Payment Card Security & IT Controls Explained

Entries from June 2007

U.S. Markets Competitive (again?) – SOX and company are good

June 22, 2007

Ernst & Young’s global IPO survey, released today, indicates that despite the popular press and the political dancing (the Paulson Interim Report, the Bloomberg/Schumer Report) the U.S. IS, in fact, competitive. This holds even with a strongly regulated market, one in which SOX, at full strength, apparently did not hurt U.S. market prospects. The study found that the U.S. generated the largest number of IPOs in 2006 and raised $34.1 billion.

Beyond a stellar 2006, 2007 is shaping up to be another blockbuster year, with a strong first quarter. The massive private-equity IPOs (Blackstone, Carlyle, etc.) can only bolster the market as a whole new type of financial firm comes onto the public exchanges.

“The fourth quarter of 2006 was the busiest for IPO activity by U.S. companies since 1999, raising $12.4 billion in 72 IPOs,” said Maria Pinelli, Americas Strategic Growth Markets Leader at Ernst & Young LLP. “In 2007, U.S.-based company activity continues to feed into the U.S. stock markets, which also attract key international IPOs, particularly in knowledge-driven sectors like technology and healthcare. Deal sizes are larger than ever and private equity is backing many of them.”

E&Y has some great additional detail on the study, and I encourage everyone to review the data. What makes this information important is that it is a quantifiable demonstration of the effects of a heavily regulated financial market on companies’ willingness to “go public”.

The past several months have seen massive debate over regulations such as SOX and their negative impacts. Those papers, while supported by well-researched financial data, are not consistent with actual market performance or with the rate at which companies are entering the public markets. A simple Google News search will turn up volumes of debate on SOX and U.S. competitiveness.

The takeaway – companies are going public in the U.S. despite a heavily regulated environment. The U.S. markets may be more expensive for a company to operate in, but the upside of access to massive amounts of equity and a more transparent operational norm appears to be better for everyone. Several academic studies recently highlighted in the WSJ support the same conclusion.

A tangent from internal controls, but highly relevant as regulation and controls come under fire.

James

Categories: Compliance · FERC · GLBA · NERC · Sarbanes-Oxley · State Laws · regulations · sox

Prefetching Implications to forensics and policy enforcement

June 22, 2007

Prefetching, as used by Google (and perhaps Yahoo!), lets the browser begin downloading the top page or pages in your search results before you have clicked on anything; Google does this by embedding `<link rel="prefetch">` hints in the results page. Microsoft’s IE does not support this, but Firefox and other Mozilla-based browsers do, and it is configurable there.

This is a great “speeds and feeds” feature, but it raises the question of what it means for the end user and for the organization as a whole. Given the dozens of times I use Google to mine for data, I can attest that some results in the top 10 are not what I was looking for and are at no level appropriate for browsing. These sites may simply be spam sites grabbing the top links, “security” sites offering tools, or, worse, some form of attack website.

Consider the business impact to an organization where an end user searches for a topic and one of the ten results is a malicious site. With prefetching, that site may be allowed to drop cookies and code onto the system, code that may attempt to compromise it, without the user ever clicking the link. There is evidence that numerous websites are online and designed to exploit unsuspecting visitors. The introduction of malicious code into the organization can lead to a data breach, as in the recent Pfizer breach attributed to P2P file-sharing software. In addition, the lack of control over the systems in question (every desktop in your organization that browses the internet and uses Google, which commands 65.26% market share) undermines trust in the computing environment and increases the need for internal control validation.

There are many implications to having cache entries, cookies, or other website artifacts from sites that violate organizational policy or the law of the local region. Individuals have been fired for browsing illegal sites, teachers have been prosecuted because of pop-ups, and companies conducting forensic investigations rely on all of the data on a system to build a clear picture of events. Prefetched content looks, on disk, much like content the user chose to visit.

While faster load times are desirable, it should be strongly considered whether this is appropriate for EVERY workstation in your environment. The simplest safeguard is to disable prefetching on workstations that have logical access to sensitive data. If that is not possible and prefetching is necessary, consider compensating controls at the perimeter and on the endpoints: continually clean the cache, prevent malicious code downloads, and block requests that carry the browser’s prefetch marker header (Firefox sends `X-moz: prefetch` on these fetches, so a proxy can tell them apart from a user’s click). The NSA’s security guide highlights compensating controls of this kind and specifically recommends setting Safari to “Private Browsing” or using a Firefox plugin that provides a more secure browsing platform.
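The two perimeter-side controls just described, as an added example (not code from the original post or from any vendor): a filtering proxy strips the speculative `<link>` hints out of a results page so the browser never prefetches, and refuses outbound requests that carry a prefetch marker header. The sample results page and sample requests are constructed for the demonstration; the `Purpose`/`Sec-Purpose` headers are later equivalents of Firefox’s `X-moz: prefetch` from other browsers and are included as an assumption beyond the 2007 context.

```python
"""Perimeter controls for browser link prefetching (added example, not the post's code).

Two checks a filtering proxy can apply:
  1. On responses: strip <link rel="prefetch"> (and related) hints so the browser
     never fetches pages the user did not click.
  2. On requests: recognise the marker header a prefetching browser sends and
     refuse the fetch, so only deliberate navigation leaves the perimeter.
"""
import re

# rel tokens that trigger speculative fetches. Firefox (the prefetching browser the
# post discusses) acts on "prefetch" and "next"; "prerender" is a later hint kept
# here for completeness.
SPECULATIVE_REL = {"prefetch", "next", "prerender"}

# Request headers that mark a speculative fetch. Firefox sends "X-moz: prefetch";
# "Purpose"/"Sec-Purpose" are later equivalents from other browsers (assumption:
# header names and values are compared case-insensitively).
PREFETCH_MARKERS = {"x-moz": "prefetch", "purpose": "prefetch", "sec-purpose": "prefetch"}

_LINK_TAG = re.compile(r"<link\b[^>]*>", re.IGNORECASE)
_ATTR = re.compile(r"""(\w[\w-]*)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))""")


def _attrs(tag):
    """Parse the attributes of a single <link ...> tag into a dict (lower-cased names)."""
    out = {}
    for m in _ATTR.finditer(tag):
        out[m.group(1).lower()] = m.group(2) or m.group(3) or m.group(4) or ""
    return out


def strip_prefetch_links(html):
    """Remove speculative <link> hints from an HTML response.

    Returns (cleaned_html, removed_hrefs). Stylesheets and other non-speculative
    <link> elements are left untouched.
    """
    removed = []

    def repl(m):
        attrs = _attrs(m.group(0))
        rel_tokens = {t.lower() for t in attrs.get("rel", "").split()}
        if rel_tokens & SPECULATIVE_REL:
            removed.append(attrs.get("href", ""))
            return ""          # drop the hint entirely
        return m.group(0)      # keep everything else as-is

    return _LINK_TAG.sub(repl, html), removed


def is_prefetch_request(headers):
    """True if the request headers carry a browser prefetch marker."""
    for name, value in headers.items():
        want = PREFETCH_MARKERS.get(name.lower())
        if want is not None and value.strip().lower() == want:
            return True
    return False


def decide_request(headers):
    """Policy decision for one outbound request: 'block' speculative fetches,
    'allow' everything else. A real proxy would answer 'block' with a 403."""
    return "block" if is_prefetch_request(headers) else "allow"


# Constructed sample: a search results page carrying a prefetch hint for its top
# result, a rel=next pager link, and an ordinary stylesheet that must survive.
SAMPLE_RESULTS_PAGE = (
    '<html><head><title>results</title>'
    '<link rel="stylesheet" href="/s.css">'
    '<link rel="prefetch" href="http://top-result.example/">'
    "<link rel='next' href='/search?q=x&start=10'>"
    '</head><body><a href="http://top-result.example/">Top result</a></body></html>'
)

# Constructed sample requests as a proxy would see them: one speculative, one a click.
SAMPLE_PREFETCH_REQUEST = {"Host": "top-result.example", "X-moz": "prefetch"}
SAMPLE_USER_CLICK = {"Host": "top-result.example", "Referer": "http://search.example/"}

if __name__ == "__main__":
    cleaned, removed = strip_prefetch_links(SAMPLE_RESULTS_PAGE)
    print("stripped hints:", removed)
    print("stylesheet kept:", 'rel="stylesheet"' in cleaned)
    print("prefetch request:", decide_request(SAMPLE_PREFETCH_REQUEST))
    print("user click:", decide_request(SAMPLE_USER_CLICK))
```

The response-side strip is the more reliable of the two, since it removes the trigger before the browser sees it; the request-side check depends on the browser honestly marking its prefetches. For the endpoint itself, the equivalent of the first control is the Firefox preference `network.prefetch-next` set to `false` (for example in a `user.js` file), which turns the feature off regardless of what a page asks for.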

I would be interested in other observations on this type of technology, and whether such exploits have been documented. Browser sandboxing can confine prefetched code to a restricted location, but that changes where the code lives on the system, not whether it is present.

Best,

James

Categories: Compliance · IT Controls · Risk Management · Security · regulations