<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CoreTrace WhiteSpace&#187; CoreTrace WhiteSpace</title>
	<atom:link href="http://www.coretraceblogs.com/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.coretraceblogs.com</link>
	<description>The Application Whitelisting and Security Weblog</description>
	<lastBuildDate>Thu, 11 Mar 2010 20:36:02 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Are we in a cyberwar or not?</title>
		<link>http://www.coretraceblogs.com/2010-03/are-we-in-a-cyberwar-or-not/</link>
		<comments>http://www.coretraceblogs.com/2010-03/are-we-in-a-cyberwar-or-not/#comments</comments>
		<pubDate>Thu, 11 Mar 2010 17:16:29 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[cyber attacks]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[cyber czar]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[cyberwar]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1358</guid>
		<description><![CDATA[I continue to hear various viewpoints about whether or not we are in a cyberwar. Recently, our friend Howard Schmidt was quoted in the article, &#8220;White House Cyber Czar: &#8216;We are not in a cyberwar&#8217;,&#8221; as saying that we are not in a cyberwar. His stance is that cyberwar is &#8220;a terrible metaphor&#8221; where there are no winners. [...]]]></description>
			<content:encoded><![CDATA[<p>I continue to hear various viewpoints about whether or not we are in a cyberwar. Recently, our friend Howard Schmidt was quoted in the article, <a href="http://www.wired.com/threatlevel/2010/03/schmidt-cyberwar/">&#8220;White House Cyber Czar: &#8216;We are not in a cyberwar&#8217;,&#8221;</a> as saying that we are not in a cyberwar. His stance is that cyberwar is &#8220;a terrible metaphor&#8221; where there are no winners. While I can certainly respect that, there are also a number of opposing views and supporting statistics that say otherwise.</p>
<p>One comes from the former director of national intelligence, Michael McConnell, who recently testified before Congress that the country is already in the midst of a cyberwar &#8212; and losing it at that. This comes on the heels of growing speculation from experts who say the Chinese government was behind the recent cyberattacks targeting U.S. government Web sites, Google, and dozens of other U.S. companies. This, of course, raises the question: &#8220;If we aren’t already in a cyberwar, are we headed toward one?&#8221;</p>
<p>Larry Wortzel, a member of the U.S.-China Economic and Security Review Commission, said in the article, <a href="http://www.infoworld.com/d/security-central/expert-says-chinese-government-likely-behind-massive-cyberattacks-258?source=rss_infoworld_news">&#8220;Expert says Chinese government likely behind massive cyberattacks,&#8221;</a> that whether the Chinese government or independent hackers in China were responsible for the recent attacks, we are seeing &#8220;persistent, systematic and sophisticated attacks&#8221; that are clearly targeting U.S. military, technical and scientific information. Similar trends released at RSA Conference and reported in the story, <a href="http://www.pcworld.com/article/190963/chinese_hack_attacks_said_likely_to_recur.html">&#8220;Chinese hack attacks said likely to recur,&#8221;</a> indicated that Internet attacks from China could double if the pace during the first two months of 2010 continues.</p>
<p>People often ask me, given my military background and experience fighting cyber crime, are we in a cyberwar or not? To me, whether or not we are is irrelevant. What defines cyber warfare? What&#8217;s important is that we are aware of what is going on and our government and the private sector are doing everything they can to ensure our cyber security. I commended President Obama last October when he said that cyber threats were one of the most serious economic and national security challenges we face as a nation. The fact is, cyber crime has already cost U.S. companies billions of dollars. If these trends aren&#8217;t stopped, cyber crime will continue to have a growing impact on both our economy and global competitiveness.</p>
<p>Ensuring our cyber security comes down to one thing &#8212; preparedness. Greater understanding, and more proactive steps taken by the government and private sector independently and collectively, are vital to defending our networks, national assets and critical infrastructures from any type of attack, whether we are in a cyberwar or not.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-03/are-we-in-a-cyberwar-or-not/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>New exploit technique could mean more Microsoft headaches</title>
		<link>http://www.coretraceblogs.com/2010-03/new-exploit-technique-could-mean-more-microsoft-headaches/</link>
		<comments>http://www.coretraceblogs.com/2010-03/new-exploit-technique-could-mean-more-microsoft-headaches/#comments</comments>
		<pubDate>Mon, 08 Mar 2010 18:42:02 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[data compromise]]></category>
		<category><![CDATA[exploit technique]]></category>
		<category><![CDATA[malicious code]]></category>
		<category><![CDATA[security enhancement]]></category>
		<category><![CDATA[security software]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1337</guid>
		<description><![CDATA[Last week, a new exploit technique was disclosed that bypasses a critical Windows security feature, DEP (data execution prevention), as well as the ASLR (address space layout randomization) security enhancement.
