Using investigations to satisfy Sarbanes-Oxley requirements; learning from 2003's vulnerability onslaught

Companies Ill-Equipped to Conduct Internal Investigations to Satisfy Sarbanes-Oxley

Self-policing? Internal investigations? If new Sarbanes-Oxley Act of 2002 guidelines lead to head scratching, refer to a white paper from computer forensics and incident response provider Guidance Software.

"Internal Computer Investigations as a Critical Control Activity" details how internal computer investigations can be used to meet Sarbanes-Oxley requirements, which can punish corporate officers who break the law with $5 million fines and 20 years of jail time.

“The cornerstone of Sarbanes-Oxley is that companies must engage in effective self-policing in order to combat internal financial fraud,” notes John Patzakis, president and CEO of Guidance.

Doing so is a different matter. “Many companies, however, are ill-equipped to acquire the necessary electronic data that is central to identifying and responding to incidents of fraud,” according to the white paper. In addition, beyond companies’ policy work, “relatively few have implemented the IT infrastructure that will enable companies to turn anti-fraud policies into concrete results.”

The white paper spells out for executives the costs—including technology (such as forensics) and investigation procedures—of creating an internal investigation team, as well as the benefits, which include the ability to better maintain Sarbanes-Oxley-mandated corporate controls.

White paper link:

Vulnerabilities: A Look Back, A Look Ahead

How was 2003 for viruses, worms, and other malware?

While the number of incidents dropped over the past year—nine major outbreaks and 26 smaller ones for 2003 (versus 12 major and 34 minor for 2002)—“the scale and the impact they have on the Internet has increased significantly,” says anti-virus software company Kaspersky Labs, which released a round-up of 2003 virus activity.

The verdict: things are getting worse. In fact, two high-profile worms—Blaster and Slammer—rendered “2003 the year of ceaseless e-mail worm outbreaks,” and, of course, clean-up jobs. Interestingly, both Blaster and Slammer caused their devastation not by being “classic e-mail worms” but rather as “worms modified for the Internet which spread as network data packets.” This design allowed them to spread—as most remember—extremely rapidly, increasing worldwide Internet traffic by 40 to 80 percent in just minutes. Though worm researchers had already coined a term for the phenomenon in 2001 (the flash worm), they had not seen one in the wild before.

While other security “firsts” were few, security administrators got to deal with the same old problems, including that old favorite, social engineering. The Swen worm spread beginning in September 2003 thanks to being attached to an e-mail purporting to be a virus fix from Microsoft. Call it a case of graphic design gone wrong: the message looked authentic, down to the font and icons, leading many users to install it.

So what can we expect in 2004? Besides the ever-popular end-run around users (such as Swen), Kaspersky says virus-writer innovation should continue. For example, last year’s Afcore was a backdoor Trojan program which, though it didn’t spread extensively, illustrates new approaches to crafting tenacious malware. Afcore “conceals itself in a system by writing its code to alternate data streams of the NTFS file system,” notes Kaspersky. What is notable is that the code is hidden in streams attached to directories rather than files, which makes it considerably harder to spot. It’s part of a trend to watch for—viruses and worms attempting to evade or even deactivate anti-virus and firewall defenses.
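To show what an administrator can do about the hiding technique Kaspersky describes, here is an added example, not code from the article or from Kaspersky, that walks a directory tree and lists every named NTFS alternate data stream on files and directories alike. It assumes Windows PowerShell 3.0 or later on an NTFS volume, that `Get-Item -Stream *` enumerates streams on directories in the PowerShell version in use, and the function name and sample path are this example's own inventions:

```powershell
# Added example (not from the article): surface named NTFS alternate data streams,
# including those attached to directories, under a chosen root.
# Assumes Windows PowerShell 3.0+ on NTFS; Find-AlternateDataStream is a hypothetical name.
function Find-AlternateDataStream {
    param(
        [Parameter(Mandatory)] [string] $Root,
        [long] $MinBytes = 0          # ignore tiny streams below this size when set
    )

    # Start with the root itself, then everything below it (hidden items included).
    $targets = @(Get-Item -LiteralPath $Root -Force) +
               @(Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue)

    foreach ($item in $targets) {
        # '-Stream *' lists all streams on the object. ':$DATA' is the ordinary
        # file content, so anything else is a named alternate stream.
        $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                   Where-Object { $_.Stream -ne ':$DATA' -and $_.Length -ge $MinBytes }

        foreach ($s in $streams) {
            [pscustomobject]@{
                Path        = $item.FullName
                IsDirectory = $item.PSIsContainer   # the case the article flags as unusual
                Stream      = $s.Stream
                Bytes       = $s.Length
            }
        }
    }
}

# Constructed usage: report streams of 1 KB or more, directories first.
Find-AlternateDataStream -Root 'C:\Example\Share' -MinBytes 1024 |
    Sort-Object IsDirectory -Descending |
    Format-Table -AutoSize
```

The `Zone.Identifier` stream that Windows attaches to downloaded files is a common and benign hit, so the size filter and the `IsDirectory` column are what make the output useful: a directory carrying a stream the size of an executable is the pattern worth examining further, for instance by reading it with `Get-Content -Stream` into a hash for comparison against known malware signatures.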

For the full Kaspersky release, see:

About the Author

Mathew Schwartz is a Contributing Editor for Enterprise Systems and writes its Security Strategies column, as well as being a long-time contributor to the company's print publications. Mr. Schwartz is also a security and technology freelance writer.