The intersection of Sarbanes-Oxley and insider threats

Brian Contos, ArcSight

March 16, 2006 (Computerworld) -- Sarbanes-Oxley Act compliance should not be a distraction to security where the focus is on writing mountains of policies and procedures.

It should, however, be used as a business differentiator, as an enabler for risk management and as a mechanism to use frameworks and certifications to better align business goals and processes with security best practices. Nowhere is this more evident than in the issues surrounding insider threats.

There is a growing trend for information security budgets to be shared between traditional security projects and compliance-related agendas. This makes sense because the consequences of an insider threat, for example, parallel many of the concerns around Sarbanes-Oxley: loss of confidential or intellectual property, exposed sensitive information, damaged or destroyed assets, and severed communications. This can result in legal fees, fines, diminished reputation, loss of customers and shareholder faith, and financial harm. While the focus of this article is specifically on Sarbanes-Oxley, it can also be applied to the European Union's Eighth Directive and Basel II.

A primer on the insider threat

These are threats from within, perpetrated by trusted employees, consultants, partners and temps. These individuals may act out of pure malice or for financial gain, and they may commit their crimes in concert with outsiders such as competitors, identity thieves, criminals or organized crime groups. In some organizations, there may even be potential ties to terrorism and nation-state threats; however, in most cases, criminal activity for profit will be the most prevalent motive.

Since these insiders already have access beyond many or all of an organization's safeguards, they can be harder to detect. As an example, it doesn't take a skilled hacker or a great deal of time to plug in an MP3 player and download 25MB of customer data from an organization's intranet.

How to address Sarbanes-Oxley and insider threat simultaneously

This approach will consider Sarbanes-Oxley exclusively and not its supporting frameworks. It should be noted that it would be possible to evaluate these strategies within potential frameworks, such as COSO, COBIT, ITIL and ISO/IEC 17799:2005. There are three primary sections within Sarbanes-Oxley that are most relevant; each will be explored individually.

1. Section 302: Corporate responsibility for financial reports

The threat is that these reports may be modified by an unauthorized user. Access to this type of information may be a prime target for an insider with malicious intent. There are several ways to protect this information, including strong authentication, access controls, encryption and file-integrity systems.

However, if you thought your intrusion-prevention system and firewall were chatty, wait until you start pulling operating system, database, application and access-control logs. It can be an absolute flood of data. IT departments need to use all the information produced by these systems by constantly monitoring the various log types. This enables them to filter out false positives and to aggregate, correlate and prioritize information so the results can be quickly understood and acted upon. This understanding typically takes the form of graphical dashboards, reports, automated trouble tickets, alerts and real-time remediation tools.
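The aggregate, correlate and prioritize steps described above, as an added example that is not part of the original article or of any ArcSight product. Everything in it is constructed for illustration: the log line format, the host name fin-srv-01, the user names, the report path and the authorized-editor list stand in for whatever a real file-integrity monitor, OS authentication log and access-control system would provide. It collapses repeated identical file-integrity events, attributes each modification of the financial report to the most recent login on that host, and ranks the result by whether the attributed user is authorized to edit the file.

```python
"""Normalize, aggregate, correlate and prioritize log events around a protected
financial report.  Added example; all log lines, hosts, users, paths and the
authorized-editor policy below are constructed, not taken from a real system."""
import re
from datetime import datetime, timedelta

# Constructed sample logs from two sources: a file-integrity monitor (fim) and
# the operating system's authentication log (auth).  Three identical fim lines
# a second apart mimic a noisy monitor reporting one change several times.
FIM_LOG = """\
2006-03-10T02:14:07 fim host=fin-srv-01 path=/finance/q4_10k_draft.xls event=modified hash=aa11
2006-03-10T02:14:08 fim host=fin-srv-01 path=/finance/q4_10k_draft.xls event=modified hash=aa11
2006-03-10T02:14:09 fim host=fin-srv-01 path=/finance/q4_10k_draft.xls event=modified hash=aa11
2006-03-10T09:31:55 fim host=fin-srv-01 path=/finance/q4_10k_draft.xls event=modified hash=bb22
"""
AUTH_LOG = """\
2006-03-10T02:10:40 auth host=fin-srv-01 user=jdoe event=login src=10.0.5.77
2006-03-10T09:30:12 auth host=fin-srv-01 user=controller1 event=login src=10.0.2.14
"""
# Constructed access-control policy: which users may change which report files.
AUTHORIZED_EDITORS = {"/finance/q4_10k_draft.xls": {"controller1", "cfo"}}

LINE_RE = re.compile(r"^(\S+) (\w+) (.*)$")


def parse(text):
    """Normalize 'timestamp source k=v k=v ...' lines into dicts with a datetime."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line: skipped here, would be counted in a real pipeline
        ts, source, rest = m.groups()
        fields = dict(kv.split("=", 1) for kv in rest.split())
        fields["ts"] = datetime.fromisoformat(ts)
        fields["source"] = source
        events.append(fields)
    return events


def aggregate(events, window=timedelta(seconds=60)):
    """Collapse consecutive identical events (same fields, ignoring time) that fall
    within `window` into one event carrying a count, so one change is one alert."""
    out = []
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = tuple(sorted((k, v) for k, v in ev.items() if k != "ts"))
        last = out[-1] if out else None
        if last and last["_key"] == key and ev["ts"] - last["last_ts"] <= window:
            last["count"] += 1
            last["last_ts"] = ev["ts"]
        else:
            out.append({**ev, "_key": key, "count": 1, "last_ts": ev["ts"]})
    return out


def correlate(fim_events, auth_events, lookback=timedelta(minutes=15)):
    """Attribute each file modification to the latest login on the same host
    within `lookback`; no such login leaves the actor as None."""
    logins = [a for a in auth_events if a.get("event") == "login"]
    alerts = []
    for f in fim_events:
        if f.get("event") != "modified":
            continue
        candidates = [a for a in logins
                      if a["host"] == f["host"] and f["ts"] - lookback <= a["ts"] <= f["ts"]]
        actor = max(candidates, key=lambda a: a["ts"])["user"] if candidates else None
        alerts.append({"ts": f["ts"], "host": f["host"], "path": f["path"],
                       "user": actor, "count": f["count"]})
    return alerts


def prioritize(alerts):
    """Rank alerts: unattributed or unauthorized edits first, after-hours authorized
    edits next, routine business-hours edits by authorized users last."""
    rank = {"high": 0, "medium": 1, "low": 2}
    for a in alerts:
        allowed = AUTHORIZED_EDITORS.get(a["path"], set())
        if a["user"] is None:
            a["priority"], a["reason"] = "high", "modification with no attributable session"
        elif a["user"] not in allowed:
            a["priority"], a["reason"] = "high", f"{a['user']} is not an authorized editor"
        elif not 7 <= a["ts"].hour < 19:
            a["priority"], a["reason"] = "medium", "authorized user editing outside business hours"
        else:
            a["priority"], a["reason"] = "low", "authorized edit during business hours"
    return sorted(alerts, key=lambda a: rank[a["priority"]])


def run():
    """Full pipeline over the constructed logs; returns the prioritized alert list."""
    return prioritize(correlate(aggregate(parse(FIM_LOG)), parse(AUTH_LOG)))


if __name__ == "__main__":
    for a in run():
        print(a["priority"], a["ts"], a["user"], f"x{a['count']}", a["reason"])
```

Run as written, the three 02:14 lines become one high-priority alert attributed to jdoe (logged in four minutes earlier, not an authorized editor), and the 09:31 change becomes a low-priority alert attributed to controller1. The lookback window and the business-hours range are the tunable parts; widening the lookback attributes more changes but also misattributes more of them when several users share a host.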

2. Section 404: Management assessment of internal controls

This is the section of Sarbanes-Oxley most commonly discussed by IT and security practitioners. Essentially, the executive team and the auditors have to confirm that the internal controls for financial reporting are in place. The same types of enterprise monitoring requirements discussed in the first point apply here as well, but it gets more granular. In practice, the following areas are typically covered:

  • Separation of duties: The constant monitoring of information needs to be done by analysts who are neither the systems administrators nor those contributing content for the documents being produced. There must be a level of independent oversight by this group. Also, the enterprise monitoring system must provide for access controls, separation of duties and auditing of itself. These audit logs, like all others, also need to be reviewed. In this way, there are checks and balances regardless of who the insider happens to be, and accountability can be achieved.
  • Monitoring interaction with financial processes: This may seem like common sense, but consider all the network systems that financial data passes through, the proprietary applications that interact with it, and the applications that haven't been upgraded since bell bottoms were in style -- the first time.

    You must truly monitor the interaction of data in the financial process. Consider an insider who pulls sensitive files from a proprietary application, then uploads them to an off-site system through peer-to-peer networking. It's a pretty simple set of actions, but too few organizations have the level of monitoring needed even to log these actions, let alone correlate them and track them back to an IP or media access control address and a user. This is important not only for real-time data, but also for forensic analysis: once an insider threat is discovered, there need to be follow-up investigations to discover what else the perpetrator did, for how long, and who else may be involved.

  • Detecting changes in controls over financial systems: This could be as simple as disabling a host firewall, turning off a server's antivirus software or just disconnecting it from the network. Savvy insiders understand many of the controls in place, so IT departments need to monitor not only the event feeds from point products, but also the absence of those feeds: a loss of connectivity to a product or a drop in the number of events received should sound an alarm.

    Consider an insider who turns off the antivirus tool on a server, then installs a virus via a Universal Serial Bus key fob. The antivirus tool, of course, can't detect this. But what can be detected through monitoring is that a critical financial asset that is bound to Sarbanes-Oxley regulations has moved to being out of compliance because the antivirus software was turned off and a key fob was plugged in. The monitoring system at this point should have buzzers sounding and lights flashing and automatically create an investigation ticket.
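The scenario above (antivirus turned off on a regulated asset, then a key fob plugged in) as an added worked example, not code from the article or from any vendor product. The asset inventory, the control names, the event tuples and the ticket structure are all constructed assumptions; a real deployment would feed the monitor from whatever the antivirus, host-firewall and device-control agents actually emit. The point it shows is the state-tracking the text calls for: the monitor knows which controls are required on each Sarbanes-Oxley-scoped asset, derives a compliance state from them, opens an investigation ticket the moment the asset drops out of compliance, and escalates that ticket when removable media appears while a control is down.

```python
"""Track required security controls on Sarbanes-Oxley-scoped assets, and open
an investigation ticket when an asset falls out of compliance.  Added example;
asset names, control names and the event feed are constructed."""
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

# Constructed asset inventory: compliance scope and the controls that must be
# active on each host.  dev-box-07 is deliberately out of scope.
ASSETS = {
    "fin-db-01": {"scope": "SOX", "required": {"antivirus", "host_firewall", "network"}},
    "dev-box-07": {"scope": "none", "required": {"antivirus"}},
}

# Constructed event feed: (timestamp, host, kind, name, state).  "control" events
# report a control changing state; "device" events come from device monitoring.
EVENTS = [
    ("2006-03-11T22:01:00", "fin-db-01", "control", "antivirus", "stopped"),
    ("2006-03-11T22:03:30", "fin-db-01", "device", "usb_storage", "inserted"),
    ("2006-03-11T22:20:00", "fin-db-01", "control", "antivirus", "started"),
    ("2006-03-11T23:00:00", "dev-box-07", "control", "antivirus", "stopped"),
]

ACTIVE_STATES = {"started", "enabled", "connected"}


@dataclass
class Ticket:
    opened: datetime
    host: str
    severity: str
    failed_controls: set
    evidence: list = field(default_factory=list)   # every event seen while open
    closed: Optional[datetime] = None


class ComplianceMonitor:
    def __init__(self, assets):
        self.assets = assets
        # Every required control is assumed active until an event says otherwise.
        self.control_state = {h: {c: True for c in a["required"]} for h, a in assets.items()}
        self.open_tickets = {}      # host -> Ticket
        self.closed_tickets = []    # kept for the follow-up investigation

    def failed_controls(self, host):
        return {c for c, ok in self.control_state[host].items() if not ok}

    def ingest(self, ts, host, kind, name, state):
        """Apply one event; return the ticket it touched, or None."""
        ts = datetime.fromisoformat(ts)
        asset = self.assets.get(host)
        if asset is None:
            return None                      # unknown host: nothing to evaluate
        if kind == "control" and name in self.control_state[host]:
            self.control_state[host][name] = state in ACTIVE_STATES
        if asset["scope"] != "SOX":
            return None                      # state is tracked, but only in-scope assets are ticketed
        failed = self.failed_controls(host)
        ticket = self.open_tickets.get(host)
        if failed and ticket is None:
            # Transition from compliant to non-compliant: open the investigation.
            ticket = Ticket(opened=ts, host=host, severity="high", failed_controls=set(failed))
            self.open_tickets[host] = ticket
        if ticket is not None:
            ticket.evidence.append((ts, kind, name, state))
            if kind == "device" and state == "inserted":
                ticket.severity = "critical"  # removable media while a control is down
            if not failed:
                # Controls restored: close the ticket but keep it and its evidence.
                ticket.closed = ts
                self.closed_tickets.append(self.open_tickets.pop(host))
        return ticket


def run():
    """Replay the constructed feed; returns the monitor for inspection."""
    mon = ComplianceMonitor(ASSETS)
    for ev in EVENTS:
        mon.ingest(*ev)
    return mon


if __name__ == "__main__":
    for t in run().closed_tickets:
        print(t.host, t.severity, sorted(t.failed_controls), t.opened, "->", t.closed)
        for e in t.evidence:
            print("   ", *e)
```

Replaying the feed opens a high-severity ticket on fin-db-01 at 22:01, escalates it to critical at 22:03 when the USB device appears, and closes it at 22:20 when antivirus restarts, with all three events preserved as evidence. The same antivirus stop on dev-box-07 changes its recorded state but raises no ticket, which is the inventory doing its job: scope is a property of the asset, not of the event.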

3. Section 409: Real-time issuer disclosures

This requires an organization to quickly communicate material changes in its financial state with supporting data to the public. If this information isn't available because the server grew legs and walked away or backups were not part of the data-resilience policy, then it may be difficult for an organization to prove in court that it cares about protecting investors by improving the accuracy and reliability of corporate disclosures.

In addition to having a solid backup strategy as part of the control framework that will make passing an audit much easier, security controls have to go beyond the traditional IT model. Many organizations use multifactor authentication systems that generate logs, and they are pushing these logs into enterprise monitoring systems along with telephony logs and traditional IT logs. Now tracking and correlating who accessed the server room at 4:00 a.m. on Sunday, the abrupt stop in logs from a critical server in that room at 4:05 a.m., and the realization that the server is gone on Monday morning can all be done from the same, centralized, enterprise monitoring system with the same ease that a brute-force log-in attempt could be detected and investigated.
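The 4:00 a.m. Sunday scenario above, together with the "lack of connectivity to that product" point under Section 404, as an added example that is not part of the original article. The server names, the room assignments, the badge records and the log timestamps are constructed; a real system would take the server side from its log collectors and the physical side from the badge-access system. It shows the two halves of the correlation the text describes: a sweep that flags any monitored server whose log stream has gone silent for longer than a threshold, and a join of each silent server against badge events in the room where it lives around the time its logs stopped.

```python
"""Detect a monitored server going silent and correlate the silence with badge
records from the physical access system.  Added example; hosts, rooms, badge
holders and timestamps are constructed."""
from datetime import datetime, timedelta

# Constructed inventory: the room each monitored server is racked in.
SERVER_ROOM = {"fin-db-01": "server-room-A", "web-02": "dmz-rack-3"}


def _series(host, start, end, step):
    """Build a constructed heartbeat log: one (timestamp, host) entry per `step`."""
    t, end = datetime.fromisoformat(start), datetime.fromisoformat(end)
    out = []
    while t <= end:
        out.append((t, host))
        t += step
    return out


# fin-db-01 logs every five minutes until 04:05 on Sunday 2006-03-12, then stops;
# web-02 keeps logging through Monday morning.
SERVER_LOG = (_series("fin-db-01", "2006-03-12T03:00:00", "2006-03-12T04:05:00", timedelta(minutes=5))
              + _series("web-02", "2006-03-12T03:00:00", "2006-03-13T09:00:00", timedelta(minutes=5)))

# Constructed badge log: (timestamp, room, badge holder, action).
BADGE_LOG = [
    ("2006-03-12T04:00:11", "server-room-A", "contractor42", "entry"),
    ("2006-03-12T04:09:40", "server-room-A", "contractor42", "exit"),
    ("2006-03-13T08:15:02", "server-room-A", "ops-lead", "entry"),
]


def silence_alerts(server_log, now, threshold=timedelta(minutes=30)):
    """Return {host: last_seen} for hosts whose newest log entry (as of `now`)
    is older than `threshold`.  Entries after `now` are ignored so the sweep can
    be replayed at any point in time."""
    last_seen = {}
    for ts, host in server_log:
        if ts <= now and ts > last_seen.get(host, datetime.min):
            last_seen[host] = ts
    return {h: t for h, t in last_seen.items() if now - t > threshold}


def correlate_physical(silent, badge_log, lookback=timedelta(minutes=30),
                       lookahead=timedelta(minutes=30)):
    """For each silent host, collect badge events in its room from `lookback`
    before to `lookahead` after the last log entry, and flag off-hours timing."""
    findings = []
    for host, stopped in silent.items():
        room = SERVER_ROOM.get(host)
        related = []
        for ts, r, who, action in badge_log:
            t = datetime.fromisoformat(ts)
            if r == room and stopped - lookback <= t <= stopped + lookahead:
                related.append((t, who, action))
        findings.append({
            "host": host,
            "room": room,
            "last_log": stopped,
            "badge_events": related,
            # weekday() >= 5 is Saturday/Sunday; business hours assumed 07:00-19:00
            "off_hours": stopped.weekday() >= 5 or not 7 <= stopped.hour < 19,
        })
    return findings


def run(now="2006-03-13T09:00:00"):
    """Sweep at `now` (default: Monday 09:00) and return the correlated findings."""
    now = datetime.fromisoformat(now)
    return correlate_physical(silence_alerts(SERVER_LOG, now), BADGE_LOG)


if __name__ == "__main__":
    for f in run():
        print(f["host"], "in", f["room"], "silent since", f["last_log"],
              "off-hours" if f["off_hours"] else "business hours")
        for t, who, action in f["badge_events"]:
            print("   badge:", t, who, action)
```

Swept on Monday morning, the run reports fin-db-01 silent since 04:05 Sunday, flags the timing as off-hours, and attaches the 04:00 entry and 04:09 exit by contractor42 while leaving the Monday 08:15 entry out of the window. Swept at 04:20 Sunday the same data produces nothing, because fifteen minutes of silence is inside the 30-minute threshold; the threshold is the trade-off between catching a walked-away server quickly and paging on every log-forwarder hiccup.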

Summary

The strategic solutions for compliance and insider threats take a common approach with several areas of overlap. By monitoring the data related to external security issues, insider threats and compliance from across enterprise devices, the information can then be used cross-departmentally to ensure better compliance, higher levels of security and reduced risk. Finally, it can act as a mechanism to align security with organizational business objectives and process while providing valuable insight to internal controls, assisting with risk management and making better use of security best practices.

Brian Contos, CISSP, is the chief security officer at ArcSight Inc., where he assists government organizations and Fortune 500 and Global 2000 companies with security strategy related to enterprise security management systems. He also held security management/engineering positions at Riptech Inc., Lucent Bell Labs, Compaq Computer Corp. and the Defense Information Systems Agency. He has written for several publications and has given numerous presentations in the field of security.
