<?xml version="1.0" encoding="UTF-8"?>
<rss version="2.0"
	xmlns:content="http://purl.org/rss/1.0/modules/content/"
	xmlns:wfw="http://wellformedweb.org/CommentAPI/"
	xmlns:dc="http://purl.org/dc/elements/1.1/"
	xmlns:atom="http://www.w3.org/2005/Atom"
	xmlns:sy="http://purl.org/rss/1.0/modules/syndication/"
	xmlns:slash="http://purl.org/rss/1.0/modules/slash/"
	>

<channel>
	<title>CoreTrace WhiteSpace&#187; CoreTrace WhiteSpace</title>
	<atom:link href="http://www.coretraceblogs.com/tag/malware-threats/feed/" rel="self" type="application/rss+xml" />
	<link>http://www.coretraceblogs.com</link>
	<description>The Application Whitelisting and Security Weblog</description>
	<lastBuildDate>Fri, 27 Jan 2012 17:47:15 +0000</lastBuildDate>
	<generator>http://wordpress.org/?v=2.9.1</generator>
	<language>en</language>
	<sy:updatePeriod>hourly</sy:updatePeriod>
	<sy:updateFrequency>1</sy:updateFrequency>
			<item>
		<title>Modern, *proactive* security suites: What are the “must have” components?</title>
		<link>http://www.coretraceblogs.com/2011-05/modern-proactive-security-suites-what-are-the-%e2%80%9cmust-have%e2%80%9d-components/</link>
		<comments>http://www.coretraceblogs.com/2011-05/modern-proactive-security-suites-what-are-the-%e2%80%9cmust-have%e2%80%9d-components/#comments</comments>
		<pubDate>Tue, 24 May 2011 18:27:18 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cyber attacks]]></category>
		<category><![CDATA[malware attacks]]></category>
		<category><![CDATA[malware threats]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=3152</guid>
		<description><![CDATA[I know this will come as a shock to all security experts, but our systems and networks are constantly under attack by an ever-expanding list of malware that threatens just about everything we do online &#8212; from working and shopping to communicating and governing. It’s true that hackers never sleep, which means that every corner [...]]]></description>
			<content:encoded><![CDATA[<p>I know this will come as a shock to all security experts, but our systems and networks are constantly under attack by an ever-expanding list of malware that threatens just about everything we do online &#8212; from working and shopping to communicating and governing. It’s true that hackers never sleep, which means that every corner presents a potential danger each time we go online. If we aren’t adequately prepared to protect the systems we rely on and get ahead of more harmful, targeted attacks, we will continue to fall victim to evolving cyber crimes that are out to exploit our systems to steal sensitive and proprietary information for personal gain, corporate espionage or international deception. We need to move to a modern, proactive security suite.<span id="more-3152"></span>  </p>
<p>According to the article, <a href="http://www.heritage.org/Research/Reports/2011/05/Time-for-America-to-Get-Cyber-Serious">“Time for America to Get Cyber-Serious,”</a> today’s cyber crimes go beyond draining personal bank accounts and pose a threat to the freedoms, prosperity and security of all Americans. While the Department of Defense sees cyber attacks as a growing threat to the 3.5 million commercial computer systems it depends on to conduct military operations and protect our national security, online threats are a growing problem that is not limited to the public sector. Like the DoD, organizations everywhere are susceptible to malware attacks that target specific systems. </p>
<p>With government and private information networks increasingly under attack, a trend the Government Accountability Office recognized in 2001 still holds a decade later; the biggest difference is that today’s online threats are more severe and potentially more dangerous than ever before.</p>
<blockquote><p>
<em>Daily, DOD identifies and records thousands of “cyber events,” some of which are determined to be attacks against systems and networks. These attacks may be perpetrated by individuals inside or outside the organization, including hackers, foreign-sponsored entities, employees, former employees, and contractors or other service providers.</em>
</p></blockquote>
<p>As the bad guys continue to come up with new ways to compromise our systems and network security, one of the ways we can get ahead of these evolving threats is to implement proactive solutions that stop the onslaught of new viruses and malware variants. Application whitelisting is one such solution: it stops unapproved applications (such as malware payloads) and memory attacks from running on a system, without requiring any advance information about the malicious threats themselves. </p>
<p>You would expect an application whitelisting supplier to suggest the technology as part of the new proactive defense arsenal &#8211; but what are the others? I would love to hear your opinions on the subject. What are the &#8220;must have&#8221; components that make up a modern, proactive security suite?</p>