In the article, &#8220;New exploit technique nullifies major Windows defense,&#8221; some researchers worry that a proof-of-concept code published by Google security software engineer, Berend-Jan Wever, [...]]]></description>
			<content:encoded><![CDATA[<p>Last week, a new exploit technique was disclosed that bypasses a critical Windows security feature, <a href="http://en.wikipedia.org/wiki/Data_Execution_Prevention" target="_blank">DEP</a> (data execution prevention), as well as the ASLR (address space layout randomization) security enhancement.</p>
<p>In the article, <a href="http://www.computerworld.com/s/article/9165378/New_exploit_technique_nullifies_major_Windows_defense?taxonomyId=17&#038;pageNumber=2" target="_blank">&#8220;New exploit technique nullifies major Windows defense,&#8221;</a> some researchers worry that proof-of-concept code published by Google security software engineer Berend-Jan Wever could actually lead to more successful attacks against Microsoft&#8217;s newer operating systems.</p>
<p>While Wever claims the proof-of-concept doesn&#8217;t do any harm because it&#8217;s wrapped around an exploit of a bug in Internet Explorer 6 (IE6) that was patched years ago, Trend Micro&#8217;s Ria Rivera wrote in the company&#8217;s malware blog that the exposure could be used to further enhance exploits, and that she expects to see it used within exploits soon.</p>
<blockquote>
<p>&#8220;After Wever released his <a href="http://en.wikipedia.org/wiki/Heap_spraying" target="_blank">heap-spraying</a> exploit codes in 2005, a lot of new exploits started using that technique. It would thus be not far-fetched that the release of this new proof-of-concept could lead to the same scenario &#8212; new exploits could start using &#8216;return-to-libc&#8217; to achieve DEP bypass.&#8221;</p>
</blockquote>
<p>With so many data compromises arising from the latest disclosed vulnerability, it seems clear that now is the time to completely re-evaluate the way we approach desktop security. Vulnerabilities lose their power when you address the core issue of controlling what applications are allowed to run on your system in the first place, whether these applications were added by a user or by malicious code exploiting a security hole.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-03/new-exploit-technique-could-mean-more-microsoft-headaches/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Observations from RSA &#8211; 100% compliant does not mean 100% secure</title>
		<link>http://www.coretraceblogs.com/2010-03/observations-from-rsa-100-compliant-does-not-mean-100-secure/</link>
		<comments>http://www.coretraceblogs.com/2010-03/observations-from-rsa-100-compliant-does-not-mean-100-secure/#comments</comments>
		<pubDate>Wed, 03 Mar 2010 21:08:58 +0000</pubDate>
		<dc:creator>Dan Teal</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[computer security]]></category>
		<category><![CDATA[Conficker]]></category>
		<category><![CDATA[cyber security]]></category>
		<category><![CDATA[security compliance]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1334</guid>
		<description><![CDATA[Yesterday, I sat in the RSA panel titled, &#8220;Cyber Security: An Arms Race.&#8221; It was an interesting panel because, of course, cyber security is an arms race. One of the recurring comments from the audience was centered around, &#8220;Who should be responsible for defending our networks?&#8221; This is a question that has been debated for [...]]]></description>
			<content:encoded><![CDATA[<p>Yesterday, I sat in the RSA panel titled, &#8220;Cyber Security: An Arms Race.&#8221; It was an interesting panel because, of course, cyber security is an arms race. One of the recurring comments from the audience was centered around, &#8220;Who should be responsible for defending our networks?&#8221; This is a question that has been debated for some time now. The answer kept leading back to government and compliance. However, members of the audience did not realize that one of the fundamental axioms of computer security is: Compliance does not mean secure.</p>
<p>We are familiar with the above statement. We all know that security compliance may increase security, but does not completely provide it. A great example of this occurred in the fall of 2008 within the DOD. Systems running in the DOD networks were compliant with FIPS 140-2, Common Criteria, and other standards. The systems and networks were operated by a staff of trained professionals. But even with all of the compliant security measures in place, Conficker still propagated throughout the DOD networks, causing over $100 million in cleanup costs.</p>
<p>A similar problem occurred at Heartland Payment Systems. Even though Heartland was fully PCI compliant, hackers still stole information on the 100 million credit card transactions that are processed each month.</p>
<p>Compliance is important, but we must remember that compliance standards may take years to create and are never updated fast enough to stay current with today&#8217;s threats. Organizations must protect against the threats of the past by being compliant. They must also defend against the threats of today by being proactive.  Application whitelisting is the proactive solution against today&#8217;s threats and must become the cornerstone of any security strategy.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-03/observations-from-rsa-100-compliant-does-not-mean-100-secure/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top endpoint security stories for February 2010 &#8211; Security professionals don’t feel the love</title>
