Carl Banzhof, Vice President and Chief Technology Evangelist
Carl is vice president and chief technology evangelist for McAfee, where he is responsible for the architecture, communication and technical promotion of the security risk management family of products. A security industry visionary with 20 years of experience, he served as an appointee to the Open Vulnerability Assessment Language (OVAL) board and the Information Technology Information Sharing and Analysis Center (IT-ISAC). He has also participated in federal government-led cyber security exercises including Cyber Storm. Carl came to McAfee with the acquisition of Citadel Security Software, Inc., where he was chief technology officer for more than nine years.
Carl has held leadership positions with other companies including Circuit Masters Software, where he was a founding partner and vice president of engineering, and Fluor Daniel Engineers, where he was responsible for network infrastructure and software development on numerous projects. He is a frequent speaker at various security conferences including RSA, InfoSec and SANS. In April 2005, InfoWorld magazine named him one of the Top 25 Most Influential CTOs.
Highly trained cyberterrorist groups have already demonstrated the destructive outcome of planned attacks on public infrastructure, most notably in Estonia last year.
The cyber threat to national security is a growing concern and something we highlighted in our annual Virtual Criminology report. Coordinated attacks on national infrastructure take place every day. This calls for an equally persistent, resourceful response from both government and private industry.
This year’s Cyber Storm II, in which we are playing an active role, promises to be the nation’s most comprehensive cybersecurity exercise, involving 18 federal agencies, 9 states, 40 private-sector companies, and 4 international partners.
Exercises such as Cyber Storm keep government and private sector experts focused on the issue of national-scale cyberattacks, and engaged in developing new solutions and security initiatives that will elevate our preparedness when faced with the real thing.
The big difference in this year’s exercise is a significant increase in attack complexity. This is something McAfee’s researchers have seen – cyber threats becoming more sophisticated and more localized. In order to coordinate a response to this new threat, government agencies and industry need to work more closely together and build stronger relationships than ever before.
I’ve just finished the wrap-up meeting in Washington and am on my way home. The findings of this week’s Cyber Storm II should make interesting reading when they are released later this year by the Department of Homeland Security.
Posted in CSO / Risk Management
As our research continues to demonstrate, the Internet is the primary tool used by cyber criminals to distribute malware on a global scale. This raises the question: is it time for the Internet to be regulated?
Larry Seltzer at eWeek recently analyzed this issue and discussed some of the difficulties in imposing governance of the Internet – e.g., there is no governing body forcing organizations to make those changes. Instead, many of the core services of the Internet (DNS, IP protocols, etc.) rely upon committees and consensus-building to make decisions.
One of the valuable lessons we can draw from the eWeek article is that it’s more important than ever to establish a practice of security risk management. Business and government entities rely on established security practices to ensure critical infrastructure can continue to operate even amidst security attacks. They have taken appropriate steps to evaluate the risk of those systems being exploited and decided that protecting them is more cost effective than redesigning them to eliminate security issues.
So what would it take to redesign a new, secure Internet? The likely answer is that it would require billions of dollars, decades, and likely changes to business processes. This redesign is underway in the form of “Internet2,” which will focus on the integration of security, high-performance networking, and advanced applications over a publicly available network. “Advisory councils” composed of representatives from academia, research and industry are being formed to guide each of these key focus areas. Individuals I have spoken with who are currently connected to this network say they continue to see the same issues that occur on the Internet at large, such as DoS (Denial of Service) attacks, although at a much lower rate, and they believe the governing structures put in place on this network have significantly improved security for the common good.
New technologies are popping up on the Internet at an alarming rate. Social networking sites such as Facebook offer the ability to extend or build applications on top of those highly trafficked properties. This instant availability of software development and distribution gives rise to a completely new breed of commerce, developers and attackers. In turn, security vendors will continue to deliver technologies that provide protection for these services.
Posted in CSO / Risk Management
Your identity is priceless; however, cybercriminals are looking to cash in on acquiring your personal information this holiday season. Earlier this week, Cyber Monday kicked off the holiday shopping season, and sales rose 26 percent compared to the same day last year, reaching $733 million.
Although bargain shopping online for the best deal on a plasma TV or Louis Vuitton bag is thrilling, consider the number of people who fell victim to identity theft and phishing attacks this year. More than 300 million records of personally identifiable information (SSNs, credit card numbers, etc.) have been lost or stolen from the most respected brand names in various industries and government entities this year. That’s more than one record per person in the U.S.
Here are three areas of security designed to protect you as you shop online:
1. You wouldn’t venture into a mall or a store with a bad reputation by yourself no matter how good the deal, so why do the same thing online? While McAfee can’t offer you an escort to the physical mall, we can offer you an escort in the virtual world. McAfee SiteAdvisor is a free download that acts as your virtual tour guide for the Internet. SiteAdvisor provides visible indications within your Web browser (Green = Good, Red = Bad) of a site’s rating, based upon McAfee’s extensive evaluation of the site’s ability to protect sensitive information, whether or not users have been affected by spyware or malware, and whether or not users of the site have reported spam e-mail as a result of using the site.
