cyber threats report 2009

8/14/2019 Cyber Threats Report 2009

1/9

Emerging Cyber ThreatsReport for 2009

Data, Mobility and Questions of Responsibility will

Drive Cyber Threats in 2009 and BeyondOn October 15, 2008, the Georgia Tech Information Security Center (GTISC) hosted its annual summit onemerging security threats and countermeasures aecting the digital world. At the conclusion of the event, GTISCreleased this Emerging Cyber Threats Reportoutlining the top ve information security threats and challengesfacing both consumer and business users in 2009. This years summit participants include security experts fromthe public sector, private enterprise and academia, reinforcing GTISCs collaborative approach to addressinginformation security technology and policy challenges.

As one of the leading academic research centers focused on information security, GTISC believes strongly thata proactive and collaborative approach to understanding emerging threats will help us develop more eective

information security technologies and strategies, said Mustaque Ahamad, director of GTISC. The annualGTISC Security Summit on Emerging Cyber Security Threats and our annual Emerging Cyber Threats Report

seek to give us a beer understanding of the cyber security challenges we will face in the years ahead.

GTISC research and advance interviews with key information security experts from government, industry andacademia uncovered ve specic trends and some profound questions that will drive threats and countermeasuresin 2009 and beyond, including:

Malware

Botnets

Cyber warfareThreats to VoIP and mobile devices

The evolving cyber crime economy

In an eort to inform the broader community about current and future risks, this report will describe eachemerging threat, existing or potential countermeasures, and how the threat may evolve in the coming year. Inaddition, our experts will oer their opinion on the role that Internet security education and regulation may playin further preventing the spread of cyber crime.


2/9

merging Cyber Threats Report for 2009 Georgia Tech Inormation Security Center October 15, 2008

1

Malware

A total of 28940 different malicious and potentially unwanted programs were detected on users computers

in August. That is an increase of more than 8,000 on July's figures and points to a significant increase in thenumber of in-the-wild threats.

http://www.kaspersky.com/news?id=207575678

We are so conditioned to click on links, and the bad guys know this, said Naraine. The email lures, the

enticements and the personalization of malware attacks are getting much better. Social engineering attacks

on social networks are beginning to explode and will only get worse.

Ryan Naraine - Security Evangelist, Kaspersky Lab, Americas

Emerging threats for 2009all data-driven!

Data will continue to be the primary motive behind future cyber crimewhether targeting traditional xedcomputing or mobile applications. According to security expert George Heron, Its all about the data,whether botnets, malware, blended threats, mobile threats or cyber warfare aacks. And Heron expects datato drive cyber aacks for years to come. The data motive is woven through all ve emerging threat categories,beginning with malware.

Ryan Naraine, security evangelist for Kaspersky,believes that malware deliverythe rst step in creating abotwill become more insidious by taking advantage ofpoorly congured Web sites, social networking sites andfalse domains.

We are projecting a 10-fold increase in malware objectsdetected in 2008, said Naraine. This is hockey-stickgrowth driven by identity the and data-focused cyber

crime.

Naraine expects criminal senders to use beer socialengineering techniques to cloak malcode in whatappears to be legitimate email with acceptable Web links.For example:

A Facebook message sent from one friend to anotherincludes a link to a YouTube video of interest to therecipient. The recipient clicks on the link supposedly sent

by his/her friend, and then sees a prompt to install thelatest version of Flash Player in order to watch the videoclip. The user clicks to install the update, but actuallyinstalls a piece of malware on the machine, eectively

involving the computer in a botnet.

As cyber criminals move beyond mass-distributionstyle phishing scams, they are learning how to localizeand personalize their aacks for beer penetration. Socialnetworking sites like MySpace, Facebook and others willlikely be used as delivery mechanisms to get unsuspectingusers to a malicious Web site link in order to delivermalware. In the coming year, GTISC and other security

experts also expect more targeted spear-phishing vehiclesto install malware and/or steal data. For example:

Aackers might target customers of a local credit unionwith a spoofed email referencing a local news story ofinterest. When customers click the bogus link in the email,the malware is installed and can log keystrokes and mineother personal data to be sent back to a malicious botmaster or cyber criminal.

