<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CoreTrace WhiteSpace&#187; CoreTrace WhiteSpace</title>
	<atom:link href="http://www.coretraceblogs.com/tag/endpoint-security/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.coretraceblogs.com</link>
	<description>The Application Whitelisting and Security Weblog</description>
	<lastBuildDate>Fri, 27 Jan 2012 17:47:15 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Lessons from Booz, RSA, Epsilon, etcetera: Partners may be your weakest security link&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-07/lessons-from-booz-rsa-epsilon-etcetera-partners-may-be-your-weakest-security-link/</link>
		<comments>http://www.coretraceblogs.com/2011-07/lessons-from-booz-rsa-epsilon-etcetera-partners-may-be-your-weakest-security-link/#comments</comments>
		<pubDate>Thu, 14 Jul 2011 16:26:14 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[BOUNCER]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cyber attacks]]></category>
		<category><![CDATA[cyber criminals]]></category>
		<category><![CDATA[security breach]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3320</guid>
		<description><![CDATA[Computer hackers by and large focus on the weakest link of an organization’s security system. Whether it’s an unprotected server, a newly discovered system vulnerability, or an unsuspecting employee’s computer that is connected to the corporate network, cyber criminals are experts at sniffing out the weakest link.
On the surface, this week’s breach of 90,000 military [...]]]></description>
			<content:encoded><![CDATA[<p>Computer hackers by and large focus on the weakest link of an organization’s security system. Whether it’s an unprotected server, a newly discovered system vulnerability, or an unsuspecting employee’s computer that is connected to the corporate network, cyber criminals are experts at sniffing out the weakest link.</p>
<p>On the surface, this week’s <a href="http://washingtontechnology.com/articles/2011/07/11/antisec-booz-allen-hack-military-emails.aspx">breach of 90,000 military e-mails and password hashes</a> may look the same. After all, the hackers claiming responsibility for the break-in did so through an unsecured server in a network that basically had no security measures in place. What’s different about this attack, however, is that the exploited server was not the military’s. The server belonged to government contractor Booz Allen Hamilton. In other words, this criminal strategy went beyond the walls of an organization’s own network defenses.</p>
<p>In the case of the <a href="http://www.coretraceblogs.com/2011-04/epsilon-breach-one-bad-apple-really-can-spoil-the-whole-bunch/">Epsilon security breach</a>, where millions of customer email addresses were compromised, hackers targeted a single entity to steal private data on many of the marketing giant’s big-name customers like Chase, Citi and Target. The Booz Allen hack reverses that scenario. Instead of going after one to get to many, cyber criminals targeted multiple entities to get to one.<span id="more-3320"></span></p>
<p>Much like the supply chains of the 1990s that tied systems together, today’s business enterprises are built on the same idea. Unfortunately, with a number of different partners connecting in real-time to a central network, an organization’s security is only as good as its partners’ security practices. If even a single partner does not adhere to today’s best practice security standards, that partner becomes the weakest link in the chain. Cyber criminals know this, and this week’s military breach is a prime example of what happens when hackers exploit a business partner to get to another business.</p>
<p>In today’s world, the epicenter of a cyber attack isn’t necessarily at the core of your network anymore. With so many endpoints connecting to your enterprise, how can you protect yourself when you can’t control the assets people use to get to your network? The fact is, organizations and people are getting hit in and between companies. The fight against cyber crime is becoming more about the weakest link in the entire value chain, not the organization itself.</p>
<p>Insisting on best practice security standards from all of your partners can be a first step to protecting your endpoints from attacks that start outside of your network. However, relying on your partners to maintain updates to ensure your corporate policies are enforced can potentially leave your network vulnerable to outside attacks. That’s why when pushing security standards, we recommend mandating a proactive security posture for your own endpoints and those of all of your partners. Naturally, we feel strongly that deploying an application whitelisting solution like <a href="http://www.coretrace.com/products/BOUNCER_by_CoreTrace/default.aspx">CoreTrace Bouncer</a> is a key component of that proactive strategy. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-07/lessons-from-booz-rsa-epsilon-etcetera-partners-may-be-your-weakest-security-link/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
