In case you didn’t already know, October is National Cyber Security Awareness Month. Since its inception in 2001 by the National Cyber Security Division, the NCSAM encourages cybersecurity vigilance, education, and awareness for U.S. citizens and businesses.

This year, the White House issued a press release on October 1st proclaiming CSAM by President Obama. The release discusses how our nation’s growing dependence on cyber and information-related technologies, coupled with an increasing threat of malicious cyber attacks and loss of privacy, has given rise to the need for greater security of our digital networks and infrastructures. Therefore, during CSAM, we must “rededicate ourselves to promoting cyber security initiatives that ensure the confidentiality of sensitive information.”

Obama also reiterated how his administration is committed to treating our digital infrastructure as a strategic national asset and protecting this infrastructure is a national security priority.

The President followed up this proclamation in his weekly web address. “The lesson is clear. This cyber threat is one of the most serious economic and national security challenges we face as a nation,” citing how millions of Americans are victimized by identity theft and cybercriminals cost U.S. companies billions of dollars.

Obama proposed a joint effort by the government and private sector to ensure cybersecurity but also reminded us of individual responsibility.

It’s no wonder the president is so gung ho about cybersecurity since his own campaign servers fell victim to hackers when he was running for office.

Other than reaffirming his stance on the importance of cybersecurity and providing some obvious simple tips, the address did not contain much in the way of specific plans of actions to enhance it. Still, it was the most the president has had to say about the topic since his 16-minute speech in May when he declared he would create a new cyber security office at the White House.

This office still has no appointed coordinator. The cyber czar would coordinate with disconnected agencies that cannot pool their resources on this issue, including the CIA, the FBI, the NSA, and the Department of Defense. Maybe NCSAM is a good excuse to finally choose that cyber czar we have been hearing about for so long.

Whenever executives discuss IT and cost cutting, invariably two topics come up: Virtualization and the Cloud. Don’t even get started on the topic of the cloud, and the chance for rain. Virtualization is a good topic to discuss since some items may be unfamiliar to you (especially those in the SMB).

By now, most companies have adopted, or at least looked into, overhauling their IT infrastructure with virtualization solutions. Virtualization is said to reduce costs, simplify management and scalability, and limit the toll computing has on the environment. Since 2005, virtualization software has quickly changed the landscape of enterprise computing.

For those unfamiliar with the concept, virtualization involves abstracting computer resources by combining several physical systems into virtual machines on one powerful system. Virtualization consolidates underutilized hardware, such as servers, storage devices, and network resources, virtually partitioning it for multiple machines.

The reason virtualization has become such a favorable trend in IT computing is probably because the advantages are so easy to grasp. First of all, the physicality of managing hundreds of machines is simplified while allowing for a scalable infrastructure. Plugs and cables do not have to be rearranged every time there is a change in hardware. This reduces the workload of the system administrator. Virtualization allows hardware resources to be pooled such as sharing storage or network bandwidth, so hardware does not go underutilized. Less hardware means less energy costs, both to run and to cool. Altogether, these advantages lower the costs for infrastructure, hardware, power, and cooling.

You’ve probably had the green benefits of virtualization stressed to you. According to VMware, for every server virtualized, you can save about 7,000 kilowatt hours, or four tons of CO2 emissions, every year. Virtualization can cut the power demand of ten machines down to one and save almost 80 percent on an electricity bill. VMware even has a green calculator on their website which allows you to see your virtualization benefits in terms of energy savings, cost reduction and environmental impact. A quick calculation shows that virtualizing 200 servers is the equivalent of planting 4,000 trees.

Of course, businesses are more concerned with reducing costs than reducing the size of their carbon footprints. With this in mind, there are a few disadvantages, or at least pitfalls, that may be created with a switch to virtualization.

But there is a down side – it is likely that performance degradation will occur when switching to a virtualization infrastructure if the virtual infrastructure was not properly architected. (which seems to be the case all too many times we get involved). In most organizations there is often a lack of tools and expertise available to monitor and analyze virtual environments to find and correct issues that affect performance. A study by Aberdeen shows that enterprises that had an 85% success rate in identifying performance issues in a physical environment, now only have a 37% success rate in a virtualized one. Also, improved response time for managing business-critical applications fell from 67% in a physical environment to 39% in a virtual one.