Naraine cited computing mono-cultures and slow ornon-existent desktop application patching as fueling themalware/botnet crisis. When you have nearly 100 percentof users standardized on a single application, it means thata single point of security failure can lead to infection of anentire computing ecosystem, said Naraine.

Naraines research indicates that some of the largest botnets are comprised of corporate machines. It takesthe average corporation two to three months to apply aWindows patch across all devices, so malware and botnetswill continue to take advantage of known vulnerabilitieswithin enterprise environments.

On the bright side, many soware vendors are nowshipping auto-patch/update capability with each newsoware release. Firefox, Adobe and Apple all do this.And Naraine believes that Microso operating systemsecurity has improved with each successive release. Theauto-update features help both corporate and consumerend users stay up to date with patcheswhich eliminates alot of low-hanging fruit for the cyber crime community.


3/9

Emerging Cyber Threats Report for 2009 Georgia Tech Inormation Security Center October 15,

Botnets

Botnets Continue to Grow and Transorm

Bot Army Name Number of Binaries Distinct Compromised Hosts

in Typical Enterprise

Distinct Binaries per

Compromise

RAT-SZ-1 10,493 155 67.7

Sality-1 886 18 49.2

IRC-VR-1 804 75 10.7

IRC-SD-1 541 11 40.2

Poebot-1 369 2 184.5

RAT-DL-1 212 14 15.1

Metcash-1 194 47 4.1

IRC-SD-2 139 21 6.6

RAT-SM-1 54 4 13.5

Kraken 48 301 0.2

1 http://www.darkreading.com/document.asp?doc_id=1615242 Source: Damaballa; http://www.damballa.com/downloads/press/GartnerITSecSummit_Q2Research_PRFINAL_2008-06-02_.pdf

In 2008, botnets have become worsea trend expectedto continue next year. GTISC estimated in last years reportthat 10 percent of online computers were part of botnets,groups of computers infected with malicious code andunknowingly controlled by a malicious master. This year,GTISC researchers estimate that botnet-aected machines

may comprise 15 percent of online computers.Compared with viruses and spam, botnets are growing

at a faster rate, said Wenke Lee, an associate professorat GTISC and a leading botnet researcher. Lee cites threeunavoidable factors that are spurring botnet growth:

Infection can occur even throughlegitimate Web sites

Bot exploits/malware delivery mechanismsare gaining sophistication and beerobfuscation techniques

Users do not have to do anything to becomeinfected; simply rendering a Web page canlaunch a botnet exploit

Bots can be delivered to a machine in a variety of waysvia Trojans, emails, an unauthorized instant messageclient or an infected Web site. Once installed, bots lie lowto avoid notice by antivirus and anti-spyware technology.Periodically, the bot communicates to a command andcontrol server and waits for a response. The commu-nicationusing the command and control server as anintermediarycan keep the malicious bot mastersidentity hidden.

Lee points out the distinction between botnets andmalware: What we think of as malware can beresponsible for turning a machine into a bot, said Lee.But traditional malware is a single-purpose aack.

A bot actually remains on the machine, maintainsa command and control mechanism to enablecommunication with the bot master, and can updateitself based on those communications. The updatesenable new bot communication and malicious capabilities,and are oen used to avoid detection.

Bot communications are designed to look like normal(Web) trac using accepted ports, so even rewalls andintrusion prevention systems have a hard time isolating

bot messages. Lee agreed, Its very dicult to lter bottrac at the network edge since it uses hp and everyenterprise allows hp trac.

Prompted to act in unison, bots become bot armies thatharness considerable computing power to engage in avariety of malicious activities, including:

Data the (social security numbers, credit cardinformation, trade secrets, etc.)

