Michael Kaiser

Age: 53
Occupation: executive director of the National Cyber Security Alliance
College: undergraduate, College of the Atlantic
Accomplishments: Appointed in April to the U.S. Department of Commerce's National Telecommunications and Information Administration (NTIA) Online Safety and Technology Working Group

When it comes to cybersecurity we, as a society, are only as strong as our weakest link.

That's the message being promoted by Michael Kaiser and the National Cyber Security Alliance (NCSA), a nonprofit dedicated to fostering a culture of cybersecurity safety.

Just like a natural ecosystem, if one part of the digital ecosystem is polluted, it can pollute the rest, says Kaiser, director of the NCSA. Being part of a botnet, for example, could be problematic for the individual whose PC is infected, but it also has farther reaching consequences because infected bots are often used to send spam or launch attacks against others, he says.

“Everyone has a role,” Kaiser says. “All should be doing their part to secure the part of the ecosystem they are in.”

Kaiser and the NCSA work to unite government, corporate, nonprofit and academic organizations to promote the importance of cybersecurity. Since coming on as director of the alliance in September of 2008, Kaiser has strengthened partnerships with the U.S. Department of Homeland Security and other federal government agencies and fostered new ones with state and local governments, says Shannon Kellogg, director of information security policy at EMC.

“Michael has been fantastic in helping to take the work of the alliance to new levels,” says Kellogg, who is also a co-founder of the seven-year old organization.

One of Kaiser's most notable accomplishments with the alliance over the past year was helping to create the sixth annual National Cybersecurity Awareness Month, which took place this October. It was the best year of the campaign yet, Kellogg says. During the event, which was themed “our shared responsibility,” hundreds of organizations around the country held activities to promote the message that each and every American has a responsibility to protect the computers and networks they use.

Also, during October, President Obama released a video about the importance of cybersecurity, and the U.S.  House and Senate each passed resolutions supporting the cybersecurity awareness month. Numerous individuals in government attended the campaign's launch event in Washington, D.C., including Homeland Security Secretary Janet Napolitano, Deputy Secretary of Defense William Lynn III, and White House National Security Staff Acting Senior Director for Cybersecurity Chris Painter.

“[Kaiser is] very eager to work with businesses to bring them together with players in government and the academic community to continue to build this – and it helps us all,” Kellogg says.

Before joining the NCSA, Kaiser was the director of programs at the National Center for Victims of Crime, where he worked to build awareness about the risks that come with technology. There, he developed programs to help local police departments around the country improve the way they investigate crimes that involve digital evidence. He also held workshops to educate police officers, prosecutors and individuals from victims' services organizations about how technology is used in cases of domestic violence, stalking, identity theft and other crimes.

Though Kaiser has spent years getting the message out about the risks of technology and the importance of cybersecurity, there is still work to be done, he says. Eventually, he would like cybersecurity safety principles to be as ingrained as looking both ways before crossing the street.

“We live in a digital age,” Kaiser says. “Young people need messages about staying secure online long before they ever touch a computer.” – Angela Moscaritolo

MISCHEL KWON

Age: 47
Occupation: VP of public sector security solutions, worldwide professional services unit, RSA; serves as an adjunct professor at George Washington University where she runs the Cyber Defense Lab, as well as mentors students
College: B.S. and M.S. in computer science, Marymount University; M.S. certificate in information assurance, George Washington University
Accomplishments: director, Department of Homeland Security's U.S. Computer Emergency Readiness Team

While Mischel Kwon is often singled out for the recent successes at the U.S. Computer Emergency Readiness Team (US-CERT), her first order of business when interviewed is getting the facts straight: It was a team effort, she says. But there's no denying that under her leadership, the department – charged with analyzing and reducing cyberthreats and vulnerabilities in federal networks, disseminating cyberthreat warning information and coordinating national incident response activities – grew to three times the size it was when she began in the position in June 2008. In her time there, she and her team built the organization into a sound security operations center to increase the sharing of security information with government, the private sector and international partners.

“We worked well to do broad information sharing, getting good technology information out to everyone,” Kwon says.

For example, when the Conficker worm broke, the agency worked with the Conficker Working Group to make certain the right information was disseminated, created a tool to help identify the malware, and put out information bulletins on how to mitigate the problem.