Many enterprises find that there is a tradeoff between decreased staffing and power costs and less than optimal performance. Sometimes this means that the advantages manifested by virtualization are less than expected so ensure you have adequately measured the minimum performance requirements for your infrastructure before you go run off and virtualize everything.

With the end of 2009 approaching, cybersecurity engineers as well as cybercriminals are looking to next year to see what the future of internet security holds. Where will current cybercrime trends go and what new ones will emerge? Well, here are a few of my predictions on what virtual mines the Internet landscape will have in 2010.

Emboldened Social Engineering – This should be no surprise to anyone in cybersecurity or who has read this blog before. In 2009 cybercriminals realized that social engineering is the easiest way to obtain sensitive information from users. And while social engineering was big this year, it will continue to grow exponentially next year. Expect social engineers to become more organized and bolder in their methods. There may be more incidents where social engineers visit sites physically to gain trust and information that no software can physically protect.

Social Networking Sites Will Become a Bigger Target – Social networking sites like Twitter and Facebook are only gaining popularity and no amount of security warnings are going to keep users away. Cybercriminals will use these sites to their advantage in two ways. While I believe the sites themselves will become more proactive in creating security defenses, the third party applications made for these sites will have exploitable vulnerabilities. Additionally, social networking site users will increasingly become the victims of social engineering. These sites give social engineers a terrific medium for contacting, communicating with, and taking advantage of users.

Ransomware Will Replace Scareware – Hijacking a users PC and holding it for ransom may seem outrageous, but it’s happening now and proving to be more profitable than scareware tactics that users are now growing wise to. Expect cybercriminals to go where the money is – users would rather pay a small price to regain control of their PCs than go through the trouble of manually removing malware – or nuking their PCs.

Mobile Devices Will Be Hit Hard – Mobile phones have enjoyed their short lives mostly free of threats while continuing to propagate. But now that they have increased in complexity, becoming mini notebook computers, the likelihood of vulnerabilities has also increased. 2009 saw the Sexy Space botnet and the iPhoneOS.Ikee – what awaits our precious smartphones in 2010?

Organized Cybercrime – The cybercrime underground has evolved into an elaborate economy where, in 2009, cybercriminals have begun to network, collaborate, and pool resources for mutual gain. Malware infected PCs and botnets are bought and sold like commodities. I expect this trend will continue in 2010, and it may be the most dangerous prediction. Combating such cybercrime organizations will require the same organization among security experts.

If you run an IT organization and have not had a chance to look at the new Federal IT dashboard, take sometime today and look at it. The transparency that our new Federal CIO, Vivek Kundra, built is great! We, the American People, the investors if you will, are now able to see the performance of our investments in the US government. I have always touted transparency for IT and now project by project, each CIO within the government is required to report progress on all of their projects to the public.

Amazingly, Vivek only gave the CIOs 30 days to get their information up to date and even more importantly, since the IT dashboard obtains its information from the Office of Management and Budget (OMB), the agency CIOs have to not only update the information but update it through the proper channels for it to be placed into the dashboard.

With one simple portal, Vivek has increased the use of the standardized project management frameworks in place throughout the government, increased the accuracy of information, and has helped create a sense of urgency and fiduciary responsibility for each agency CIO because their performance is now open for all to see. Similar to posting your review for all to see on the company bulletin board, we have advocated that public access to information increases the chance that an employee will “do the right thing” For example, we recommend that when you are starting to deploy change management processes internally that any person that bypasses the change management controls and introduces an outage have their picture posted on a company wiki, sharepoint portal, etc as the “wild wild west cowboy” that “caused the problems”.

A little bit of public humiliation may be just what we need to get the governments IT projects back on track! Some examples:

• 49% of the VA’s IT projects are behind schedule
• 41% of Department of Homeland Security projects have “significant concerns”
• The Smithsonian Institution receives $60M and the majority of that investment goes to IT Infrastructure Maintenance
• The DoE has had an almost 50% decrease in IT spending since 2002

Oh, and in case you were wondering…many(over 30%) of the governments IT projects are behind or in need for serious help.

Check out Tim O’Reilly’s blog post about the Federal IT dashboard for more information on how it was constructed and how it receives data.