<p>So, is it time to get &#8220;cyber-serious&#8221;? You bet it is. With new threats on the horizon, both the public and private sectors need to shed their dependencies on reactive solutions that cannot stop modern attacks. If we expect to stop the threats of tomorrow, we need to become proactive and make network endpoint security a priority today.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-05/modern-proactive-security-suites-what-are-the-%e2%80%9cmust-have%e2%80%9d-components/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Top Endpoint Security Stories for March 2011 &#8212; Cyber criminals setting new sights on unprotected intellectual property and government networks</title>
		<link>http://www.coretraceblogs.com/2011-04/top-endpoint-security-stories-for-march-2011-cyber-criminals-setting-new-sights-on-unprotected-intellectual-property-and-government-networks/</link>
		<comments>http://www.coretraceblogs.com/2011-04/top-endpoint-security-stories-for-march-2011-cyber-criminals-setting-new-sights-on-unprotected-intellectual-property-and-government-networks/#comments</comments>
		<pubDate>Tue, 05 Apr 2011 15:41:27 +0000</pubDate>
		<dc:creator>JT Keating</dc:creator>
				<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[application]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cyber criminals]]></category>
		<category><![CDATA[exploit technique]]></category>
		<category><![CDATA[FISMA]]></category>
		<category><![CDATA[malware]]></category>
		<category><![CDATA[malware threats]]></category>
		<category><![CDATA[PDF exploits]]></category>
		<category><![CDATA[Trojan attacks]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=2956</guid>
		<description><![CDATA[New trends in cybercrime show that hackers are shifting to more monetarily valuable information &#8212; unprotected intellectual property, and federal government networks. While traditional antivirus solutions struggle to keep up with today’s prolific attack software, Gartner recommends whitelisting as a complementary security defense in preventing malware attacks on corporate networks and PCs. Here are some [...]]]></description>
			<content:encoded><![CDATA[<p class="margin_bottom_2em">New trends in cybercrime show that hackers are shifting to more monetarily valuable information &#8212; unprotected intellectual property, and federal government networks. While traditional antivirus solutions struggle to keep up with today’s prolific attack software, Gartner recommends whitelisting as a complementary security defense in preventing malware attacks on corporate networks and PCs. Here are some of the top endpoint security stories for March 2011.<span id="more-2956"></span></p>
<h3>Cyber criminals eyeing unprotected corporate intellectual property</h3>
<p>With their sights set on something of more monetary value, cyber criminals are shifting their focus from customer and employee data like Social Security numbers to unprotected corporate intellectual property. With many high-profile organizations being hit by more sophisticated attacks, reactive security approaches are making it difficult for organizations to keep up with the bad guys.</p>
<p>According to the article, <a href="http://www.infoworld.com/d/security/forget-social-security-numbers-cybercriminals-want-your-ip-000" target="_blank">“Forget Social Security numbers &#8212; cyber criminals want your intellectual property,”</a> hackers are getting better at posing as insiders to infiltrate organizations’ networks. As a result, Scott Aken, VP for cyber operations at the Science Applications International Corporation (SAIC), said new strategies are needed to combat today’s cyber criminal techniques.</p>
<blockquote class="margin_bottom_2em">
<p>&#8220;Sophisticated attackers infiltrate a network, steal valid credentials on the network, and operate freely &#8212; just as an insider would. Having defensive strategies against these blended insider threats is essential, and organizations need insider threat tools that can predict attacks from this blended threat.&#8221;</p>
</blockquote>
<h3>Gartner report recommends whitelisting as a ‘complementary’ malware defense</h3>
<p>A Gartner report released in March said that while whitelisting technology is a way to prevent malware attacks on corporate servers and PCs, it recommends whitelisting be used as a complementary security defense, not a substitute for traditional antivirus software.</p>
<p>According to the article, <a href="http://www.networkworld.com/news/2011/031111-whitelisting-malware.html" target="_blank">“Whitelisting on its own not a substitute for antivirus software,”</a> because blacklist-based solutions can no longer keep up with today’s prolific attack software, enterprises should consider application control and whitelisting as a “strategic or tactical approach” to help protect their network endpoints from malicious code.</p>
<p class="margin_bottom_2em">To some people&#8217;s amazement, CoreTrace actually agrees with many of Gartner&#8217;s opinions on this topic, as I wrote about in this post: <a href="http://www.coretraceblogs.com/2011-03/why-whitelisting-is-not-a-standalone-replacement-for-traditional-antivirus/">&#8220;Why whitelisting is not a standalone replacement for traditional antivirus&#8230;&#8221;</a>. Please let me know your thoughts on it.</p>
<h3>Attacks on federal government networks increased in 2010</h3>