Denial of service aacks Spam delivery

DNS server spoong

According to a report compiled by Panda Labs, in 2Q2008, 10 million bot computers were used to distributespam and malware across the Internet each day1.Damballa continues to discover that 3-5 percent ofenterprise assets are compromised on average by targetedthreats such as botseven in the presence of the bestand most up-to-date security. Leading industry analystspredict this number to be even higher.

Most botnet command and control sites can be tracedback to China2. But Lee cautions that this statistic could be misinterpreted because "a lot of Chinese are using


4/9


3

Security experts consulted by GTISC believe cyberwarfare will accompany traditional military interactionmore oen in the years ahead. They expect it will alsoplay a more shadowy role in aempts by antagonistnations to subvert the U.S. economy and infrastructure.

Consider the cyber aacks that occurred between Russiaand Georgia earlier this year as a model for militarycyber engagements in 2009 and beyond. Don Jackson,director of threat intelligence for SecureWorks, compiledthe following research to implicate direct Russian govern-

ment involvement in cyber aacks against Georgia:Physical and cyber aack targets and timing align:

Logs of DDoS trac and changes in networkrouting indicate that Russian cyber warfareoperations coincided almost exactly with the nalall clear for Russian Air Force aacks sometime

between 0600 and 0700 on August 9, 2008.

Both cyber aack targets (media outlets andlocal government communication systems) andair force targets were located in the Georgiancity of Gori.

The exact timing of cyber aacks against newclasses of targets in Gori and Russian Air Forceaacks indicated coordination between knownhacking groups and military operators.

Source of Russian cyber aacks against Georgia:

The vast majority of Georgian Internet tracis routed through Turkey and Russia. As ofAugust 10, 2008, trac routed through Turkeywas almost completely blocked, and IP tracthrough Russia (via Azerbaan) was slowand eectively unusable.

Russian government-run Rostelecom conductedmost of the routing changes that blocked trac toGeorgian IP address space.

The Moscow-based COMSTAR network alsocooperated with government demands to followsuit, as did other network operators that controlrouting through the ostensibly neutral MoscowInternet Exchange (MSK-IX).

DDoS and cache poisoning aempts targetingDNS servers for major Georgian networks were

also launched from the state-operated Rostelecomand Moscow-based COMSTAR networks. Theseaempts utilized the same tools, tactics andtarget lists as aacks from portions of Turkishnetworks controlled by former associates of theRussian Business Network (RBN). The associatesare believed to have connections to local St.Petersburg government, the former powerbaseof Putin and those now in charge of the FSB statesecurity organization.

Aack types:

In addition to DDoS aacks against Georgian

media outlets and government Web sites,researchers observed:

Route hacking

Brute force server compromise

Data the

Multi-factor DDoS aacking networkand application layers

Defacement and hosting of fake GeorgianWeb pages containing misinformationand propaganda.

Cyber Warfare

pirated soware which doesnt receive security updates.According to Lee, That means many Chinese

computers are rife with vulnerabilities, making thema haven for botnet command and control sites.

Botnets en masse are considered a bot army and thesemalicious computing forces may be used to conductcyber warfare in the future. In addition, bot payloads are

becoming increasingly complex to avoid evolving security

measures. According to Lees research at GTISC, severalrecent bot variants have exhibited more than 100 distinct binary payloads used to hide the communications pathand to vary the command and control IP address. The neteect makes botnets and bot masters harder to track.

However, new technologies can pinpoint the Internetcommunications between botnets and bot masters andshut down the vital links required for cyber crime andcyber warfare. Signature-based defenses like antivirusand intrusion detection are no match for the subtle

communications between bot and bot master. But newer behavior analysis techniques can help identify botswithout signatures.

Lees research team at GTISC is developing algorithmsto analyze trac paerns from internal machines tooutside machines. Strange anomalies in connectionduration, time of day, or type of information uploaded/downloaded can indicate a botnet command and

control aempt. Lees research also examines how botnets use the Internet infrastructure. For example,look-up requests to DNS servers might provideinformation on which domain is used for botnetcommunications. In addtion, global sensor networks arenow using specialized algorithms to pinpoint bot armycommunications. Once the command and control linksare found and disrupted, the bot army threat can beneutralized as long as layered security is already in place.