Consider this:  A hacker finds a security hole on your website that exposes hundreds of thousands private customer data including names, emails, and even passwords.  The hacker does not steal this information.  Instead, he quietly alerts you via email; but at the same time he makes the security vulnerability public information on his blog.

Do you: A) Thank the hacker for bringing the security vulnerability to your attention?  Or, B) seek legal action against the hacker who damaged your company’s reputation by alerting the public about your sloppy security?

This is the controversy surrounding “HackersBlog.org” – a blog where anonymous hackers alert the public about security vulnerabilities.  Each blog entry lists the site hacked, how the data was captured, and what private information is accessible.

The site made its first splash when a Romanian hacker named “Unu” hacked the databases of Kapersky – ironically, one of the leading companies in the security and antivirus market.  “Seems incredible but unfortunately, its true,” writes Unu, “Alter one of the parameters and you have access to EVERYTHING: users, activation codes, lists of bugs, admins, shop, etc.”

The next target, which occurred the very next day, was BitDefender – another antivirus software company.  Unu used an SQL injection to show how data could be easily extracted.

In an official statement, Kapersky denied the attack was successful.  BitDefender called the hack an attack and portrayed it negatively even though “the action did not intend to steal information but simply show a vulnerability.”  Usually when sites are hacked, the companies are left scrambling to put out the public relations fires.

So, alerting the website via email about the found vulnerability?  That sounds white hat enough.  So why expose the flaw to everyone publicly on the Internet and wreck the reputation of that company?  “If we just send an email, without making it public they would fix only that parameter that we announced,” says Unu, “and it is possible [for there] to be others too.”

It seems that HackersBlog owes its allegiance to the public and not to the companies who allow for these breaches in security.  “I’m not a criminal, I [am] not a burglar,” says Unu, “You do the work of a [pentesting firm] that could test the security of the site or [sic] server at the request of the owner. The difference is that the firm makes this for a big sum of money, a very big sum of money, and we do it as a hobby, for pleasure, free, and most of the times we do that much better, but we don’t even get a simple ‘Thank you.’”

Leave me a comment and let me know what you think about this Hacker Blog site!

The reality of the situation is that there is no such thing as a 100% secure place on Earth.  IT security professionals can only do what they can to make things as secure as possible.  There is no computer security defense that will succeed every time, forever, or as I say when presenting at conferences “You cannot buy your security at the local best Buy”. (NOTE: If you have an indepth udnerstanding of heypots, you can skip this post)

Because of my interaction and association with the Honeynet Project I am frequently asked what benefits honeynets can provide to the normal everyday IT security engineer. Simply put, honeypots provide us with early warning so we can be vigilant and prepare our defenses accordingly. 

Additionally, honeypot data is a great way to loosen the purse strings of corporate managers who are hesitant to dip into the company budget.  You can make a case for a larger IT security budget by showing them the attack data on the honey pot – who is attacking, how they are attacking, how often, and, most importantly, what damage they could potentially do to the enterprise if the proper defenses are not built.  Actual data speaks louder than any verbal argument.

Here’s an analogy to help you understand the importance of honeypots. 

Imagine you are tasked with defending your king’s castle from an impending enemy attack.  But you don’t know who the enemy is, where they are coming from, how many there are, or what kind of attacks they will use.  They may use spears, rifles, or just sharp rocks.  They may attack on horseback, with catapults, or maybe with tanks.

So what kind of defenses should you build?  A 30 foot tall wall surrounding the castle or a moat?  Should you put archers in the towers or build turrets?  Maybe you should just pile up a few sandbags and hope for the best. Maybe the real problem is the village idiot on the inside… =)

Without knowing anything about the impending attack, you do not know what an appropriate defense would be.  You may dig a futile trench around your castle while the enemy attacks with stealth bombers.  Or you may encapsulate your entire castle in an impenetrable crystalline dome while your five attackers sling rocks at it.  The latter defense may work, but your king might not be too happy with you for wasting his whole treasury on an unnecessarily robust defense.

A Honeypot is perhaps like a decoy paper version of your castle set up a mile before your actual king’s castle.  The paper castle has no value, but you can see what attacks your enemy uses when they attack it, and thus prepare accordingly.