		<item>
		<title>If you can&#8217;t change user behavior, stop the payload&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-06/if-you-cant-change-user-behavior-stop-the-payload/</link>
		<comments>http://www.coretraceblogs.com/2011-06/if-you-cant-change-user-behavior-stop-the-payload/#comments</comments>
		<pubDate>Tue, 14 Jun 2011 15:20:37 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[malicious software]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[security updates]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3196</guid>
		<description><![CDATA[For some time now, we’ve been hearing about how users often fail to install security updates for known vulnerabilities months, or even years, after a fix is available. As an IT security professional, this blows my mind because such practices create security holes that leave computers, and now corporate networks, susceptible to targeted cyber attacks. [...]]]></description>
			<content:encoded><![CDATA[<p>For some time now, we’ve been hearing about how users often fail to install security updates for known vulnerabilities months, or even years, after a fix is available. As an IT security professional, this blows my mind because such practices create security holes that leave computers, and now corporate networks, susceptible to targeted cyber attacks. However, I am a realist: most users do not really think or care about security until something happens to them directly.</p>
<p>According to the article <a href="http://www.prlog.org/11533824-malware-authors-relying-on-poor-user-updating-practices.html">“Malware Authors Relying on Poor User Updating Practices,”</a> cyber criminals understand this and are taking advantage of users’ negligence around installing the latest security updates on their PCs. According to Ralf Benzmüller, head of G Data SecurityLabs, cyber crooks are not just targeting current security gaps; they also have their eye on unclosed vulnerabilities that for one reason or another have been disregarded by users. <span id="more-3196"></span> </p>
<blockquote><p>
<em>&#8220;Even though an enormous number of program updates are being provided, users should not be fooled into deactivating automatic update functions. Not only does this apply to Java, but it should also apply in general to all browser plug-ins used and all applications installed on the PC.&#8221;</em></p></blockquote>
<p>Ironically, experts at G Data SecurityLabs also said there has been an increase in the installation of unwanted software such as fake antivirus programs, known as scareware, that trick users into downloading what they believe is extra protection against malware but is really malicious code designed to steal personal data.</p>
<p>The dangerous combination of poor security updating practices and users getting fooled into downloading malware programs on their computers is giving hackers an edge in the cyber crime fight. While security vendors are working on creating more secure applications, I sadly believe that there will always be vulnerable applications in our networks. Because of this, businesses should focus on stopping the payload that is deposited. Once the payload is executed, that’s when the damage is done.</p>
<p>This is another reason to consider application whitelisting solutions. With application whitelisting, it doesn’t matter how the malicious code gets deposited &#8212; whether through opening a bad attachment, a drive-by from hitting a bogus website, or a vulnerability &#8212; because all unauthorized applications are prevented from running. If you can&#8217;t change user behavior, stop the payload.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-06/if-you-cant-change-user-behavior-stop-the-payload/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Cloud security: Protecting critical data is job #1&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-05/cloud-security-protecting-critical-data-is-job-1/</link>
		<comments>http://www.coretraceblogs.com/2011-05/cloud-security-protecting-critical-data-is-job-1/#comments</comments>
		<pubDate>Tue, 10 May 2011 14:56:07 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[BOUNCER]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[malicious attacks]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[malware attacks]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3107</guid>
		<description><![CDATA[Cloud computing has certainly taken its share of hits lately. Last month’s Amazon outage created a lot of chatter and analysis around the reliability and availability of cloud-based services. Despite what pretty much amounts to growing pains for cloud computing, most everyone agrees that businesses will continue pursuing cloud services for the many cost and [...]]]></description>
