Thursday, April 10th, 2008
Blogger LORA BENTLEY - One of the first non-profits to demonstrate voluntary compliance with the Sarbanes-Oxley Act of 2002 was the University of Pittsburg Medical Center. Representatives said they chose to do so as a means of maintaining accountability with the organization’s contributors and the public. New research reveals, however, that not all Sarbanes-Oxley-like requirements are effective in the non-profit health care environment. In particular, it seems that imposing requirements upon non-profit hospital boards of directors — such as minimum donations or term limits — don’t yield significant improvements in hospital financial management or patient care. The study, conducted by researchers from the University of Michigan, found only a weak connection between board structure and hospital function. READ MORE
Posted in General, Sarbanes Oxley | No Comments »
Thursday, April 10th, 2008
RSA panelist says the botnet problem is worse than ever, despite the FBI’s war against cybercrime
By Robert McMillan, IDG News Service - April 09, 2008
When Owen Walker was arrested for masterminding a massive international network of compromised computers last year, it seemed like a major victory in the war against botnets.
The 18-year-old New Zealander, who pleaded guilty to hacking charges last week, was arrested in the second of a series of actions, called Operation Bot Roast by the U.S. Federal Bureau of Investigation that were touted as major strikes against cybercrime.
"The operation was an attempt to smoke the botnet underground out," said Matthew Fine, the FBI special agent who worked on the case. "Did we make a dent? That is for you to determine," he told attendees during a panel discussion at the RSA Conference in San Francisco Tuesday.
[For more security coverage, see InfoWorld’s special report on the RSA Conference 2008 ]
According to one botnet hunter, not much has changed.
"I’m sorry to report this, but it did not make a dent in my workload," answered fellow panelist Joe Telafici, vice president of Avert operations with McAfee. "The problem today is many orders of magnitude worse than it was."
Telafici believes that unless it becomes more expensive to run a botnet, nothing will change. It’s simply too profitable to run these networks, and when someone like Owen Walker is arrested, there’s always another criminal ready to take his place.
Some botnets are fading. Helped by better detection on the part of Microsoft’s Malicious Software Removal Tool, which ships as part of the Windows operating system, the infamous Storm botnet has shrunk to a fraction of its former size.
On Tuesday, security vendor SecureWorks published a list of the largest botnets that are being used to send spam e-mail messages. Storm barely made the top five.
The largest and fastest-growing network is called Srizbi. With an estimated 315,000 bots, it can send as many as 60 billion messages per day. Last fall it made headlines when it sent out unauthorized spam messages promoting presidential candidate Ron Paul.
Written in part by a contract programmer from the Ukraine, Srizbi thrives using a technique known as social engineering — it sends out links to malicious files, claiming that they are pornographic videos of celebrities. When the user clicks on the files, they become infected with the malware.
Storm has long thrived on social engineering techniques, too, sending malicious e-mail that is often linked to events in the news or holidays. But it now has only about 85,000 infected machines, and less than half of them are being used to send spam.
The other top spam-spewing botnets are Bobax, also known as Kraken, which has about 185,000 machines; Rustock, with 150,000; and Cutwail: 125,000.
In total, the botnets tracked by SecureWorks can send out more than 100 billion messages per day. These networks use Web-based templates, offering infected machines to the highest bidder as an easy software-as-a-service product.
So how to stop the problem? One panelist had an idea that may not sit well with everyone: ISPs should knock users off the network unless their patches are up-to-date. Because most botnet attacks target known software bugs, having your patches up-to-date, especially for popular products like Internet Explorer, Firefox, WinZip, and QuickTime, can make a real difference.
The only drawback: A good chunk of the Internet population would be knocked offline until they patched.
Still, maybe it’s a fair thing to do because these people are harming others, according to Ira Winkler, president of the Internet Security Advisors Group, a security consultancy.
Often victims who have been infected with botnet code, don’t even realize that the malware is on their system, he said. It’s other computer users who must bear the brunt of the problem when the botnet network spams or launches a DoS attack against them.
"We need home users to be responsible," he said. "Yes, blame the users… because they present an imminent danger to others."
Posted in Information Security | No Comments »
Thursday, April 10th, 2008
Since 2000, our world has seen dramatic changes that have caused an evolution in business continuity thinking. It used to be that recovery-minded organizations focused on preventing and avoiding disasters. Today, it seems inevitable that nearly everyone will be faced with unexpected “bumps” in the terrain from time to time. The focus is changing from avoidance of threat to “landing on your feet” in spite of it.
In other words, organizations have found it necessary to become better prepared and be more proactive about risk management. While the imagined “disaster” in a disaster recovery scenario used to be an environmental one – fire, flood, or tornado – thus far in the 21st century we’ve seen likely examples of “disaster” expand to include terrorist attacks with global political implications; strings of powerful hurricanes; international power grid failure; threats such as data worms and hackers; and ordinary business events such as mergers and acquisitions, increased outsourcing of business processes, and application process failures.
The bottom line these days is that if it’s disruptive to your organization, it’s a crisis, regardless of the cause. And the pressures for risk management planning are both internal and external.
At the midpoint of the first decade of the 21st century, certain trends in business continuity thinking have been established. A consideration of them, as well as several emerging trends, may help clarify what organizations need to consider today in order to prepare themselves for tomorrow.
>>>>>>>> Click Here to Read the Entire Article <<<<<<<<<<<
Posted in Business Continuity Management, Disaster Recovery, General | No Comments »
