I really like the metaphor. The simple fact is that security professionals are no longer looking for a single needle, or even a few needles, in the haystack. They’re trying to find hundreds, potentially thousands, of needles in their network, many of which are successfully evading detection or cleverly disguised as good hay.

According to a new report by Panda Security, each day there are approximately 73,000 new types of known cyber threats (read, “needles”) released, including Trojans, viruses, worms and other malware. That’s on top of the millions of existing threats already in circulation and the untold number of currently unknown ones. With so many known and unknown threats out there, how can an organization possibly distinguish all the good from the bad?

The key to detecting more sophisticated malware attacks is to build a security platform that detects both known good and known bad applications. This new mindset for combating advanced cyber attacks requires both whitelisting and blacklisting technologies. A whitelist-based approach to protecting all network endpoints across an entire enterprise sets the foundation for an effective endpoint protection platform.

Today’s leading application whitelisting solutions like Bouncer by CoreTrace provide both. In creating and enforcing an unique whitelist for each computer, Bouncer identifies and allows only approved applications (“high assurance hay”) to execute. In addition to preventing the execution of unknown and malicious applications (Neil’s “needles”) that are not on the whitelist, Bouncer also includes a cloud-based blacklist to report any known malware and meet regulatory requirements. Working together as part of an endpoint security strategy, the one-two punch of whitelisting and blacklisting detect the growing known and unknown malware attacks and variants, thereby reducing the danger of the many needles lingering undetected in the haystack.

This is what we know, but unfortunately, it’s what we don’t know that poses the real threat.

As I mentioned when Stuxnet was first discovered, it’s not the actual worm itself that poses the greatest threat, it’s copycat attacks that use the Stuxnet blueprint to take cyberweaponry to the next level. Much like Zeus, Aurora, and other successful viruses, the initial incarnations are just the beginning. As the malware evolves and more sophisticated variations are created, antivirus becomes a reactive solution that can only stop what is known at any given time. This is where, I believe, straightforward antivirus solutions are missing the point.

While signatures can remove viruses in their current forms, they are ineffective at stopping new malware or malware variants they don’t know about. Organizations today can’t afford to sit back and wait until the next incarnation surfaces to figure out how to stop it. They need a way to prevent targeted attacks from exploiting systems despite what is known and not known. Application whitelisting technology does this.

By proactively stopping any unauthorized applications from running on a system, leading application whitelisting solutions like CoreTrace’s Bouncer application whitelisting solution leverages both whitelisting and blacklist-based defenses to stop all malicious code from executing on a network.

As the security industry faces challenges around combating multi-pronged attacks like Stuxnet and Night Dragon, CoreTrace has consistently been asked to help security pros undertand the attacks and how proactive solutions like Bouncer can help combat them. As a part of that effort, we are co-hosting an upcoming webinar with the Amor Group, “Night Dragon: How to Slay the Beast (and the Others Like It).” Joel Langill, president of SCADAhacker, and CoreTrace founder and CTO, Dan Teal, will discuss how organizations can kickstart their IT readiness efforts to combat such blended attacks. Register now to attend the webinar, which takes place Tuesday, April 19th, beginning at 2:00 p.m. EDT / 11:00 a.m. PDT.

That’s the straightforward, yet disturbing message that hacker-for-hire, Marc Maiffret, made after his team, hired by a large California-based water system to probe the vulnerabilities of its computer networks, took control of the equipment to add chemical treatments to drinking water within one day, hypothetically making the water undrinkable for millions of homes.

Maiffret’s team discovered the system’s weakness when they found county employees had been logging into the network through their home computers, which left a gaping security hole. According to the LA Times article, “Virtual war a real threat,” this type of vulnerability is not uncommon. In fact, similar weaknesses in industrial control systems that run electrical grids, pipelines, chemical plants and other infrastructures exist across the country.

These types of examples underscore the urgency to secure critical U.S. infrastructure. While the Department of Homeland Security is working to help secure the country’s crucial infrastructure facilities, the reality is the companies, themselves, are the ones ultimately responsible for protecting their networks. But even with both entities striving to achieve the same goal, many experts including Scott Borg, head of the U.S. Cyber Consequences Unit, believe there’s still work to be done.

“If we don’t get our act together, the consequences could be dire.”

While vulnerabilities in these systems exist, reactive security solutions are no match for more sophisticated attacks like Night Dragon and Stuxnet, which target system controls of critical infrastructure companies.

To prevent the execution of all unauthorized applications from exploiting their computer networks, organizations need to take a proactive stance to stop malicious software from running on their system, despite their employees’ normal, but risky behavior. Application whitelisting technology prevents the execution of all applications that are not pre-approved for each computer in the infrastructure, including malicious and legitimate remote control applications used by these types of attacks to penetrate the network.

Over the past few years, cyber criminals have embraced a similar business model. Instead of playing the numbers game, which consists of randomly spamming tens of thousands of people in hopes of getting a small percentage of victims to click on their malicious code, malware attacks are now truly targeted. Acting sort of like niche malware, hackers design specific cyber attacks that target specific victims, companies and industries.

As a result, no vertical is safe today. Whether you are a federal agency, an educational institution, a retailer, or even a security company, every organization is susceptible to the myriad of targeted attacks that do everything from zero-day attack vulnerability exploits to stealing intellectual property and trade secrets.