Another success Kwon points to was a series of meetings she initiated called the Joint Agency Cyber Knowledge Exchange. This brought a number of federal agencies together to discuss and share specific information on threats and attacks. Over the year, there was a robust exchange of information among three-initial agencies, which continue still (she wouldn't say which agencies other than DoJ and DHS, citing the secret nature of the meetings. “It's a wonderful legacy for me,” she says.

One of the most important projects while at US-CERT she singles out was updating its Con Ops [concept of operations], instructions on how the department worked with private and public entities, as well as consumers, to provide the cybersecurity and incident response community with the core components of an incident management plan. “We rewrote it based on the ‘Five Pillars of Cybersecurity,' she says. “We looked at how to address the internet differently and the millions of vulnerabilities.”

Sometimes, Kwon admits, her team was overwhelmed with how to prioritize those vulnerabilities. So they began a thorough assessment of the threat vectors being used by cybercriminals to understand how they work. Her team needed to know what data cyberthieves were going after. Only then could they offer remediation. “Technology is not enough, so we added process and methodology,” she says. “We looked at the Federal Information Security Management Act (FISMA) and saw that the compliance piece was missing in regards to what was happening to the networks. This was the major project we worked on.” The policy was very successful, she says. It has been presented at industry gatherings, and is now being reviewed by the DHS.

"Mischel Kwon's contribution to the security community was and remains very impressive," says Amit Yoran, CEO, NetWitness, and also a former director of the US-CERT. "She substantively enhanced the defense of the Department of Justice's systems. During her tenure as the director of US-CERT, she introduced operating discipline, improved the CERT's contribution to protecting the U.S. government and actively worked numerous security issues directly with the private sector and critical infrastructure operators. She has an uncanny ability to work strategic exective issues, dive directly into nuanced technical details and most importantly bridge these two communities."

Despite what the Washington Post reported, it was not frustration that led Kwon to resign the position at US-CERT in August 2009. And, she says, her departure had nothing to do with Melissa Hathaway and Rod Beckstrom leaving their high-level cybersecurity posts around the same time. “I felt I needed to make a lifestyle change, “ she says, explaining that working seven days a week, 16-hour days for a year and a half was keeping her away too much from her family.

While she says she wished she could have hired and trained more people and moved faster, she has little regret of her time there. “It was one of the best and most fulfilling jobs I ever had in my life. I worked with really great people. I have a lof of respect for [DHS] Secretary [Janet] Napolitano.” Kwon also singles out for praise former colleagues within the DHS – Rand Beers, the undersecretary at the National Protection and Programs Directorate (NPPD), and Phil Reitinger, deputy secretary of the NPPD and director of the NCSC.

Her position at US-CERT sits unfilled, but she remains hopeful about its prospects. As far as the still vacant cyber coordinator position, a slot President Obama had pledged to appoint earlier this year, Kwon says it would be great to have someone in the position, but it's not crtitical. “I don't see us putting a lot of significance in the position. This is a team effort and the DHS, departments and agencies are proactively working on cybersecurity problems.”

The CIO and CTO in the White House are also actively working on the problem, she adds. “Agencies are moving forward and being proactive. It will be great when they add the cyber coordinator to the mix, but I don't see it as critical. It never relies on one person. The government is not waiting to move.”

After nearly 30 years in the technology arena, Kwon is still in the fight, she says, referring to her new position at RSA as vice president of public sector security solutions within its worldwide professional services unit. “With my role at RSA, I still have an opportunity to help with the problem,” she says. “I'm focused on the public sector. I am opening a security consultancy geared to this.”

According to a release, at RSA, Kwon will advise organizations seeking strategic technical and policy assistance in building, defending, identifying and remediating their critical infrastructures against cyberthreats. She adds that she hopes to be one of the people on the ground fixing these problems. – Greg Masters

Maxim Weinstein

Age: 35
Occupation: manager, StopBadware.org
Personal: Married
College: Tufts University
Accomplishments: Serves on the Massachusetts Educational Technology Advisory Council and the advisory board of the Anti Malware Testing
Standards Organization

Maxim Weinstein majored in quantitative economics while studying as an undergraduate at Tufts University in Massachusetts. A few years later, he took a job as technology director at a Boston nonprofit that trains low-income young adults in technical and professional skills.

