TL;DR: An effective information security program cannot be implemented without implementing an employee awareness and training program to address policy, procedures, and tools.
Abstract: An effective information security program cannot be implemented without implementing an employee awareness and training program to address policy, procedures, and tools. Learning consists of three key elements: 1. Awareness, which is used to stimulate, motivate, and remind the audience what is expected of them. 2. Training, the process that teaches a skill or the use of a required tool. 3. Education, the specialized, in-depth schooling required to support the tools or as a career development process.
TL;DR: Effective IT and security governance are examined in terms of SOX compliance; Motorola IT security governance demonstrates effective structures, processes, and communications.
Abstract: Several sections of the Sarbanes-Oxley Act of 2002 (SOX) directly affect the governance of the information technology (IT) organization, including potential SOX certification by the chief information officer, Section 404 internal control assessments, “rapid and current” disclosures to the public of material changes, and authentic and immutable record retention. The Securities and Exchange Commission (SEC) requires publicly traded companies to comply with the Treadway Commission's Committee of Sponsoring Organizations (COSO) that defines enterprise risk and places security as a critical variable in enterprise risk assessment. Effective IT and security governance are examined in terms of SOX compliance. Motorola IT security governance demonstrates effective structures, processes, and communications; centralized security leaders participate with Motorola's Management Board to create an enabling security organization to sustain long-term change.
TL;DR: This presentation explains how SOAP, a W3C specification, is the most common binding used to communicate messages between the service consumers and the service provider (the server).
Abstract: A Web service is an application that can be described, published, located, and invoked over the Web. A Web service is identified by a URI, whose public interfaces and bindings are defined and described using XML in a WSDL (Web Service Description Language) document. SOAP, a W3C specification, is the most common binding used to communicate messages between the service consumers (loosely known as clients) and the service provider (the server). SOAP determines how message data should be enveloped and formatted along with metadata (headers).
TL;DR: An effective vulnerability management program will not only guard against hackers, but will also assure minimal impact from hybrid malcode that exploits known vulnerabilities.
Abstract: Companies continue to pay heavily for confronting hacker attacks and responding to rapidly spreading viruses, worms, and Trojans. The impact on an organization can be substantial, ranging from loss of productivity to reputation. Hackers exploit known vulnerabilities. Hybrid malcode not only piggybacks on core services for delivery, but also exploits known vulnerabilities. This article underscores the central role of vulnerability management in ensuring enterprise security. An effective vulnerability management program will not only guard against hackers, but will also assure minimal impact from hybrid malcode that exploits known vulnerabilities.
TL;DR: An overview of cookies, the small files used by companies to collect information about Internet users, and United States and European Union (EU) laws regarding the use of cookies are discussed.
Abstract: This article provides an overview of cookies, the small files used by companies to collect information about Internet users. Although cookies were initially designed to assist users in shopping online, they have become a synonym for the invasion of privacy. The article discusses the structure of cookies, the advantages and disadvantages of cookies, legal issues, and United States and European Union (EU) laws regarding the use of cookies.
TL;DR: An anti-sniffer based on a new detection technique that uses mainly ARP cache poisoning attack to detect sniffing hosts in an Ethernet network is proposed and implemented in a tool called SupCom anti-sniffer.
Abstract: This article discusses an anti-sniffer based on a new detection technique. The proposed technique uses mainly ARP cache poisoning attack to detect sniffing hosts in an Ethernet network, and is implemented in a tool called SupCom anti-sniffer. Four anti-sniffers — PMD, PromiScan, L0pht AntiSniff, and SupCom anti-sniffer — are tested and the evaluation results show that SupCom anti-sniffer succeeded in detecting more sniffing hosts than the other anti-sniffers.
TL;DR: By implementing this program, an organization will fortify its environment, reduce its exposure to threats, and attain the security intelligence it needs to continuously improve its security.
Abstract: Threat Management combines all operational actions of intrusion prevention and protection into a life cycle where one component feeds the next. Effective threat management enables true, enterprisewide intrusion prevention and protection. By implementing this program, an organization will fortify its environment, reduce its exposure to threats, and attain the security intelligence it needs to continuously improve its security.
TL;DR: This work states that one of the most exploitable elements in the chain of security is the password, which is the most common method of authentication and also one of the most easily broken.
Abstract: As the casual and business use of computer systems expands, so do the chances that the security of these systems will be breached. One of the most exploitable elements in the chain of security is the password. This is the most common method of authentication and also one of the most easily broken. Numerous studies have been done on the fitness and memorability of passwords; improved password behavior benefits the security of many systems.
TL;DR: This article presents a technique to hide tree-structured data from potentially malicious data stores, while allowing clients to traverse the data to locate an object of interest without leaking information to the data store.
