The increasing occurrence of data breaches brings more than headlines and negative publicity to the companies and federal agencies affected. There are also penalties from regulatory agencies, civil lawsuits and mitigation costs, not to mention an erosion of customer loyalty to the brand. This year-end special section examines the evolution of cybercrime, reports on new threats and honors some of the leading figures in the struggle to limit the damage perpetrated by a sometimes invisible and ever-increasing set of adversaries looking to cash in on the personal data stored in our databases. We have also gathered some of the highlights in trends and the nuttiest news in the IT security marketplace.
Occupation: Principal security program manager at Microsoft
Personal: Married, two children
Accomplishments: Received the 2003 RSA Innovation Award for his book, Writing Secure Code
These days at Microsoft, when an engineer has an idea for a new piece of software and asks a colleague for their input, the first topic to be addressed is likely security threats.
“It just becomes part of getting the job done,” Michael Howard, principal security program manager in the Security Engineering and Communications Group at Microsoft, says of evaluating vulnerability risks. “If you're going to build something, you need to understand how hackers can compromise that. Once you've got that in place, you can start moving mountains.”
But building secure software has not always sat on the top of the priority list in Redmond, Wash. Not until January 2002, that is, when founder Bill Gates distributed what proved to be a monumentally game-changing memo announcing the company's Trustworthy Computing initiative, which gave rise to perhaps the largest cultural shift ever witnessed at Microsoft.
The most memorable part of the memo was one line: “We can and must do better.” Microsoft did do better, few would now dispute, and Howard arguably was the biggest reason why, at least from an information security perspective.
Gates' memo partially came out of a meeting he had with Howard, during which Howard gave Gates a copy of one of his books on secure software development. Gates was aware of the problem of vulnerable operating system code – insidious worms, such as Nimda and Code Red, were fresh on the minds of most Windows users – but he was interested in learning how design and coding issues happened in the first place and the extent to which Microsoft developers knew about them. As it turned out, they did not know much. So the first major project under the newly formed Trustworthy Computing Group was to train Microsoft's tens of thousands of engineers on secure coding practices.
“In those days, nobody knew about security across the whole industry,” Howard, who joined Microsoft in 1992, recalls. “We thought we'd get a lot of pushback because, all of a sudden, we were sending every Microsoft engineer to security boot camp. But we got no pushback.”
In 2004, as part of Trustworthy Computing, Microsoft launched the Security Development Lifecycle (SDL), a development process designed to increase the reliability of software. By all accounts, the undertaking – Howard was the main architect – has been a success. As an example, Windows XP, originally released in 2001, contained 119 vulnerabilities in its first year, compared to 2007's Vista, which had 66 flaws in its inaugural 12 months.

Another key part of the SDL is mitigating what the Microsoft developers miss, Howard says. That means adding new defense mechanisms to Vista and Windows 7, such as randomization, which makes the platform less predictable to attack, and cross-site scripting and phishing filters in Internet Explorer, to prevent web exploits.
As the SDL has matured and a culture of security firmly has settled across the Microsoft campus, the company now is extending the resources it has developed to third parties – the individual software developers and larger vendors responsible for creating applications that run on top of Windows.
If anything, 2009 has been the year of community outreach. Howard has overseen the release of free software development tools, most recently the BinScope Binary Analyzer and MiniFuzz File Fuzzer to detect vulnerabilities. Earlier this year, Microsoft released the SDL Process Template for Visual Studio Team System, which provides a framework, including auditable requirements, for building security into applications. That was followed by a new paper, titled “Manual Integration of the SDL Process Template,” which provides a step-by-step review of how to integrate the template into existing projects. And in the past, Microsoft has distributed other free secure development tools, including Optimization Model, Pro Network and Threat Modeling.
“We've learned a heck of a lot over the last few years of what works and what doesn't,” Howard says. “I think it's important that we share that information with the industry at large because I think there's still a lot of snake oil out there. I'm very proud of the fact that Microsoft as a whole has taken that corporate responsibility. I think we have a duty to do that.”
That includes Adobe, which this year announced a code-hardening initiative on the heels of a number of high-profile bugs in its popular Reader and Acrobat products, says Brad Arkin, Adobe's director for product security and privacy.
“I think he [Howard] has been a big force for change within Microsoft, and Microsoft has been one of the biggest participants in the security community overall,” Arkin says. “He's been a huge contributor to raising the bar for software security in the industry.”

