
The (Cyber Security) Fuss About Sarbanes-Oxley

In the cyber security news realm, there’s been a lot of talk these days about Sarbanes-Oxley. To give some formal background, the Sarbanes-Oxley Act of 2002 (sometimes referred to as SOX or Sarbox) was passed by Congress in 2002 to keep companies from participating in dubious financial activity. The Act requires companies to provide disclosures of their internal accounting reports. It was a response to the early 2000s, when we saw a lot of sketchy activity by corporations such as Enron and WorldCom. The Act overhauled the system of internal controls at corporations. Before SOX, companies used consultants or “auditors” for their corporate financial reports, but because the act of being an internal consultant could be so lucrative in itself… well, I’m sure you could say that there was a conflict of interest.

Sarbanes-Oxley? Cyber Security?

Other than being difficult to pronounce, there might be some confusion about what this Act has to do with cyber security. When Senator Paul Sarbanes and Representative Mike Oxley proposed the bill, the world was still becoming acquainted with the digital realm. Although cyber security was an issue, it was not as prevalent as it is today. That is why, back in April of 2016, Representative Jim McDermott proposed a bill to amend SOX.

For example, let’s take a look at the original Section 302 of SOX. It states that the CEO and CFO of a company must certify that reports are correct, and hence places the final responsibility for the report on the highest executives of a company. It signifies the critical nature of financial reporting. The changes Rep. McDermott has proposed would bring cyber-security systems into the Act: they would extend the Section 302 certification to the company’s CSO or CTO, and would add information systems and cyber security systems to the requirements for financial statements.

Rep. McDermott has proposed other amendments as well, clarifying the sections of the Act and adding cyber-security-focused issues to them.

The Need in Government

This makes perfect sense, as the information or data behind any review could be manipulated through a cyber attack or data breach. In this digital age, would you trust a database that hasn’t been encrypted? Or a company that doesn’t use a web application firewall? Not likely, because we take it as a given that companies will secure our information. However, what we take as a given in everyday society is slower to find its way into legislation.

It’s only recently that more representatives and senators have started to think that cyber security measures might be a good idea. Take for instance the recent political debacle within the presidential election regarding issues of hacking. Whether it’s left, right, Europe or North America, we’ve all started to see arguments here and there, and true vulnerabilities within the government sector.

What’s Next For SOX?

So what now? The unfortunate reality is that this particular bill is probably not going to pass. Perhaps representatives and senators don’t see enough tangible urgency. However, there are tangible steps that you can take.

First, talk to your local representative or senator. Vocalize the need for cyber security to be implemented into the legislation of whatever country you live in. After all, because of the funnel system, to get your voice heard you have to go to the step right above you.

Second, push corporations directly to follow cyber security standards, even without legislation pushing them. If enough corporations implemented proper internal controls within their enterprises, there would be less of a hassle in lobbying and pushing bills to get these changes implemented. Even the smallest company can start with a WAF or use encryption for its databases.

Unfortunately, legal compliance sometimes comes only after the majority has already started to accept certain necessary practices, and it might be that way for cyber security. Although I sure hope I’m wrong, the best bet you can make is to secure it for yourself.


References:

Cybersecurity Systems and Risks Reporting Act, H.R. 5069, 114th Cong. (2016).

Hamilton, J., & Trautmann, T. (2002). Sarbanes-Oxley Act of 2002: Law and explanation: As signed by President George W. Bush on July 30, 2002. Chicago: CCH.


Cited by Gartner in 2016 Hype Cycle for Data Security

Listed as sample vendors for FPE and Database Encryption, Penta Security receives attention for its developments

Seoul, Korea: Penta Security Systems Inc., a leading Web and Data security provider in the Asia-Pacific region, announced that it has been listed as a sample vendor for two technologies, Format Preserving Encryption (FPE) and Database Encryption, in the Gartner 2016 Hype Cycle for Data Security.[1] Each year, Gartner, Inc. publishes visual representations of the maturity and adoption of various technologies and applications. It cites vendors that are relevant to business development in the particular field. Within the last year, numerous corporations and entities worldwide have had their data breached. This further highlights the need for data security and encryption technologies.

Database Encryption

In 2016’s Hype Cycle for Data Security, Penta Security was cited as a sample vendor for Database Encryption. Database Encryption sits in the early-mainstream stage of maturity. Penta Security’s Head of Planning, Duk Soo Kim, stated, “After research and development over the course of many years, we’re pleased to see the technology becoming increasingly prevalent in the market. As the industry continues to develop and mature, we will most certainly be keeping up with the latest in database encryption technology.”

FPE (Format Preserving Encryption)

Additionally, Penta Security was listed under Format Preserving Encryption as a sample vendor. Still largely a new field, FPE allows encrypted data to keep its structure with minimal modifications. While previously less utilized, its adoption has become more widespread since NIST (the National Institute of Standards and Technology) established standards for secure FPE implementation. Regarding this listing in the Hype Cycle, Kim remarked, “Technology and security are constantly changing and being challenged. Therefore, being named as a sample vendor for a technology like FPE confirms that we are implementing technologies taken on by early adopters, not just traditionally utilized.”

Penta Security is a leading vendor of data security solutions, including its encryption solution, D’Amo. Using FPE technology, D’Amo allows encryption to be applied to sensitive data fields without modifying the schema of the database environment. As the data businesses hold in their mission-critical applications (such as ERP, CRM, HRM) becomes increasingly complex, continued attention to data security practices is crucial.
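The property the two paragraphs above rely on (a ciphertext that keeps the length and character set of the plaintext, so it fits the existing column without a schema change) is easier to see in code than in prose. The block below is an added illustration written for this page; it is not Penta Security’s D’Amo code and it is not a NIST-conformant implementation. It follows the same unbalanced-Feistel shape that NIST SP 800-38G’s FF1 mode uses, but swaps in HMAC-SHA256 as the round function and fixes the round count, so it shows the mechanism rather than the standard. The key, the card-number-shaped sample value and the helper names (`fpe_encrypt`, `fpe_decrypt`, `encrypt_keeping_format`) are all constructed for the example. It also goes one step beyond the text by keeping separators such as dashes in place, encrypting only the digits.

```python
import hmac
import hashlib

# Toy format-preserving cipher over decimal digit strings. Added example for
# this page: same Feistel structure as NIST FF1, but an HMAC-SHA256 round
# function and a fixed round count, so it is NOT FF1/FF3 and not a
# standards-conformant implementation. Key and sample values are constructed.

ROUNDS = 10


def _round_function(key: bytes, tweak: bytes, round_no: int, half: str, width: int) -> int:
    """Pseudorandom function for one Feistel round.

    Mixes the tweak, the round number and the other half of the state into an
    HMAC, then reduces the digest to an integer of at most `width` digits.
    """
    msg = tweak + bytes([round_no]) + half.encode("ascii")
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)


def _split(digits: str):
    """Split into a left half of u digits and a right half of v digits (as FF1 does)."""
    if len(digits) < 2 or not digits.isdigit():
        raise ValueError("input must be a string of at least two ASCII digits")
    u = len(digits) // 2
    return digits[:u], digits[u:], u, len(digits) - u


def fpe_encrypt(key: bytes, plaintext: str, tweak: bytes = b"") -> str:
    """Encrypt an n-digit string to another n-digit string (same length, digits only)."""
    a, b, u, v = _split(plaintext)
    for i in range(ROUNDS):
        m = u if i % 2 == 0 else v  # width of the half being replaced this round
        c = (int(a) + _round_function(key, tweak, i, b, m)) % (10 ** m)
        a, b = b, str(c).zfill(m)   # zfill keeps leading zeros, i.e. the width
    return a + b


def fpe_decrypt(key: bytes, ciphertext: str, tweak: bytes = b"") -> str:
    """Invert fpe_encrypt by running the same rounds backwards."""
    a, b, u, v = _split(ciphertext)
    for i in reversed(range(ROUNDS)):
        m = u if i % 2 == 0 else v
        c = (int(b) - _round_function(key, tweak, i, a, m)) % (10 ** m)
        a, b = str(c).zfill(m), a
    return a + b


def encrypt_keeping_format(key: bytes, value: str, tweak: bytes = b"") -> str:
    """Encrypt only the digits of a value like '4111-1111-1111-1111'.

    Separators stay where they are, so the result still matches whatever
    pattern the database column or application validates against.
    """
    digits = "".join(ch for ch in value if ch.isdigit())
    enc = iter(fpe_encrypt(key, digits, tweak))
    return "".join(next(enc) if ch.isdigit() else ch for ch in value)


def decrypt_keeping_format(key: bytes, value: str, tweak: bytes = b"") -> str:
    """Inverse of encrypt_keeping_format."""
    digits = "".join(ch for ch in value if ch.isdigit())
    dec = iter(fpe_decrypt(key, digits, tweak))
    return "".join(next(dec) if ch.isdigit() else ch for ch in value)


if __name__ == "__main__":
    key = b"constructed-demo-key-not-for-real-use"   # constructed sample key
    card = "4111-1111-1111-1111"                      # constructed sample value
    protected = encrypt_keeping_format(key, card)
    print(card, "->", protected)                      # still 19 chars, dashes at the same places
    assert decrypt_keeping_format(key, protected) == card
```

The point to take from the output is structural: a 16-digit input yields a 16-digit output, so a `CHAR(16)` or `CHAR(19)` column and any length or digit-only validation on it keep working, which is exactly why the press release can talk about encrypting fields "without modification to schema". A conventional block cipher plus encoding would instead produce a longer, non-numeric value. For production use the standardised FF1 construction (with AES as the round function and the domain-size limits the standard specifies) is what an FPE product is expected to implement; this block only shows the shape of the idea.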

Disclaimer:

Gartner does not endorse any vendor, product or service depicted in its research publications, and does not advise technology users to select only those vendors with the highest ratings or other designation. Gartner research publications consist of the opinions of Gartner’s research organization and should not be construed as statements of fact. Gartner disclaims all warranties, expressed or implied, with respect to this research, including any warranties of merchantability or fitness for a particular purpose.

About Penta Security:

With over 19 years of IT security expertise, Penta Security Systems Inc. (CEO/Founder Seokwoo Lee) is recognized by Frost & Sullivan as 2016’s Asian Cyber Security Vendor of the Year. For more information on Penta Security and its encryption technology, please visit www.pentasecurity.com. For partnership inquiries, please email info@pentasecurity.com.


[1] Gartner, Hype Cycle for Data Security, 2016 by Brian Lowans, July 13, 2016: https://www.gartner.com/doc/3371735/hype-cycle-data-security-


Top 3 Web Security Misunderstandings by Small Businesses

Web security seems to be the buzzword in the news the past couple of years, with stories of legendary hacks hitting companies like Target, Home Depot, J.P. Morgan, and Sony, just to name a few. However, because we always hear about these hacks happening to big and established companies, we often think that these kinds of attacks will never happen to us. After all, why would a hacker want to attack a small business when they can attack the Sonys of the world? Unfortunately, although many people think that, it couldn’t be further from the truth. And there are even more web security misunderstandings.

So, here are small businesses’ top 3 web security misunderstandings:

1. I already have minimum web security.

A lot of people think that their Content Management System (e.g. WordPress, GoDaddy, etc.) offers website protection. However, you couldn’t be further from the truth. According to Security Week, WordPress is the most attacked Content Management System (CMS), being hacked 24.1% more than other CMS systems.

CMS services are created to publish and maintain your website; they aren’t created to protect it. So, just as a museum needs a security system to protect its priceless treasures, your website needs one to protect all your precious data. Web protection doesn’t have to be overwhelming.

2. My business is too small to be attacked.

No website or business is too small to be attacked. In fact, according to Symantec, three out of five businesses hacked are small businesses. Hackers actually prefer to hack small businesses, as they often have no web security, so their websites can be hacked in minutes. Also, small businesses have no way of fighting back. This way, hackers can hack dozens of websites in a few hours and probably never get caught.

3. It’s too troublesome and expensive to get web security.

You’re a busy person: you have to manage a business both online and offline. So, the last thing you want to do is figure out what the heck an SSL certificate is or what a DDoS attack is. Also, adding another expense to your costs doesn’t sound that appealing. However, just like going to the dentist, although you don’t want to do it, it’s something that is necessary to the health of your business.

But there is good news: web protection isn’t actually that hard to figure out or expensive. Cloudbric is a cloud-based web application firewall (WAF) that blocks malicious web traffic coming to your website and is free to websites with less than 4 GB of monthly web traffic. We take care of all your web protection, so all you have to do is register your domain.

So, take control of your business and fight those web security misunderstandings! A cyber-attack can actually happen to anyone, so it’s better to protect yourself before it’s too late.


Top 5 Cyber Security Movies

With the rise in cyber security-related occurrences in the general media, it only makes sense that it would spill over into entertainment. For example, the 2016 releases of “Jason Bourne” or “Now You See Me 2” both deal with the issues of privacy in the cyber realm in some form or another. But this isn’t new, by any means. The possibilities are endless on film. In fact, cyber security movies have been around ever since the very beginning of the digital era.

Screenwriters and directors have constantly been exploring the “what if” moments of privacy. What if the government is watching us? What if there’s a chip that can unlock all devices? What if, what if, what if? And although it might seem like the directors are being unrealistic, what’s surprising is that many of the films made in the past contain technologies that we now use in the present!

So today on the blog, let’s take a look at some general and industry-favorites to compare the past and future:

The Top 5 Cyber Security Movies that you need to see right now!

1. Sneakers (1992)

No, the title does not refer to a type of athletic shoe. It’s a movie about a group of nerds who are spies, chased by government men after discovering a cyber attack program that can penetrate any security system. Nowadays we can imagine such things, but back in the early 90s, software like that was unthinkable.

This movie is worth watching, especially as it stars Robert Redford, Sidney Poitier and Dan Aykroyd, and it mixes genres of action, drama, and even some comedy (I mean, after all, it is a Dan Aykroyd movie). It’s underrated but a favorite among IT enthusiasts.

2. The Net (1995)

Sometimes you’re a spy out to expose the government, and sometimes it’s the other way around. This 1995 Sandra Bullock film is centered on the main character, Angela Bennett. A low-key computer geek, Angela is the unfortunate victim of government-aided identity theft, just because she happened upon a floppy disk (remember those?) containing government-surveillance plans.

Again, identity theft was a topic that was still strange and foreign back in the mid-90s, but nowadays we hear on the news daily about which company had their data breached.

3. Hackers (1995)

This next film can be a bit hit or miss, with its techno soundtrack and bizarre plot and graphics, but somehow the movie is endearing. The main character is Dade Murphy, a hacking prodigy who at 11 is arrested and charged with causing a 7-point drop in the NYSE. He is barred by the state from using the Internet until his 18th birthday. The day he hits 18, of course, he goes online and finds a new group of hacker friends. Of course, situations go awry as they mess with the wrong crowd.

As far as cyber security movies go, this one is a bit on the comically quirky side. However, it’s worth a watch as it portrays these situations in a rather facetious light.

4. WarGames (1983)

The earliest film in our top 5 list, this classic was a game changer in the industry. Starring Matthew Broderick as a genius kid who hacks into the NORAD (North American Aerospace Defense Command) system to impress his girl.

While it’s a simple plot, this was the 80s and Cold War tensions were in full force. It’s said that after watching the movie, President Reagan was concerned enough to ask whether this was really possible. The response? Yes, it was. The movie actually prompted the government to secure its computer technology, even in the days of dial-up modem Internet.

5. Enemy of the State (1998)

Probably the most action-filled movie in the list, this Will Smith flick is about a lawyer who stumbles upon some NSA information. The movie shows surveillance technology being used in any and every way imaginable. Again, the technologies seen in the movie are making or already have made their way onto the scene. It definitely gives a taste of how technology can have a detrimental effect on privacy (or the lack of it).

Now, quite honestly, the cyber security movies on this list vary. Some are a bit on the fantastical side while others are more realistic. But all in all, you can see through the plots and responses to these films that security has no boundaries: cyber security is not limited by era or even by industry.

Movies will continue to be made in the future. It’s easy to dismiss plots as unrealistic and the mere creation of a director’s or writer’s mind. But when we take a look at these movies from the past, we can see that perhaps it’s not that much of a stretch after all.