Abstract: With the increasing use of Web services, many new challenges concerning data security are becoming critical. Especially in mobile services, where clients are generally thin in terms of computation power and storage space, a remote server can be outsourced for the computation or can act as a data store. Unfortunately, such a data store may not always be trustworthy, and clients with sensitive data and queries may want protection from malicious attacks. This article presents a technique to hide tree-structured data from potentially malicious data stores, while allowing clients to traverse the data to locate an object of interest without leaking information to the data store. The two motivating applications for this approach are hiding (1) tree-like XML data as well as XML queries that are in the form of tree-paths, and (2) tree-structured indexes and queries executed on such data structures. We show that this task is achievable through a one-server protocol that introduces only a limited and adjust...
TL;DR: The Web services framework enables composite applications that leverage service-oriented architecture design practices, creating more cost-effective distributed architectures that enable greater agility and easier integration.
Abstract: Service-oriented architectures (SOAs) have become mainstream in the past year due to their ability to provide business agility and flexibility through integration, productivity, and software reuse. The Web services framework enables composite applications that leverage service-oriented architecture (SOA) design practices, creating more cost-effective distributed architectures. As enterprises adopt SOA, they open their systems, enabling greater agility and easier integration.
TL;DR: This research examines spyware's evolution from simple cookies to a range of sophisticated user-tracking systems and its ability to facilitate the disclosure of business information and risk privacy, confidentiality, integrity, and system availability.
Abstract: While obvious security threats like fast-spreading worms have a tendency to garner news headlines, other stealthy security risks threaten businesses every day. Increasing amounts of spyware and adware programs have the ability to facilitate the disclosure of business information and risk privacy, confidentiality, integrity, and system availability. Corporations usually accumulate a vault of information that could cause serious problems if it were shared with the wrong contacts or, even worse, taken. Spyware's evolution from simple cookies to a range of sophisticated user-tracking systems has left many businesses without the control over their proprietary data and operations.
TL;DR: The degree of success of operating within the rules of Title II of the Healthcare Insurance Portability and Accountability Act of 1996 depends upon the ability of the organization to establish a program that ensures thoughtful and consistent execution of the requirements of HIPAA.
Abstract: The degree of success of operating within the rules of Title II of the Healthcare Insurance Portability and Accountability Act of 1996 (HIPAA) depends upon the ability of the organization to establish a program that ensures thoughtful and consistent execution of the requirements of HIPAA.
TL;DR: The article presents a case study of a small insurance company for which the authors helped design, implement and secure computer networks and provides strategies to counter these threats.
Abstract: This article addresses the primary threats to computer networks that a small business might encounter and also provides strategies to counter these threats. It emphasizes the key characteristics associated with each category of security threat and provides approaches to eliminate or alleviate these threats. The article also presents a case study of a small insurance company for which the authors helped design, implement and secure computer networks. This case study further clarifies the concepts and strategies presented in the paper.
TL;DR: The issues to address when building a privacy governance program are discussed, including how business must be conducted, the communications made with customers and consumers, and the technology that enables business processes.
Abstract: Privacy and trust are essential to maintaining good relationships with customers, employees, and business partners. It is also necessary to address privacy issues to comply with a growing number of privacy regulations worldwide. Privacy encompasses how business must be conducted, the communications made with customers and consumers, and the technology that enables business processes. Addressing privacy touches all facets of an organization, including business operations, Web sites and services, back-end systems and databases, communications with third parties, customers, and service providers, and legacy systems. An effective privacy governance program will not only make your customers happier, but it will also mitigate your exposure to regulatory noncompliance, lawsuits, bad publicity, and government investigations. This article discusses the issues to address when building a privacy governance program.
TL;DR: Risks to IT systems are a function of the likelihood that some threat will attack, or exploit, some vulnerability in the system and a calculation of the potential impact resulting from these attacks or exploitations.
Abstract: This article focuses on risks to information technology (IT) systems. Technically speaking, risk to an IT system is a function of the likelihood that some threat will attack, or exploit, some vulnerability in the system and a calculation of the potential impact resulting from these attacks or exploitations.
TL;DR: The writers of new viruses are much better at infiltrating corporate networks; they exploit system vulnerabilities, use sophisticated programming techniques, and constantly change subject lines and attachment names.
Abstract: Customer satisfaction. It is what we all want, but it can be difficult to ensure, even under the best conditions. Especially when your information workplace is under attack. The Radicati Group estimates that threats to the information workplace will cost companies over $54 billion by 2006. The writers of new viruses are much better at infiltrating corporate networks; they exploit system vulnerabilities, use sophisticated programming techniques, and constantly change subject lines and attachment names.