In September, Howard stopped by Adobe's San Jose, Calif. headquarters to offer a lecture on buffer overflows, a common class of vulnerabilities in desktop software that can be exploited to hijack systems. Despite the subject matter, which Arkin admits can bore even the most studious engineers, the audience remained captivated.
“He's such a passionate speaker on the topic,” Arkin says. “He's really able to fill a room and keep people engaged.”
A dynamic speaker and prolific blogger and author, Howard is also something else: a realist. It is the kind of characteristic that keeps a man humble in an industry battling so many enemies. The good guys can never rest on their laurels. There always is more work to be done.

“There's a lot of progress that we've made,” Howard says. “But as long as the hackers are drawing breath, we'll never get perfection.” – Dan Kaplan
That's the message being promoted by Michael Kaiser and the National Cyber Security Alliance (NCSA), a nonprofit dedicated to fostering a culture of cybersecurity safety.
Just like a natural ecosystem, if one part of the digital ecosystem is polluted, it can pollute the rest, says Kaiser, director of the NCSA. Being part of a botnet, for example, could be problematic for the individual whose PC is infected, but it also has farther-reaching consequences because infected bots are often used to send spam or launch attacks against others, he says.

“Everyone has a role,” Kaiser says. “All should be doing their part to secure the part of the ecosystem they are in.”
Kaiser and the NCSA work to unite government, corporate, nonprofit and academic organizations to promote the importance of cybersecurity. Since coming on as director of the alliance in September of 2008, Kaiser has strengthened partnerships with the U.S. Department of Homeland Security and other federal government agencies and fostered new ones with state and local governments, says Shannon Kellogg, director of information security policy at EMC.

“Michael has been fantastic in helping to take the work of the alliance to new levels,” says Kellogg, who is also a co-founder of the seven-year-old organization.
One of Kaiser's most notable accomplishments with the alliance over the past year was helping to create the sixth annual National Cybersecurity Awareness Month, which took place this October. It was the best year of the campaign yet, Kellogg says. During the event, which was themed “our shared responsibility,” hundreds of organizations around the country held activities to promote the message that each and every American has a responsibility to protect the computers and networks they use.

Also, during October, President Obama released a video about the importance of cybersecurity, and the U.S. House and Senate each passed resolutions supporting the cybersecurity awareness month. Numerous individuals in government attended the campaign's launch event in Washington, D.C., including Homeland Security Secretary Janet Napolitano, Deputy Secretary of Defense William Lynn III, and White House National Security Staff Acting Senior Director for Cybersecurity Chris Painter.
“[Kaiser is] very eager to work with businesses to bring them together with players in government and the academic community to continue to build this – and it helps us all,” Kellogg says.

Before joining the NCSA, Kaiser was the director of programs at the National Center for Victims of Crime, where he worked to build awareness about the risks that come with technology. There, he developed programs to help local police departments around the country improve the way they investigate crimes that involve digital evidence. He also held workshops to educate police officers, prosecutors and individuals from victims' services organizations about how technology is used in cases of domestic violence, stalking, identity theft and other crimes.
Though Kaiser has spent years getting the message out about the risks of technology and the importance of cybersecurity, there is still work to be done, he says. Eventually, he would like cybersecurity safety principles to be as ingrained as looking both ways before crossing the street.

“We live in a digital age,” Kaiser says. “Young people need messages about staying secure online long before they ever touch a computer.” – Angela Moscaritolo
“We worked well to do broad information sharing, getting good technology information out to everyone,” Kwon says.

For example, when the Conficker worm broke, the agency worked with the Conficker Working Group to make certain the right information was disseminated, created a tool to help identify the malware, and put out information bulletins on how to mitigate the problem.
Another success Kwon points to was a series of meetings she initiated called the Joint Agency Cyber Knowledge Exchange. This brought a number of federal agencies together to discuss and share specific information on threats and attacks. Over the year, there was a robust exchange of information among the three initial agencies, which continues still (she wouldn't say which agencies other than DoJ and DHS, citing the secret nature of the meetings). “It's a wonderful legacy for me,” she says.

One of the most important projects while at US-CERT she singles out was updating its Con Ops [concept of operations], instructions on how the department worked with private and public entities, as well as consumers, to provide the cybersecurity and incident response community with the core components of an incident management plan. “We rewrote it based on the ‘Five Pillars of Cybersecurity,'” she says. “We looked at how to address the internet differently and the millions of vulnerabilities.”
Sometimes, Kwon admits, her team was overwhelmed with how to prioritize those vulnerabilities. So they began a thorough assessment of the threat vectors being used by cybercriminals to understand how they work. Her team needed to know what data cyberthieves were going after. Only then could they offer remediation. “Technology is not enough, so we added process and methodology,” she says. “We looked at the Federal Information Security Management Act (FISMA) and saw that the compliance piece was missing in regards to what was happening to the networks. This was the major project we worked on.” The policy was very successful, she says. It has been presented at industry gatherings, and is now being reviewed by the DHS.
“Mischel Kwon's contribution to the security community was and remains very impressive,” says Amit Yoran, CEO, NetWitness, and also a former director of the US-CERT. “She substantively enhanced the defense of the Department of Justice's systems. During her tenure as the director of US-CERT, she introduced operating discipline, improved the CERT's contribution to protecting the U.S. government and actively worked numerous security issues directly with the private sector and critical infrastructure operators. She has an uncanny ability to work strategic executive issues, dive directly into nuanced technical details and most importantly bridge these two communities.”