Honeypots allow you to understand what kind of attacks you can expect.  With this knowledge you can allocate resources to defenses appropriately, without under or overspending. Now, with all that said not everyone can run out and install a honeypot and solve their problems. Honeypots require a lot of maintenance, watching, and i fnot properly installed you can actually decrease the security of your network.

If you don’t want to take the chance of hurting your own security posture, there are services that will configure and run honeypots for you and provide you with their data. Symantec and McAfee offer such services.

The ramifications of the billion dollar fraud at Satyam in India are far-reaching indeed.  Not only is the future of Satyam in jeopardy, but the ripples from this incident will spread over all IT outsourcing in India and, to some extent, all outsourcing in foreign countries.

The Satyam chairman’s confession that he falsely inflated the firm’s revenue is really India’s first scandal of global significance.  But the financial service firms that relied upon Satyam for integral business operations have been burned badly. 

And these lingering burns will cause additional hesitation when considering outsourcing to foreign countries.  The country of India itself will have to work hard to maintain its clean image in light of this scandal of Enron-esque proportions.  The enticing shimmer of inexpensive IT services overseas has lost some of its luster.

With 600 customers in over 60 countries, the global impact of the scandal is sure to be echoed throughout the world.  Even the international football federation FIFA enlisted Satyam to develop an event management system for $200 million.

The future of Satyam does not look good.  Usually when we see a breach in customer trust of this magnitude in American firms customers flock to competitors the first chance they get.

What better time to remind companies about the importance of performing due diligence on their outsourcing partners?  I recently saw a study that said that fewer than 43% of financial services companies undertake any form of due diligence when considering outsourcing partners, even though 46% of them believe that outsourcing is a way to achieve business transformation and a competitive edge.  I wonder how these numbers will change post-Satyam.

Often companies attempt to mitigate the risks of outsourcing by using larger vendors.  The fall of Satyam, one of the largest vendors out there, should teach us that this is not an effective strategy.  An effective due diligence procedure is the best way to mitigate the risks of outsourcing.

One of my favorite activities we perform for clients is Social Engineering so I thought that a recent trend, disinformation, would be an interesting topic to discuss:

In 1943, British Intelligence dressed up a corpse, equipped it with fake operation plans, and floated it out to sea where Axis troops would eventually recover it.  The ruse was designed to make the Germans believe that the Allies planned to invade Greece and Sardinia, instead of Sicily, their actual target.

“Operation Mincemeat” was a successful disinformation campaign.  Also called “Black Propaganda,” Disinformation is the intention is to spread false or inaccurate information to damage or gain an upper-hand against an opponent.  While it was often used in wartime throughout history, the new battleground for disinformation is cyberspace where hackers spread disinformation about a company through their own systems.

According to a study on hacking incidents and trends for the first quarter of 2009, “Disinformation” is now the second most common attack outcome by hacking (losing to “Information Leakage” by only 3%).  This is a major jump since Disinformation was not even on the list in the previous study, falling somewhere below Phishing (3%).  Defacement, which can be distinguished from Disinformation because it spreads obviously false information, is third on this list.

And if you don’t think Disinformation can cost your company money, just ask Steve Jobs who recently shared sentiments with Mark Twain – “reports of my death have been greatly exaggerated.” 

A hacker that broke into the live Mac Rumors Feed to announce – in all capital letters –“STEVE JOBS JUST DIED.”  It took three minutes before a retraction was given, “Steve did not die.”  In another incident, someone uploaded photos to Wired magazine’s website with a detailed story describing Steve having a cardiac arrest.  In this case, it wasn’t even a code flaw that allowed the disinformation to be publicized, but an obvious application design flaw.  Wired’s public image viewing utility allows anyone to upload whatever images they wish which are then viewable on their public website.
 
Harmless pranks?  The incidents caused Apple stock to plummet from the disinformation campaign.  Considering Steve’s recent health problems made the disinformation so plausible and the same disinformation was used on multiple occasions, you can’t help but wonder if the culprit has a vested interest in seeing Apple stock drop.

Disinformation isn’t going away.  Consider the rise of social network trends like Twitter.  Social networks are very susceptible to hacking in the first place.  Twitter allows news to be sent directly to thousands of users.  This makes it a very powerful platform for information or disinformation.

