Experton Group is the leading fully integrated research, advisory and consulting company for mid-sized and large organizations, maximizing the business value of their ICT investments through innovative, neutral and independent expert advice.
Experton Group offers consulting services, market surveys, conferences, seminars and publications related to information and communications technology issues.
Our consulting portfolio includes technology, business processes, management and business cooperations, investments and mergers.
14.01.2008
Security Standards Improve Compliance, yet Security Protection Remains Elusive
The FISSO recently developed a new set of security standards for the banking industry. In other news, a new virulent security worm has been found in computer networks, while a bug in the Firefox browser may allow hackers to get user passwords.
Focal Points:
- The Financial Information Systems Security Organization (FISSO) approved a new set of security and compliance standards at its annual meeting. FISSO started in 2003 in order to establish a set of security standards for the banking industry to follow. The Standards of Security (SOS) that FISSO developed will be available to any member for the next 18 months.
- Security researchers have recently reported on a worm that is designed to interact with Internet chat protocols. Researchers have been aware of the Nugache Worm for approximately two years. However, it is now being associated with a criminal network, which has added encryption and rootkit capabilities, significantly increasing its ability to spread across the Internet. Every generated version is also slightly modified, making it very difficult to detect. Additionally, it is controlled via peer-to-peer mechanisms, making it hard to stop once it has infected machines.
- Security personnel have discovered a problem in how Firefox handles logons. The fault could possibly be used by hackers to trick people into giving up their passwords. This security flaw is found in Firefox version 2.0.0.11. The flaw allows the authentication header’s Realm value to be modified, which lets hackers pretend their packets are coming from authorized sites. Mozilla officials are investigating the vulnerability.
Experton Group believes IT executives need to focus on improving security policy and process to get in front of ever-increasing security threats. While emerging technology will continue to be developed to bring awareness to new threats, the threat environment is likely to develop new exploits faster than the security community can mitigate the threats. For this reason, the best way for companies to protect themselves is to have policies in place that make it more difficult to exploit any weaknesses that may exist. These policies can only be effective if all members of the business community understand them and security and IT personnel are involved in education and rigorous enforcement.
Press
Suzette Heydenreich
Tel.: +971 4 360 8699
Fax: +971 4 361 5699
suzette.heydenreich@experton-group.com