5/9


Some DDoS aacks, route hacking, and systemintrusions originated from sources not previouslyaliated with known hacking groups and appear tohave been coordinated in a manner that would allowaackers to disable or intercept Georgian governmentcommunications in accordance with Russian military andintelligence objectives.

Jon Ramsey, chief technology ocer for SecureWorks at-

tributes increasing cyber warfare activity to the following:The low cost to launch cyber aackscompared with physical aacks

The lack of cyber defenses

The plausible deniability the Internet aords

The lack of cyber rules of engagement inconicts between nation states

George Heron, founder of BlueFin Security and formerchief scientist for McAfee believes cyber warfare will play asignicant role between China and the U.S. Cyber threatsoriginating from China are very real and growing, said

Heron. Other evidence supports this, such as the majorityof bot masters being traced back to China, along withmalware and other disruptive threats.

Heron pointed to the U.S. transportation system infra-structure, the telecommunications system, nuclear energyplant communications, the water supply IT infrastructureand other entities as prime cyber targets of enemy nations.

We now know that it only takes inltrating the DNSoperator vulnerability to subvert an entire DNS sector,Heron continued. Cyber warfare eorts could take thisapproach to exploit vulnerable servers and gatewayscontrolling the power grid or water/dam ow control.

Howard A. Schmidt, a GTISC professor of practice agrees.Our critical infrastructure systems are fundamentallydependent on the Internet and IP-based technology,and there are interdependencies between them that ourenemies will seek to exploit, said Schmidt. Cyber warfarecompletely evens the playing eld as developing nationsand large nations with a formidable military presence canboth launch equally damaging aacks over the Web.

The U.S. government is already bracing for the inevi-tability of cyber warfare and hosted the second annualCyber Storm exercise in March 2008involving ninestates, four foreign governments, 18 federal agencies and40 private companies in a weeklong cyber aack scenario3.

Cyber Storm II is a successful instance of public andprivate partnership to identify cyber warfare threats andplan eective countermeasures, said Heron. We needmore information sharing and more collaboration like thisto defend our national interests against an onslaught ofcyber terrorism.

Schmidt advocates a three-step approach to bolstering

U.S. cyber defenses:Identify the Internet-enabled systems we dependon and also the interdependencies between them.

Develop a comprehensive plan to protect thosesystems, including roles and responsibilities,vulnerability identication and remediation,threat mitigation and response.

Design information security for the futureas soware improvements, networkenhancements and new technologies like mobilecommunications gain traction.

Threats to VoIP and Mobile Convergence

The future threat goes beyond what we think of as cyber-espionage and intellectual property theft,

although that certainly remains a factor, said Heron. I think were going to see more technologically savvy,

state-sponsored attacks to the IT systems that support foundational services here in the U.S.

George Heron - Founder, BlueFin Security

3 Source: Federal Computer Week, Cyber Storm II Stirring; Feb. 29, 2008; http://www.fcw.com/online/news/151806-1.html

The cell phone is becoming an entirely new toolespecially outside the U.S., where accessing the Internetfrom a mobile device can provide a beer experiencethan traditional xed computing. VoIP technology alsocontinues to improve and will rival landline and mobilecommunications in terms of reliability and call quality.As Internet telephony and mobile computing handle moreand more data, they will become more frequent targets ofcyber crime.

From the outset, VoIP infrastructure has been vulnerableto the same types of aacks that plague other networked

computing architectures. When voice is digitized, encoded,compressed into packets and exchanged over IPnetworks, it is susceptible to misuse. Cyber criminals willbe drawn to the VoIP medium to engage in voice fraud, datathe and other scamssimilar to the problems email hasexperienced. Denial of service, remote code execution andbotnets all apply to VoIP networks, and will become moreproblematic for mobile devices as well.

