Talent Is Tight

The government's efforts to improve cybersecurity are being hampered by a shortage of available — and affordable — data security professionals, a problem that could lead to slow and confused responses to data breaches, The Washington Post reported last week.

Relatively few people are available to fill roles requiring computer skill and a security clearance, the article said, and demand has pushed salaries very high; the government is often outbid by the private sector, which is willing to pay six-figure salaries to technicians with just three years' experience and a clearance, the Post said.

The seven months it took President Obama to hire Howard Schmidt as national cyberadviser is just one example of the trouble the country has filling these jobs, the Post said.

The Department of Homeland Security is planning to expand its cybersecurity team by 1,000 people in the next three years, and the Pentagon is seeking to hire people for its new Cyber Command, the article said.

Two 2006 cyberattacks show the difference a skilled computer staff can make when government systems are compromised.

In May of that year, computers at a U.S. embassy in East Asia were compromised in what the Post described as "the most significant cyberattack the State Department has yet faced." The department's experienced team, which it had been assembling since 2000, was able to stop the attack and reverse-engineer the malicious code it found on the department's systems.

By contrast, the Commerce Department detected a similar attack two months later but has never determined when the attack actually began, the article said. The department hired contractors to contain the intrusion, and they took eight days to install a filter to prevent data from being taken — only to realize later that they had installed the wrong kind of filter, the article said.

Alan Paller, the director of research at the Sans Institute, an information technology research and training organization, told the Post he concluded that, in responding to computer intrusions, "skills … are much more important than hardware."

Breach Settlement

Consumers whose data was exposed in a breach at Countrywide Financial Corp. may be entitled to compensation under a class-action settlement to which a federal judge has given preliminary approval.

The settlement's terms call for any of the 17 million people whose data was exposed in the breach — those who obtained a mortgage from Countrywide or had it serviced by the company before July 1, 2008 — to get free credit monitoring, according to an Associated Press article last week.

Countrywide, now part of Bank of America Corp., would also pay up to $50,000 to compensate anyone who could show an unreimbursed monetary loss resulting from the breach.

The 35 lawsuits that were combined into the class action were filed after the arrests of California residents Rene Rebollo Jr. and Wahid Siddiqi. Rebollo, a former senior analyst at Countrywide, is accused of stealing financial data and Social Security numbers on a thumb drive from 2006 through August 2008 and then selling them to Siddiqi. Rebollo has pleaded not guilty and faces trial in January; Siddiqi pleaded guilty on Dec. 9 to 10 counts of fraud.

Looking Ahead

Old cyberattacks have become new again as hackers try to trick a new generation of Internet users, Msnbc.com's Bob Sullivan reported last week in his "The Red Tape Chronicles" column.

The top risk Sullivan highlighted for 2010 is the e-mail attachment. Ten years ago, the LoveBug and Melissa viruses spread when users were tricked into opening files attached to e-mails — until users wised up and some companies even banned attachments from their e-mail systems.

"Attachment viruses nearly dried up," Sullivan wrote. "Then a new generation of users came online who hadn't learned the Melissa lesson, and older users forgot," so the hackers found a new audience just as vulnerable today to being tricked by attachments as the old audience was 10 years ago.

Another trend Sullivan spotlighted is the increasing abundance of fake anti-virus software, used by virus writers to get infected users to make credit card payments to them for bogus software that purports to clean up the infection. This technique gained prominence this year and is expected to become even more prevalent in 2010, Sullivan wrote.

Even legitimate anti-virus software can become less effective at detecting viruses that have been written to "mutate" over time, Sullivan wrote. Since conventional anti-virus software spots bugs by comparing them against a list of "signatures," virus writers have adapted by making viruses that change their look often enough not to be identifiable against a static signature. Further, today's viruses cause less slowdown on infected computers than older versions and are thus harder for users to detect.

Sullivan also described scammers' growing use of social networking Web sites. Some use viruses to harvest personal information from the sites, and others hijack accounts to impersonate users and trick their friends into handing over money to resolve a made-up financial emergency.

Looking Back

Computerworld published a story last week highlighting the specific patches computer users must apply to protect their data from most hacks.

Though the article focused on patches released in 2009, it spotlighted two older ones that are still helpful against current attacks. A patch Microsoft Corp. released three years ago for its Office software suite could thwart 71% of all attacks that target Office users, the article said, but many people today still have not applied it.

An October 2008 patch from Microsoft could prevent the notorious Conficker worm from infecting more computers, but it has not been applied by all users, and just this month Microsoft's Malicious Software Removal Tool cleansed 156,000 computers of Conficker infections that the patch could have prevented.

The other relevant patches were all released in October by Microsoft or Adobe Systems Inc., and the article also highlighted a patch Adobe plans for January.

Computerworld concluded, "Everyone who patches is safer …, [but] not everyone patches."

Security Watch is a weekly roundup of news and developments in data security and their impact on financial services companies.
Please e-mail us any comments, ideas, and suggestions about this column.