The vulnerability affects all major versions of Microsoft Windows.  In just a matter of moments, attackers can gain total remote control of a system and install malware, keyloggers, and Trojans. A successful attack can lead to corrupted systems and stolen confidential data: intellectual property, credit card numbers, social security numbers, passwords, and more.  Within hours of the Microsoft patch release, public source code to exploit this vulnerability was distributed on the Web.  And, according to Microsoft, by the time the patch was announced targeted attacks had already begun.

Because of the extreme critical nature of the vulnerability, Microsoft recommended immediate deployment of its emergency patch without testing, hitting enterprises with a dilemma.  Should they immediately deploy the out-of-cycle patch and risk impacting or even bringing down production systems?  Or should they continue leaving their systems at risk to a critical vulnerability while IT security is testing the Microsoft patch. Either way, businesses are negatively impacted by additional patch management costs, associated business disruptions, and increased security risk exposure.

This incident reinforces the larger industry issue that companies require zero-day protection, especially during the window of vulnerability – the time between when a vulnerability is discovered and when the patch is deployed to protect the system. Relying solely on patch cycles and signature-based solutions doesn’t protect against unknown, zero-day attacks such as this one. With host intrusion prevention, IT teams can establish a more efficient, well-planned, and controlled patching process. Host IPS puts zero-day vulnerability shielding in place which allows IT staff time to analyze, plan, prioritize, test, and deploy relevant patches. 

While most security vendors struggled frantically to release new signatures for Microsoft’s vulnerability, McAfee customers using Total Protection for Endpoint (including McAfee Host IPS) were already protected. By using Total Protection for Endpoint, McAfee customers have comprehensive, layered security against this vulnerability through zero day protection rules already enabled by default.  McAfee customers apply Microsoft patches on their own schedule following their own procedures to significantly lessen patching costs associated with out-of-band patch cycles.

In fact, non-McAfee customers spent over $250 million to address the unplanned patch cycle. While companies scrambled to get protected and lost precious productivity resulting in lost profits, McAfee customers had peace of mind that their systems were protected at no additional cost. Furthermore, McAfee customers went on with business as usual while unprotected companies spent long hours and late nights to get protected.

The lawmakers suggest that the break-ins were carried out by people who appear to be working from inside China seeking confidential lists of names of dissidents.

Virginia Rep. Frank Wolf said four of his computers were compromised, beginning in 2006. New Jersey Rep. Chris Smith, a senior Republican on the House Foreign Affairs Committee, said two of his computers were attacked, in December 2006 and March 2007.

The Pentagon last month acknowledged that its vast computer network is continuously being scanned or attacked by outsiders. The Air Force in a recruitment ad says the Pentagon is attacked more than 3 million times each day.

As has been well documented by McAfee and by others, cyberattacks are on the rise and are increasingly nefarious. Several years ago hackers defaced Web sites and created fast-spreading worms for glory and notoriety. Today hackers, either part of organized crime rings or backed by governments, hack to steal valuable information and make money.

Government systems have been an increasing target. The number of federal government related cyberincidents reported to the US Computer Emergency Readiness Team (US-CERT) more than doubled to 12,986 in the government’s 2007 fiscal year, which ended Sept. 30. That compares to 5,143 in fiscal 2006.

Computer systems all over the world are under a growing assault from hackers, cyberterrorists and foreign spies looking to steal secrets and disrupt operations. We highlighted the threat of cyberespionage in particular in our Virtual Criminology report late last year.

We applaud the government for being open and upfront about these attacks and taking important steps toward strengthening the protection of its systems. It has been clear to us for a long time that more needs to be done, we’re happy to see the government agrees.

A recent study released in the Journal of Neuroscience, found that the brain has two separate channels for predicting and evaluating errors from risks we take.  This finding suggests people incorporate lessons learned from incorrectly measured risks in future decision making. Additionally, the brain appears to be using a complex quantitative risk assessment approach, which is far more sophisticated then earlier high/low classification systems that were originally proposed.  Amazing that our brains can quantify risk, but measuring it in InfoSec world is still a work in progress.

Another study in Psychology Today, found that when we sleep our dreams provide a way for our brain to visually rehearse responses to threats in our world.  For example, dreaming that you’re being chased by a ravenous bottlenose dolphin at a marine park is a way of practicing escape tactics.  This effectively enables us to react to situations in our world without thinking.