Criminals know that VoIP can be used inscams to steal personal and nancial data so voicespam and voice phishing are not going away said Tom


6/9


5

Most people have been trained to enter social security numbers, credit card numbers, bank account

numbers, etc. over the phone while interacting with voice response systems, said Cross. Criminals will ex-ploit this social conditioning to perpetrate voice phishing and identity theft. At the same time, customers will

demand better availability from phone service than they would from an ISP, so the threat of a DoS attack

might compel carriers to pay out on a blackmail scam.

Tom Cross - X-Force Researcher, IBM Internet Security Systems

At this point, mobile device capability is far ahead of securit y, said Traynor. Well start to see the botnet

problem infiltrate the mobile world in 2009.

Patrick Traynor - Assistant Proessor, School o Computer Science at Georgia Tech,

and member o the Georgia Tech Inormation Security Center

Cross,a researcher with the IBM Internet Security Sys-tems X-Force team. Denial of service will also continueto be a signicant threat to VoIP. If a large number of VoIPphones become infected by malware and ood a networkwith trac, the results could be extremely disruptive. Weexpect some cyber criminals to aempt to blackmailcarriers based on a DoS aack scenario.

According to Cross, large telecom companies in Europe

are now servicing customers with VoIP. And where phoneservice is concerned, users have a dierent mentality aboutsharing personal information and a higher expectationof quality.

On the bright side, Cross believes the IT and telecomcommunities have learned valuable security lessons fromthe spam and phishing problems that have plagued theSimple Mail Transfer Protocol (SMTP).

VoIP providers and users want to avoid the spam crisisthat has inundated email, said Cross. Current researcheorts at university-based centers like GTISC are studyinghow reputation networks based on inherited trust could

be applied to VoIP to prevent voice fraud. In this type ofsystem, good security reputations will improve VoIP peer-ing and call ranking so that legitimate calls get through,and voice spam and phishing are blocked.

Cross also cited the need for intrusion preventionsystems at the VoIP carrier level, along with endpointsecurity for Session Initiated Protocol (SIP) phones andother VoIP devices.

When it comes to the mobile experience, the iPhonehas dramatically changed the perception of what mobiledevices can do, and who is using them. Now in additionto business users, consumers are more likely to want the

advanced capabilities of a smartphone for everything frommobile banking to iTunes access.

While exploits targeting the iPhone have circulatedpublicly, Im somewhat surprised that there havent beenmore aacks to date, said Cross. Financial motivationand increased adoption will increase aacks to smart-phones in the years to come. As more payment infrastruc-ture gets placed on these devices, they will become a morearactive target.

Dave Amster, vice president of security investigationsfor Equifax also sees the security challenges presented bymobile computing. More and more nancial transactionswill take place over mobile devices, said Amster. Con-sumers are ordering credit reports from their Blackberrys,which puts valuable information at risk. The challenge for

businesses and banks is going to be maintaining securemobile applications and ease of use at the same time.

Patrick Traynor, an assistant professor in the Schoolof Computer Science at Georgia Tech and a member ofGTISC, discussed the concept of the digital wallet,in which smartphones store personal identity, paymentcard information and more. Already in Japan, peopleuse their cell phones at vending machines and subwaytoken dispensers.

According to Traynor, malware will be injected ontocell phones to turn them into bots. Large cellular botnetscould then be used to perpetrate a DoS aack againstthe core of the cellular network. But because the mobilecommunications eld is evolving so quickly, it presentsa unique opportunity to design security properlyanopportunity we missed with the PC.

Traynor pointed out that most people buy a new mobiledevice every two yearsa much shorter life cycle thanthe typical PC and Windows installation, which is closerto 10 years.

The short life cycle of mobile devices gives manu-facturers, developers and the security community anopportunity to learn what works from a securitystandpoint and apply it to devices and applications morequickly, said Traynor. However, it is not going to be aneasy problem to solve.

