controlled, this company could have a different look within a year. So it's really a question of spending money and energy on improving things that can have a significant impact on revenue and not spending effort in an environment like payroll that is easy to manage.

By the Numbers

10 to 20 percent: Amount of corporate IT budgets allocated toward initiatives that improve business performance.

90 percent: Proportion of companies that regularly expose personal information, according to the Insider Threat Index.

80 percent: Proportion of consumers surveyed who feel threatened by online fraud and identity theft, according to a survey released by RSA Security and LightSpeed Research.

Breaking Headlines

eWEEK: The Department of Homeland Security's information systems are plagued with ongoing weaknesses, according to a recent audit. The report found that DHS has not fixed vulnerabilities, particularly in access controls, that had been previously identified. Users were sometimes able to access sensitive testing and development devices with a group password or a default password. DHS also faces the challenge of implementing agency-wide patching; the department joins 22 separate IT architectures. The agency plans more training programs, among other efforts, to address the issues raised.
FCW.com: The estimates issued by the Congressional Budget Office for the implementation of the Real ID Act are being dwarfed by figures being reported by the states. The Real ID Act mandates that states enhance the security and data integrity of driver's licenses and other state-issued documents. The CBO initially estimated a $100 million total cost over five years. But Washington State says the program will cost it $97 million, Pennsylvania estimates $100 million, and Virginia claims the program would cost $232 million. The largest part of these estimates is for staffing and document verification. States are waiting for the Department of Homeland Security to identify standards and procedures, while privacy advocates continue to express concerns about the program.

FCW.com: The U.S. government wants to change judges in a lawsuit brought by a group of American Indians against the Department of the Interior. Judge Royce Lamberth has presided for 12 years over a lawsuit that claims the Interior Department did not adequately protect databases related to American Indian trust funds. One of Lamberth's rulings called Interior a "dinosaur" and found the government's papers in the case to be disrespectful. He has ordered Interior three times to disconnect from the Internet departmental computers that could access trust fund data, but was overruled by an appeals court each time. Lamberth also ordered the Bureau of Indian Affairs to disconnect its networks for two months in the spring of 2005 after the departmental inspector general found them vulnerable to cyberattack.

Emerging Trends

GCN: Many e-mail recipients are fooled by phishing scams that appear to have been sent from within their organizations. Security exercises conducted by the U.S. Military Academy and the New York State chief information security officer resulted in these findings. The exercises were carried out to test the effectiveness of awareness programs.
Educating e-mail users has had only limited success, according to a West Point faculty member. The first test e-mail, sent to 400 West Point cadets, received an 80 percent clickthrough rate. Subsequent exercises with as many as 3,000 cadets produced lower, but not sharply lower, response rates. The New York CISO reported similar findings in tests of 10,000 state employees. E-mail bearing the names of officials within an organization appeared to enjoy a high level of credibility.

silicon.com: A public-private educational program on online security will likely not adequately address the problems of consumer Internet safety, in the opinion of this writer. The Get Safe Online public-private partnership program is a last-ditch effort to turn back a tidal wave, he says, which was foreseen by everyone except the government. The British government was slow to respond to online consumer issues, but it was finally galvanized by reports showing that 25 percent of the world's zombie computers are located in the UK. The situation is comparable to the terrorist threat in which the government response is too little, too late.

SecurityFocus: Should security researchers be allowed to decompile software to expose vulnerabilities? The case of Michael Lynn, who resigned from Internet Security Systems to give a presentation on flaws in Cisco software, has re-opened the debate. Cisco and ISS filed an injunction against Lynn, claiming he violated Cisco's copyrights and End User License Agreement when he decompiled code as an ISS employee after signing a Non-Disclosure Agreement. Courts have come down on both sides of the issue. In Atari Games Corp. vs. Nintendo of America Inc. and in Sega Enterprises vs. Accolade Inc., courts held that reverse engineering of software falls under the fair use provisions of copyright law and is therefore not actionable. But in 2003, another court, in Bowers vs.
Baystate Technologies Inc., decided that consumers waive those fair use rights when accepting a software's End User License Agreement. One solution is for licensing agreements to authorize decompiling of software and at the same time act as a non-disclosure agreement which defines procedures for the disclosure of flaws discovered in this manner.

IT Business Edge: Managing Compliance Standards, Issue 35, Vol. 2
This e-mail is sent by NarrowCast Group, LLC, 124 N. First St., Louisville, KY 40202. Copyright ©2003-2005 NarrowCast Group, LLC. All Rights Reserved.

About the Editor: Peter Buxbaum has been writing about business, technology, and law for 12 years. He has published over 1,000 articles in publications such as Fortune, Forbes, Chief Executive, Computerworld, InformationWeek, and dozens of others. He earned a law degree from Temple University, studied economics at Columbia University, and taught seminars in international business at Penn State University. He can be reached at editorial@itbusinessedge.com.