<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CoreTrace WhiteSpace</title>
	<atom:link href="http://www.coretraceblogs.com/tag/cybersecurity/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.coretraceblogs.com</link>
	<description>The Application Whitelisting and Security Weblog</description>
	<lastBuildDate>Fri, 27 Jan 2012 17:47:15 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>A Tale of Two DoDs: U.S. and Australian cybersecurity plans differ in depth and usefulness&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-08/a-tale-of-two-dods-u-s-and-australian-cybersecurity-plans-differ-in-depth-and-usefulness/</link>
		<comments>http://www.coretraceblogs.com/2011-08/a-tale-of-two-dods-u-s-and-australian-cybersecurity-plans-differ-in-depth-and-usefulness/#comments</comments>
		<pubDate>Wed, 03 Aug 2011 12:47:28 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[Featured]]></category>
		<category><![CDATA[Uncategorized]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[DoD]]></category>
		<category><![CDATA[patching]]></category>
		<category><![CDATA[vulnerabilities]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3409</guid>
		<description><![CDATA[Earlier this week, I came across some coverage about some of the Australian Department of Defence&#8217;s (DoD) cyber-security strategies.  While not completely fair, I found it an interesting study in contrasts between the Australian strategies/tactics and those recently outlined by the United States DoD.  
Toney Jennings, CoreTrace CEO and a former Air Force [...]]]></description>
			<content:encoded><![CDATA[<p>Earlier this week, I came across some coverage about some of the Australian Department of Defence&#8217;s (DoD) cyber-security strategies.  While not completely fair, I found it an interesting study in contrasts between the Australian strategies/tactics and those recently outlined by the United States DoD.  </p>
<p>Toney Jennings, CoreTrace CEO and a former Air Force information warfare officer, recently blogged on the US DoD&#8217;s <a href="http://www.defense.gov/news/d20110714cyber.pdf">“Strategy for Operating in Cyber-Space”</a>.  The main objective of his <a href="http://www.coretraceblogs.com/2011-07/dod-cyberspace-strategy-is-the-dod-really-ready-to-embrace-new-technologies-companies/">“DoD Cyberspace Strategy: Is the DoD really ready to embrace new technologies &#038; companies???”</a> post was to openly challenge the US DoD to modify their procurement and evaluation processes to enable small and innovative companies to assist in cyber defense.  However, Toney also made a few other key points. Most relevant to this post is that Toney highlighted that the document was <b><i>extremely high level and highly prone to status quo thinking and actions</i></b>, e.g.,</p>
<blockquote>
<p>&#8220;Unfortunately, a significant portion of the document is simply reiterating the government’s &#8216;business as usual&#8217; tactics. I’ve got to believe that for the five strategic initiatives, the DoD already has active programs in place. Therefore, the first question that comes to mind is how effective are these defenses? I suspect that the fundamental problem with the existing defenses is that the government is using traditional security solutions that don’t measure up against evolving cyber attacks. The root of this problem stems from the fact that the government continues to favor status-quo, &#8216;no one ever got fired for buying from&#8217; large companies and contractors.&#8221;</p>
</blockquote>
<p>Which brings me to the Australian DoD.  In contrast to the high-level US cyberstrategy document, the Australian DoD&#8217;s <a href="http://www.dsd.gov.au/publications/Top_35_Mitigations.pdf">“Strategies to Mitigate Targeted Cyber Intrusions”</a> plan is detailed, well-researched and supported, and focused on proactively solving security problems rather than blindly reinforcing outdated and ineffective strategies.<span id="more-3409"></span> There is a nice blend of old and new in the list of thirty-five mitigation recommendations, with a strong recommendation to implement the top four strategies.  According to the DoD&#8217;s Defence Signals Directorate (DSD):</p>
<blockquote>
<p>&#8220;While no single strategy can prevent this type of malicious activity, the effectiveness of implementing the top four strategies remains unchanged. Implemented as a package, <b>these strategies would have prevented at least 70% of the intrusions that DSD analysed and responded to in 2009, and at least 85% of the intrusions responded to in 2010</b>.&#8221;</p>
</blockquote>
<p>I strongly recommend reading the whole document, but here are the four key strategies:</p>
<blockquote>
<ol>
<li><strong>Patch applications</strong> e.g. PDF viewer, Flash Player, Microsoft Office and Java. Patch or mitigate within two days for high risk vulnerabilities. Use the latest version of applications.</li>
<li><strong>Patch operating system vulnerabilities.</strong> Patch or mitigate within two days for high risk vulnerabilities. Use the latest operating system version.</li>
