Friday, May 23rd, 2008
Two lawsuits filed by former employees against Fidelity Investments may resolve a simmering dispute in the securities industry: Whether mutual fund employees are protected by a whistle-blower law adopted in the wake of corporate accounting scandals. The Sarbanes-Oxley Act does not specifically apply to the Fidelity Investments chairman’s firm and other privately held companies.
Congress gave whistle-blowers at public companies strong protections against retaliations when it passed the Sarbanes-Oxley Act in 2002 after the collapse of Enron Corp. and WorldCom. But the law does not specifically extend to privately held firms such as Fidelity that invest in public companies.
Tuesday, May 20th, 2008
Gartner has published a new report ‘A Risk Hierarchy for Enterprise and IT Risk Managers’ in which it claims that risk management practices in many enterprises are in a poor state. Many enterprises continue to take a narrow ‘siloed’ approach to risk assessment and management, often developing risk practices that are not effective or appropriate to their specific needs.
Gartner says that in many enterprises, specialists with functional areas of responsibility for risk management operate independently from one another, use different definitions of risk, record information inconsistently and fail to share information beyond the boundaries of their specific business or support areas. As a result, there is little transparency across processes and no holistic view of risk, which is necessary for enterprise-level analysis of exposure and mitigation decisions.
"An enterprise that wishes to better understand and manage the risks to which it is exposed should begin with enterprise-specific risk definitions and an organizational risk hierarchy to which all risk-related specialists can align," said Paul Proctor, vice president and distinguished analyst at Gartner. "Although no single definition will work for all enterprises, it is important to start from a common, overarching framework to eliminate overlap, avoid gaps in coverage and ensure good governance."
In the report Gartner details seven key steps which enable IT managers to understand and manage the risks facing them and allow them to quickly contribute to an enterprise-level risk management effort as their enterprises evolve in that direction:
* Implement a framework for risk assessment and mapping.
* Establish the responsibilities of risk managers within their areas of responsibility.
* Identify and define the risks to which the business is exposed and what constitutes a risk event or "near miss" so that incidents can be mapped to specific risks.
* Determine the threat level, and focus on those risks with the highest impact on performance.
* Establish levels of controls for processes commensurate with the perceived threat.
* Record and retain risk incident and near-miss information.
* Conduct periodic risk assessments to determine changes in the operation’s risk profile and assess control performance.
The report is available here (payment required).
Wednesday, May 14th, 2008
May 13, 2008, by Jaikumar Vijayan (Computerworld)
In the third data theft incident of its kind to come to light since March, Dallas-based restaurant chain Dave & Buster’s Inc. today disclosed that credit and debit card numbers were stolen last year from the computer systems at 11 of its locations during the card verification process.
The thefts at Dave & Buster’s took place during a four-month period from May through August of last year and have resulted in fraudulent payment card transactions worth at least $600,000 using data stolen from one of the restaurants alone, according to a federal grand jury indictment of three individuals that was unsealed yesterday at U.S. District Court in Central Islip, N.Y.
The U.S. Department of Justice said in a statement (download PDF) that the three alleged perpetrators — two of whom are listed as living in Eastern Europe — have all been arrested in connection with the case and that they are charged with various crimes as part of the indictment.
The DOJ identified the arrested individuals as Maksym Yastremskiy, a resident of Ukraine, and Aleksandr Suvorov, of Estonia. The 27-count indictment against the two includes charges of computer fraud, wire fraud, aggravated identity theft and interception of electronic communications.
Yastremskiy, who also goes by the name Maksik, was arrested last July in Turkey, the DOJ said, adding that the U.S. government has made a formal request to have him extradited. Suvorov, who uses the online handle JohnnyHell, was arrested in March in Germany at the request of U.S. officials and remains in jail there while the German government acts on a formal extradition request, the DOJ said.
The third individual charged in the Dave & Buster’s case was identified as Albert Gonzalez, a Miami resident who faces one count of wire fraud. The DOJ said that Gonzalez, who uses the alias Segvec, was arrested this month by the U.S. Secret Service.
In a statement sent via e-mail in response to a request for comment, Dave & Buster’s said that the alleged thieves stole the so-called Track 2 data from the magnetic stripes on the back of credit and debit cards, including the card numbers and expiration dates. The company said that the information hadn’t been stored on its systems and was taken while the data was being transmitted to authorize transactions. It noted that the thieves didn’t get any other personal data, such as names, addresses, PINs, or bank account and Social Security numbers.
In the statement, which was posted on the Restaurant News Resource Web site, Dave & Buster’s said that it "was alerted to the potential data intrusion" late last August and that it "immediately" notified Secret Service officials. The company added that it notified the credit card companies of affected cardholders last September. But the data thefts weren’t publicly disclosed until after the unsealing of the grand jury indictment.
Dave & Buster’s, which operates 49 restaurants, said data was stolen from outlets in New York, Illinois, Michigan, Florida, Ohio, Colorado and Texas. Following the discovery of the data thefts, the chain "implemented additional security measures to prevent any such incident from occurring in the future," it said. But the company didn’t elaborate on what those additional measures were.
According to a description of the heist in the grand jury’s indictment, Yastremskiy and Suvorov allegedly managed to gain remote access to point of sale (POS) servers at the affected Dave & Buster’s locations — apparently by falsely representing that they were authorized to access the systems. The two then allegedly installed packet-sniffing software designed to capture Track 2 data as it was transferred from compromised POS servers to a central system for transmission to the chain’s payment processor.
The software stored the captured data in a log file, from which it was later collected by Yastremskiy and Suvorov, according to the indictment. The document says that a defect in the packet sniffer caused it to deactivate each time an infected server was booted up. But each time that happened, Yastremskiy and Suvorov allegedly went back into the compromised systems and reactivated the malware.
As an example of the thefts, the indictment says that a log file retrieved from one store contained data on about 5,000 credit and debit cards. The stolen data allegedly was later sold to other individuals, who used the information or resold it themselves — eventually causing losses of $600,000 or more to the financial institutions that issued the affected cards.
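A defender-side check for the kind of artifact the indictment describes, a log file full of captured Track 2 fields. This is an added example, not code from Computerworld, the DOJ or Dave & Buster’s: it scans constructed log lines for Track 2-shaped data (the ISO/IEC 7813 layout is assumed: PAN, `=`, YYMM expiry, service code, discretionary data), validates the PAN with the Luhn check to cut false positives, and reports only masked values so the scanner does not itself become another copy of card data.

```python
import re
from typing import Dict, List

# Assumed Track 2 layout (ISO/IEC 7813): [;]PAN=YYMM SSS discretionary[?]
# PAN is 13-19 digits, '=' is the field separator, SSS is the service code.
TRACK2_RE = re.compile(
    r";?(?P<pan>\d{13,19})=(?P<yy>\d{2})(?P<mm>\d{2})(?P<svc>\d{3})?(?P<disc>\d*)\??"
)

def luhn_ok(pan: str) -> bool:
    """Return True if the digit string passes the Luhn mod-10 check."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0

def mask_pan(pan: str) -> str:
    """Keep the first 6 and last 4 digits, the usual PCI display rule."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]

def scan_for_track2(text: str) -> List[Dict[str, object]]:
    """Report every Track 2-shaped field whose PAN passes Luhn and whose
    expiry month is plausible; a regex hit alone is not enough."""
    findings: List[Dict[str, object]] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        for m in TRACK2_RE.finditer(line):
            pan, mm = m.group("pan"), int(m.group("mm"))
            if not luhn_ok(pan) or not 1 <= mm <= 12:
                continue    # right shape, but not a plausible card
            findings.append({
                "line": lineno,
                "pan_masked": mask_pan(pan),
                "expiry": f"20{m.group('yy')}-{m.group('mm')}",
                "service_code": m.group("svc") or "",
            })
    return findings

# Constructed sample, not real captured data: the PANs are well-known
# published test numbers; the third line is a decoy that fails Luhn.
SAMPLE_LOG = """\
2007-06-12 21:14:03 auth ;4111111111111111=1012101123456789?
2007-06-12 21:14:05 auth ;5500000000000004=0906101000000001?
2007-06-12 21:14:07 debug ticket=1234567890123456=0101 (not a card)
2007-06-12 21:14:09 info heartbeat ok
"""

if __name__ == "__main__":
    for finding in scan_for_track2(SAMPLE_LOG):
        print(finding)
```

Run against files on POS hosts or in a retailer's central log store, a scanner like this flags exactly the artifact the indictment describes, card data at rest in a log where none should be.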
The disclosure by Dave & Buster’s follows similar ones in March by Hannaford Bros. Co. and Okemo Mountain Resort. In Hannaford’s case, the Scarborough, Maine-based supermarket chain said that up to 4.2 million credit and debit card numbers and their expiration dates were stolen by a packet-sniffing tool while the information was being transmitted to its external payment processor to authorize transactions. The malware was planted on servers at nearly 300 grocery stores in New England, New York and Florida, Hannaford said.
The Hannaford breach was one of the first confirmed data thefts in which such a large amount of information was stolen while it was in transit, as opposed to being stored on a company’s systems. Hannaford also said it was fully compliant with the requirements of the Payment Card Industry Data Security Standard, which is known informally as PCI. That claim has raised questions about how useful the security standard is in protecting companies against such thefts, although PCI officials in turn have questioned whether Hannaford really was compliant.
Two weeks after Hannaford made its disclosure, Ludlow, Vt.-based Okemo reported a breach involving the theft of data as payment cards were being swiped at the ski area’s cash registers. An Okemo spokeswoman said law enforcement authorities who were investigating the breach told the resort that they were looking into about 50 reported incidents of the same sort in the Northeast alone.
The disclosure by Dave & Buster’s is another indication that data thieves are increasingly targeting retail POS systems, said Rosen Sharma, chief technology officer at Solidcore Systems Inc., a vendor of change management software in Cupertino, Calif.
The focus of efforts such as PCI has been on strengthening security at the network perimeter and at the points where payment card data is centrally pooled by retailers and then forwarded to payment processors, Sharma said. He added that in contrast, a lower priority has been placed on securing POS systems, making them a relatively soft target for attackers to go after.
At many retail locations, there are few restrictions on access to POS servers, Sharma claimed. "You can walk right up to these machines and stick a USB device into them," he said. The POS servers may not yield a large volume of payment card data at one time, he noted — but over a longer period, they can prove extremely valuable to data thieves.