
pki-tc message


Subject: [Fwd: Comment on SOX Section 404 - Management Assessment of InternalControls]

I'm not sure, but I believe I've hit upon the mother lode of business
drivers for PKI - SOX Section 404 compliance!

I raised this issue with two CSOs of major financial companies (who
have spent many millions of dollars on getting themselves ready to
certify their internal controls by end of this year) and their only
response was "That is a very good question!".

I believe this issue completely missed their radar.

If you believe this issue has merit, I would recommend that OASIS
put out a press release highlighting this issue and mentioning how
digital certificates with external cryptographic tokens can provide
a measure of control that allows them to be SOX compliant.  Every
publicly traded company has to certify to these controls by June 2005.

Arshad Noor
StrongAuth, Inc.

P.S. I would also recommend forwarding this to the people in your
own company who're responsible for SOX compliance to see if they're
aware of this.  I believe the deadline for certifying Section 404
controls is November 15th, to the best of my knowledge.

-------- Original Message --------
Subject: Comment on Section 404 - Management Assessment of Internal Controls
Date: Mon, 07 Jun 2004 10:43:38 -0700
From: Arshad Noor <arshad.noor@strongauth.com>
Organization: StrongAuth, Inc.
To: rule-comments@sec.gov

Ladies & Gentlemen,

I'm not certain if the SEC is entertaining further comments on Section 404
of the Sarbanes-Oxley Act of 2002, but I thought that you should know of an
important facet of controls that may have a significant impact on financial

Section 404, as you're aware, requires company management to assess the
effectiveness of their internal controls with respect to financial
reporting and for public accounting firms to certify this assessment.
Since many companies that report to the SEC use computerized systems to
manage their financial data, there is a major vulnerability in current
controls of computer systems that can jeopardize the information.  This
is the User ID and Password - the mechanism used in, probably, 99.9% of
all computer systems to authenticate and authorize users of computer
systems and software.

User IDs and Passwords are a form of authenticator known as Single-Factor
Authentication, where supplying just the password to a legitimate User ID
gives you access to all capabilities authorized for that User ID on the
computer system.

What is little understood is that an authentication system based on User
ID and Passwords is INCAPABLE of distinguishing between an authorized
user, who has legitimately logged in to perform a business function, and
an unauthorized user who has logged in to attack the system using the
compromised ID and Password of a legitimate user.  The computer logs will
indicate that an authorized user logged in at such-and-such time and
performed such-and-such actions.  While systems performing this level of
logging will keep track of what this user does, there is no indication
at all that these actions were performed by an unauthorized user.

As such, any financial reporting system that uses User IDs and Passwords
as its sole authenticator does not provide adequate internal control to
assure stockholders of the integrity of its data.

For example, if I'm an employee in the Sales Division of a company, who
is responsible for entering Sales Orders into an application that feeds
the Financial systems, my User ID and Password could be compromised in any
number of ways without my knowledge - through a virus attack, keyboard
sniffers, dictionary attacks, phishing, social engineering, etc. - even
though I might comply with all computer use policies of the company,
allowing an unauthorized user to log into my account and change Sales
Order information, thus affecting financial statements.  The attacks can
come from internal or external entities.
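An added illustration of the point made above; it is not part of the original message. It uses a constructed account and an HMAC challenge-response with a key held only on the user's token, standing in for the certificate-based token signing the message advocates: with a password alone the two audit records are identical, while the token factor denies the session that cannot prove possession of the token.

```python
import hashlib
import hmac
import secrets

# Constructed demo data (not from any real system): one account's stored password hash
PASSWORD_HASHES = {"alice": hashlib.sha256(b"S3cret!").hexdigest()}
# and a second-factor key that lives only inside alice's hardware token (hypothetical).
TOKEN_KEYS = {"alice": secrets.token_bytes(32)}

def password_ok(user, password):
    stored = PASSWORD_HASHES.get(user, "")
    supplied = hashlib.sha256(password.encode()).hexdigest()
    return hmac.compare_digest(stored, supplied)

def password_login(audit, user, password):
    """Single-factor login: the audit record carries nothing that ties the session to a person."""
    ok = password_ok(user, password)
    audit.append(f"user={user} method=password result={'ok' if ok else 'denied'}")
    return ok

def token_login(audit, user, password, sign_challenge):
    """Two-factor login: after the password, the client must answer a fresh challenge with the
    key held on the token. sign_challenge is None when the caller holds no token."""
    if not password_ok(user, password):
        audit.append(f"user={user} method=password+token result=denied reason=password")
        return False
    challenge = secrets.token_bytes(16)
    expected = hmac.new(TOKEN_KEYS[user], challenge, hashlib.sha256).digest()
    answer = sign_challenge(challenge) if sign_challenge else b""
    ok = hmac.compare_digest(expected, answer)
    reason = "" if ok else " reason=no-token-proof"
    audit.append(f"user={user} method=password+token result={'ok' if ok else 'denied'}{reason}")
    return ok

def alice_token(challenge):
    """Stands in for alice's hardware token answering the server's challenge."""
    return hmac.new(TOKEN_KEYS["alice"], challenge, hashlib.sha256).digest()

def demo():
    audit = []
    password_login(audit, "alice", "S3cret!")   # alice herself
    password_login(audit, "alice", "S3cret!")   # someone holding her compromised password
    identical = audit[0] == audit[1]            # the log cannot tell the two sessions apart
    legit = token_login(audit, "alice", "S3cret!", alice_token)
    without_token = token_login(audit, "alice", "S3cret!", None)
    return {"password_logs_identical": identical, "legit_with_token": legit,
            "compromised_password_without_token": without_token, "audit": audit}
```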

Secret-key based, single-factor authenticators have been a major
vulnerability of computer systems ever since the Internet changed how
companies do business.  However, few experts have recognized this
fundamental vulnerability and have called for the replacement of this
mechanism of Access Control, mandatorily.

Solutions to address this problem have existed for more than a decade,
vis-a-vis public-key cryptography and two-factor authenticators. You may
want to consider highlighting this issue to public accounting companies
who certify internal control assessments, as well as the companies that
are regulated by the SEC.


Arshad Noor
President & CEO
StrongAuth, Inc.
10846 Via San Marino
Cupertino CA 95014-6333
(408) 331-2001
