While it is good news that Congress is taking proactive steps before things explode, their solution to consolidate power within the government to legally monitor and respond to cyber threats as they occur is no way to get on top of the actual problem. Instead of proactively addressing the situation with a reactive set of solutions, they need to carry these measures through with proactive solutions that prevent the situations in the first place.

As I mentioned in a previous blog about malware that is already resident in a system but is waiting for the opportune time to launch, no matter where these attacks come from, and no matter which ATPs are involved, the vast majority of attacks have to do with malware in some way, shape, or form running on local machines. Even if organizations have taken adequate steps to protect their private networks, they need to make sure the solutions that they put in place prevent any malware from executing, no matter how they enter the system. Plans that deal with attacks after the fact will continue to keep the bad guys one step ahead and in charge.

It’s almost become a cliché to say we need be more proactive, not reactive, in the fight against cyber crime. Unfortunately, this simple message needs to be reinforced because too many companies and organizations continue to operate with a reactive mindset. If we expect to successfully protect our networks from the thousands of new cyber threats, public and private sector organizations need to follow up their proactive security talk with real proactive solutions.

New exploit resists Windows security

After months of dealing with malfunctioned security updates, Microsoft users once again found themselves vulnerable to a new tactic that bypasses the security protection of most antivirus software, leaving common Windows security software open to more attacks. The recently published technique could exploit the kernel driver hooks that most security software use to reroute Windows system calls through software to check for potential malicious code before it’s able to execute.

And the bugs keep coming for other technology leaders. After McAfee’s faulty security update led to thousands of Windows PC failures in April, Mozilla Firefox Web browser had to immediately deal with a major flaw in its Firefox 3.6.2 release. The security problem, which could potentially allow remote attackers to run commands of their choice, was addressed a week later with the release of Firefox 3.6.3.

Modern hack attacks developing a laser focus

At Symantec’s annual user conference, the company’s leading technologists said there’s been a shift in the intent of cyber-attacks on both business and government entities. Hacking attempts have progressed from being mass attacks looking to wreak havoc and steal as much data as they could, to highly targeted attacks looking for specific data from a specific organization. The challenge is how to increase visibility into all of the network and supporting activities, and at the same time, reduce the time from breach detection to mitigation, with the emphasis being on risk management and mitigation.

A prime example of these targeted attacks occurred when the U.S. Department of Treasury revealed three Web domains associated with the U.S Bureau of Engraving and Printing had been hacked to attack visitors with malicious software. The hackers targeted a handful of known bugs to redirect site visitors to a Web site in the Ukraine, which had been previously associated with similar attacks. Despite knowledge of the attacks, the sites continued to actively serve malicious software until the domains were cleaned up.

National strategy is light on cybersecurity details

Despite President Obama’s declaration to make cybersecurity a top priority last year, the U.S. government has made little progress toward securing our nation’s digital infrastructure from cyber-attacks, criminal cyber-espionage and theft. While the National Security Strategy the White House released last week emphasized the importance of government, industry and international partners working together to establish standards for combating cyber threats, James Lewis, director of the technology and public policy program at the Center for Strategic and International Studies, said the plan for defending cyberspace lacks substance.

“It says partnership, people, research, but it could have just as well said faith, hope and charity. [I see] nothing new in this, and no path forward.”

While many are encouraged that the administration has acknowledged the need to pursue new strategies to protect networks from cyber attacks, it’s not enough. The government needs to take a leadership role in laying a roadmap to address cybersecurity, then take action if we are going to make progress toward building a safer digital infrastructure.

DoD mulls protecting key private IT systems

The Pentagon raised the possibility of the Defense Department becoming engaged in safeguarding nationally critical IT systems run by business. Defense Deputy Secretary William Lynn III said the DoD is considering using the Einstein 2 intrusion detection and Einstein 3 intrusion prevention systems developed by the Department of Homeland Security to help secure critical systems such as finance and utility operated by the private sector. By creating a secure architecture that lets private parties opt-in to the protections afforded by active defenses, this could offer an important gateway to ensuring our nation’s critical infrastructure is protected from cyber attacks.