<li><strong>Minimize the number of users with domain or local administrative privileges.</strong> Such users should use a separate unprivileged account for email and web browsing.</li>
<li><strong>Implement application whitelisting</strong> to help prevent malicious software and other unapproved programs from running.</li>
</ol>
</blockquote>
<p>I sincerely hope the US DoD will take a page from their Australian counterparts.  Learn, adapt, and survive. It is a far better strategy than simply staying pat.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-08/a-tale-of-two-dods-u-s-and-australian-cybersecurity-plans-differ-in-depth-and-usefulness/feed/</wfw:commentRss>
		<slash:comments>3</slash:comments>
		</item>
		<item>
		<title>Top Endpoint Security Stories for July 2011: New cybersecurity plans, breaches, platforms and arrests&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-07/top-endpoint-security-stories-for-july-2011-new-cybersecurity-plans-breaches-platforms-and-arrests/</link>
		<comments>http://www.coretraceblogs.com/2011-07/top-endpoint-security-stories-for-july-2011-new-cybersecurity-plans-breaches-platforms-and-arrests/#comments</comments>
		<pubDate>Thu, 28 Jul 2011 14:23:35 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[Anonymous]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[cybersecurity plan]]></category>
		<category><![CDATA[DoD]]></category>
		<category><![CDATA[Lulzsec]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3386</guid>
		<description><![CDATA[In response to increasing cyber threats targeting the U.S. government, defense contractors and the nation’s critical infrastructure, the Department of Defense released its new strategy for protecting our nation’s systems and networks from cyber attacks. While it’s a nice first step, many critics are wondering if the government can actually pull it off. In the [...]]]></description>
			<content:encoded><![CDATA[<p>In response to increasing cyber threats targeting the U.S. government, defense contractors and the nation’s critical infrastructure, the Department of Defense released its new strategy for protecting our nation’s systems and networks from cyber attacks. While it’s a nice first step, many critics are wondering if the government can actually pull it off. In the same vein, the shift to virtualization has many businesses re-thinking their existing security approaches. Will virtualization mark the end of traditional host-based antivirus solutions as we know them? Here are some of the top endpoint security stories for July 2011.</p>
<h3>DoD’s cybersecurity plan creates more questions than answers</h3>
<p>In July, the Department of Defense released its new strategy for operating in cyberspace, and how it plans to protect our nation’s computer systems and networks from cyber attacks. The plan includes a number of initiatives such as treating cyberspace as a domain it defends (with land, air, sea and space), introducing new network defenses to detect and stop malicious code, coordinating with the private sector, and working with other countries. However, in the article, <a href="http://www.infoworld.com/d/the-industry-standard/critics-us-cybersecurity-plan-has-holes-few-new-items-118">“Critics: U.S. cyber security plan has holes, few new items,”</a> the document has many analysts like Rich Mogull of Securosis wondering if the DoD can pull it off.<span id="more-3386"></span></p>
<blockquote><p>
<em>“Some of these things have been written about for years. The real challenge is, are they going to actually execute this?”</em></p></blockquote>
<p>While Mogull is glad to see the government is finally getting serious about improving cyber defenses, he doesn’t see anything in the new plan that the DoD isn’t already working on. For example, the government has been talking about establishing partnerships with the private industry and international community for years now. Why hasn’t this already been done? But while critics may agree developing a strategy is a good first step, achieving the initiatives is paramount to securing our nation and critical infrastructure from more dangerous, harmful cyber attacks. </p>
<h3>Shift to virtualized environments shaking up security practices</h3>
<p>As more and more businesses move to virtualized computing environments, they’re quickly learning that the <a href="http://www.networkworld.com/news/2011/071911-virtual-user.html">shift to server virtualization is creating a number of new security challenges.</a> For companies that are beyond the halfway mark of operating a 100% virtualized environment, some of the top security concerns include access control, data encryption, monitoring virtual network traffic, and improving threat detection and rogue-device identification.</p>
<p>Along with a heightened security awareness, many organizations agree they need to re-evaluate their existing strategies and look at new security approaches that will adequately protect their virtualized environments without impacting the availability and performance of their systems. Either way you look at it, today’s infrastructures are changing fast. Organizations moving to virtualized environments need to adapt their security programs and policies to accommodate virtualization.</p>
