We have been brainwashed... 2258

  • Do you know which is the first word that pops up in mind after the words Sarbanes-Oxley?
    The word control.
    The COSO paper repeats this word 1368 times (in 163 pages.). We have been brainwashed.
    Frequency analysis is a great tool in cryptanalysis (codebreaking), but it is also useful to feel a document. The word internal appears 846 times, about eight times the frequency of the word external (123 times). It is obvious that COSO has shifted the focus from network security and external threats to internal threats and internal fraud.
    The word objective appears in the COSO document 452 times. The word business 124 times. The words attack or defence 0 times. It is not encouraging that you will find the word hacker twice. Let’s read COSO:
    Effective access security controls can protect the system, preventing inappropriate access and unauthorized use of the system. If well designed, they can intercept hackers and other trespassers’
    Former or disgruntled employees can be more of a threat to a system than hackers; terminated employee passwords and user IDs should be revoked immediately. By preventing unauthorized use of and changes to the system, data and program integrity are protected
    If only it was that simple.

  • Some interesting thoughts as ever.
    That said I think it is right to emphasise the internal threat over the external one as generally it is greater

  • Denis, I agree. Absolutely.
    Hackers, you have lost the battle of publicity. Sophisticated internal fraud artists are much better than you. They not only hack the company, they are paid from the same company to do it as well.

  • Yes - I agree with the good comments of Denis and George. Having worked a decade in IT security (and still have an on-going interest), I had read that 80% of the security breaches occur the inside.%0ASecurity is often described as a hard ‘outter shell’ to keep the bad guys out, but the controls on the inside are ‘soft and gooey’ (meaning that authenticated users have a tremendous amount of confidential information they can freely access). Once the bad guys break past the egg shell, then they can do likewise, (and they are more apt to misuse it).%0AIt’s very easy to email sensitive items outside that ‘outter shell’ if an account exec were leaving and wanted to take a list of customers. Better yet, bring in a USB flash drive or even MP3 player and load up 2 or 4 gigabytes of data :(%0ACompanies need good policies, technological defenses, security awareness training and MOST OF ALL trustworthy professionals working for them.

Log in to reply