But for now, Homeland Security is hesitant to endorse such a program. In an email message, a DHS official said:

“DHS and DoD are working together to secure our respective portions of government networks, and we are relying on private sector and government technical expertise to address those requirements. We expect that experience will provide valuable lessons on ways in which critical infrastructure can be protected.”

In the meantime, to reduce the time to deploy IT security systems and increase the use of sophisticated technology tools to defend its own systems, Lynn said the DoD must rely on incremental development and testing, and make use of established standards and open modular platforms.

As always, thanks for reading this blog. Please feel free to provide any comments or feedback on these industry-related topics.

This says a lot about the current state of the AV industry. With so many new viruses and malware variants successfully bypassing security solutions, it is time to shift our way of thinking about how to protect our networks from new and unknown forms of malware and viruses.

With online crime losses doubling in 2009, we simply can’t afford to rely solely on AV software to protect our critical infrastructures from the countless number of malware variants out there. If these solutions are already losing the battle against highly visible malware, I can’t imagine the success rate of stopping unknown attacks would be any better.

As an example of how the industry currently looks at these problems, NSS Labs’ CTO, Vikram Phatak, said: “There are many ways to possibly exploit a vulnerability, and rather than focusing on every attack method, vendors need to focus on [shielding] the vulnerability itself.”

Vikram is correct in pointing out that you can’t defend against every attack method, but focusing on protecting against exploitation of the vulnerability is reactive, and a failure as well. This still leaves companies open to newly discovered vulnerabilities, relies on reactive patching and security system updates, and will ultimately fall on its face. We need to completely rethink our approach to endpoint security that begins with a foundation of whitelisting that would defeat new malware completely independently of the vulnerability or attack.

In this week’s TechJournal South article, “Industrialized hacking tops five data security trends for 2010″, Mr. Shulman’s data security firm listed its top five security predictions for 2010:

1. The hacking community will form a supply chain resembling that of drug cartels. Their weapons of choice? Automated malware distributed via botnets.
2. Cybercriminals will continue to focus on new ways to bypass existing security measures.
3. Increased attacks on social networking sites susceptible to phishing attacks and malware.
4. An increase in email password theft/grabbing attacks to apply to other applications such as online banking accounts.
5. A move from reactive to proactive security as organizations actively seek holes and plugging them.

This list is a good one and makes sense. The threats that Mr. Shulman enumerates are serious and can do tremendous damage to an organization. Where I disagree is in what the trend will be for organizations to address these threats. Proactive security sounds good, but really is nothing new. Seeking holes and plugging them is the combined vulnerability scanning and patching strategy that burns company resources, results in fire drills and ultimately is ineffective at providing comprehensive protection against new attacks.

Companies more than ever need real protection not just proactive security. That is why application whitelisting is gaining such mindshare and traction. Protection means that the urgency of finding holes and filling them is lessened because despite the flawed nature of software development, endpoints are protected in spite of these flaws. It’s time to move beyond software and processes that rely upon finding either vulnerabilities or creating signatures for malware that has already been created. That is security for yesterday’s threats. We need protection against all the threats yet to come.

The spotlight on this need continued last week when President Obama issued a statement saying December was Critical Infrastructure Protection (CIP) Month. Proclamations like these won’t change the world. Our systems won’t magically become secure, and most of the people responsible for these systems are already working hard to defend them.

That said, this proclamation adds to the increased awareness of the need for infrastructure protection against all attacks including cyber attacks. The key shift, especially when it comes to endpoint protection is the need for systems that can prevent attacks, not just detect them and remove them from affected systems.

The simple fact is that blacklist antivirus is no longer effective at preventing system compromise. Because of this, more sophisticated malware infections and viruses continue to exploit network vulnerabilities, undermining defenses that have protected networks through the years.

The combined urgent need for protection of our critical infrastructure combined with the diminishing effectiveness of patching and antivirus is driving increased awareness and acceptance of whitelisting in the energy industry. By strictly defining approved applications, whitelisting gives peace of mind and reduces the need for fire drill patching that is so commonplace across all organizations.