TL;DR: A real need exists to use the benefits of modern technology intelligently to reduce the court backlogs, and cyber courts are a viable alternative to the endless delays that plague court dockets.
Abstract: A real need exists to use the benefits of modern technology intelligently to reduce the court backlogs. Cyber courts are a viable alternative to the endless delays that plague court dockets, but only if they succeed in making courts more efficient.
TL;DR: The market for digital attacks is growing rapidly as the number of networked devices and software vulnerabilities continues to increase and the strategy of responding to intrusions no longer works because the alarms are turning into a new source of organizational white noise.
Abstract: The “market” for digital attacks is growing rapidly as the number of networked devices and software vulnerabilities continues to increase. Organizations are already so deluged with attacks that the current strategy of responding to intrusions no longer works because the alarms are turning into a new source of organizational white noise.
TL;DR: This column reviews the wireless worries and common points of abuse and wisdom to counter such threats.
Abstract: Wireless computing has become increasingly popular and inexpensive in the past few years. As this new field of computing continues to grow at a very fast rate, do the threats against wireless networks concurrently increase? What are the real threats facing wireless networks today, and what can be done to mitigate such threats? This column reviews the wireless worries and common points of abuse and wisdom to counter such threats.
TL;DR: The movie Terminator features a classic plot: man against machine; today that fear has become a real threat in the eyes of some system administrators who have had to deal with something known as a bot.
Abstract: The movie Terminator features a classic plot: man against machine. The concept of a powerful robot machine that can become more powerful than man is a frightening one that has lit up the screens of Hollywood for several decades. Today that fear has become a real threat in the eyes of some system administrators who have had to deal with something known as a bot.
TL;DR: This work has shown that the use of multiple firewalls in security and reliability enhancing topologies is a natural evolution and is rapidly gaining in popularity.
Abstract: Information systems security designers are always looking for ways to increase both risk mitigation and reliability in their system designs. Hence, the use of multiple firewalls in security and reliability enhancing topologies is a natural evolution and is rapidly gaining in popularity.
TL;DR: Congress and the courts have had to address an inevitable result of the new technology — the erosion of personal privacy — and the right to maintain privacy, personal dignity, and anonymity must be maintained.
Abstract: Congress and the courts have had to address an inevitable result of the new technology — the erosion of personal privacy. While our economy depends on the free flow of information, the individual's right to maintain privacy, personal dignity, and anonymity must be maintained. Courts have long recognized that the law must protect private matters and personal data against governmental and business intrusion.
TL;DR: This article represents a comprehensive review of California Senate Bill 1386 (SB1386) and its implications to businesses from both a legal and information security perspective.
Abstract: This article represents a comprehensive review of California Senate Bill 1386 (SB1386) and its implications to businesses from both a legal and information security perspective. Technical requirements to comply with this legislation are set forth, including numerous proactive steps that can be taken by an organization to avoid the significant ramifications of non-compliance. This consumer protection legislation is precedent setting and not limited to California, as evidenced by the recent bill introduced in the U.S. Senate by Senator Diane Feinstein. SB1386 may become the benchmark for customer privacy information protection for the entire United States.
TL;DR: The criminal mind has converged with the ingenuity of hackers and their craft, creating an amalgamation of fearsome proportions; what used to be tools for script kiddies are now weapons employed to threaten people and businesses, manipulate systems, and obtain valuable data.
Abstract: The Internet ushered in a new era of economic and social frameworks that have forever changed the value of data and its value to the criminals that want it. The Internet... connected to a global network means being connected to an unfathomable number of potential threats. In the beginning, it was the intellectual curiosity of capable computer geeks that began to test the limits of systems on the Internet, looking around to see what could be found, used, or exploited for personal status or a feeling of achievement. As the use of the Internet grew, early hackers began to find interesting and sometimes valuable data and systems. During this time, the once floppy-bound viruses began to wreak havoc in the now highly decentralized environment, while the growing hacker community found more holes to crawl through and take over systems. It was referred to as the Wild West — an untamed mess of lawless activity in a burgeoning economic and social infrastructure. Much like the old West, the Internet was a new frontier and as people moved in to build, expand, and seek new opportunities, they brought valuables as seeds for the new adventure. And like the old West, opportunistic criminals sought to take advantage of unsuspecting pioneers. As traditional social constructs mature, they do so for criminals as well, allowing them to combine forces and share in the benefits of social agreement. This is nothing new for criminals. Gangs and tribes have been around since the dawn of man and organized crime for millennia. However, the Internet has accelerated development of E-society and, furthermore, it promotes the coalition of disparate criminally inclined persons who in the physical world would never seek partnership. Of course, and as expected, the Internet has put a new twist on criminal collaboration. The criminal mind has converged with the ingenuity of hackers and their craft, creating an amalgamation of fearsome proportions.