		<link>http://www.coretraceblogs.com/2010-02/top-endpoint-security-stories-for-february-2010-security-professionals-don%e2%80%99t-feel-the-love/</link>
		<comments>http://www.coretraceblogs.com/2010-02/top-endpoint-security-stories-for-february-2010-security-professionals-don%e2%80%99t-feel-the-love/#comments</comments>
		<pubDate>Tue, 23 Feb 2010 17:43:27 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[endpoint protection]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1323</guid>
		<description><![CDATA[In a month known for love, February was filled with more heartbreaking stories of security problems and problematic fire drill patching. Is it me, or does it seem like everybody&#8217;s experiencing security compromises stemming from patching flaws and vulnerabilities within their system? Instead of resulting in more secure networks, what these and other recent stories [...]]]></description>
			<content:encoded><![CDATA[<p class="margin_bottom_2em">In a month known for love, February was filled with more heartbreaking stories of security problems and problematic fire drill patching. Is it me, or does it seem like everybody&#8217;s experiencing security compromises stemming from patching flaws and vulnerabilities within their system? Instead of resulting in more secure networks, what these and other recent stories point out is that malware only highlights the fact that existing desktop security isn’t working properly. Check out some of the top stories from February 2010.</p>
<h3>Security patches cripple Windows XP computers</h3>
<p>Windows customers were up in arms over a <a href="http://www.computerworld.com/s/article/9155419/Windows_patch_cripples_XP_with_blue_screen_users_claim" target="_blank">Microsoft security patch that left their PCs locked down</a> with the notorious Blue Screen of Death.  This was yet another glaring example of the problems organizations experience when rolling out patches quickly.<span id="more-1323"></span></p>
<p>In a follow-up article to Microsoft&#8217;s patching problems, <a href="http://searchsecurity.techtarget.com/news/article/0,289142,sid14_gci1381423,00.html?track=sy160&#038;utm_source=feedburner&#038;utm_medium=feed&#038;utm_campaign=Feed%3A+techtarget%2FSearchsecurity%2FSecurityWire+%28SearchSecurity+%3A+Security+Wire+Daily+News%29" target="_blank">evidence suggested that a rootkit infection was behind problems</a> Windows users experienced after installing several security updates. According to the computer expert who discovered the infection:</p>
<blockquote class="margin_bottom_2em">
<p>&#8220;This particular rootkit can be very difficult to detect. Atapi.sys is an important driver for all Windows systems and it loads very early during the boot process, so infecting this file can make it very hard to detect or remove the rootkit before it loads.&#8221;</p>
</blockquote>
<h3>Zeus Trojan found on 74,000 PCs in global botnet</h3>
<p>It was reported that over <a href="http://news.cnet.com/8301-27080_3-10455525-245.html" target="_blank">74,000 computers at nearly 2,500 organizations around the world were compromised over the past year and a half</a> in a botnet infestation designed to steal login credentials to bank sites, social networks and email systems. While Operation Aurora had its own success with popular networks internationally, the number of corporate and government systems infected paled in comparison to the Zeus Trojan.</p>
<p>The Wall Street Journal reported that Merck, Cardinal Health, Paramount Pictures and Juniper Networks were among the targets in the attack.</p>
<p class="margin_bottom_2em">To make matters worse, a <a href="http://www.theregister.co.uk/2010/02/09/spyeye_bots_vs_zeus/" target="_blank">competing crimeware toolkit called SpyEye is waging a turf war against the mighty Zeus bot</a>. For $500, aspiring rival cybercriminals can use the tool to uninstall Zeus from an infected system and keep SpyEye running on the system to steal credit cards and email accounts. Talk about cyber gang warfare.</p>
<h3>Malicious PDF files comprised 80% of all exploits in 2009</h3>
<p class="margin_bottom_2em">In the often-seen case where hackers gravitate to the most popular Internet applications, it was reported that <a href="http://blogs.zdnet.com/security/?p=5473&#038;tag=col1;post-5473" target="_blank">rogue PDFs accounted for 80% of all exploits by the end of 2009</a>.  And much like other leading technology companies, Adobe continues to patch several critical vulnerabilities in Adobe Reader and Adobe Acrobat for Windows, Mac and Linux.</p>
<h3>Google teams up with NSA to fight cybercrime</h3>
<p>As a result of Operation Aurora, The Washington Post reported that <a href="http://www.washingtonpost.com/wp-dyn/content/article/2010/02/03/AR2010020304057.html" target="_blank">Google has teamed up with the National Security Agency</a> (NSA) to help the Internet research firm defend itself and its users from future attacks. The Director of National Intelligence called the Google attacks a &#8220;wake-up call,&#8221; and said that cyberspace cannot be protected without a &#8220;collaborative effort that incorporates both the U.S. private sector and our international partners.&#8221;</p>