Despite what the Washington Post reported, it was not frustration that led Kwon to resign the position at US-CERT in August 2009. And, she says, her departure had nothing to do with Melissa Hathaway and Rod Beckstrom leaving their high-level cybersecurity posts around the same time. “I felt I needed to make a lifestyle change,” she says, explaining that working seven days a week, 16-hour days for a year and a half was keeping her away too much from her family.
While she says she wished she could have hired and trained more people and moved faster, she has little regret of her time there. “It was one of the best and most fulfilling jobs I ever had in my life. I worked with really great people. I have a lot of respect for [DHS] Secretary [Janet] Napolitano.” Kwon also singles out for praise former colleagues within the DHS – Rand Beers, the undersecretary at the National Protection and Programs Directorate (NPPD), and Phil Reitinger, deputy secretary of the NPPD and director of the NCSC.

Her position at US-CERT sits unfilled, but she remains hopeful about its prospects. As for the still-vacant cyber coordinator position, a slot President Obama had pledged to appoint earlier this year, Kwon says it would be great to have someone in the position, but it's not critical. “I don't see us putting a lot of significance in the position. This is a team effort and the DHS, departments and agencies are proactively working on cybersecurity problems.”
The CIO and CTO in the White House are also actively working on the problem, she adds. “Agencies are moving forward and being proactive. It will be great when they add the cyber coordinator to the mix, but I don't see it as critical. It never relies on one person. The government is not waiting to move.”

After nearly 30 years in the technology arena, Kwon is still in the fight, she says, referring to her new position at RSA as vice president of public sector security solutions within its worldwide professional services unit. “With my role at RSA, I still have an opportunity to help with the problem,” she says. “I'm focused on the public sector. I am opening a security consultancy geared to this.”
According to a release, at RSA, Kwon will advise organizations seeking strategic technical and policy assistance in building, defending, identifying and remediating their critical infrastructures against cyberthreats. She adds that she hopes to be one of the people on the ground fixing these problems. – Greg Masters
Maxim Weinstein majored in quantitative economics while studying as an undergraduate at Tufts University in Massachusetts. A few years later, he took a job as technology director at a Boston nonprofit that trains low-income young adults in technical and professional skills.

Weinstein finds himself in a useful position nowadays in his role as manager of StopBadware.org, a nonprofit based at Harvard University's Berkman Center for Internet & Society, where he can draw from his experiences in education and behavioral economic theory to help rid the internet of malware, StopBadware's ultimate goal.
“A lot of my background before coming to Berkman was in IT and the intersection of IT and education,” Weinstein says. “For me, it was really neat to dive down deep on a specific area of technology and to be able to say, ‘OK, let's take everything we know about the actual technology problem and figure out how we change people's behavior.'”

In revamping the four-year-old StopBadware from its original purpose as a clearinghouse for adware and spyware applications to its current focus – raising awareness about the potent and widespread threat of web malware with the help of IT thought leaders, academics and volunteers – Weinstein and his team view their mission as an economic problem.
“We know there are people, organizations and entities that could be doing more,” he says. “But they don't have the incentive. How can we find ways to get people to do what they need to do? I think some of the efforts we've done provide that incentive. We're finding new levers to influence people's actions.”
That never has been more evident than in 2009. Arguably the group's biggest success story this year was the launch of BadwareBusters.org, a growing, popular volunteer-driven destination to spread information about internet threats and for website owners to receive assistance on how to clean malware from their sites.

“We get something like 20,000 unique visits per month, and we have thousands of messages posted there at this point,” Weinstein says. The goal, he says, was to create a “vibrant, safe place.”
“We want to make the site feel comfortable as a place for someone to come and ask for help,” he says. “There are a lot of places where you can get assistance online, but a lot of them feel technical.”