A couple weeks ago I wrote a Tech Insider Report for Dark Reading regarding Rotten Apples: How To Detect And Stop Malicious Insiders In Your Organization
 that discusses the data breaches that occur from the inside. Last week, I wrote an article for DarkReading.com that is an excerpt from that report regarding How To Protect Your Organization From Malicious Insiders. Go give it a read!

I will be speaking on the professional development trends in malware at the annual NetSecure conference put on by IIT. Hopefully some of the readers can make it out. It is a great event. The info is below:

IT Security and Forensics Conference and Expo

http://www.cpd.iit.edu/netsecure08

Wednesday, March 26, 2008
Illinois Institute of Technology in Wheaton, Illinois

Join us for NETSECURE’08: The 6th Annual IT Security and Forensics Conference and Expo. This multi-track technical conference is attended by 200+ IT professionals and will promote the open exchange of IT security and forensics information. Register now at http://www.cpd.iit.edu/netsecure08

Current Conference Presentations Include:

* “Annual CompTIA security research: Trends and strategies for information security” Carol Balkcom – CompTIA

* “Cellular Wireless Key Managament” Alec Brusilovsky – Alcatel-Lucent

* “Microsoft Security – Growing up and Enterprise Ready” Cordell Crane – Microsoft

* “Microsoft Security – Hands on approach with tools for Threat Modeling, Code Review and Discovery” Ken Anderson – Microsoft

* “Professional Development Trends within Malware” Michael Davis – Savid Technologies

* “Network Security: What You and Your Skills Are Worth” Bob Fanelli – Robert Half Technology

* “Securing Windows – A Monumental Task?” Mike Fekety – Performance Technologies

* “Building a Secure Storage Internet” Chris Gladwin – CleverSafe

* “Do the Work Once: Harmonizing Compliance and Security Objectives” Bonnie Goins

* “The Role of Penetration Testing in Security Audits” Jeff Groman – Akibia

* “Penetration Testing: Let me probe your ports” David Kennedy – SecureState

* “Combating Insider Threats on Databases” Carl Kettler – Application Security, Inc.

* “Computer Security at Fermilab” Frank Nagy and Tim Rupp – Fermi Lab

* “Building a Linux Custom Firewall” Venkat Nandam

* “Security and Control Issues within Relational Databases” David Ogbolumani – SunGard

* “Data: How much is there, and where is it at?” John Pascoe – FBI Regional Computer Forensics Laboratory

* “Best security practices for Voice Wireless LANs” John Poust – IEEE ComSoc

* “Virtualization Security and Best Practices” Rob Randell – VMware

* “Out-Of-Band authentication using a real-time, multi-factor service model” Andy Rolfe – Authentify

* “Fighting Spam: Tools, Tips, and Techniques” Brian Sebby – Argonne National Laboratory

* “SSH” Hemant Shah

* “Multi-Factor Authentication Solutions: An Overview of Regulations, Vulnerabilities, and the Latest and Best Authentication Options” Bob Thompson – Catalyst

* “A New Model for Business Contingency Operations” Raymond Trygstad – Illinois Institute of Technology

* “Identity and Access Management” Kevin Wang – Crowe

Details:

Date – Wednesday, March 26, 2008

Attend – $95 (includes breakfast, lunch, cocktail party, and conference tote bag and materials)

Exhibit – $325 (includes 2 free attendees)

Sponsor – $300-750 (includes 1-2 free attendees)

Register – www.cpd.iit.edu/netsecure08

Location – Illinois Institute of Technology’s Rice Campus in Wheaton, Illinois

Sponsors Include:

High Tech Crime Network (HTCN), Authentify, Inc., Microsoft, onShore Networks / Fortinet, SunGard Availability Services, IBM Rational, Project Leadership Associates, Robert Half Technology, Other World Computing, SecureState, CTH Technologies, Inc., Security Services & Technologies, Catalyst Technology Group, Inc., Equivus, W.W. Grainger, Inc., CIMCO Communications, CIMCOR, Inc., Hegemony Consulting, Neohapsis, Inc., X-Ways Forensics, CompTIA Security+ Certification Program, Savid Technologies, Inc., ChicagoCon / The Ethical Hacker Network, UniForum, IEEE, and CPD.