Night Dragon is a fascinating attack, with all sorts of international intrigue including links to entities in China (for a great primer on purported Chinese involvement in cyberattacks, check out Richard Stiennon’s blog). However, the multi-pronged attack is easily prevented by any good application whitelisting solution–just like Stuxnet.

Night Dragon utilizes multiple remotely controlled applications on servers and PCs. Application whitelisting solutions like CoreTrace Bouncer stop Night Dragon and Stuxnet type attacks by preventing the execution of all applications that are not on the whitelist for each computer in the infrastructure — including both malicious and legitimate remote control applications used in these attacks.

I think it is worth noting that the same week Night Dragon was unveiled, both the UK and US governments raised alerts about cyber attacks.

First, UK foreign secretary, William Hague, disclosed at a security conference how cyber criminals are trying to infiltrate the UK government and defense contractors. He also pointed out that the threats aren’t unique to his government.

In the article, “UK foreign secretary: ‘We’re under attack’,” Mr. Hague said malware, social engineering and targeted phishing are gaining momentum against government organizations and businesses all over the world. He added that the attackers had infected government computers with the Zeus trojan, similar to the Zeus malware attacks seen by the U.S. Department of Homeland Security last year.

Second, a recent Pentagon Cyber Crime Center report that said computer-related crime, intrusions and data theft rose 37% in the volume of material it studied last year. The U.S. Defense Department agency, which conducts forensic analysis of cyber crimes involving military personnel, said it processed 372 terabytes of customer data last year, a 100 terabyte increase (37% jump) over 2009.

Once again, most of the attacks would have been thwarted by simply stopping the execution of unauthorized applications, no matter how they entered the system.

Anyone else notice more than a few themes repeating themselves???

69% of respondents said their organizations have seen an increase in Zeus-style attacks against customer accounts over the past year. The report noted that these types of attacks hit online banking services that 1-in-3 respondents said are either “extremely” or “very” vulnerable to attacks — online Automated Clearing House (ACH) and wire transfers.

To protect their banks and customers, 90% of respondents said they use online authentication via questions asked for security purposes, and more than 60% use some type of one-time password method through hardware tokens. The report mentioned several anti-fraud methods banks use to protect and detect Trojan-based attacks that compromise a victim’s machine to make unauthorized funds transfers.

While these methods help address malware concerns, the survey added that banks are also considering additional security measures. Another preventative solution banks should consider is application whitelisting. Today’s industry-leading whitelisting solutions such as BOUNCER by CoreTrace not only prevent targeted malware attacks from gaining access to a bank’s critical financial systems, but also ensure the security of confidential customer information to help meet Sarbanes-Oxley standards and other regulatory requirements.

In the article, “88 percent of firms show Zeus botnet activity,” RSA’s FraudAction Anti-Trojan services analyzed data stolen by Zeus from infected computers that included IP addresses and emails that belonged to the corporations. Among the stolen data found on the sites where infected computers drop the stolen data was compromised email addresses from about 60% of the firms.

With such a high percentage of botnet activity hitting Fortune 500 companies, it just goes to show that even the biggest, theoretically most advanced companies from a security standpoint are not immune to being hit by infectious malware.

It all circles back to a recent posting on what we’re doing today to improve our cyber defenses. In the blog, “Repercussions, not legislation, key to improving nation’s cyber defenses,” I mentioned that we need to get out of the status quo network security practices and techniques that are flawed, and start thinking in a more proactive manner. Until we do, our systems will remain at risk of hidden malicious code and malware attacks designed to snoop and steal our sensitive data, whether we know it or not.

Faulty updates and new exploit techniques cause more problems for Microsoft

March was another rough month for Microsoft. New exploit techniques and faulty security updates continued to create operating problems and cause frustration with Windows users.

Even the publicity for IE zero-day vulnerabilities has created more problems. A recent McAfee blog post helped a hacker create working exploit code that slips through the backdoor to perform various functions on the compromised system. The most alarming part was it took the hacker all but 10 minutes to de-obfuscate the exploit and pinpoint the underlying vulnerability. He said in an email exchange:

“It just took a few minutes of digging in that host to find the exploit. I did some basic debugging to the vulnerability and found the vulnerable code within iepeers.dll.”

Antivirus failures say a lot about current state of AV industry

A study by NSS Labs revealed just how ineffective some of today’s top anti-virus software solutions are at stopping one of the most highly profiled and successful cyber attacks of 2010. In a test to see how many AV products could catch variants of the Operation Aurora attack, only one out of seven correctly thwarted multiple exploits and malicious code payloads.

Unfortunately, this says a lot about the current state of the AV industry. With so many new viruses and malware variants successfully bypassing security solutions, we need to shift our way of thinking about how to protect our networks. It’s time to rethink our approach to endpoint security that begins with a foundation of whitelisting that would defeat new malware completely independent of the vulnerability or attack.

Cyberwar or not, preparation is the real issue

There’s been a lot of debate lately about whether or not we are in a cyberwar. Our friend and White House Cyber Czar, Howard Schmidt, says we aren’t. The highly publicized targeted Aurora attacks that have created international tensions between Google and China say otherwise. To me, whether or not we are in a cyberwar is irrelevant.

What’s important is that we are continually re-evaluating our existing security strategies and doing everything we can to defend our networks and critical infrastructures from harmful botnets and malware, and working together to help stop cyber criminals from perpetrating more attacks.

Security experts at RSA wrestle with ways to better protect cardholder data

Finally, this year’s RSA Security Conference discussed how ever-changing malware variants continue to find new ways to evade detection. In particular, the highly customizable and easily obtainable Zeus Trojan kit has been successful by laying dormant on a victim’s computer before springing to life when they visit a banking site. Said Michael Barrett, CISO at PayPal:

“There’s no question the technology capability of malware is getting nastier and nastier. … Man-in-the-browser gives a criminal a way to piggyback a transaction.”

Experts at the annual event went back and forth on what fundamental changes are needed to protect credit card data. While end-to-end encryption helps, most agreed that it’s just a piece of a defense-in-depth approach to protect cardholder data. Said Steven Elefant, CIO of Heartland Payment Systems:

“It’s a part of your DNA and we’ve gone on now to look at multiple technologies to make sure that in the worst case scenario — people do get in — that the data is unusable. I agree that end-to-end encryption isn’t end all be all.”

I appreciate you stopping by to read this blog. As I continue to highlight and comment on some of the industry’s hottest topics, I encourage any feedback you may have. Come back soon.