As I was going through the plan, what struck me first was the fact that the U.S. has publicly called out to the world that cyberspace will be added as one of the operational domains, retaliating to any attacks against it in the same way it would to attacks by land, sea, air and space. Saying that it plans to aggressively train, organize, collaborate, and strengthen relationships with global partners sends a strong message to the international community about its intentions to take full advantage of cyberspace’s potential, as well as how the government plans to deal with and respond to threats against this domain. While the plan still leaves many questions around attribution and countermeasures against any such attack, I think the clear and unambiguous addition of the domain is an important step to deter cyber attacks targeting the U.S. government and our nation’s critical assets and infrastructure.

Unfortunately, a significant portion of the document is simply reiterating the government’s “business as usual” tactics. I’ve got to believe that for the five strategic initiatives, the DoD already has active programs in place. Therefore, the first question that comes to mind is how effective are these defenses? I suspect that the fundamental problem with the existing defenses is that the government is using traditional security solutions that don’t measure up against evolving cyber attacks. The root of this problem stems from the fact that the government continues to favor status-quo, “no one ever got fired for buying from” large companies and contractors. DoD and other agencies turn to these organizations to build offensive and defensive technologies without paying much attention to smaller, more innovative companies that, in my opinion, develop far better, more effective technology. From my experience, this has historically been the case with the military (just ask the innovative arms manufacturers that couldn’t get the military to adopt new weapons in the Civil War).

I did, however, find a glimmer of hope in the plan’s Strategic Initiative No. 5: “DoD will leverage the nation’s ingenuity through an exceptional cyber workforce and rapid technological innovation.” While I’m pleased to hear the government would like to work with small, nimble companies that I believe provide the rapid technological innovation that the document calls for, the reality is what I just outlined: the DoD tradition and evaluation/purchasing structures favor large companies and contractors.

The problem with the claim is the government sets an extremely high bar that almost guarantees they can’t do business with smaller companies. Take, for example, the cost of trying to meet common criteria and update certifications. The average vendor does not have the resources to put their products through all of the regulatory requirements needed for most defense-related implementations. Small businesses generally cannot afford the quarter of a million dollar certification programs that large companies can. As a result, historical precedent has shown that the DoD primarily goes with incumbents.

I commend the government for recognizing the need to innovate technology very rapidly to keep up with evolving cyber threats. Smaller, innovative companies can play a critical role for defending our nation’s networks and systems from more sophisticated attacks. However, I cannot fully believe the DoD is serious about this claim until there is action behind it. It’s a great vision, but there still exists structural impediments that don’t allow smaller companies under normal operating procedures to fulfill that promise.

As a smaller company that provides highly innovative and effective application whitelisting-based endpoint protection solutions, CoreTrace stands ready to help the DoD and other agencies deliver on the cybersecurity vision. My challenge to the DoD is this: If you say working with innovative companies is part of the national cyberwarfare strategy, prove it by bringing companies like CoreTrace in and streamlining the evaluation/procurement bureaucracy. Let us all help make your strategy a reality.

RSA a mixed blend of cyber security approaches… and the cloud

This year’s RSA Security Conference covered everything from the more vicious attacks to the best ways to prevent them. Because today’s cyber criminals are highly motivated to take whatever they want, Bret Hartman, CTO of EMC’s RSA security devision, said in order to protect their networks from an array of attacks, organizations need to develop a next-generation cyber security solution that encompasses key elements around governance, risk management and compliance policies, with virtualization underlying tomorrow’s security approaches.

When it comes to cloud adoption, Art Coviello, executive chairman of EMC’s RSA security division, said meeting the demands of the cloud requires deploying more flexible, dynamic security.

“Achieving this means building security into virtualized components and, by extension, distributing security throughout the cloud. Also, automation will be absolutely essential in enabling security and compliance to work at the speed and scale of the cloud. Policies, regulations, and best practices will be codified into security management systems and enforced automatically, reducing the need for intervention by IT staff–a problem that’s getting away from us today.”

Because virtualization and the cloud have the power to dramatically change security in the future, our Bouncer application whitelisting solution, which uses CoreTrace’s Software Intelligence (CSI) cloud-based service of known good and bad applications, helps organizations working in the cloud to identify and block malware and other unauthorized applications with a high level of flexible application management and control.

Night Dragon attacks a threat to power grid security

They get up, go to work, and come home like the rest of us. The only difference is while at work they’re hacking and social engineering oil, gas and petrochemical companies and their executives to steal highly sensitive information and intellectual property. That’s who McAfee suggests, in a report released in February, is likely behind the infamous Night Dragon operation.

In the article, ‘Night Dragon’ attacks from China strike energy companies,” the security software vendor said there is strong evidence — from the hacking tools to the computer IP addresses — that the coordinated cyber attacks targeting energy companies could be the work of Chinese hackers, otherwise referred to in the report as “company men”, that work regular 9 to 5 jobs.

With more coordinated campaigns like Night Dragon targeting the energy industry, unsettling reports like the recent U.S. Department of Energy audit of power grid security claim there’s still plenty of work to be done. The DOE found that cyber security standards that don’t always include security controls combined with a reluctance of power plants to identify critical assets is creating challenges for risk-based security approaches.

Hackers co-opting trusted websites to launch attacks

In the past, cyber criminals spent a lot of time using free domains to create fake websites that looked legit. As these sites became known for hosting questionable content, criminals have now begun hacking and compromising legitimate sites with outstanding security reputations to launch attacks.

