NEWS

January 2010 Computer Fraud & Security 5

information security controls to manage risk in technology environments.

The certification will identify and measure skills related to risk identification, response, and monitoring, said ISACA. It will also evaluate professionals’ ability to design, implement, monitor and maintain information security controls.

CRISC is designed to help employers identify experts in this field, explained ISACA. “We conducted an extensive amount of research globally and found that enterprises are becoming more risk-aware and are looking to identify professionals who possess the skills to help them protect their assets and enhance their businesses,” said Urs Fischer, the chair of the CRISC task force within ISACA. “CRISC fills a gap that currently exists in the marketplace.”

“We conducted an extensive amount of research globally and found that enterprises are becoming more risk-aware and are looking to identify professionals who possess the skills to help them protect their users and enhance their businesses”

ISACA, which focuses on audit, risk, and governance disciplines, will administer the first CRISC examination next year, although it will be possible for professionals to be ‘grandfathered in’ without passing an exam. The industry body will announce details of that scheme in April.

This is the fourth certification launched by ISACA. It also offers the Certified Information Systems Auditor (CISA), Certified Information Security Manager (CISM), and the Certified in the Governance of Enterprise IT (CGEIT), which is its most recent certification, launched in 2006.

ISACA is also the publisher of the Risk IT standard for managing risk in IT, and the COBIT standard for IT governance.

Targeted attacks against military contractors discovered

Evidence of further targeted attacks surfaced last month, just days after Google and other technology companies announced that they had been the victims of a concerted campaign. This time, the attacks targeted PDFs of those in the US defence community, and occurred more recently.

Anti-malware company F-Secure found the attack, embedded in a PDF document purporting to come from the US Air Force. “The document talks about a real conference to be held in Las Vegas in March”, said Mikko Hyppönen, chief research officer at F-Secure.

The PDF document advertises the Mission Planning Users Conference (MPUC 2010), taking place in March. When opened, the PDF exploits the CVE-2009-4234 vulnerability, which lies in the doc.media.newPlayer function within Adobe Reader.

While Adobe patched this vulnerability on January 12, it has not yet switched on the silent auto update functionality for Acrobat or Reader’s user base. This means that anyone not expressly agreeing to implement a patch will still be vulnerable to this attack.

“While the ‘Aurora’ attacks against Google and others happened in December 2009, this happened just last week”

According to F-Secure’s analysis, the exploit drops a file called Updater.exe, which connects to an IP address in Taiwan, and bypasses any local web proxies in the process.

“While the ‘Aurora’ attacks against Google and others happened in December 2009, this happened just last week,” Hyppönen said.
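The exploit described above works through a JavaScript call into doc.media.newPlayer. As an added example that is not part of the original news item and not code from F-Secure or Adobe, the following Python scanner shows the kind of triage check a mail gateway or incident responder could run over a suspect PDF: it pulls out every stream object, inflates FlateDecode streams, and reports any stream that references media.newPlayer together with the presence of a /JavaScript action. The sample documents are constructed inline as marker strings (not real exploit content); the function names and the indicator list are this example's own choices. A real sample may obfuscate the call or use stream filters other than FlateDecode, so a clean result from this scanner is not proof of a clean file, and patching Reader remains the actual fix.

```python
import re
import zlib

# Indicator taken from the news item: the vulnerable Adobe Reader JavaScript
# function (CVE-2009-4234). Matching the raw name is a triage heuristic only.
INDICATORS = (b"media.newPlayer",)

# Match "stream ... endstream" bodies. The lookbehind stops the "stream" inside
# "endstream" from being taken as the start of a new stream object.
STREAM_RE = re.compile(rb"(?<!end)stream\r?\n(.*?)\r?\nendstream", re.DOTALL)


def extract_streams(pdf: bytes):
    """Yield the content of every stream object, inflating FlateDecode ones."""
    for match in STREAM_RE.finditer(pdf):
        body = match.group(1)
        # The stream dictionary (<< ... >>) immediately precedes the keyword.
        dict_start = pdf.rfind(b"<<", 0, match.start())
        dictionary = pdf[dict_start:match.start()] if dict_start != -1 else b""
        if b"/FlateDecode" in dictionary:
            try:
                body = zlib.decompress(body)
            except zlib.error:
                # Damaged or multi-filter stream: skip it rather than crash.
                continue
        yield body


def scan_pdf(pdf: bytes) -> list:
    """Return a list of findings; an empty list means no indicator was seen."""
    findings = []
    for index, data in enumerate(extract_streams(pdf)):
        for indicator in INDICATORS:
            if indicator in data:
                findings.append(f"stream {index}: references {indicator.decode()}")
    # Only report the JavaScript action when an indicator was actually found;
    # many benign PDFs carry harmless scripts and a bare /JS is not a finding.
    if findings and (b"/JavaScript" in pdf or b"/JS" in pdf):
        findings.append("document carries a /JavaScript action")
    return findings


def build_sample_pdf(js: bytes, compress: bool) -> bytes:
    """Constructed minimal PDF-like document holding one script stream.

    Test data for this example only; it is not a real exploit document.
    """
    if compress:
        body = zlib.compress(js)
        dictionary = b"<< /Length %d /Filter /FlateDecode >>" % len(body)
    else:
        body = js
        dictionary = b"<< /Length %d >>" % len(body)
    return (
        b"%PDF-1.4\n"
        b"1 0 obj\n" + dictionary + b"\nstream\n" + body + b"\nendstream\nendobj\n"
        b"2 0 obj\n<< /Type /Action /S /JavaScript /JS 1 0 R >>\nendobj\n"
        b"%%EOF\n"
    )


# Constructed samples: the suspicious ones carry only the marker call, and the
# benign one carries an unrelated script so the scanner stays quiet on it.
SUSPICIOUS_COMPRESSED = build_sample_pdf(b"this.media.newPlayer(null);", compress=True)
SUSPICIOUS_PLAIN = build_sample_pdf(b"this.media.newPlayer(null);", compress=False)
BENIGN = build_sample_pdf(b"app.alert('Welcome to MPUC 2010');", compress=True)

if __name__ == "__main__":
    for name, doc in (("compressed", SUSPICIOUS_COMPRESSED),
                      ("plain", SUSPICIOUS_PLAIN),
                      ("benign", BENIGN)):
        print(name, scan_pdf(doc) or "clean")
```

Running the block prints a finding for both suspicious samples and "clean" for the benign one. Inflating streams is the part that matters in practice: a scanner that only greps the raw file misses anything inside a compressed object, which is where document exploits normally keep their script.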

Employees downloading more illegal files

Software as a service company ScanSafe has found a 55% increase in illegal download attempts over corporate networks.

The number of attempts to download illegal MP3s and software has increased by more than half over the last three months, according to ScanSafe, which regularly monitors network traffic on behalf of its clients. The data comes from network traffic monitored across more than 100 countries, ScanSafe said.

The company pointed to US student Joel Tenenbaum as the recipient of a $675 000 (£421 000) fine for illegal music downloads. The fine covered just 30 tracks, and amounted to $22 500 per song.

“Employees mistakenly assume they can use the internet at work in exactly the same way as they use it at home, and this is potentially one of the reasons for this steady increase in illegal download attempts over recent months,” said Spencer Parker, director of product management at ScanSafe. “Inappropriate internet use in the workplace can put the employer at risk for legal liabilities.”

He warned that employers can be held legally responsible for wrongful acts committed by employees on corporate networks. Even if the employer expressly forbids the action, it may still be held responsible under a principle known as ‘vicarious liability’, ScanSafe warned. It added that aside from the legal risk, corporate networks can be made vulnerable to malware from infected systems sharing software.

“Employees mistakenly assume that they can use the internet at work in exactly the same way as they use it at home”

ScanSafe advised employers to create concrete policies defining allowable uses of the internet while at work. The policies should also outline the consequences of non-compliance, and staff should be made to acknowledge that they understand these rules.