<p>Unfortunately, what we are continuing to see in early 2010 is that patching and other traditional antivirus software are failing to adequately defend our systems. In fact, if anything they appear to be causing more problems. Organizations are better off focusing on ways to effectively stop Web-malware and malicious code from executing in the first place. This is where a solution such as application whitelisting can defend even flawed networks from running malware within their operating systems. If it’s not an authorized application, it does not run in the system. It&#8217;s that simple.</p>
<p>As always, I thank you for stopping by to read this blog. I hope it continues to bring to light some of the important issues we all face as security professionals. Come back soon.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-02/top-endpoint-security-stories-for-february-2010-security-professionals-don%e2%80%99t-feel-the-love/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Guest Blog By GlobalSCAPE&#8217;s COO: Defending Cyberspace&#8230;</title>
		<link>http://www.coretraceblogs.com/2010-02/guest-blog-by-globalscapes-coo-defending-cyberspace/</link>
		<comments>http://www.coretraceblogs.com/2010-02/guest-blog-by-globalscapes-coo-defending-cyberspace/#comments</comments>
		<pubDate>Mon, 22 Feb 2010 19:05:30 +0000</pubDate>
		<dc:creator>Craig Robinson</dc:creator>
				<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[endpoint protection]]></category>
		<category><![CDATA[GlobalSCAPE]]></category>
		<category><![CDATA[proactive]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1307</guid>
		<description><![CDATA[There is no question that cyberspace is a new frontline in traditional and untraditional conflict. Many nations and organizations have the ability, directly and by proxy, to target and attack critical infrastructure within the US and worldwide. The recent cyber attacks launched within China against Google and several other companies raised questions about the state [...]]]></description>
			<content:encoded><![CDATA[<p>There is no question that cyberspace is a new frontline in traditional and untraditional conflict. Many nations and organizations have the ability, directly and by proxy, to target and attack critical infrastructure within the US and worldwide. The recent <a href="http://blog.globalscape.com/2010/01/china-vs-google-the-policy-strategy-and-technology-perspective" target="_blank">cyber attacks launched within China against Google</a> and several other companies raised questions about the state of industry preparedness to help defend cyberspace.</p>
<p>The US government relies on commercial industry to safeguard the Internet, telecommunications, power, water, and other critical infrastructure that underpin our national economy. Elements of this infrastructure also directly support our ability to project military power worldwide.<span id="more-1307"></span></p>
<p>Industry works closely with the government to advance the ‘state of the possible’ in cyber defense. As a former CIO and military systems analyst, I have witnessed several generational cycles of defensive technology developments in the cyber arena. In the mid-90s, for example, system administrators configured firewalls (from standard computer systems) by hand, and reviewed log files (either manually or through then-clever application of scripts) to detect, characterize, assess, and potentially contain cyber intrusions. Today, automated intrusion prevention systems are available as commercial-off-the-shelf (COTS) products, integrated with firewalls and incident management solutions to allow very rapid detection and blocking of cyber attacks. This is just one example of how industry has worked closely with the government to deliver significant advances in cyber defense technologies.</p>
<p>Unfortunately, our cyber adversaries today have proven relentless and highly flexible in their endless pursuit of effective attacks (for an entertaining perspective on the topic, please read Toney Jennings&#8217; <a href="http://blog.globalscape.com/2010/02/caddyshack-the-defense-of-cyberspace-no-more-%e2%80%9cwack-a-mole%e2%80%9d/" target="_blank">&#8220;Caddyshack &#038; The Defense of Cyberspace: No More “Wack-a-Mole”&#8221;</a> post on GlobalSCAPE&#8217;s blog site). Those of us in the information security industry understand that the next major terrorist strike very well may come from the cyber domain or, at a minimum, include cyber attacks as part of a broader operation. From a traditional national security perspective, it is a near certainty that future adversaries will continue to develop their cyber attack capabilities. Such asymmetric warfare capabilities are increasingly attractive, given the overwhelming superiority of US forces in conventional, force-on-force combat.</p>
<p>As a result, GlobalSCAPE, our partners and many others in the industry are working tirelessly to deliver next-generation cyber defense capabilities and stay one step ahead of our adversaries. Our continued development in this area is a national imperative. We are excited by the prospects for transformational solutions like application whitelisting to allow more assured defense of the cyber frontier. We’ll be addressing a variety of cyber defense topics in future posts. Stay tuned!</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-02/guest-blog-by-globalscapes-coo-defending-cyberspace/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>