Weinstein finds himself in a useful position nowadays in his role as manager of StopBadware.org, a nonprofit based at Harvard University's Berkman Center for Internet & Society, where he can draw from his experiences in education and behavioral economic theory to help rid the internet of malware, StopBadware's ultimate goal.

“A lot of my background before coming to Berkman was in IT and the intersection of IT and education,” Weinstein says. “For me, it was really neat to dive down deep on a specific area of technology and to be able to say, ‘OK, let's take everything we know about the actual technology problem and figure out how we change people's behavior.'”

In revamping the four-year-old StopBadware from its original purpose as a clearinghouse for adware and spyware applications to its current focus – raising awareness about the potent and widespread threat of web malware with the help of IT thought leaders, academics and volunteers – Weinstein and his team view their mission as an economic problem.

“We know there are people, organizations and entities that could be doing more,” he says. “But they don't have the incentive. How can we find ways to get people to do what they need to do? I think some of the efforts we've done provide that incentive. We're finding new levers to influence people's actions.”

That never has been more evident than in 2009. Arguably the group's biggest success story this year was the launch of BadwareBusters.org, a growing, popular volunteer-driven destination to spread information about internet threats and for website owners to receive assistance on how to clean malware from their sites.

“We get something like 20,000 unique visits per month, and we have thousands of messages posted there at this point,” Weinstein says. The goal, he says, was to create a “vibrant, safe place.”

“We want to make the site feel comfortable as a place for someone to come and ask for help,” he says. “There are a lot of places where you can get assistance online, but a lot of them feel technical.”

User-generated content is one incentive toward meeting StopBadware's mission. Another that Weinstein finds to be particularly effective is embarrassment. The organization this year began releasing a daily list of the top 50 autonomous systems, ranked by the number of badware sites they are hosting based on data from Google and Sunbelt Software, two StopBadware partners (Weinstein's group, which is funded by companies, such as Google, PayPal and VeriSign, defines badware as software over which the user is not in control).

Weinstein says offering lists such as these can shame companies into action. “We might even blog about it if we see a particular company which consistently shows up on the list and isn't being responsive,” he says. So far this year, the group's blog has touched on a number of important trends impacting websites, such as stolen FTP credentials and WordPress vulnerabilities.

Also this year, StopBadware unveiled Chain of Trust, an ambitious initiative which seeks to bring together all of the parties that influence the web – security firms, researchers, government agencies, internet companies, network providers, advocacy groups and academia – to document how they interact with each other, and then recommend how they can better work together.

“It's the idea of community and really building an active group of people who are tied together by a common hatred of malware, people who really have a personal stake in getting rid of badware,” Weinstein says. “And we want these people to talk to each other and to build a sense of ‘Hey, you know what? There are a lot of good guys out there."

Despite the many endeavors underway at StopBadware, the site will continue to serve some of its traditional functions. These include offering an archive so people can search through incidents of badware site infections. So far, StopBadware partners have reported around 350,000 instances.

In addition, the site serves as a neutral party to evaluate infections reported by Google.

Many websites rely on Google rankings to generate traffic. So when the search giant flashes a warning that a particular site may be hosting malware, business can plummet in a hurry.

“If a user believes their site is flagged inappropriately, they can come to us and we can look at it and say, ‘Yep, there's malware there. Or, no, Google is wrong and we're going to go ask them about it,'” Weinstein says.

Going forward, StopBadware will play even more of a role as the hub of communication and collaboration among organizations committed to fighting badware. Weinstein, part technologist, part educator, appears to be the right man for the job.

“He is very into sharing ideas and he's something that is very rare in this space,” says Ari Schwartz, vice president and chief operating officer of the Center for Democracy and Technology and a StopBadware advisory board member. “He does not have the same kind of ego and he's not interested in self-promotion like a lot of people in the security space. He's extremely altruistic in his motives and it comes across in everything he does.” – Dan Kaplan

Gregory Wilshusen

Age: 53
Occupation: director of information security issues at the U.S. Government Accounting Office
Personal: Married
College: undergraduate, University of Missouri; M.S., George Washington University
Accomplishments: Received GAO's 2008 “Distinguished Service” award; assisted in updating the Federal Information System Controls Audit Manual (FISCAM), which provides guidance to federal government auditors

Ask Gregory Wilshusen how long he's been married and he can tell you without hesitation: As of October 30, it had been, 21 years, 10 months and nine days. “I'm an auditor,” he explains. “I keep track.”