Traynor pointed to baery power as a primary securityhurdle, If you place antivirus soware on a mobiledevice, it will run the baery down, so mobile securitywill require new approaches and partnerships betweenmanufacturers, carriers and application developers.Researchers like Traynor and Cross expect openstandards for handset security to gain more ground in 2009.They both cited Googles Android platform for mobileapplications as a step in the right direction. Android


7/9


The evolving cyber crime economy

The Web-based attack platforms come in a variety of packages and are available for lease, purchase or

any payment model in between, said Ollmann. And for those criminals that dont want to host their attack

platforms, managed service providers have emerged to rent existing installations for global malware

delivery. Some of the MSPs charge on a per-click basis just like Web advertising.

Gunter Ollmann - Chie Security Strategist, IBM Internet Security Systems

Members of the security community have beenengaged in debate over responsibility for securityeducation and potential regulatory schemes to governonline behavior. The conversation may only become more

heated in 2009. While the decentralized and open natureof the Internet can be extremely positive characteristics,malicious criminals are threatening the very foundationsof the Internet.

makes the mobile application development environmentpublicly available so that it becomes easier for applicationdevelopers to apply security to programs designed for

smartphones. Traynor and Cross also support a layeredapproach to security on mobile devices that encompassescarriers, manufacturers and application developers.

Sources of cyber crime will become increasinglyorganized and prot-driven in the years ahead. GunterOllmann, chief security strategist for IBM Internet SecuritySystems describes todays (and tomorrows) cyber crimi-nals as an international conglomerate of professionallytrained authors motivated by high prot.

You can buy, lease, subscribe and even pay-as-you-goto obtain the latest malware kits, which are much moresophisticated than their predecessors. Malware transi-tioned to the criminal world just over three years ago,said Ollmann. The new sophisticated malware-for-salefeatures encrypted command and control channels, built-in Web services for hosting phishing content, man-in-the-

browser proxy engines for identity the, along with drivescanners for capturing sellable data like email addressesand credit card details.

Ollmann reports that several malware kits are supported by product guarantees and service level agreements.A few malware developers are even oering multiplelanguage customer support in order to reach a wideraudience of criminals. New Web-based aack platformshave been developed in tandem so that social engineeringand end-user action are no longer required for exploita-tion. All of these trends are expected to evolve further inthe coming year.

The managed service approach basically extends thefunctionality of a malware purchase. One malicious man-aged service model revolves around breaking CAPTCHAs(Completely Automated Public Turing test to tell Computersand Humans Apart). CAPTCHAs are used to prevent

brute-force aacks and fraudulent account creation onWeb sites and require end users to correctly enter a stringof characters and login details before access is granted. AsCAPTCHA systems were continuously broken by aackersand then subsequently strengthened against compromise,the cyber crime MSPs saw a business opportunity.

The managed service operators provide cheap humanlabor to bale through CAPTCHAs, said Ollmann."These predominantly Russian-operated entities oer payscales starting at $1 per 1,000 CAPTCHAs broken, andprovide an extensible API structure for easy integrationinto malware. This combined approach will continue inthe future.

Ollmann divides the cyber criminal industry intothree tiers:

Low-level criminals who use kits to createthe specic malware required for theirtargeted crimes.

Skilled developers and collectives of technicalexperts creating new components to embedwithin their commercial malware creation kits.

Top-tier managed service providers that wrapnew services around malware kits to increasepropagation and enable organized fraud on a

global scale, feeding gains back into existingmoney laundering chains.

He warns of a tough road ahead in the baleagainst malware.

Expert opinion onInternet security education and regulation


8/9


7

Michael Barre, the chief information ocer forPayPal frames the debate in concrete terms, Even ifcustomers are condent in PayPals security, but still dontthink the Internet as a whole is safe, then we all lose.Barre believes a robust debate will go on for the next fewyears between public and private entities about how bestto protect the Internet ecosystem. I think we have about10 years to gure out how to structure Internet securityprinciples and regulation before the problem of onlinefraud and cyber crime completely gets away from us, hesaid.