2. Consumers should be careful when surfing and conducting business transactions online. The credit card industry is taking a stand on consumer fraud, as evidenced by the PCI DSS standard set forth by Visa and MasterCard. This important standard lays out very straightforward, common-sense practices to secure consumer credit card information held and used by online and traditional brick-and-mortar merchants. McAfee has a full range of offerings that help all types of merchants secure their systems and comply with PCI DSS to reduce the threat of unauthorized credit card use.
3. You may have noticed that McAfee recently announced the acquisition of ScanAlert. ScanAlert is a technology that tests e-commerce websites daily for security vulnerabilities and provides cross-links from the HACKER SAFE Merchant directory which reaches over 50 million unique shoppers each month. Perhaps you have seen their HackerSafe logo on the sites that you have done business with lately, designed to provide consumers with an extra level of confidence that the transaction they are conducting on the Internet will be safe and secure against malicious activities.
Interested in learning more? You can find more information about safe online holiday shopping from the Federal Trade Commission and the National Cyber Security Alliance.
With the rise in online consumer spending this year, coupled with the plethora of online safety measures McAfee has in store for consumers, this holiday season should turn out to be very merry indeed.
Posted in CSO / Risk Management
You spent your entire security budget on technologies for the perimeter and the endpoint. You designed the perfect security architecture that isolates critical business function infrastructure and makes it impervious to attack. You implemented an IT management framework to optimize your environment, yet somehow the bad guys got away with the crown jewels of your organization. What could have been done differently to prevent this breach? When it comes to securing data, companies are going to have to take on the issue of the “human factor.”
Last week, The Hartford Group revealed it lost three backup tapes containing the personal records of 237,000 customers. This is by no means a rare scenario. According to Deloitte Touche Tohmatsu’s 2007 Global Security Survey, 79 percent of respondents cited humans as the root cause for information security failures.
Most of us have allowed someone else to use our work computer and maybe even left that person unattended in our office. Someone with malicious intent could easily copy sensitive files to a USB drive and bypass all security measures, because he/she was allowed access to an entire corporate network of intellectual property. Given this type of access, one could even launch the next code purple attack from your machine. It’s imperative to understand the damage that can be done to the reputation of an organization with a few keystrokes.
What about your organization? Have you trained all personnel in basic security measures, no matter how minor or significant a role they play? As you can see in the scenario outlined above, even physical security measures can’t prevent someone from gaining access to a computer connected to the corporate network and the Internet. Someone with malicious intent doesn’t need fancy shellcode or exploit tools, just a USB device and a willing participant.
Posted in CSO / Risk Management
According to an article last Thursday by Evan Schuman of eWeek, Visa recently issued another reminder to Level 1 merchants (those that generate more than six million Visa transactions per year) that September 30 is the deadline to be compliant with the PCI DSS. Merchants will have to work quickly to meet this deadline, as only 39% of Level 1 merchants were reportedly in compliance as of July 18, according to an article posted on Digital Transaction News.
Failure to comply with PCI standards will cost merchants monthly fines of at least $25,000 along with higher commission fees. However, in my opinion, we will see a dramatic increase in the number of Level 1 merchants who reach compliance to avoid such penalties. Add to this the fact that most retailers and financial institutions go into a complete system lockdown during Q4. By some estimates, at least 30% of a retailer’s revenue is dependent upon the holiday shopping season, which officially begins on “Black Friday,” the Friday after Thanksgiving.
Let’s work through a simple non-compliant scenario for one of my favorite large chain department stores. First, take into account the system lockdown for Q4 at a base cost of $25,000 per month x 3 months = $75,000. Next, add on top the elevated commission fees. Let’s say this retailer does about $2.5 billion revenue in Q4 with 50% transacted by Visa. Because of its non-compliance, the uplifted commission fee to Visa is an extra 1%, which comes to about $12,500,000 for a grand total of $12,575,000 per quarter – serious dollars no matter how big the company.
To help organizations comply faster and reduce the risk of fines and elevated transaction commissions, McAfee today announced the Easy PCI initiative, combining technology and expert assistance to deliver a comprehensive approach to gaining PCI compliance.
It will be difficult for PCI to be implemented and enforced across such a broad range of large merchants. However, it’s a necessary standard that must be adopted to stay one step ahead of the increasingly coordinated efforts of cyber thief networks.
Posted in CSO / Risk Management
Since my last post on PCI legislation, an exciting development has emerged.
On Monday, Computerworld reported some exciting statistics regarding adoption rates of the PCI DSS among Level I and Level II merchants. According to VISA, 96% of the largest organizations that accept debit and credit cards have stopped storing magnetic stripe information in their systems.