In his professional life, Wilshusen oversees information security-related audits of the federal government for the U.S. Government Accountability Office, an independent watchdog agency whose mission is to help Congress improve the performance of the federal government.

The audits Wilshusen and his team conduct come at the request of congressional committees and members or are mandated by public laws. The audits examine the effectiveness of information security controls for specific systems, agencies or the federal government as a whole.

“Our greatest benefit is to inform Congress with fact-based objective analysis and studies so they can use that information in the discharge of their responsibilities,” Wilshusen says. “It's an honor and pleasure to inform Congress.”

One report released this May, for example, studied how agencies were responding to regulations described in the Federal Information Security Management Act of 2002 (FISMA). The study revealed that 23 of the 24 major U.S. government agencies contain weaknesses in their information security programs, potentially placing sensitive data at risk to exposure.

In a recommendation in the report, the GAO said the federal Office of Management and Budget should better describe the effectiveness of information security programs so that Congress can more effectively “monitor and assist federal agencies in improving the state of federal information security.”

This year alone, Wilshusen's unit has produced 16 reports related to information security issues at federal government agencies, which have included about 350 specific recommendations that agencies should make to improve their information security postures.

One internal performance measure kept at the GAO is the percentage of recommendations that were implemented over the past four years, Wilshusen says. In 2005, nearly 194 recommendations were made in reports about information security and since then agencies have implemented 88 percent of those recommendations.
“I think that speaks to the sufficiency and usefulness of the recommendations we make to the federal agencies,” Wilshusen says.

As director of information security issues at GAO, one of Wilshusen's primary responsibilities is to testify before congressional staff about audit findings and to convey technical issues in a manner that can be easily understood. Those members in Congress depend on the GAO's independent assessments and Wilshusen's testimony to help form legislation and policies for securing federal government systems.

“My colleagues and I rely on GAO to look at issues that are very complex, like cybersecurity, and to tell us what our options are,” says Sen. Tom Carper, D-Del., who is chairman of the subcommittee on Federal Financial Management, Government Information, Federal Services, and International Security.

Carper says his subcommittee has previously asked Wilshusen to examine whether agencies are spending money wisely with respect to cybersecurity.

“With Greg's help, we learned that not only were taxpayers paying over a billion dollars for ineffective paperwork, but agency information was still vulnerable to threats like identify theft,” Carper says. “So with Greg's help, we will be teaming up with the new administration to focus on this issue and make sure we are spending the money wisely.”

Wilshusen has spent more than 28 years as an auditor and information systems professional and has worked at a variety of organizations. Before joining GAO in 1997, he was a senior systems analyst with the U.S. Department of Education, controller at the North Carolina Department of Environment, Health and Natural Resources, and held senior auditing positions at professional services firm Irving Burton Associates and the U.S. Army Audit Agency. – Angela Moscaritolo

[sidebars]

Top 10 threats in 2009

Zeus: Also known as Ztob, this bank credential-stealing trojan is masterfully built. It is designed to evade anti-virus detection and then sit quietly in the background until victims login to their accounts. Infections have hit small businesses particularly hard this year, sometimes resulting in individual losses of hundreds of thousands of dollars.

Koobface: Arguably the first widespread social networking threat, this worm initially targeted MySpace. This year, however, it exploded in its number of variants and set its sights on Facebook and Twitter. It leverages thousands of IP addresses to host social engineering ploys that infect victims with data-stealing and DNS-changing malware.

Rogueware: Perhaps the most persistent and well-organized threat on the internet today, families of “scareware” try to dupe users into believing their computer is infected with viruses. Typically, the bogus programs run a fake scan – with phony results – and then ask victims to pay up for protection. In the process, they install a trojan.

Clampi: Another devastating banking trojan, this one is worrisome because of how quickly it can spread. The malware steals login details at some 4,600 bill-paying sites and leverages PSExec, a Microsoft tool to execute processes on remote Windows systems, to propagate across a victim company's network.