User-generated content is one incentive toward meeting StopBadware's mission. Another that Weinstein finds to be particularly effective is embarrassment. The organization this year began releasing a daily list of the top 50 autonomous systems, ranked by the number of badware sites they are hosting based on data from Google and Sunbelt Software, two StopBadware partners (Weinstein's group, which is funded by companies such as Google, PayPal and VeriSign, defines badware as software over which the user is not in control).
Weinstein says offering lists such as these can shame companies into action. “We might even blog about it if we see a particular company which consistently shows up on the list and isn't being responsive,” he says. So far this year, the group's blog has touched on a number of important trends impacting websites, such as stolen FTP credentials and WordPress vulnerabilities.

Also this year, StopBadware unveiled Chain of Trust, an ambitious initiative which seeks to bring together all of the parties that influence the web – security firms, researchers, government agencies, internet companies, network providers, advocacy groups and academia – to document how they interact with each other, and then recommend how they can better work together.
“It's the idea of community and really building an active group of people who are tied together by a common hatred of malware, people who really have a personal stake in getting rid of badware,” Weinstein says. “And we want these people to talk to each other and to build a sense of ‘Hey, you know what? There are a lot of good guys out there.'”

Despite the many endeavors underway at StopBadware, the site will continue to serve some of its traditional functions. These include offering an archive so people can search through incidents of badware site infections. So far, StopBadware partners have reported around 350,000 instances.
In addition, the site serves as a neutral party to evaluate infections reported by Google.
Many websites rely on Google rankings to generate traffic. So when the search giant flashes a warning that a particular site may be hosting malware, business can plummet in a hurry.

“If a user believes their site is flagged inappropriately, they can come to us and we can look at it and say, ‘Yep, there's malware there. Or, no, Google is wrong and we're going to go ask them about it,'” Weinstein says.
Going forward, StopBadware will play even more of a role as the hub of communication and collaboration among organizations committed to fighting badware. Weinstein, part technologist, part educator, appears to be the right man for the job.

“He is very into sharing ideas and he's something that is very rare in this space,” says Ari Schwartz, vice president and chief operating officer of the Center for Democracy and Technology and a StopBadware advisory board member. “He does not have the same kind of ego and he's not interested in self-promotion like a lot of people in the security space. He's extremely altruistic in his motives and it comes across in everything he does.” – Dan Kaplan
Ask Gregory Wilshusen how long he's been married and he can tell you without hesitation: As of October 30, it had been 21 years, 10 months and nine days. “I'm an auditor,” he explains. “I keep track.”

In his professional life, Wilshusen oversees information security-related audits of the federal government for the U.S. Government Accountability Office, an independent watchdog agency whose mission is to help Congress improve the performance of the federal government.
The audits Wilshusen and his team conduct come at the request of congressional committees and members or are mandated by public laws. The audits examine the effectiveness of information security controls for specific systems, agencies or the federal government as a whole.

“Our greatest benefit is to inform Congress with fact-based objective analysis and studies so they can use that information in the discharge of their responsibilities,” Wilshusen says. “It's an honor and pleasure to inform Congress.”
One report released this May, for example, studied how agencies were responding to regulations described in the Federal Information Security Management Act of 2002 (FISMA). The study revealed that 23 of the 24 major U.S. government agencies contain weaknesses in their information security programs, potentially placing sensitive data at risk of exposure.

In a recommendation in the report, the GAO said the federal Office of Management and Budget should better describe the effectiveness of information security programs so that Congress can more effectively “monitor and assist federal agencies in improving the state of federal information security.”
This year alone, Wilshusen's unit has produced 16 reports related to information security issues at federal government agencies, which have included about 350 specific recommendations that agencies should implement to improve their information security postures.

One internal performance measure kept at the GAO is the percentage of recommendations that were implemented over the past four years, Wilshusen says. In 2005, nearly 194 recommendations were made in reports about information security and since then agencies have implemented 88 percent of those recommendations.
As director of information security issues at GAO, one of Wilshusen's primary responsibilities is to testify before congressional staff about audit findings and to convey technical issues in a manner that can be easily understood. Those members in Congress depend on the GAO's independent assessments and Wilshusen's testimony to help form legislation and policies for securing federal government systems.

“My colleagues and I rely on GAO to look at issues that are very complex, like cybersecurity, and to tell us what our options are,” says Sen. Tom Carper, D-Del., who is chairman of the subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security.
Carper says his subcommittee has previously asked Wilshusen to examine whether agencies are spending money wisely with respect to cybersecurity.