What used to be tools for script kiddies are now weapons employed to threaten people and businesses, manipulate systems, and obtain valuable data. Groups of hackers are banding together, worm writers are creating hooks for others, and Internet zombies are taking on a new role in crime. Internet zombies used as distributed denial of service (DDoS) attack points were at one time a big issue for the security industry. While the threat of DDoS has not subsided, the concept’s logic pales in comparison to the sophistication of distributed data manipulation necessary to act as nodes in a global illicit commodities trading system. Cyber criminals are stealing, buying, and selling credit card numbers, people’s identities, and other illegal products utilizing the Internet. Hackers from all over the world will, if only for a short time, work together to attack a specific target, steal information, and sell it on the Internet. The Internet offers a unique platform for groups to form
TL;DR: Looking back a few years to gain some insight into the dynamics of network security and how it has evolved to meet the maturing threats present when connecting any private network to the public Internet is suggested.
Abstract: To fully understand and appreciate the current environment one will be working in, it is important to look back a few years to gain some insight into the dynamics of network security and how it has evolved to meet the maturing threats present when connecting any private network to the public Internet.
TL;DR: An axiom from economics popular in the 1960s, the words have no known source, though have been dated to the 1840s, when they were used in saloons where snacks were offered to customers.
Abstract: There is no such thing as a free lunch. According to the Columbia World of Quotations,1 the root of this quotation is as follows: An axiom from economics popular in the 1960s, the words have no known source, though have been dated to the 1840s, when they were used in saloons where snacks were offered to customers. Ascribed to an Italian immigrant outside Grand Central Station, New York, in Alistair Cooke's America (epilogue, 1973), the expression appears in Robert A. Heinlein's The Moon Is a Harsh Mistress, ch. 11 (1966), but has become most closely associated with economist Milton Friedman, who made it the title of a book in 1975.
TL;DR: Before the crash, investors would purchase stock in new technical companies without even looking at a business plan, creating thousands of “paper millionaires” and when the bubble burst, investors lost huge amounts of money.
Abstract: Dot.com companies began to collapse early in 2000. Before the crash, investors would purchase stock in new technical companies without even looking at a business plan. Companies established in a programmer's family room were offering stock within months and investors were buying, creating thousands of “paper millionaires.” Financiers never bothered to investigate, for example, how long the company would have to remain in business before they could expect to make a profit. When the bubble burst, investors lost huge amounts of money. Between March 2000 and October 2002, the NASDAQ Composite lost 78 percent of its value as it fell from 5046.86 to 1114.11. Law firms specializing in bankruptcy were busier than ever before.
TL;DR: Consumer instant messaging services (aka public IM) such as AOL Messenger, Yahoo!
Abstract: Consumer instant messaging (CIM) services (aka public IM) such as AOL Messenger, Yahoo! Messenger, and MSN Messenger have achieved critical mass appeal and usage as a convenient and informal method of communication supporting real-time messaging and presence awareness.1,2 Unfortunately, these services are highly vulnerable from a security standpoint. Some of these security problems include threats from viruses and worms, Trojan horses, identity theft, impersonation, eavesdropping, data loss, and denial-of-service attacks.
TL;DR: Biometrics can be defined as the science by which an individual is identified through analyses of physical data and behavioral characteristics, which include fingerprints, hand or palm geometry, retina or iris scans, voice or facial characteristics, keystroke patterns, and gait.
Abstract: Biometrics can be defined as the science by which an individual is identified through analyses of physical data and behavioral characteristics.1 The measurement of an individual's characteristics quantifies his or her physical and behavioral characteristics. The physically unique characteristics include, but are not limited to, fingerprints, hand or palm geometry, retina or iris scans, voice or facial characteristics, keystroke patterns, and gait. These presumably unique characteristics are used, in turn, to recognize (identify), authenticate, deny, or grant access based on the individual's characteristics.
TL;DR: This book describes the fall of Arthur Andersen, Enron, Tyco, Healthsouth, Global Crossing, WorldCom, and others, which have cost investors and taxpayers billions of dollars.
Abstract: In recent years, the press has reported many high-profile corporate frauds, leading in turn to major bankruptcies. Congressional committees have investigated widespread financial misstatements in some of America's most trusted organizations. Employees saw their pension funds and life savings evaporate after unscrupulous executives pocketed the last remaining assets. The fall of Arthur Andersen, Enron, Tyco, Healthsouth, Global Crossing, WorldCom, and others has cost investors and taxpayers billions.