<p>According to a recent Congressional report, federal government networks experienced a <a href="http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=229400156&#038;subSection=Security" target="_blank">39% jump in the number of cyber attacks in 2010</a> over the previous year, but overall incidents reported to US-CERT were down. While phishing attacks dropped, Trojans, viruses and worms were among the types of attacks that increased year-over-year.</p>
<p>To help government agencies protect their networks from more targeted malware attacks, the National Institute of Standards and Technology (NIST) published a <a href="http://www.informationweek.com/news/government/security/showArticle.jhtml?articleID=229300035&#038;subSection=Security" target="_blank">report</a> to support the Federal Information Security Management Act (FISMA).</p>
<p class="margin_bottom_2em">Instead of focusing strictly on IT initiatives, NIST recommends organizations take a broader approach to federal IT security by considering risk management and security in their overall objectives and business functions. By prioritizing decisions around security, organizations can better address new security challenges facing the federal government and U.S. critical infrastructure.</p>
<h3>Trojan-based attacks still top malware threat</h3>
<p>Several security studies found that <a href="http://www.eweek.com/c/a/Security/Botnet-Trojan-Activity-Increased-in-February-553094/" target="_blank">Trojan-based attacks remain the top malware threat</a>, accounting for six of the top 10 threat types in February. With 1 in every 290 emails malicious, Symantec’s 2011 MessageLabs Intelligence Report said the month was one of the most prolific periods ever for the threats. The report also found that governmental organizations were the most targeted, with 1 in 41.1 emails blocked as malicious.</p>
<p>Based on the botnet activity patterns, it appeared that cyber criminals were working together as well-timed and highly targeted Zeus, SpyEye and Bredolab variants were distributed in alternating patterns throughout the month.</p>
<p>While Trojan-based attacks led the way, Symantec and GFI Software researchers said PDF exploits accounted for a growing share of the document types used in cyber attacks. Extrapolating current trends, by the middle of this year 76% of targeted malware could be used for PDF exploits, which concerns Paul Wood, MessageLabs Intelligence senior analyst.</p>
<blockquote>
<p>“PDF-based targeted attacks are here to stay and are predicted to worsen as malware authors continue to innovate in the delivery, construction and obfuscation of the techniques necessary for this type of malware.”</p>
</blockquote>
<p>While Panda Security researchers reported that Trojans were responsible for 61% of malware infections, the only silver lining was that infection rates dropped from 50% in January to 39% in February.</p>
<p>Thanks for reading this month’s wrap-up security blog. Be sure to regularly stop by to read and provide your thoughts on the biggest stories in the security industry.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2011-04/top-endpoint-security-stories-for-march-2011-cyber-criminals-setting-new-sights-on-unprotected-intellectual-property-and-government-networks/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>How to stop 60,000 new threats each day&#8230; without knowing them or killing performance.</title>
		<link>http://www.coretraceblogs.com/2010-11/how-to-stop-60000-new-threats-each-day-without-knowing-them-or-killing-performance/</link>
		<comments>http://www.coretraceblogs.com/2010-11/how-to-stop-60000-new-threats-each-day-without-knowing-them-or-killing-performance/#comments</comments>
		<pubDate>Fri, 19 Nov 2010 15:03:08 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[antivirus]]></category>
		<category><![CDATA[application whitelisting]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cyber threats]]></category>
		<category><![CDATA[cybercriminals]]></category>
		<category><![CDATA[malware threats]]></category>
		<category><![CDATA[security technology]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=2391</guid>
		<description><![CDATA[It&#8217;s really puzzling to me to think about how today&#8217;s IT security professionals are trying to stop cyber threats. I mean, why go through the trouble of detecting 60,000 newly discovered threats each day, not to mention endure the performance impact that scanning has on a system, when you can quickly and automatically identify the [...]]]></description>
			<content:encoded><![CDATA[<p>It&#8217;s really puzzling to me to think about how today&#8217;s IT security professionals are trying to stop cyber threats. I mean, why go through the trouble of detecting 60,000 newly discovered threats each day, not to mention endure the performance impact that scanning has on a system, when you can quickly and automatically identify the few dozen applications that you would like to run on your endpoint computers?</p>
<p>In this week&#8217;s release of the <a href="http://news.cnet.com/8301-1009_3-20023067-83.html" target="_blank">McAfee Threats Report: Third Quarter 2010</a>, the security software maker claims that malware reached an all-time high, averaging 60,000 new threats each day in the third quarter. That number has nearly quadrupled since 2007.<span id="more-2391"></span> And for the year, McAfee has discovered 14 million unique pieces of malware, which is a million more than the same time last year.</p>
