“Attacks have evolved from simple scams to highly sophisticated espionage campaigns targeting some of the world’s largest corporations and government entities. The scale of these attacks and the fact that they originate from across the world, makes this a truly international problem requiring the cooperation of both the private sector and world governments.”

The report highlighted the year’s two biggest cyber attacks — Conficker and Hydraq — which continue to wreck havoc on enterprises across the globe well into 2010. The report also pointed out other trends that both the private and public sectors should be aware of, including:

• More targeted threats on corporate enterprises:
  Given the potential for monetary gain from compromised corporate intellectual property, the report found that cybercriminals are using personal information on social networking sites to create socially engineered attacks on key individuals within targeted organizations. The tricky thing about defending an enterprise from targeted attacks is that these threats may never be on a blacklist because they are not widespread. This is where application whitelisting fits right in as it stops the execution of any unauthorized application from running in the system.
• Malware toolkits:
  Cybercrime toolkits such as the Zeus botnet are making it easier for hackers with varying skill sets to create customized malware to compromise computers and steal information. This is also playing a large part in the growing number of hackers who are creating millions of new malicious code variants in an effort to evade detection by antivirus security software. In order to better protect our networks from evolving malware writers, anti-malware defenses need to evolve, too.
• Unabated web-based attacks:
  Cybercriminals are using social engineering techniques to trick unsuspecting users to visit malicious websites. Once there, these websites attack the victim’s Web browser and vulnerable plug-ins that are normally used to view video or document files. Since organizations realistically can’t control what websites people go on or what they download, the key is to stop the payload, not the user.
• Applying patches continues to be a challenge:
  The report also found that maintaining a secure, patched system is becoming more challenging than ever. Moreover, many users are failing to patch old vulnerabilities despite having the fixes to do so. The sheer volume of new patches and the time and resources it takes to make security updates is making it nearly impossible to protect a network from every new malware variant out there. As I mentioned in previous posts, the key is to stop the payload in the first place, even if you can’t stop the vulnerability in time.

We are familiar with the above statement. We all know that security compliance may increase security, but not completely provide it. A great example of this occurred in the fall of 2008 within the DOD. Systems running in the DOD networks were compliant with FIPS 140-2, common criteria, and other standards. The systems and networks were operated by a staff of trained professionals. But even with all of the compliant security measures in place, Conficker still propagated throughout the DOD networks causing over $100 million in cleanup costs.

A similar problem occurred at Heartland Payment Systems. Even though Heartland was fully PCI compliant, hackers still stole information on the 100 million credit card transactions that are processed each month.

Compliance is important, but we must remember that compliance standards may take years to create and are never updated fast enough to stay current with today’s threats. Organizations must protect against the threats of the past by being compliant. They must also defend against the threats of today by being proactive. Application whitelisting is the proactive solution against today’s threats and must become the cornerstone of any security strategy.

In the article, “Conficker Expects to Dominate Botnets and Malware in 2010″, some of the industry’s top security experts say that perpetrators will continue to use Conficker to collapse PCs, block users from accessing certain websites, cause hazardous security breaches, and spread its infection in 2010. And as Conficker continues to evolve and gets more sophisticated, there may be nothing security managers can do to completely stop it.

While understanding the way cyber criminals work is good advice, stopping them at the outset like Neustar senior technologist, Rodney Joffe, suggests will not effectively stop criminals from taking new approaches to spreading the virus. Where there’s a will, there’s a way. And fraudsters are becoming more innovative every day.

With many anti-virus technologies still focused on detecting new forms of malware from entering their networks, as the article suggests, more complex Web-based malware is making it harder to do so. Instead of trying to keep up with cyber criminals who continue to re-invent the game, organizations need to focus on strengthening their own systems. They need to build a security defense that’s not based on criminals making the rules, but making their own rules to better protect their IT infrastructures. Application whitelisting is one such solution that puts organizations in control of their own network security by simply not allowing any unauthorized software to run on their network.

The culprit? Unauthorized code on their servers resulted in the exposure of the credit card data. Despite the protections employed to protect the card data on servers, they were done in by simple malware on a system in their infrastructure.

The exposure experienced by Network Solutions is not unique. One of the greatest threats to any company connected to the Internet is the prevalence of malware and the number of systems that belong to botnets. We recently blogged about two botnets formed by the new clampi trojan and the older conficker malware. Unfortunately, traditional blacklist antivirus technology is no longer capable of preventing infection and standards that target the protection of critical assets ought to take that into account.

To that extent, I would like to contrast the two requirements mandating system security in PCI DSS relative to those in NERC CIP. NERC CIP requirements calls for security that can detect, prevent, deter, and mitigate malware. The actual R4 requirement from NERC-CIP 007 is shown here:

• R4. Malicious Software Prevention – The Responsible Entity shall use antivirus software and other malicious software (“malware”) prevention tools, where technically feasible, to detect, prevent, deter, and mitigate the introduction, exposure, and propagation of malware on all Cyber Assets within the Electronic Security Perimeter(s).
• R4.1. The Responsible Entity shall document and implement antivirus and malware prevention tools. In the case where antivirus software and malware prevention tools are not installed, the Responsible Entity shall document compensating measure(s) applied to mitigate risk exposure or an acceptance of risk.
• R4.2. The Responsible Entity shall document and implement a process for the update of antivirus and malware prevention “signatures.” The process must address testing and installing the signatures.

PCI on the other hand does not have this granularity and focuses instead solely on the use of antivirus. Here is the relevant PCI requirement mandating the use of antivirus:

• 5.1. Deploy antivirus software on all systems commonly affected by malicious software (particularly personal computers and servers).
• 5.1.1. Ensure that all antivirus programs are capable of detecting, removing, and protecting against all known types of malicious software.
• 5.2. Ensure that all antivirus mechanisms are current, actively running, and capable of generating audit logs.

The security of the systems in an organization’s IT infrastructure remains one of the greatest challenges to providing strong security. Application whitelisting’s purpose in life is to prevent unauthorized code from residing on critical assets. It’s time for organizations to start thinking about how they can proactively protect these devices instead of simply providing a checkbox for antivirus. Let us know what you think in the poll above.

Conficker is highly sophisticated and exhibits a strong potential for future malice. Here are some characteristics of the botnet pointed out in the article:

• Propagation via USB despite protection against USB autoruns
• Bypassing and blocking of security vendor’s IP addresses to prevent remediation of the threat
• Shutting down of new tools used to identify and respond to attacks like wireshark

Botnets are so dangerous because they can be used for other forms of internet crime like identity theft. For example, in April, Conficker was leased to distribute spam for the Waldac worm targeting users identities. Since then however, the botnet itself has been dormant. Despite the control millions of PCs and a very large black market profit potential, the authors of the malware haven’t leased it out and it appears to be running independently churning out infections and waiting for control. The latest version includes peer-to-peer code that allows infected nodes pass instructions to each other. For the time being it isn’t active but researchers continue to monitor it for signs of control.

Just another case of unauthorized software making its way onto PCs despite significant investment in security. The potential for damage from these threats continues to grow and adds to the argument for a complete overhaul in the way we address desktop and laptop security.