http://www.nipc.gov/publications/infobulletins/2002/ib02-011.htm
National Infrastructure Protection Center

"Software Firm Investigation Serves as a General Information Security Reminder"

Information Bulletin 02-011
December 6, 2002

NIPC Information Bulletins communicate issues that pertain to the critical national infrastructure and are for informational purposes only.

The US Attorney's Office announced today that it searched the Massachusetts offices of Ptech Inc. in connection with allegations relating to an ongoing financial crime investigation. Media coverage of this issue has been strong and immediate, focused in part on the fact that Ptech software is used by a customer base that includes financial services and government market segments. News outlets questioned whether the company's software might have been tampered with for use in some nefarious purpose.

In this specific regard, two things are worth noting. First, the US Attorney's announcement in no way alleges that Ptech's products present any security threat. Second, based upon information available to it, the NIPC is not aware of any information or indication that Ptech software contains viruses, malicious codes, or otherwise performs in an anomalous fashion.

Media and public sensitivity to this case, however, demonstrates a greater point which is unrelated to any specific company or product. Therefore, the NIPC is taking this opportunity to remind the public that sophisticated cyberattack capabilities can be extremely difficult to detect and that nothing can guarantee the complete safety of any software.

There is no substitute for the full range of information security practices within any organization including:

- An assessment of the value of the information assets to be protected,
- An assessment of the likely threats, natural and man-made, to these assets,
- Regular analyses of the vulnerabilities of the information systems in use, including not only the technical but also the human elements of those systems,
- An integrated assessment of the information security risk (threat, vulnerabilities, and asset loss) along with a cost-effect plan to mitigate those risks.

The following web sites contain more information on best practices in information security:

http://www.nipc.gov/publications.htm
http://www.cert.org/
www.sans.org
www.fedcirc.gov
www.nist.gov

The NIPC encourages individuals to report information concerning suspicious activity to their local FBI office, http://www.fbi.gov/contact/fo/fo.htm, the NIPC, or to other appropriate authorities. Individuals may report incidents online at http://www.nipc.gov/incident/cirr.htm, and can reach the NIPC Watch and Warning Unit at (202) 323-3205, Toll Free at 1-888-585-9078, or by email to [EMAIL PROTECTED]

IWS INFOCON Mailing List
@ IWS - The Information Warfare Site
http://www.iwar.org.uk