In the article, “Cyber attacks worry firms more than terrorism,” the “2010 State of Enterprise Security Study” conducted by Symantec Software Solutions Pvt. Ltd. found that 42% of companies representing industries such as telecom, hospitality, manufacturing, retail and technology perceive cyber attacks as the biggest threat to their enterprises.

One reason cited was the lack of adequate network security. Over the past year, 66% of companies surveyed said they had experienced cyber intrusions while 51% reported repeated attacks. The study also pointed out that deployment of enterprise security has turned into a difficult task for many organizations. Said Vishal Dhupar, managing director at Symantec:

“Enterprise security is understaffed and the most affected areas in organizations are network security, web security and data-loss prevention. To tackle the issue, companies need to secure their messaging and web environments and defending critical internal servers. They should also have the ability to back up and recover data and respond to threats rapidly.

With the rise in malicious attacks targeting sectors that can have a significant impact on India’s economy, one has to wonder if cyber attacks and terrorism weren’t one in the same. As I mentioned in a recent blog, “Are we in a cyberwar or not?” cyber threats continue to have a growing impact on our nation’s economy and global competitiveness. Although U.S. Cyber Czar, Howard Schmidt, may not think we are engaged in cyber warfare, the impacts from targeted attacks are being felt everywhere, and are top IT concerns for many organizations and nations around the world.

This says a lot about the current state of the AV industry. With so many new viruses and malware variants successfully bypassing security solutions, it is time to shift our way of thinking about how to protect our networks from new and unknown forms of malware and viruses.

With online crime losses doubling in 2009, we simply can’t afford to rely solely on AV software to protect our critical infrastructures from the countless number of malware variants out there. If these solutions are already losing the battle against highly visible malware, I can’t imagine the success rate of stopping unknown attacks would be any better.

As an example of how the industry currently looks at these problems, NSS Labs’ CTO, Vikram Phatak, said: “There are many ways to possibly exploit a vulnerability, and rather than focusing on every attack method, vendors need to focus on [shielding] the vulnerability itself.”

Vikram is correct in pointing out that you can’t defend against every attack method, but focusing on protecting against exploitation of the vulnerability is reactive, and a failure as well. This still leaves companies open to newly discovered vulnerabilities, relies on reactive patching and security system updates, and will ultimately fall on its face. We need to completely rethink our approach to endpoint security that begins with a foundation of whitelisting that would defeat new malware completely independently of the vulnerability or attack.

One comes from the former director of national intelligence, Michael McConnell, who recently testified in Congress by saying the country is already in the midst of a cyberwar — and losing it at that. This comes on the heels of growing speculation from experts that say the Chinese government was behind the recent cyberattacks targeting U.S. government Web sites, Google, and dozens of other U.S. companies. This, of course, raises the question: “If we aren’t already in a cyberwar, are we headed toward one?”

Larry Wortzel, a member of the U.S.-China Economic and Security Review Commission, said in the article, “Expert says Chinese government likely behind massive cyberattacks,” that whether the Chinese government or independent hackers in China were responsible for the recent attacks, we are seeing “persistent, systematic and sophisticated attacks” that are clearly targeting U.S. military, technical and scientific information. Similar trends released at RSA Conference and reported in the story, “Chinese hacks attacks said likely to recur,” said an increase in Internet attacks from China could double if the pace during the first two months of 2010 continues.

People often ask me, given my military background and experience fighting cyber crime, are we in a cyberwar or not? To me, whether or not we are is irrelevant. What defines cyber warfare? What’s important is that we are aware of what is going on and our government and the private sector are doing everything they can to ensure our cyber security. I commended President Obama last October when he said that cyber threats were one of the most serious economic and national security challenges we face as a nation. The fact is, cyber crime has already cost U.S. companies billions of dollars. If these trends aren’t stopped, cyber crime will continue to have a growing impact on both our economy and global competitiveness.

Ensuring our cyber security comes down to one thing — preparedness. The more we understand, and the more proactive steps the government and private sector take independently and collectively, are vital to defending our networks, national assets and critical infrastructures from any type of attack, whether we are in a cyberwar or not.

In the article, “New exploit technique nullifies major Windows defense,” some researchers worry that a proof-of-concept code published by Google security software engineer, Berend-Jan Wever, could actually lead to more successful attacks against Microsoft’s newer operating systems.

While Wever claims the proof-of-concept doesn’t do any harm because it’s wrapped around an exploit of a bug in Internet Explorer 6 (IE6) that was patched years ago, MicroTrend’s Ria Rivera wrote in the company’s malware blog that the exposure could be used to further enhance exploits, and expects to see it used within exploits soon.

“After Wever released his heap-spraying exploit codes in 2005, a lot of new exploits started using that technique. It would thus be not far-fetched that the release of this new proof-of-concept could lead to the same scenario — new exploits could start using ‘return-to-libc’ to achieve DEP bypass.”

With so many data compromises arising from the latest disclosed vulnerability it seems so clear that now is the time to completely re-evaluate the way we approach desktop security. Vulnerabilities lose their power when you address the core issue of controlling what applications are allowed to run on your system in the first place whether these applications were added by a user or by malicious code exploiting a security hole.

We are familiar with the above statement. We all know that security compliance may increase security, but not completely provide it. A great example of this occurred in the fall of 2008 within the DOD. Systems running in the DOD networks were compliant with FIPS 140-2, common criteria, and other standards. The systems and networks were operated by a staff of trained professionals. But even with all of the compliant security measures in place, Conficker still propagated throughout the DOD networks causing over $100 million in cleanup costs.

A similar problem occurred at Heartland Payment Systems. Even though Heartland was fully PCI compliant, hackers still stole information on the 100 million credit card transactions that are processed each month.

Compliance is important, but we must remember that compliance standards may take years to create and are never updated fast enough to stay current with today’s threats. Organizations must protect against the threats of the past by being compliant. They must also defend against the threats of today by being proactive. Application whitelisting is the proactive solution against today’s threats and must become the cornerstone of any security strategy.