This research suggests that taking risks is a complex process for people based on the experiences and stimuli they have been exposed to in their lives.  Not all people are equal when it comes to making rational risk decisions.  Some may be better than others based on their experiences.  The reality of course is that we entrust people with the power to respond to information security risks that face our IT environments.  Do we really know whether we have the most effective cerebral cortexes, neurons, synapses, etc. to protect our organizations?  Until neuroscience has some answers, you can either invest in a Siemens Trio 3T full-body MRI scanner as part of your security program, or realize that people vary considerably when it comes to effective risk taking.  Factoring this into your risk analysis process is critical.

The cyber threat to national security is a growing concern and something we highlighted in our annual Virtual Criminology report. Coordinated attacks on national infrastructure take place every day. This calls for an equally persistent, resourceful response from both government and private industry.  

This year’s Cyber Storm II in which we are playing an active role in promises to be the nation’s most comprehensive cybersecurity exercise involving 18 Federal agencies, 9 states, 40 private-sector companies, and 4 international partners.

Exercises such as Cyber Storm keep government and private sector experts focused on the issue of national-scale cyberattacks, and engaged in developing new solutions and security initiatives that will elevate our preparedness when faced with the real thing.    

The big difference in this year’s exercise is a significant increase in attack complexity. This is something McAfee‘s researchers have seen – cyber threats becoming more sophisticated and more localized.  In order to coordinate a response to this new threat, government agencies and industry need to work closer together and build stronger relationships than ever before.  

I’ve just finished the wrap up meeting in Washington and on my way home.  The findings of this week’s Cyberstorm II should make interesting reading when they are released later this year by the Department of Homeland Security.

Today I showed an audience of about 4,500 people at VMworld Europe how VMware and McAfee together will be able to protect virtual environments in ways beyond what is available to protect physical environments today.

Our customers are using more and more virtualization. We’ve devoted a lot of time and energy to provide the best protection possible, for both physical and virtualized environments.

Virtualization represents a disruptive change in how the world uses its computing devices. It has also expanded the possibilities for more comprehensive security for the virtualization platforms and the guest operating systems they host.

With the popularity of virtualization and the rush to reap its benefits, security must not become an afterthought. That is why I am excited about today’s big news: VMware VMsafe. With VMsafe, VMware is building adaptable security interfaces as a fundamental part of its products, allowing partners such as McAfee to offer innovative security solutions.

McAfee is the first security company to publicly demonstrate VMsafe. At VMworld we showed how, with VMsafe, we can block a malicious driver being executed in a virtual machine. We also showed that we can scan and clean offline VMs so they are up-to-date when they’re spun up.

We deliver real and meaningful security for virtualized environments today. Our security risk management solutions are fully compatible with VMware virtualization and help organizations create a safe computing environment, spanning virtualized servers, networks and desktops.

In the future, VMsafe could be used in a range of our products, further enhancing the protection. Just as VMware has provided a fundamental change to how computing resources are used, it will allow security technologies to protect virtual environments in ways beyond those possible for a single monolithic OS. VMsafe is the key to that promise.

Aside from our support for VMsafe, we also announced an OEM (original equipment manufacturer) agreement with VMware to use VMware ESX Server in future products. In addition, we announced beta availability of our new Email and Web Security Virtual Appliance, built from the ground up for the VMware platform, and unveiled a new virtual infrastructure security assessment service. 

You can read more about how McAfee secures virtual environments in our news releases and on our virtualization Web site: http://www.mcafee.com/virtualization

Virtually yours,

Christopher

First, and foremost as a security professional, I was struck by how little concern there is in the Mac community for matters of information security and personal information protection. Everyone reading this blog knows there are fewer vulnerabilities and much less of a malware presence on OS X compared to Windows – but I thought at least some of the attendees I encountered would have some interest in the dangers lurking out there.

I presented on the security topic in the Developer area of the exhibit hall and got a respectable number of people in the audience; but I suspect they more sought the comfort of a soft chair rather than my pearls of wisdom regarding securing their MacBooks.

My main message was “Leopard is great and it’s an OS designed with many facets of good security in mind, and therefore I agree with much of the relaxed attitudes regarding use of additional safeguards.” In other words, the sky is certainly not falling.

My sub-message, however, was an overview of the bad stuff out there on the Internet, and how it’s just a matter of time before the professional malware writers target the OS X market as being ripe enough for harvesting credit card numbers and SSNs. In fact, one could argue that this has already begun but is just below the radar.