<h3>Will virtualization mark the end of host-based antivirus software?</h3>
<p>In a related story, organizations are finding that traditional host-based anti-malware is not as effective as it was in the pre-virtualized era because the main problems they face are coming from Web-based malware. According to the article, <a href="http://www.infoworld.com/d/security/host-based-antivirus-software-losing-luster-811?page=0,0">“Is host-based antivirus software losing luster?”</a> companies are choosing not to run antivirus software in their virtualized environments because it’s no longer useful in detecting malware and can disrupt application performance, said Johnny Hernandez, VP of information security at PrimeLending.</p>
<blockquote><p>
<em>&#8220;Today, we don&#8217;t run A/V in the current virtualization environment because it does have an impact on the back-end and system utilization.&#8221;</em></p></blockquote>
<p>More telling is the fact that IT folks like Albert Gore, director of information technology operations at the John F. Kennedy Center for the Performing Arts in Washington, D.C., doubt that most desktop antivirus software can even stop malicious code that is being unintentionally passed from employees to contractors to partners and others over the Web.</p>
<h3>Hackers target intelligence contractors</h3>
<p>The recent cyber attacks against Lockheed Martin and <a href="http://washingtontechnology.com/articles/2011/07/11/antisec-booz-allen-hack-military-emails.aspx">Booz Allen</a> have shown that hackers are actively trying to steal classified government data by way of the computer networks of U.S. defense contractors.</p>
<p>In the article, <a href="http://www.msnbc.msn.com/id/43848947/ns/technology_and_science-security/t/hackers-target-intelligence-agency-contractors/">“Hackers target intelligence agency contractors,”</a> cyber criminals sent emails with malicious software to employees of contractors that work for U.S. government agencies. The spear phishing attacks contained personal information designed to deceive the highly targeted victims into clicking on infected links within the corrupt email. Once the software was installed on a computer, it downloaded payloads that enabled criminals to control a victim’s computer, access sensitive data and communicate with hackers.</p>
<p>Because the attacks target specific government contractors, experts say they are likely distributed and carried out by foreign actors, who persistently target multiple individuals to penetrate the network. To counter such attacks, government agencies and contractors need to push security standards across all endpoints within their networks and beyond the walls of their own defenses. Otherwise, their sensitive and proprietary information is only as safe as their partners’ vulnerabilities.</p>
<h3>FBI arrests 14 alleged Anonymous members</h3>
<p>As part of an international effort to crack down on cybercrime, the FBI conducted more than a dozen raids across the U.S. in July that resulted in the <a href="http://www.nbr.co.nz/article/fbi-arrests-14-alleged-anonymous-members-aw-97393">arrests of 14 members of the notorious hacker group, Anonymous,</a> which has claimed responsibility for multiple high-profile online attacks including the Internal Affairs and PayPal websites.</p>
<p>This is the latest in a number of international arrests that have shaken up the cybercrime underworld. A handful of others have been arrested in the UK and the Netherlands for alleged related cyber attacks, including an individual connected to attacks carried out by the theoretically disbanded hacktivist organization, LulzSec.</p>
<p>The ongoing cybercrime investigations are part of a concerted effort by multiple international, federal and domestic law enforcement agencies who are working together to stop coordinated cyber attacks targeting major companies and organizations.</p>
<p>I appreciate your interest in reading our blog and encourage you to provide comments and your unique perspective on the biggest stories in the security industry.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-07/top-endpoint-security-stories-for-july-2011-new-cybersecurity-plans-breaches-platforms-and-arrests/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Targeted marketing &amp; attacks: If you are the goal, they will find you&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-03/targeted-marketing-attacks-if-you-are-the-goal-they-will-find-you/</link>
		<comments>http://www.coretraceblogs.com/2011-03/targeted-marketing-attacks-if-you-are-the-goal-they-will-find-you/#comments</comments>
		<pubDate>Tue, 29 Mar 2011 12:56:18 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cyber attacks]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[targeted attacks]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=2927</guid>
		<description><![CDATA[In today’s competitive marketplace, highly targeted marketing plans are essential for reaching your core audience and getting the most bang for your buck. This is what most organizations strive for, and hackers have taken note.