			<content:encoded><![CDATA[<p>Cloud computing has certainly taken its share of hits lately. Last month’s Amazon outage created a lot of chatter and analysis around the reliability and availability of cloud-based services. Despite what pretty much amounts to growing pains for cloud computing, most everyone agrees that businesses will continue pursuing cloud services for the many cost and competitive advantages that the cloud promises.</p>
<p>The one thing that these types of events bring to light is the importance of security with cloud providers. According to the recent article, <a href="http://searchcloudsecurity.techtarget.com/news/2240035454/Symantec-executives-caution-customers-on-cloud-provider-security">“Symantec executives caution customers on cloud provider security,”</a> as more and more businesses turn to cloud services, they need to hold their providers to the same security standards that they adhere to because they can still be liable if their data is breached.</p>
<p>Whether an organization’s business assets are on-premise or reside in the cloud, securing critical data needs to be the No. 1 priority. <span id="more-3107"></span> The top challenge is finding an anti-malware solution that protects data without compromising the productivity of their systems. Unfortunately, using traditional antivirus products alone is not the answer. For many companies that continue to rely on antivirus solutions to protect their networks, the challenge remains because of two significant factors. </p>
<p>First, antivirus can’t keep up with the tens of thousands of new malicious programs that surface every day. With about 55,000 new viruses popping up daily, catching all the “known” malware coming through is impossible with reactive antivirus products. Second, as blacklist-based solutions try to keep up, the constant scanning for threats and downloading of signature updates are eroding the overall performance of their systems.</p>
<p>As a result, organizations need a solution that provides maximum endpoint security without reducing system performance. <a href="http://www.coretrace.com/products/BOUNCER_by_CoreTrace/default.aspx">Bouncer</a> by CoreTrace does both. Using application whitelisting technology that doesn’t require file and system scanning or frequent signature updates, Bouncer stops the execution of any unauthorized applications without slowing down the system&#8211;in physical or virtual environments. Don&#8217;t just take my word for it, check out the <b>Citrix Security Challenge</b> page where the short video, <a href="http://community.citrix.com/p/citrix-ready-security-challenge#live+contest">&#8220;Maximizing Security &#038; Performance of Citrix XenDesktops with CoreTrace Bouncer&#8221;</a> received the most community votes.  Even in the cloud, you can have security and performance at the same time.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-05/cloud-security-protecting-critical-data-is-job-1/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top Endpoint Security Stories for April 2011: Sony PSN &amp; Epsilon breaches dominate the news, but other critical systems at risk too&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-05/top-endpoint-security-stories-for-april-2011-sony-psn-epsilon-breaches-dominate-the-news-but-other-critical-systems-at-risk-too/</link>
		<comments>http://www.coretraceblogs.com/2011-05/top-endpoint-security-stories-for-april-2011-sony-psn-epsilon-breaches-dominate-the-news-but-other-critical-systems-at-risk-too/#comments</comments>
		<pubDate>Tue, 03 May 2011 15:40:19 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[data security]]></category>
		<category><![CDATA[Epsilon data breach]]></category>
		<category><![CDATA[pci dss]]></category>
		<category><![CDATA[Sony PlayStation data breach]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3094</guid>
		<description><![CDATA[Is it me, or does it seem like many of today’s security breaches are (eventually) the result of organizations not taking the necessary precautions to protect their data from cyber fraud? With the attacks on the Sony PlayStation Network and marketing giant Epsilon, April saw its share of high-profile data breaches. But many of the [...]]]></description>
			<content:encoded><![CDATA[<p>Is it me, or does it seem like many of today’s security breaches are (eventually) the result of organizations not taking the necessary precautions to protect their data from cyber fraud? With the attacks on the Sony PlayStation Network and marketing giant Epsilon, April saw its share of high-profile data breaches. But many of the intelligence reports that follow such incidents seem to indicate that had the organization taken proactive security measures to protect their enterprises, they may have mitigated risks that allowed their data to be compromised. All this leads to one important question: Are we doing enough to protect our networks? Here were some of the top security stories from April 2011: <span id="more-3094"></span></p>
<h3>Sony PlayStation suffers massive data breach</h3>