This move validates the overall heightened awareness of loss of personal information witnessed by consumers, as well as by those organizations responsible for collecting and storing this information. What’s the clear message in all of this? Steps must be taken to protect the data that customers trust merchants with, or else become the next poster child for data loss. Can you say TJX?
A couple of weeks ago, I spoke at a CIO event in Los Angeles and my presentation included data loss. While doing research for this presentation I looked up the latest statistics for data loss at attrition.org. It blew me away to discover that in June and July of this year more than 5.5 million pieces of PII (Personally Identifiable Information) were lost!
While VISA and the PCI Gang are making great strides at getting organizations closer to compliance, can they move fast enough? Is the PCI standard stringent enough to help reduce this onslaught of information loss? If my two-month statistics are any indicator, it would seem the answer is that there is more work to be done. However, my gut instinct says that PCI is a great step towards good security protocol at every organization regardless of merchant status and will continue to pay benefits in the long run.
Posted in CSO / Risk Management
The credit card industry is working hard to evangelize the PCI standard for card security. However, as with any compliance initiative, organizations are slow to adopt and enforce standards until real “teeth” are in place (think HIPAA). As Charles Ross mentioned in his blog post, PCI-compliance alone doesn’t guarantee security.
Wal-Mart recently announced an expansion plan to bring on 1,000 “Money Centers” by 2009. The goal of these centers is to provide lower-income consumers with the convenience of a bank. Unfortunately, with this convenience comes more risk and customers may have to deal with issues such as identity theft and data loss. While most of the transactions will be fueled by refillable money cards, customers will be required to provide basic information and will be targeted to purchase additional products and services requiring even more information to be collected and stored.
The privatization of banking isn’t going to slow down as retailers seek to capitalize on this very profitable trend. The Wal-Mart expansion plans were announced one month after the U.S. House of Representatives passed legislation to block non-financial firms from operating banks.
One piece of California legislation would prevent individuals and organizations that accept credit card and debit card payments from storing sensitive information, including the data track from the magnetic stripe on the back of the card, the PIN or encrypted PIN block, and the card verification code. Its sponsor? The California Credit Union League. It seems that the credit unions, which are non-profits, are tired of holding the bag for costs such as card replacement and notification services after merchants suffer a breach.
The combination of legislative action and mandatory PCI compliance will hopefully get merchants to take the protection of customer privacy and data security more seriously than they have in the past. Protecting consumers’ private information is vital. The problem with retailers housing the personal information of consumers is that these retailers often have not conducted the due diligence and deep analysis of how best to identify and protect assets prior to suffering a major breach. Legislation will force retailers to take a deep look at their own data security practices, or suffer the legal consequences.
Posted in CSO / Risk Management
As Christopher Bolin touched upon in his blog earlier this month, spam is a complicated topic which affects nearly anyone who has an e-mail account. It appears the industry is finally taking notice and attempting to gain back the upper hand on this issue.
Check out this article posted yesterday on CNET.com which discusses the preliminary approval of a new technology designed to detect and block fake e-mail messages.
While this technology won’t address the problems associated with grey spam because those are self-inflicted, it’s a definite step in the right direction.
Posted in CSO / Risk Management
I was at my usual Starbucks this morning and saw a well-dressed guy using the Wi-Fi hotspot. For all I know he might have been a struggling author trying to write the next great novel. Or maybe not. Maybe he was a claims administrator for the hospital up the street—with a few thousand very personal records on his laptop, and with absolutely no idea that during his morning coffee he could end up having his most valuable data maliciously copied over the Wi-Fi network.
McAfee set out to understand the global landscape of data leakage and its impact on companies. The results are shocking. 33 percent of IT decision-makers across a broad spectrum of industries said that one high-profile security breach could lead to a monumental collapse as well as potential bankruptcy.
Companies have faced intellectual property theft for decades, right? So why has this problem only recently come to the forefront in the media? Sarbanes-Oxley, that’s why. And HIPAA, and here in California, SB-1386—and they mandate that these companies report when a security breach takes place. You may think that encryption will solve the problem, but it isn’t the total solution. Companies need a game plan when it comes to compliance; process methodologies must be implemented as part of a multi-layered defense against data leakage. The days of firing an employee and having a security guard escort them out of the building are over; companies need policies in place well in advance on how to handle sensitive information.
The acquisitions McAfee has made over the past 12 months allow us to combat both internal and external security risks by securing data from both insider and outsider threats. We are providing a complete platform for security risk management so companies have full visibility and control of their data. It’s a mobile world – and employees use the freedom to access data at work, at home and on the road. If you’re not familiar with the products that address these problems, check out McAfee’s Data Loss Prevention solution. Your employees need the convenience of access to the network and all of its resources, and you need to prevent them from accessing data that wasn’t intended for their eyes.
2007 has been a wake-up call for enterprises. Now that we’re aware of the problem, we’re one step closer to a coordinated effort so we can sleep comfortably at night knowing our data is safe.
Posted in CSO / Risk Management