In the 2010 Web Security Report released in February, Blue Coat Systems found cyber criminals are taking the time to co-opt trusted sites to host malware and other malicious content.
According to the article, “Cyber-Criminals Co-Opting Trusted Sites into Attack Infrastructure: Report,” evidence of this strategy took place last October when a Kaspersky Labs‘ software download page redirected visitors to a fake antivirus software. Even though a site has an excellent security reputation rating, the report warned that relying on a reputation defense could leave users susceptible to attacks.

As Mac OS X gains market share, so does Mac malware

As more and more security experts warn that cybercrime is turning away from targeting traditional Windows-based PCs and focusing on emerging platforms like tablet computers and mobile platforms, Sophos researchers have discovered a new Trojan horse online that is written exclusively for the Mac.

In the article, “Hacker writes easy-to-use Mac Trojan,” Sophos said the BlackHole RAT (Remote Access Trojan) program, which can be found on online hacking forums, may still be in beta mode. However, if someone were to figure out how to get it installed in a Mac computer, it would give the criminals remote control of the compromised machine.

As Mac OS X continues to gain market share on Windows, Chet Wisniewski, a researcher with Sophos, says cyber criminals are taking note. He’s also come across another Mac Trojan, HellRTS, which is circulating on file-sharing websites for pirated Mac software. Either way you look at it, with more Mac malware popping up and enterprises scaling beyond Windows, the ability to protect all network endpoints across all major platforms is becoming essential to any endpoint security strategy.

I appreciate you checking in and reading our top endpoint security stories for February.

Rather than continuing with the current approach of adding layer upon layer of security to defend endpoints against expected attacks, Jeff Green, senior vice president of McAfee Labs and product development, said the security industry needs to get more aggressive if it expects to get a leg up on the tens of thousands of malware variants that surface every day.

“The tools and techniques of cybercrime continue to grow in number and sophistication at alarming rates. The cybercriminals prosper as they never have before because they have very little reason to fear the consequences. Maybe this is because we have really never given them a reason to fear. This must change. We must adapt our industry at its core and at all levels. It is time to send the security industry on the offensive.”

This statement comes at a time when testing continues to reinforce how much cybercriminals still have the upper hand. A recent independent study by NSS Labs found that a majority of antivirus security software suites still fail to detect malware attacks on PCs, with average protective scores of 76% even when exploits have been publicly available for months, or in some cases, years. The report concluded:

“Based on market share, between 70 to 75 percent of the market is under protected. Keeping AV software up-to-date does not yield adequate protection against exploits, as evidence by coverage gaps for vulnerabilities several years old.”

Even with the security industry in such dire straits, we all know surrender is never an option. What security professionals need to do is re-evaluate their current approaches and implement more proactive strategies for combating cybercrime. Instead of waving a white flag, the industry needs to consider other options such as application whitelisting. At a time when organizations desperately need to stay one step ahead of hackers, whitelisting solutions such as BOUNCER by CoreTrace can prevent the execution of the growing number of malware attacks that continue to slip passed even the most trusted antivirus security software on the market.

Historically, legislation has proven to be woefully inadequate in preparing the U.S. for cyberwar. Why? Because there are no consequences. Until there are repercussions or someone is going to lose their job for not being secure, this will continue to be problematic. This is where the government is missing the boat. Trying to legislate cyber security without holding organizations accountable seems to be the crux of the problem.

Unfortunately, our friend and newly appointed U.S. Cyber Security Czar, Howard Schmidt, is in a tough spot. With no budget or real authority to levy consequences, there’s not going to be much change. Although many believe the government can and should be leading the way to improve the nation’s cyber defenses, Mr. Schmidt believes the best defense remains in the hands of the private sector.

It all comes down to holding people accountable. Without repercussions, there’s no incentive for companies to spend money to get out of the status quo in terms of what security best practices are, and start thinking in a more proactive manner.

It’s only when people’s jobs are on the line that things truly get done. Only then will we start to move beyond our reactive mindset and get ahead of the problem by implementing proactive solutions such as application whitelisting that adequately prepare ourselves for cyberwar.

One comes from the former director of national intelligence, Michael McConnell, who recently testified in Congress by saying the country is already in the midst of a cyberwar — and losing it at that. This comes on the heels of growing speculation from experts that say the Chinese government was behind the recent cyberattacks targeting U.S. government Web sites, Google, and dozens of other U.S. companies. This, of course, raises the question: “If we aren’t already in a cyberwar, are we headed toward one?”

Larry Wortzel, a member of the U.S.-China Economic and Security Review Commission, said in the article, “Expert says Chinese government likely behind massive cyberattacks,” that whether the Chinese government or independent hackers in China were responsible for the recent attacks, we are seeing “persistent, systematic and sophisticated attacks” that are clearly targeting U.S. military, technical and scientific information. Similar trends released at RSA Conference and reported in the story, “Chinese hacks attacks said likely to recur,” said an increase in Internet attacks from China could double if the pace during the first two months of 2010 continues.

People often ask me, given my military background and experience fighting cyber crime, are we in a cyberwar or not? To me, whether or not we are is irrelevant. What defines cyber warfare? What’s important is that we are aware of what is going on and our government and the private sector are doing everything they can to ensure our cyber security. I commended President Obama last October when he said that cyber threats were one of the most serious economic and national security challenges we face as a nation. The fact is, cyber crime has already cost U.S. companies billions of dollars. If these trends aren’t stopped, cyber crime will continue to have a growing impact on both our economy and global competitiveness.

Ensuring our cyber security comes down to one thing — preparedness. The more we understand, and the more proactive steps the government and private sector take independently and collectively, are vital to defending our networks, national assets and critical infrastructures from any type of attack, whether we are in a cyberwar or not.