Over the past few years, cyber criminals have embraced a similar business model. Instead of playing the numbers game, which [...]]]></description>
			<content:encoded><![CDATA[<p>In today’s competitive marketplace, highly targeted marketing plans are essential for reaching your core audience and getting the most bang for your buck. This is what most organizations strive for, and hackers have taken note.</p>
<p>Over the past few years, cyber criminals have embraced a similar business model. Instead of playing the numbers game, which consists of randomly spamming tens of thousands of people in hopes of getting a small percentage of victims to click on their malicious code, malware attacks are now truly targeted. In a kind of niche-marketing approach, hackers design specific cyber attacks that target specific victims, companies and industries.</p>
<p>As a result, no vertical is safe today.<span id="more-2927"></span> Whether you are a federal agency, an educational institution, a retailer, or even a security company, every organization is susceptible to the myriad targeted attacks, from zero-day vulnerability exploits to the theft of intellectual property and trade secrets.</p>
<p>In recent years, many high-profile organizations including Google, Symantec, and the U.S. military have all been victims of dangerous cyber attacks. Because nobody is immune to such attacks, it’s time companies adopted a new way of thinking about combating more targeted attacks.</p>
<p>For a fun, entertaining, and highly informative look at this new mindset, check out the webinar we are hosting today, <a href="http://www.coretrace.com/resources/webinars/EMA_Webinar_A_Fresh_Look_at_the_Art_of_Defense.aspx" target="_blank">“A Fresh Look at the Art of Defense: Rebooting Strategic Security Thinking Using ‘The Art of War’.”</a> Scott Crawford, managing research director at EMA, along with CoreTrace&#8217;s Toney Jennings, will talk about how we need to apply the principles of Sun Tzu’s classic book, “The Art of War,” to endpoint security if we are going to take back the initiative and turn the tables on attackers. <a href="http://forms.coretrace.com/forms/ShortForm?doc=62" target="_blank">Register now</a> and join the webinar, which begins at 2:00 p.m. EDT / 11:00 a.m. PDT.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-03/targeted-marketing-attacks-if-you-are-the-goal-they-will-find-you/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top Endpoint Security Stories for January 2011: New Platforms &amp; Further Malware &#8220;Commercialization&#8221;&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-02/top-endpoint-security-stories-for-january-2011-new-platforms-further-malware-commercialization/</link>
		<comments>http://www.coretraceblogs.com/2011-02/top-endpoint-security-stories-for-january-2011-new-platforms-further-malware-commercialization/#comments</comments>
		<pubDate>Tue, 01 Feb 2011 16:20:32 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[attack toolkits]]></category>
		<category><![CDATA[cyber attacks]]></category>
		<category><![CDATA[cybercrime]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[malware attacks]]></category>
		<category><![CDATA[malware toolkits]]></category>
		<category><![CDATA[network endpoints]]></category>
		<category><![CDATA[Zeus]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=2787</guid>
		<description><![CDATA[I believe that January has given us a nice preview of what is to come in 2011. From attacks targeting new platforms to the increasing &#8220;commercialization&#8221; of malware business models and toolkits, the ongoing need to secure endpoints, from servers to laptops and from SCADA systems to tablets, shows no sign of abating. Here are some [...]]]></description>
			<content:encoded><![CDATA[<p>I believe that January has given us a nice preview of what is to come in 2011. From attacks targeting new platforms to the increasing &#8220;commercialization&#8221; of malware business models and toolkits, the ongoing need to secure endpoints, from servers to laptops and from SCADA systems to tablets, shows no sign of abating. Here are some of the top endpoint security stories for January 2011.<span id="more-2787"></span></p>
<h3>Cisco predicts turning point for cybercrime</h3>