<p>As cybercriminals continue to become more savvy and their attacks more severe, Mike Gallagher, senior VP and CTO of Global Threat Intelligence for McAfee, said:</p>
<blockquote>
<p>&#8220;Cybercriminals are doing their homework, and are aware of what&#8217;s popular, and what&#8217;s insecure. They are attacking mobile devices and social-networking sites, so education about user activity online, as well as incorporating the proper security technologies are of utmost importance.&#8221;</p>
</blockquote>
<p>Incorporating the proper security technologies is the key. We can no longer afford to rely solely on &#8220;status quo&#8221; antivirus products that are becoming increasingly ineffective in detecting more sophisticated threats and are slowing our systems. For organizations that want to effectively and efficiently stop growing malware threats, the time has come for a new approach.</p>
<p>From both a security and performance standpoint, application whitelisting automatically stops any unauthorized applications from executing without impacting performance like traditional antivirus products do. CoreTrace&#8217;s BOUNCER improves security and endpoint performance by combining application whitelisting solutions for real-time malware protection and cloud-based blacklists for detection and reporting. Yes, incorporating the proper security technologies is of the utmost importance. The time has come for a new approach, and <em>that</em> time is now.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-11/how-to-stop-60000-new-threats-each-day-without-knowing-them-or-killing-performance/feed/</wfw:commentRss>
		<slash:comments>0</slash:comments>
		</item>
		<item>
		<title>Siemens&#8217; recommended virus scans part of the problem</title>
		<link>http://www.coretraceblogs.com/2010-07/siemens-recommended-virus-scans-part-of-the-problem/</link>
		<comments>http://www.coretraceblogs.com/2010-07/siemens-recommended-virus-scans-part-of-the-problem/#comments</comments>
		<pubDate>Wed, 21 Jul 2010 12:40:48 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[blacklisting]]></category>
		<category><![CDATA[whitelisting]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[malware exploits]]></category>
		<category><![CDATA[malware threats]]></category>
		<category><![CDATA[persistent attacks]]></category>
		<category><![CDATA[Siemens WinCC]]></category>
		<category><![CDATA[Trojan attack]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1913</guid>
		<description><![CDATA[Each week seems to present a newly discovered strain of malicious code targeting a high-profiled corporation or system vulnerability. This week is a malware program targeting Siemens WinCC SCADA systems, which hides on USB storage devices and uses a Microsoft security breach before activating a Trojan. While Siemens is taking necessary precautions to inform customers [...]]]></description>
			<content:encoded><![CDATA[<p>Each week seems to present a newly discovered strain of malicious code targeting a high-profile corporation or system vulnerability. This week it is a malware program targeting Siemens WinCC SCADA systems, which hides on USB storage devices and uses a Microsoft security flaw before activating a Trojan. While Siemens is taking the necessary precautions to inform customers about the potential risks of the virus, its recommendation to use traditional virus scan programs from companies like Trend Micro, McAfee, and Symantec makes me wonder whether this is really an effective solution at all.</p>
<p>First, if these security solutions can detect the Trojan, as Siemens says, then why wasn&#8217;t it stopped at customers already using such antivirus software? Since there had been no example of malware targeting control systems up to this point, in all likelihood the Trojan would have gotten through even if the antivirus was fully updated.</p>
<p>Second, if their customers weren&#8217;t using such security solutions, then why in the world not? <span id="more-1913"></span> In our interactions with customers in the energy space, the answer is that many process control systems &#8212; which this particular malware targets &#8212; can&#8217;t handle the weight of antivirus solutions or be online to get regular signature updates because of the impact they have on system performance. This point was reiterated by our friend, Dale Peterson, who recently wrote in his article, <a href="http://www.digitalbond.com/index.php/2010/07/20/trojan-targeting-siemens-and-apt-thoughts/" target="_blank">&#8220;Trojan Targeting Siemens and APT Thoughts,&#8221;</a> that:</p>
<blockquote>
<p>&#8220;&#8230; many control systems today have little patching, minimal security configuration, shared and default user accounts, &#8230; So it is likely that the attacker has compromised multiple systems in multiple ways if they wanted persistence.&#8221;</p>
</blockquote>