Gumblar: This botnet spreads by compromising legitimate, but vulnerable, websites and then seeds the victim site with malicious code from a Chinese distribution domain, gumblar.cn. Unpatched user machines that visit the sites can be infected and their users' Google search results can be redirected to other malware-hosting sites.

Conficker: One of the most talked about worms of the decade, it remains the most prevalent individual threat family overall. Infected machines still sit dormant waiting for instruction.

Taterf: First detected last year, this malware jumped in frequency in 2009. It is designed to steal usernames and passwords for role-playing games, such as World of Warcraft.

Sality: This virus tries to infect .exe and .scr files on a user's local network and on removable drives by overwriting code in the original file.

Waledac: It remains a prolific botnet responsible for a number of spam campaigns that leverage big holidays and other popular events.

Virtumundo: Some things never die. This longtime spyware/adware trojan, also known as Vundo, causes pop-up ads and can modify an infected user's Google search results.

---

Top five research revelations

iPhone SMS bug: Expert Mac hacker Charlie Miller and Ph.D. student Collin Mulliner revealed a bug that could enable someone to deliver a single invisible iPhone text message that would cause the popular Apple device to be knocked offline.

Malware trading network: Researchers at Finjan discovered a one-stop-shop for hackers. Called Golden Cash, the network enables cybercrooks to buy and sell control of compromised computers, as well as trade stolen FTP credentials and other botnet tools.

SSL signing weakness: Fresh off his appearance at the 2008 Black Hat show, Dan Kaminsky's encore took the form of an SSL vulnerability that could allow an attacker to dupe a certificate authority to issue a malicious cert that browsers will accept as legitimate.

Month of Twitter bugs: Researcher Aviv Raff spent July publishing a bug a day in popularly used third-party Twitter services, such as TwitPic and TweetDeck. The project was an attempt to call attention to the insecurity of many sites that use the microblogging site's API.

Peer-to-peer leaks: At a Congressional hearing called to highlight the risks of file-sharing networks, P2P monitoring firm Tiversa revealed that its researchers found documents listing U.S. nuclear fuel locations, directions to the safe house for former First Lady Laura Bush, and Social Security numbers of U.S. soldiers.

---

Top three IT security buzzwords

End-to-end encryption: Popularized by the massive hack of Heartland, this technology is designed to cloak credit card numbers from point-of-sale through the handover to the issuing bank.

Private cloud: This service offers lower costs, increased storage and automation without having to lose control of data.

Out-of-band authentication: A fraud-prevention technique, usually in the form of a phone call, used by banks to ensure that customers making transactions are who they say they are. That means that cybercrooks would have to compromise both the internet channel and telephone network to be successful.

---

Top three weirdest cybercrime stories

1 An ATM machine containing a skimming device was planted at a Las Vegas hotel while the DEF CON hacker show was taking place. The machine captured data from an unknown number of attendees before a security expert discovered the malicious unit.

2 This June, after promoting his Social Security number in an ad campaign that dared anyone to crack his account, someone used the identity of Todd Davis, CEO of identity theft prevention company LifeLock, to take out a $500 loan.

3 A group of Los Angeles-area hospital workers couldn't contain their curiosity about one patient -- Nadia Suleman (below), aka “OctoMom,” and peeked at her records without authorization. In March, 15 of them were fired for the privacy violation.

---

Top five cybersecurity bills

Cybersecurity Act of 2009, introduced in the U.S. Senate this April, is designed to address the nation's vulnerability to cybercrime through a number of reforms, but has drawn criticism because of concerns that it would give the president power to shut down the internet.

The Critical Electric Infrastructure Protection Act, introduced in April by federal lawmakers, aims to create standards for protecting the nation's power grid.

Cybersecurity Research and Development Amendments Act of 2009, passed in late September by the U.S. House Research and Science Education Subcommittee, would require federal agencies to submit a long-term research and development plan.

Informed P2P User Act, passed by the U.S. House Energy and Commerce Committee in October, is designed to prevent inadvertent file sharing by requiring P2P programs to provide notice and acquire consent from users prior to installation.

Fair Credit Reporting Act Amendment, passed by the U.S. House of Representatives in October, would exempt certain small organizations from complying with the Red Flags Rule.