<p>If protecting your corporate assets wasn’t challenging enough, Cisco says it could get a lot harder. In the article, <a href="http://www.financetechnews.com/cybercriminals-new-attack-targets/" target="_blank">“Cybercriminals new attack targets,”</a> Cisco’s latest security report says cybercrime will hit a major turning point as hackers move away from more traditionally targeted Windows-based PCs and set their sights on other emerging platforms such as tablet computers and mobile platforms.</p>
<p>What’s prompting this shift? One reason cited (though I do not completely agree with it) is that stronger security on Windows-based products is making it harder for scammers to exploit PC platforms. The second is the increasing use of mobile devices and emerging platforms to access corporate networks.</p>
<p class="margin_bottom_2em">Whatever the case, it’s time organizations that are expanding beyond Windows to other platforms re-evaluated their existing security strategies to ensure their network endpoints are protected.</p>
<h3>Malware toolkits lowering the bar for cyber criminals</h3>
<p>Thanks to more complex malware toolkits, cyber criminals no longer have to be highly skilled coders to launch malicious attacks. Designed to exploit known vulnerabilities and automatically launch massive attacks to install tools on people’s computers, today’s toolkits do all the work for aspiring criminals looking to steal sensitive information, spread spam, or commit any number of malicious activities.</p>
<p>According to the article, <a href="http://www.informationweek.com/news/smb/security/showArticle.jhtml?articleID=229000835" target="_blank">“Malware Toolkits Generate Majority Of Online Attacks,”</a> toolkits are so successful at freeing people from their financial information that Symantec estimates they make up 61% of all online attacks today. In fact, the kits are so good at making a profit that the popular Zeus toolkit can sell for up to $8,000, said Marc Fossi, executive editor of a recent Symantec report.</p>
<blockquote><p>&#8220;It&#8217;s like legitimate software in a lot of ways. Because they&#8217;re making a profit, they&#8217;re putting more work into them, so that my kit sells over your kit. And because the guys who buy the kits can turn around and generate a profit, people are willing to pay money for them.”</p></blockquote>
<p class="margin_bottom_2em">With more sophisticated toolkits out there, I wouldn’t expect this trend to slow down anytime soon.</p>
<h3>Cybercrime black market using familiar purchasing models</h3>
<p>Panda Security said in January that it uncovered just how complex &#8212; and similar &#8212; the thriving cybercrime black market is compared to any other legitimate business market. In the article, <a href="http://www.informationweek.com/news/security/cybercrime/showArticle.jhtml?articleID=229100033&#038;subSection=Security" target="_blank">“Botnets, Hacked Credit Cards Selling at Bargain Prices,”</a> Panda Security said the underground environment promotes entrepreneurialism, offers bulk discounts for high-volume buyers, and allows buyers to add services to online shopping carts and pay via Western Union and WebMoney.</p>
<p>While the various purchasing processes resemble legitimate online business models, with offerings such as credit card details starting at $2 per card, $15 botnet rentals to launch spam campaigns, and “guaranteed” credit lines or bank balances ranging from $80 to $700 to access accounts, they’re anything but legit.</p>
<p>One way cyber criminals entice buyers is through competitive pricing, said Luis Corrons, technical director of Panda Security.</p>
<p>&#8220;Since there is a great deal of competition in this industry, the rule of supply and demand ensures that prices are competitive, and operators even offer bulk discounts to higher-volume buyers. They will offer free &#8216;trial&#8217; access to stolen bank or credit card details, as well as money-back guarantees and free exchanges.&#8221;</p>
<p class="margin_bottom_2em">While Panda researchers posed as cybercrime customers to access the black market, understanding who’s behind the operations is challenging. To maintain anonymity, Corrons said contact is always made via instant messaging or through free, generic email accounts.</p>
<h3>SMBs not off-limits to cyber attacks</h3>
<p>Just because a smaller to midsize business doesn’t trade state secrets doesn’t mean they’re not targeted by hackers. According to Blue Coat Security, <a href="http://www.informationweek.com/news/smb/security/showArticle.jhtml?articleID=229001001&#038;subSection=Security" target="_blank">the bad guys are lurking everywhere</a>, and no company is off-limits to their dirty tricks.</p>