<p>Last month’s <a href="http://www.reuters.com/article/2011/04/26/us-sony-stoldendata-idUSTRE73P6WB20110426">Sony PlayStation Network data breach</a> was one of the largest compromises of Internet security ever. With 77 million PSN subscribers’ personal and financial account information exposed to intruders between April 17-19, the incident has the potential to create the greatest credit card fraud to ever hit U.S. consumers and businesses.</p>
<p>To compound the problem, Sony’s decision not to notify customers about the breach for six days after it shut down the hugely popular PSN not only put consumers at a greater risk, but has already resulted in the first of what could be many lawsuits against the electronics giant alleging negligent security practices, privacy violations and breach of warranty.</p>
<p>In the article, <a href="http://www.infoworld.com/d/security/suit-charges-sony-breach-caused-poor-security-341">“Suit charges Sony breach caused by poor security,”</a> Sony is accused of violating the Payment Card Industry (PCI) Data Security Standard for failing to implement a proper firewall and to encrypt card holder data. The suit also charges Sony with not informing their customers fast enough about the exposure of their personal account and credit card information, which increased the risk that the compromised data would be misused.</p>
<h3>End-user ignorance weakest link in Epsilon security breach </h3>
<p>Social engineering attacks are something we are all aware of. We understand cyber criminals target company employees through a number of different social networking sites to exploit vulnerabilities in the corporate system. Despite this knowledge and several warnings about a concerted phishing and hacking attack on the mailing list industry, an <a href="http://www.infoworld.com/t/cyber-crime/report-end-user-ignorance-epsilon-let-hackers-steal-customer-data-287">ITNews report</a> said it was end-user ignorance that led to last month’s Epsilon security breach.</p>
<p>The big question is: did Epsilon take the warnings seriously enough to alert and educate end-users about such an attack? Could they have been better prepared to avoid an attack that resulted in millions of customer email addresses of big-name companies like Chase, Citi, Hilton, Eddie Bauer and Target getting into the hands of cyber crooks?</p>
<p>As evolving criminals concoct new schemes to exploit network endpoints, taking proper precautions to ensure every level of your enterprise is educated and adequately trained to avoid being victimized is critical for protecting your business, and the sensitive data of your customers and partners. </p>
<h3>U.S. lags in working together to harden civilian infrastructure against cyber attacks</h3>
<p>A global survey released in April found that as large-scale denial of service (DoS) attacks increase, the U.S. government lags significantly behind in working closely with private industry on cybersecurity issues compared to other countries.</p>
<p>In the article, <a href="http://www.informationweek.com/news/government/security/229401858">“Cyber Threats to Critical Infrastructure Spike,”</a> McAfee and the Center for Strategic and International Studies reported that while cyber threats and vulnerabilities for critical infrastructure have increased, more than 40% of U.S.-based critical infrastructure companies still have no interaction with the federal government on cyber-defense matters. That’s compared to the 5% of Chinese executives who said they had not worked with their government on network security.</p>
<blockquote><p>
<em>&#8220;If there is a race among governments to harden their civilian infrastructure against cyberattack, Europe and the United States are falling behind Asia.&#8221;</em></p></blockquote>
<p>The survey also found that 80% of critical infrastructure companies faced a DoS attack last year, which is a sharp increase from 2009, where almost half of all companies surveyed experienced no DoS attack. Of those that did in 2010, nearly 40% said they saw them monthly.</p>
<h3>Survey finds enterprises lack ability to measure security effectiveness</h3>
<p>While more organizations are planning and coordinating their security efforts across their security, IT operations and risk management teams, a recent security vendor survey found that improvements in measuring the amount of process coordination that is in place are minuscule, at best.</p>
<p>In the article, <a href="http://www.informationweek.com/news/security/229400991">“(Slightly) More Organizations Proactively Managing Security Efforts,”</a> a data analysis report by SenSage found that companies that planned and documented process coordination between security, operations and risk managers rose by 5%, from 42% in 2010 to 47% this year. However, despite the year-over-year increases, 53% of organizations are still left with everything from no coordination at all to “reactive triage across teams.”</p>
<p>While these are certainly steps in the right direction, author George Hulme says there’s still work to be done. Additional findings of the report included:</p>
<ul>