I pointed out that there is no one silver bullet to protect a user of any computer platform – be that a PC or a Mac. In fact, we employ techniques that go far beyond the conventional antivirus and firewall-blocking approaches for protecting personal information. Techniques such as safe surfing (SiteAdvisor), safe e-commerce (ScanAlert), and Data Leakage Prevention to help prevent sensitive data from inadvertently leaving the computer in the first place.

I found that my audience was indeed pretty interested in the various types of malware, how it operates, what its symptoms are, and what is done with their stolen information. So I guess the effort we made for a security presence in the expo area wasn’t in vain.

A disappointment I had was in missing out on the Steve Jobs keynote that opened the expo. I thought I’d try getting a seat in the front by getting to the Moscone by 6am; but even by then the line wrapped fully around the bock … and these are big blocks! I later understood that people starting lining up for entrance to the keynote at 10pm the night before. Oh well, at least later on I was able to fondle the newly-announced MacBook Air, which is a delightfully thin and light notebook computer. It runs the same OS X as the big brothers in the family, so it ultimately offers us security professionals some additional fertile ground.

All in all, the Mac platform is a great one for developers, users, consumers and enterprises alike. Unfortunately so too for the bad guys … but we’ll be there watching for them.

What is troubling is the scope and opportunity for such abuse and loss of data, even worse is the fact that the intentional, or malicious, attacks are the easiest to spot and manage, with the unintentional data losses caused by rogue emails and employee ignorance doing the most damage.

No matter how data loss occurs, it is a watershed moment for large organizations all over the world. And with increasing pressure to stay compliant, organizations need to start taking proper precautions to prevent the floodgates from bursting. Bottom line: you want to build a brand around trust and losing data weakens consumer confidence, which translates to lost business.

Awareness is an important first step, but it is not enough to forestall disaster. Every enterprise needs to make data loss preparedness a priority.

The following are some key things to think about before embarking on a data leakage protection initiative:
- While IT maintains the systems and networks that process and store data, they are not
always aware of the criticality or value of that data. Business owners need to be an active participant when it comes to data protection in order provide business context around the data

- Data protection requirements will change over time, so technology solutions need to be flexible. Today you may choose to alert against certain data activities, but tomorrow you want to block or encrypt them. Encryption is a key consideration of any data leakage protection initiative and currently no one else is looking at this. This is extremely important when talking about lost laptops

- Data loss protection offers an excellent opportunity for IT and business units to work together toward a common set of objectives. However, it’s critical that all parties involved understand the scope of the effort, individual roles and responsibilities, and service delivery levels

By establishing data loss prevention policies, educating employees, and implementing technologies that automate and simplify enforcement and monitoring tasks, large organizations can prevent data breaches and focus on their business goals. It is only by taking responsibility that enterprises can maintain a global commerce environment that is flexible, collaborative and innovative. It is not too late, at least not yet.

Why is open source code so important? Well, because a software developer can use open source code instead of spending time developing code that does the same job. Simply said, it doesn’t make sense to reinvent the wheel.

At McAfee we distribute and use open source code including Linux, OpenSSL and Apache, with our products. Linux has proven to be a very solid platform to deliver security appliances, OpenSSL has created some great tools to secure connections and Apache is so robust it prevents us from having to write a Web server every time we need that functionality. And these are just some of the examples.

Because of the availability of open source code we didn’t have to develop the functionality provided by the readily available code ourselves. Instead, we could focus on our core competency: delivering the world’s best security products.

Further, our customers use open source software as well. As a security vendor we cannot ignore that requirement. We have several products available that support Linux, OpenBSD and other well known platforms and projects.

Of course we know that while open source code is freely available, the use and modification of the code incurs some obligations. The requirements differ depending on the applicable license. We are very careful to meet these requirements, doing both legal and technical inspections. For example, if we make any changes to software licensed under the GPL, then we provide those changes with our distribution.

Recently we filed an annual report with the U.S. Securities and Exchange Commission. SEC rules require us to include a detailed list of potential risks we face in our business. Among these risks we also described potential risks associated with our use of open source software, as well as risks associated with our use of any other third party software, regardless of the license type.

Our mention of the open source risk could be misconstrued by people unfamiliar with such regulatory filings as suggesting that these risks are new, unique and dangerous or indicate a negative opinion of the value of open source. Nothing could be farther from the truth. In fact, this risk factor has been included in previous McAfee filings and is similar to open source risks described in current filings from other companies including Symantec, Oracle and many others.

The open source communities around the world continue to provide valuable solutions for many customer problems and for McAfee as well. We’re grateful for that and we are also happy contributors to several open source projects for almost 10 years.

Meet the blogger and read disclaimer information