NEWSLETTERS
 

CIO.com updates, insights and advice on technology, management and your career.

 Advice and Opinion

 CIO Consumer IT

 CIO Leader

 CIO Enterprise

 CIO Insider

More Newsletters | Edit Profile
 

RSS Feeds »

 
 
SUBSCRIBE TO CIO
 

Are you involved in setting the direction for your company's IT budget or strategy?

Apply today for a FREE subscription to CIO Magazine!

» Subscription Services

» Reprints

 

 


Wed, Jan 30, 2008 16:24 EST

Regulatory Compliance & the Real Risk of Undetected Malware

Posted by: Ryan Sherstobitoff in Best Practices

Topic: Enterprise Management

Current Rating: 5 Comment: 1

With the emergence of regulatory laws borne out of experience from a variety of embarrassing security breaches, today’s corporate leaders face a myriad of repercussions. These range from serious fines to jail time when found not in compliance with regulations such as Sarbanes-Oxley (SOX), Health Insurance Portability and Accountability Act (HIPAA), Gramm-Leach-Bliley (GLB), and Payment Card Industry (PCI), etc.

These regulations are designed to protect the privacy of individuals and to ensure the proper internal controls are in place to maintain confidentiality and integrity of sensitive information.

For example it mandates in the Sarbanes-Oxley act section 404 that any publicly traded corporation must maintain adequate internal controls, ranging from proper financial reporting to the protection of critical assets. This includes designing controls around the premise of protecting consumer data from an information security perspective.

Normally, these controls are defined and established through a risk analysis that identifies potential threats and weaknesses. The development of a policy framework based on this audit untimely drives the definition of what would be considered “adequate” controls.

However, in 2007 the industry suffered a record-breaking loss of information stemming from data security breaches ranging from stolen laptops to hijacked advertising as seen in the Monster.com attack. It’s estimated that over 79 million records were exposed last year alone.

Despite established security policy, these breaches lead to public dismay and a loss of consumer confidence. Take for example the TJ Maxx incident that led to an exposure of 45 million credit card numbers and eventually cost the retailer over 200 million dollars in both hard costs incurred and stock value reduction.

These incidents raise several interesting questions. Were these security breaches a result of undetected malware, perhaps a targeted attack orchestrated by a foreign hacker group? Why did the internal controls, established according to company policy, fail to protect assets from being compromised? And what are the real risks and implications of undetected malware as it pertains to regulatory compliance?

These are all good questions, especially concerning the changing crimeware landscape and its evolution from curiosity to financial gain. Not surprisingly, this trend has a considerable part do with the dramatic increase in information exposure in 2007.

For example a majority of identity theft and financial fraud incidents in 2007 were related to Banker Trojans that infected individual consumers, thus, stealing credentials and other personal information that could be used to gain profit.

Furthermore, if we put this into perspective we are more at risk then we were a few years ago when the primary concern was the prevention of network worms that caused data destruction.

In that day and age, controls were designed around the need to ensure the integrity and availability of information assets. CIOs and IT Managers designed and implemented systems that had the primary goal of ensuring that their users had access to information. At that time security was a secondary concern in this scenario, because the threats were different and much less sophisticated.

Today we face a new breed of threats with different motives: financial gain through targeted attacks. In fact targeted attacks in 2007 showed a marked increase over previous years with respect to online fraud.

The mentality of CIOs and IT Managers has shifted to a security focused mind-set, especially with the advent of recent high-profile security breaches. What’s alarming is the rate at which malware is developed and released to infect victims on a daily basis. For example, PandaLabs and other major AV labs see over 4000 new strains per day.

This is mainly due to the overwhelming inability for security vendors to respond to this ever increasing rate of new malware strains. We are witnessing a literal denial

Keywords: compliance, crimeware, information security, security breach, trojan, virus
You do not have flash or javascript support.
Average (3 votes)
5
comment icon Reply
Digg this
Slashdot
Reddit
 
All Comments Comments
 
Wed, Jan 30, 2008 19:54 EST
Dynamic, Evolving Threats
Posted by: Raymond Magness
Rating:

You raise some good points that often go overlooked. The threat landscape faced by the Fortune 1000 is so dynamic that merely demonstrating compliance with a catalog of static controls is not enough. Rather, establishing a dynamic threat and incident management capability that correlates multi-source data is necessary. The library of security and risk assessment questions must be easily updated and the surveys themselves rapidly deployable in order to measure the ever-changing threat. Finally, all this data needs to be tied together to track the resolution of findings and demonstrate compliance. The CIOs/CISOs I interact with are definitely displaying a security-focused mindset...they don't want to be the next security breach on the front page.

You do not have flash or javascript support.

Start a Conversation

Click to post

Got something to say? We want to hear it! Click the Post button to get started. GO»

EXPERT ADVICE

See our roster of experts.

Advice & Opinion from more than 77 of IT's most insightful thinkers.

advertisement

TOP USERS
UserPoints
1. laith al jazi12550
2. Akshay Upadhye7650
3. Chris Moore6750
4. abdhiraj6175
5. remi5325
UserPoints
6. asengupta3750
7. tmmackay3500
8. Sureshram3125
9. Michael Kavis2950
10. mtruxaw2900
  PARTNERS       PODCASTS       WEBCASTS    
 

Enterprise Content Management: From Strategy to Solution

Enterprise content management (ECM) has become an important competence and infrastructural technology, particularly for large and medium-sized organizations. Hear about industry trends for ECM and why standardizing your ECM platform is so critical to your success during this roundtable discussion.