<li>65% of enterprises say they have no measurement to benchmark the effectiveness of their security processes, or that this measurement is inconsistent</li>
<li>34% of respondents said they have no proactive efforts in place to improve their security processes, or that their improvement efforts have been inconsistent</li>
<li>As a result of this absence of coordination, measurement, and proactivity, 57% of organizations perceive core areas of security management to be ineffective or &#8220;somewhat effective&#8221; at best</li>
</ul>
<p>Thanks for taking the time to read this blog. Each week, I comment on the top stories from the security industry. I encourage your feedback and hope you come back soon. </p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-05/top-endpoint-security-stories-for-april-2011-sony-psn-epsilon-breaches-dominate-the-news-but-other-critical-systems-at-risk-too/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Epsilon Breach: One bad apple really *can* spoil the whole bunch&#8230;</title>
		<link>http://www.coretraceblogs.com/2011-04/epsilon-breach-one-bad-apple-really-can-spoil-the-whole-bunch/</link>
		<comments>http://www.coretraceblogs.com/2011-04/epsilon-breach-one-bad-apple-really-can-spoil-the-whole-bunch/#comments</comments>
		<pubDate>Tue, 12 Apr 2011 17:24:00 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[BOUNCER]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[Epsilon security breach]]></category>
		<category><![CDATA[malware attacks]]></category>
		<category><![CDATA[phone attacks]]></category>
		<category><![CDATA[social engineering]]></category>
		<category><![CDATA[unauthorized applications]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=2977</guid>
		<description><![CDATA[The recent Epsilon security breach that resulted in millions of customer email addresses being compromised, brings to light something I’ve said before, but can’t emphasize enough: You can’t control everything your end-users are doing. What you can control is what they are causing.
While companies can educate and train end-users to be more mindful of dangerous [...]]]></description>
			<content:encoded><![CDATA[<p>The recent Epsilon security breach that resulted in millions of customer email addresses being compromised, brings to light something I’ve said before, but can’t emphasize enough: You can’t control everything your end-users are doing. What you can control is what they are causing.</p>
<p>While companies can educate and train end-users to be more mindful of dangerous phishing and social engineering attacks, the truth of the matter is people are people, and they are going to make mistakes. According to the <em>InfoWorld</em> article, <a href="http://www.infoworld.com/t/cyber-crime/report-end-user-ignorance-epsilon-let-hackers-steal-customer-data-287" target="_blank">“Report: End-user ignorance at Epsilon let hackers steal customer data,”</a> in this particular case, a mistake made by one end-user in an email-based phishing attack affected many others simply because the user was connected to a larger network that stored millions of customer email addresses of big-name companies including Chase, Citi, Walgreens, Target, Disney Vacations, Fry’s and Eddie Bauer, to name a few.<span id="more-2977"></span></p>
<p>Once the user opened a bogus email link, they unintentionally downloaded three malware programs that disabled their machine&#8217;s antivirus software, ran a Trojan keylogger for stealing passwords, and gave hackers remote administration rights to the infected machine.</p>
<p>With <a href="http://www.informationweek.com/news/security/vulnerabilities/229401124" target="_blank">new malware up 26% in 2011</a> compared to the first quarter of last year, a recent study by PandaLabs found that targeted Trojans account for approximately 70% of all new malware attacks. While it is recommended that organizations keep end-users up to date on evolving online threats, for all intents and purposes, it won’t stop hackers from successfully exploiting their networks.</p>
<p>Because of the human factor, security professionals know you can’t restrict what websites people go to or what emails they download. User behavior is simply out of their control. Along with other safeguards like encryption and segregated networks, the primary objective should be stopping the payload that enters via user actions. By blocking malicious software from executing on a machine, no matter how it got there, organizations can stop targeted cyber attacks from penetrating their networks, which is where the trouble begins. This is where CoreTrace’s <a href="http://www.coretrace.com/products/BOUNCER_by_CoreTrace/default.aspx" target="_blank">Bouncer application whitelisting solution</a> stops any unauthorized applications from exploiting a network without having to unrealistically control end-user behavior.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-04/epsilon-breach-one-bad-apple-really-can-spoil-the-whole-bunch/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