“With Greg's help, we learned that not only were taxpayers paying over a billion dollars for ineffective paperwork, but agency information was still vulnerable to threats like identity theft,” Carper says. “So with Greg's help, we will be teaming up with the new administration to focus on this issue and make sure we are spending the money wisely.”
Wilshusen has spent more than 28 years as an auditor and information systems professional and has worked at a variety of organizations. Before joining GAO in 1997, he was a senior systems analyst with the U.S. Department of Education, controller at the North Carolina Department of Environment, Health and Natural Resources, and held senior auditing positions at professional services firm Irving Burton Associates and the U.S. Army Audit Agency. – Angela Moscaritolo
Koobface: Arguably the first widespread social networking threat, this worm initially targeted MySpace. This year, however, it exploded in its number of variants and set its sights on Facebook and Twitter. It leverages thousands of IP addresses to host social engineering ploys that infect victims with data-stealing and DNS-changing malware.
Rogueware: Perhaps the most persistent and well-organized threat on the internet today, families of “scareware” try to dupe users into believing their computer is infected with viruses. Typically, the bogus programs run a fake scan – with phony results – and then ask victims to pay up for protection. In the process, they install a trojan.
Clampi: Another devastating banking trojan, this one is worrisome because of how quickly it can spread. The malware steals login details at some 4,600 bill-paying sites and leverages PSExec, a Microsoft tool to execute processes on remote Windows systems, to propagate across a victim company's network.
Gumblar: This botnet spreads by compromising legitimate, but vulnerable, websites and then seeds the victim site with malicious code from a Chinese distribution domain, gumblar.cn. Unpatched user machines that visit the sites can be infected and their users' Google search results can be redirected to other malware-hosting sites.
Conficker: One of the most talked about worms of the decade, it remains the most prevalent individual threat family overall. Infected machines still sit dormant waiting for instruction.
Taterf: First detected last year, this malware jumped in frequency in 2009. It is designed to steal usernames and passwords for role-playing games, such as World of Warcraft.
Sality: This virus tries to infect .exe and .scr files on a user's local network and on removable drives by overwriting code in the original file.
Waledac: It remains a prolific botnet responsible for a number of spam campaigns that leverage big holidays and other popular events.
Virtumundo: Some things never die. This longtime spyware/adware trojan, also known as Vundo, causes pop-up ads and can modify an infected user's Google search results.
Malware trading network: Researchers at Finjan discovered a one-stop-shop for hackers. Called Golden Cash, the network enables cybercrooks to buy and sell control of compromised computers, as well as trade stolen FTP credentials and other botnet tools.
SSL signing weakness: Fresh off his appearance at the 2008 Black Hat show, Dan Kaminsky's encore took the form of an SSL vulnerability that could allow an attacker to dupe a certificate authority to issue a malicious cert that browsers will accept as legitimate.
Month of Twitter bugs: Researcher Aviv Raff spent July publishing a bug a day in popularly used third-party Twitter services, such as TwitPic and TweetDeck. The project was an attempt to call attention to the insecurity of many sites that use the microblogging site's API.
Peer-to-peer leaks: At a Congressional hearing called to highlight the risks of file-sharing networks, P2P monitoring firm Tiversa revealed that its researchers found documents listing U.S. nuclear fuel locations, directions to the safe house for former First Lady Laura Bush, and Social Security numbers of U.S. soldiers.
End-to-end encryption: Popularized by the massive hack of Heartland, this technology is designed to cloak credit card numbers from point-of-sale through the handover to the issuing bank.

Private cloud: This service offers lower costs, increased storage and automation without having to lose control of data.
Out-of-band authentication: A fraud-prevention technique, usually in the form of a phone call, used by banks to ensure that customers making transactions are who they say they are. That means that cybercrooks would have to compromise both the internet channel and telephone network to be successful.
2. This June, after promoting his Social Security number in an ad campaign that dared anyone to crack his account, someone used the identity of Todd Davis, CEO of identity theft prevention company LifeLock, to take out a $500 loan.
3. A group of Los Angeles-area hospital workers couldn't contain their curiosity about one patient – Nadia Suleman, aka “OctoMom” – and peeked at her records without authorization. In March, 15 of them were fired for the privacy violation.
The Critical Electric Infrastructure Protection Act, introduced in April by federal lawmakers, aims to create standards for protecting the nation's power grid.
Cybersecurity Research and Development Amendments Act of 2009, passed in late September by the U.S. House Research and Science Education Subcommittee, would require federal agencies to submit a long-term research and development plan.
Informed P2P User Act, passed by the U.S. House Energy and Commerce Committee in October, is designed to prevent inadvertent file sharing by requiring P2P programs to provide notice and acquire consent from users prior to installation.
Fair Credit Reporting Act Amendment, passed by the U.S. House of Representatives in October, would exempt certain small organizations from complying with the Red Flags Rule.