<p>In a recent message, Chris Larsen, head of Blue Coat Security’s research lab, said:</p>
<blockquote><p>&#8220;If I were an SMB, I would be more concerned about what I call mass-market malware. Those are the sort of attacks that are launched fairly indiscriminately by the bad guys just trying to infect whoever they can, and then they will sift through the list of computers they&#8217;ve infected and try to sort out higher value targets.&#8221;</p></blockquote>
<p>In fact, because SMBs don’t have the level of budget or security personnel that larger organizations do, their problems could magnify as they expand. Larsen added that as SMBs add smartphones and other mobile devices to their network, systems administrators are increasing the number of platforms they need to protect. Along with raising awareness of attacks, Larsen recommended that security professionals at SMBs consider the kinds of attacks they could face in order to improve their defenses against them.</p>
<p>Thanks again for taking the time to read about some of this month’s top endpoint security stories.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-02/top-endpoint-security-stories-for-january-2011-new-platforms-further-malware-commercialization/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>How effective is signature-based detection when the malware lasts only 24 hours?</title>
		<link>http://www.coretraceblogs.com/2011-01/how-effective-is-signature-based-detection-when-the-malware-lasts-only-24-hours/</link>
		<comments>http://www.coretraceblogs.com/2011-01/how-effective-is-signature-based-detection-when-the-malware-lasts-only-24-hours/#comments</comments>
		<pubDate>Tue, 11 Jan 2011 16:03:23 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[banking Trojans]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[malware]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=2684</guid>
		<description><![CDATA[Record-breaking years can sometimes be a good thing, but not when it comes to malware.
According to PandaLabs, 2010 set a record for new online threats, with cybercriminals creating one-third of all malware in existence last year alone. The report found that throughout 2010 the average number of new threats created every day rose from 55,000 [...]]]></description>
			<content:encoded><![CDATA[<p>Record-breaking years can sometimes be a good thing, but not when it comes to malware.</p>
<p>According to PandaLabs, <a href="http://www.informationweek.com/news/security/vulnerabilities/showArticle.jhtml?articleID=229000124" target="_blank">2010 set a record for new online threats</a>, with cybercriminals creating one-third of all malware in existence last year alone. The report found that throughout 2010 the average number of new threats created every day rose from 55,000 to 63,000.</p>
<p>With financial gain being the prime motivator behind the creation of new malware, the study also found that banking Trojans were the most prevalent type of attacks in 2010 at 56%, along with viruses (22%) and worms (10%). Despite all these findings, the one that struck me the most was that 52% of new malware created last year exists for only 24 hours. Then it&#8217;s gone. <span id="more-2684"></span> According to PandaLabs:</p>
<blockquote><p>&#8220;as antiviruses become able to detect new malware, hackers modify them to create new ones so as to evade detection.&#8221;</p></blockquote>
<p>Is it me, or does it seem counterproductive for IT security professionals to dedicate so much time and effort using blacklists to catch and create signatures for malware that is so quickly disposed of? After all, once the malware is gone, the signature is essentially worthless. This reminds me of my days at WholeSecurity, when we created behavioral detection of phishing sites because the sites were up and down too fast for a blacklist to be even marginally effective. Today&#8217;s short-lived malware just further reinforces the case for application whitelisting. With application whitelisting, new malware &#8212; no matter how long or short the lifespan &#8212; is stopped from running on a machine, and doesn&#8217;t impact system performance in the process.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-01/how-effective-is-signature-based-detection-when-the-malware-lasts-only-24-hours/feed/</wfw:commentRss>
		<slash:comments>2</slash:comments>
		</item>
	</channel>
</rss>