The borderless nature of the Internet, the astoundinggrowth of online users, the diculty in establishing trustedidentity online and the lack of standardization aroundprotection all contribute to the challenge of developing aregulatory scheme. But phishing and e-crime losses maycompel interested parties to action.

So what would Internet security regulation look like?According to Barre, it could follow the model of roadand airline safety

We can even draw comparisons between car insur-ance and antivirus soware, said Barre, who believesthat voluntary car insurance penetration would be aboutthe same as antivirus soware. Most people buy carinsurance because it is mandated by the government.Perhaps we need a similar mandate for keeping securityprotection up-to-date.

Barre was also quick to point out his optimism whenit comes to security. I believe phishing is a completelypreventable crime when you combine technology witheducation, he said. Our anti-phishing eorts with Yahooover a 10 month period prevented more than 85 millionphishing emails from ever reaching the intended victim.And if we can teach end users some simple rules, it willhave a big impact.

With a focus on preventing phishing emails from arriv-ing in the inbox, PayPal now uses DomainKeys Identied

Mail (DKIM) and Sender Policy Framework (SPF) to signits customer emails. When the major ISPs see an emailsupposedly from PayPalbut without the proper DKIMor SPF signaturethey block it.

Technology is one piece of the puzzle, regulation isanother and user education is the nal hurdle, saidBarre. Just 15 years ago, Mosaic 1.0 was released andthe Internet as we know it was born. Back then about 1,000

people were using the Web. Today, there are more thanone billion active Internet users. Yet despite this explosivegrowth, weve had no formal education about safe behavioron the Internet, and the security industry has neverspoken with one voice.

Mustaque Ahamad, the director of GTISC, supportsa combination of security awareness, education andpersonal responsibility. Although we can argue that endusers could do more to protect themselves and the onlinecommunity, we should also expect more from the securityindustry in terms of viable solutions, said Ahamad.

Howard A. Schmidt believes the government should

play a role in security regulation for cyber defense. Thegovernment should establish a regulatory constructfor assessing the state of security and seing minimumstandards of security for entities that are part of ourcritical infrastructure, he said. The goal would be toidentify deciencies and assess certain sectors with asecurity grade. It could be supported with a tax credit for

businesses that make the grade. Most importantly, anygovernment involvement should not inhibit innovationor investment.

We can think of security as the environment of the Inter-net and cyber crime as the pollution that could eectivelykill it, said Jon Ramsey of SecureWorks. The problem is

bigger than industry, end users and government boundar-ies. Thats why GTISC research and the public/private col-laboration it promotes is so important to nding solutionsto the threats of the future.

If you own a dangerous old jalopy that cant pass emission standards and you want to drive it around your

private 10-acre field, thats fine. But as soon as you take that unsafe car out onto the public road, you

become a threat to others, said Barrett. The same is true of a PC running Windows 98 and Internet

Explorer 3 without any meaningful AV or firewall protection. If that machine never connects to the Internet,

fine. But once it does, it can become infected and in turn be used to compromise more machines.

Michael Barrett - Chie Inormation Security Ofcer, PayPal


9/9

GTISC Emerging Cyber Threats Report Contributors

Mustaque AhamadDirector of the Georgia Tech Information Security Center

Dave AmsterVice President of Security Investigations, Equifax

Michael BarreChief Information Security Ocer, PayPal

Tom CrossX-Force Researcher, IBM Internet Security Systems

George HeronFounder, BlueFin Security

Don JacksonDirector of Threat Intelligence, SecureWorks

Je KingDoctoral Student, Georgia Tech Information Security Center

Wenke LeeAssociate Professor, Georgia Tech Information Security Center

Ryan NaraineSecurity Evangelist, Kaspersky Lab, Americas

Gunter OllmannChief Security Strategist, IBM Internet Security Systems

Jon RamseyChief Technology Ocer, SecureWorks

Howard A. SchmidtProfessor of Practice, Georgia Tech Information Security Center

Patrick TraynorAssistant Professor, School of Computer Science at Georgia Tech,

and member of the Georgia Tech Information Security Center

cyber threats report 2009

Documents