Sponsored by IBM  View This Webcast »

 

Get Rich or Get Thin: The Secure Client Webcast

Malcolm Harkins, General Manager of Intel's Information Risk and Security group, looks at the increasing sophistication of attacks. He also talks about he pros and cons of thin and rich clients in fending off those attacks.

Sponsored by Intel
  View This Webcast »

 

The Greening of the Data Center

This report outlines a four-part strategy companies can employ to achieve an energy-efficient infrastructure.

Sponsored by Sepaton  Read this White Paper »

More Partners »

Resource Alerts

Get instant email notifications by topic when white papers, webcasts, and case studies are added to our library.

Podcast: Accenture's View on Software as a Service

Publisher Emeritus at CIO magazine, Gary Beach, talks to Accenture Chief Architect, Paul Daugherty, about where software is going, and in particular about the emerging concept of software as a service and its contribution to high performance.   Read More »

 

Business Service Management: Delivering Value Throughout the Service Lifecycle

Business and IT alignment is as much a priority among CIOs, as it is a challenge...  Read More »

 

Talking Innovation with a Hall of Famer

Bill Walsh, lauded for his innovative thinking on the football field, talks techniques for applying innovation to every job.  Read More »

More Podcasts »

Resource Alerts

Get instant email notification when white papers, webcasts, and case studies are added to our library. Don't just be up-to-date—be up to the minute with our new Resource Alerts.

Crossing The Data Divide: The Case For Complex Data Exchange Technology

Hear the results of a new study conducted by IDG examining how to maximize the value of your enterprise information assets by automating the data exchange process. Join now and learn how technology can help you Cross The Data Divide.   Read More »

 

Collaborative Resiliency: A Unified Approach to Risk Management

Climate change, oil price shock, pandemic and acts of terrorism are true risks that cannot be ignored...  Read More »

 

The Great Escape: Contact Center Applications Are Moving into the Enterprise

With resulting benefits such as tighter integration with back-office applications, administrative control, and improved communications, contact center applications are moving into the enterprise. In this webcast...  Read More »

More Webcasts »

Resource Alerts

Get instant email notification when white papers, webcasts, and case studies are added to our library. Don't just be up-to-date—be up to the minute with our new Resource Alerts.

 
NEWSLETTER

Sign-up for the Advice & Opinion Newsletter

 
FEATURED SPONSORS
 
 
 
SPONSORED LINKS
 

A CIO's View of Server Virtualization

Survival of the Fittest: Disaster Recovery Design for the Data Center

Windows Server 2008: To Upgrade or Not to Upgrade?

How Office 2007 Exposed Bill Gates

How to simplify mobility and reduce the cost of supporting mobile workers

Helping IT Become a Service Provider White Paper

Extending PCI Compliance to the Mobile Workforce

A proven approach to WAN optimization

Wireless Vulnerability Management: What It Means for Your Enterprise

Green IT: Reducing Your Carbon Footprint with Citrix

Wide-area data services enable todays global enterprise

Discover PMI's credentials and career path tools

Symantec State of the Data Center Report

Getting the Most from your Data Protection Solution

Tripwire PCI DSS Solutions: Automated, Continuous Compliance

ITCi White Paper: Challenges and Opportunities of PCI

TDWI Research report clears confusion about automating data governance

White Paper: Unlocking the Potential of B2B

See why 93 of the Fortune Global 100 depend on Blue Coat.

Taking Document Automation to the Next Level

Video Series: IT Leaders discuss how IT is becoming part of the innovation cycle.

How Plug-in Integration with Global Suppliers Quickly Multiplies the Value of SAP Investments

White Paper: WebMethods Business Process Management Suite

Webcast: A look at the increasing sophistication of attacks

Model, Execute, and Optimize: Oracle Fusion Middleware and the BPM Lifecycle

Enterprise Service Bus: A Definition

Let's Get Virtual: A Look at Today's Server Virtualization Architectures

Increase conversions on your site with the help of EV SSL.

Get Control of Mobile Data (and More)

Data Loss Prevention Starts at the Endpoint

Building a Foundation for Pragmatic Service Management White Paper

Performance Brief: Mobile Application Acceleration

Strategies for centralizing data backup

Citrix XenServer FREE trial

Nothing Short of Revolutionary: Four Steps toward More Effective Enterprise Finance

The Best IT Strategy for a Company with Global Operations

Speed, agility, flexibility - The HP BladeSystem c-Class

The Business Value of Symantec Data Center Foundation Solutions

Webcast: Why standardizing your ECM platform is so critical to your success

The PCI Data Security Standard

White Paper: Assess Your SOA

The Universal Wireless Client: Simplify mobility and reduce the cost of supporting mobile workers

Tuning ERP and the Supply Chain for Profitable Growth

Compliance by the numbers- addressing requirements with online document management and collaboration technology

Webcast: Learn how to Simplify and Standardize Architecture

Research about the efficiencies created by different operating systems.

Shift your ERP investments into high gear and join the leaders!

White Paper: Intel IT testing of select multi-core processors results

IDC VP Carl Olofson Reviews Technology Advances and How to Handle Reporting and Querying

People, Processes, and SOA: Oracle Fusion Middleware and the Responsive Enterprise