In recent years, many high-profiled organizations including Google, Symantec, and the U.S. military have all been victims of dangerous cyber attacks. Because nobody is immune to such attacks, it’s time companies adopted a new way of thinking about combating more targeted attacks.

For a fun, entertaining, and highly informative look at this new mindset, check out the webinar we are hosting today, “A Frest Look at the Art of Defense: Rebooting Strategic Security Thinking Using ‘The Art of War’.” Scott Crawford, managing research director at EMA, along with CoreTrace’s Toney Jennings, will talk about how we need to apply the principles of Sun Tzu’s classic book, “The Art of War,” to endpoint security if we are going to take back the initiatives and turn the tables on attackers. Register now and join the webinar, which begins at 2:00 p.m. EDT / 11:00 a.m. PDT.

Targeted malware attacks are the new norm, not the exception

Stealthier, targeted cyber attacks aren’t exclusively going after high-tech giants anymore. Research presented at last month’s Black Hat Conference said advanced persistent attacks that have hit defense agencies and high-profiled corporations like Google are also becoming the norm with medium-sized businesses.

In two separate analyzed attacks, researchers Nicolas Percoco and Jibran Ilyas of TrustWave’s Spider Labs research group said the malware didn’t discriminate between the size of the organization. The primary goal of the attack was to avoid detection and maintain a presence on the intended networks.

“Targeted malware is the norm, not the exception,” said Percoco.

Research has found that advancements in malware and anti-forensic features allow remote attackers to stay on their victims’ networks an average 156 days before they are detected. By avoiding detection, more persistent threats enable hackers to dive deeper into a mission-critical applications to steal valuable intellectual property or sensitive financial data they can resell on the black market.

Cyber crime costs businesses each $3.8 million per year

A new report by the Ponemon Institute on the cost of cyber crime revealed that midsized and large U.S. organizations from different industries and government agencies are each paying $3.8 million per year to fight weekly cyber attacks, malicious code and rogue insiders. The annual cost, which represents the direct cost of dealing with the attacks (not the antivirus software used to protect their networks), was derived from varying business reports that ranged between $1 million to a whopping $52 million per year.

The study also found it took, on average, 14 days for an organization to respond to a successful cyber attack, which cost businesses $17,696 per day. According to the report, defense, energy and financial services companies experienced higher costs than organizations in retail, services and education.

No matter if you’re working in the public or private sector, Larry Ponemon, director of the Ponemon Institute, said the study shows the impact cyber crime continues to have on businesses and their bottom line.

“The eye-popping thing we found is a lot of organizations are very disorganized in even understanding the environments they’re dealing with.”

Study finds SCADA systems security “like a ticking time bomb”

While organizations that run SCADA systems claim their networks are secure because they’re not connected to the Internet, findings from an extensive nine-year analysis of more than 120 security assessments of systems that manage power plants, oil refineries, and other critical national infrastructure found the opposite to be true.

The study, conducted by Jonathan Pollet, founder and principal consultant of Red Tiger Security, found that critical infrastructure facilities across the U.S. have been operating with tens of thousands of security vulnerabilities, outdated operating systems, and unauthorized applications. According to the report, facilities unknowingly had computers crucial to the operations running everything from Windows 95 and other unauthorized software such as peer-to-peer applications to games and pornography that contained major vulnerabilities.

“It’s kind of like a ticking time bomb. I’m hoping the message that we’re giving here can open a few eyes.”

While most systems contained common errors and were vulnerable to SQL injections, cross-site scripting and denial-of-service attacks, Pollet found that deploying a patch could take up to a year on systems that couldn’t be taken offline or were too important to risk installing a patch because it would disrupt a critical process.

Unfortunately, system vulnerabilities like these are exactly what attackers use to write malicious code around. Take, for example, the newly surfaced Stuxnet malware, which targets utility companies and exploits a zero-day vulnerability in Windows to access the Siemens WinCC SCADA systems database. Advanced knowledge of system flaws are the key to creating worms that target control systems. You can bet the energy sector is keeping a close eye on this one, and doing everything they can to work with NERC, the U.S. Department of Energy, and others to develop strategies to protect their critical infrastructures.

Are cyber spies already in your system?

It may sound a little farfetched, but some security experts believe that an increasing number of organizations are under surveillance by foreign spybots that are spying on U.S. businesses to gain competitive advantages or exploit weaknesses in their systems. While it’s difficult for researchers to pin down the magnitude of these insidious threats, they’re enough to put security professionals on high alert. Mark Lobel, advisory principal at PricewaterhouseCoopers, said the quiet nature of electronic cyber espionage can be deceiving, particularly when they are undetected by the usual security tools.

“Because the whole point is for the espionage to be stealthy, there is truly no way to know the size and scope of the issue. In conversations with people in the industry, they are confident that it is a larger problem than most people recognize or understand.”

Gartner VP of research for computer security, Neil MacDonald, takes it one step further by maintaining that as many as 75% of enterprises have been or are being infected with undetected, financially driven, targeted attacks that evaded their traditional perimeter and host defenses.

While there’s no way to completely protect an organization against increasingly sophisticated attacks, one security strategy that many experts agree can reduce the impact of such attacks is to practice defense in depth. While most companies continue to remain blissful of electronic surveillance, MacDonald added that denial never works. Taking false comfort in antivirus software and network scans that show zero infections doesn’t mean that a system hasn’t already been compromised.

Thanks for reading this monthly recap of some of the top stories within our space. Please feel free to provide feedback on any of these important topics.