<p>This raises the question: once targeted malware has been detected and removed, how do we know that an attacker’s presence has been entirely eradicated from the system? With antivirus software, we don&#8217;t. As I mentioned in the recent post, <a href="http://www.coretraceblogs.com/2010-06/u-s-proactive-cybersecurity-measures-lack-proactive-solutions/#more-1855">“U.S. proactive cybersecurity measures lack proactive solutions,&#8221;</a> reactive solutions cannot stop persistent attacks. Unfortunately, this is yet another example of a reactive approach to a proactive problem.</p>
<p>The bottom line is that the recommended virus scan programs are the same ones that caused the problem, either by missing it in the first place or because control systems simply can&#8217;t use them to protect their environments. Either way, antivirus is not a viable solution for stopping exploits that can maintain a stealth-like presence in a system. Until a network can completely stop the payload from executing, malware variants will continue to penetrate systems and gather the information that is of most value to the attackers.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-07/siemens-recommended-virus-scans-part-of-the-problem/feed/</wfw:commentRss>
		<slash:comments>8</slash:comments>
		</item>
		<item>
		<title>U.S. proactive cybersecurity measures lack proactive solutions</title>
		<link>http://www.coretraceblogs.com/2010-06/u-s-proactive-cybersecurity-measures-lack-proactive-solutions/</link>
		<comments>http://www.coretraceblogs.com/2010-06/u-s-proactive-cybersecurity-measures-lack-proactive-solutions/#comments</comments>
		<pubDate>Wed, 30 Jun 2010 13:14:06 +0000</pubDate>
		<dc:creator>Toney Jennings</dc:creator>
				<category><![CDATA[endpoint security]]></category>
		<category><![CDATA[APT]]></category>
		<category><![CDATA[CoreTrace]]></category>
		<category><![CDATA[cyber attacks]]></category>
		<category><![CDATA[cyber crime]]></category>
		<category><![CDATA[cybersecurity]]></category>
		<category><![CDATA[malware threats]]></category>

		<guid isPermaLink="false">http://www.coretraceblogs.com/?p=1855</guid>
		<description><![CDATA[One of the hottest topics in cyberspace is the &#8220;Protect Cyberspace as a National Asset Act&#8221; (PCNAA), a bill the U.S. Senate is considering that would help strengthen the mechanisms by which government and private industry protect the safety and security of the Internet. According to the article, &#8220;Plan cyberwar defenses now, before any attacks [...]]]></description>
			<content:encoded><![CDATA[<p>One of the hottest topics in cyberspace is the &#8220;Protect Cyberspace as a National Asset Act&#8221; (PCNAA), a bill the U.S. Senate is considering that would help strengthen the mechanisms by which government and private industry protect the safety and security of the Internet. According to the article, <a href="http://www.boston.com/bostonglobe/editorial_opinion/editorials/articles/2010/06/28/plan_cyberwar_defenses_now_before_any_attacks_succeed/" target="_blank">&#8220;Plan cyberwar defenses now, before any attacks succeed,&#8221;</a> the flaws in America&#8217;s counterterrorism strategy continue to leave our cyber-communications network vulnerable to attacks aimed at breaching our personal privacy, stealing our secrets, and even physically harming us.</p>
<p>While it is good news that Congress is taking proactive steps before things explode, their solution to consolidate power within the government to legally monitor and respond to cyber threats as they occur is no way to get on top of the actual problem. Instead of proactively addressing the situation with a reactive set of solutions, they need to carry these measures through with proactive solutions that prevent the situations in the first place.<span id="more-1855"></span></p>
<p>As I mentioned in a previous blog about <a href="http://www.coretraceblogs.com/2010-06/researcher-suggests-hackers-have-already-infiltrated-critical-infrastructures/">malware that is already resident in a system but is waiting for the opportune time to launch</a>, no matter where these attacks come from, and no matter which APTs are involved, the vast majority of attacks have to do with malware in some way, shape, or form running on local machines. Even if organizations have taken adequate steps to protect their private networks, they need to make sure the solutions they put in place prevent any malware from executing, no matter how it enters the system. Plans that deal with attacks after the fact will continue to keep the bad guys one step ahead and in charge.</p>
<p>It&#8217;s almost become a cliché to say we need to be more proactive, not reactive, in the fight against cyber crime. Unfortunately, this simple message needs to be reinforced because too many companies and organizations continue to operate with a reactive mindset. If we expect to successfully protect our networks from the thousands of new cyber threats, public and private sector organizations need to follow up their proactive security talk with real proactive solutions.</p>
]]></content:encoded>
			<wfw:commentRss>http://www.coretraceblogs.com/2010-06/u-s-proactive-cybersecurity-measures-lack-proactive-solutions/feed/</wfw:commentRss>
		<slash:comments>1</slash:comments>
		</item>
	</channel>
</rss>

