One of the great unintended consequences of my job, having covered the IT security space for nearly four years, is my great inability to accurately gauge the awareness that mainstream America has for cyber-risks.

Because I am so immersed in the topic, covering stories on a daily basis, writing about the vast array of vulnerabilities and breaches, legislation and lawsuits, phishing and spam, arrests and prosecutions, that I often forget infosec is not your typical cocktail party material.

But while I am certain that most of my friends and family aren't aware of even a small percentage of the digital threats out there today, I do believe that they are catching on to the problem, bit by bit.

The tipping point is still not here -- just last night, for example, I was borrowing a friend's laptop and noticed it didn't have active AV protection. She didn't seem too pressed to fix the problem.

Part of the blame for this apathy could be sheer risk/reward. Why accept security advice when the rational economic move is to ignore it, as a Microsoft researcher recently wrote about? Not to mention, attacks are more targeted these days (meaning nobody notices the threats out there), and banks are pretty good at reimbursing you if you do happen to fall victim to financial fraud.

Still, each year, cognizance grows.

So, with that said, here is SC Magazine's token summation of 2010 threat predictions, compiled through the dozens of emails we received from the Nostradamus' of the IT security community.

• Social networking threats: Experts seem to be in across-the-board agreement that cybercrooks are going to increasingly target these new media platforms to push their wares. Also, organizations will have to worry that their end-users will leak sensitive information. I mean, this makes sense. And it's been happening already. After all, where else can you find 350 million people chilling out on a website?

• Windows 7: Well, that whole Vista thing didn't go over so well, but all signs seem to be pointing to much higher adoption of the next iteration of the Microsoft OS. So that means cybercrooks will begin targeting this platform.

• New platforms: No surprises here. Take your pick. Mobile devices, though, seem the likeliest candidate -- yet some experts seem unconvinced. Still, one has to believe that once people are actively using these smartphones to make transactions, the bad guys will be riding right along.

• Apple: I'll believe that the Mac OS has become a viable target when the PR folks in Cupertino start returning my phone calls. Next...

• Peer-to-peer malware/data leakage: This seems more plausible, and we saw some examples of it this year. But, with increased organizational awareness to the dangers of file-sharing networks, and a focus around this on Capitol Hill, one is foolish to expect an epidemic.

• HTML5/IPV6: Updated web language and increased address space have some believing that these new technologies are going to be abused. But adoption may not come in 2010. I'm sure this will be on the list next year, as well.

Other mentions: Continued targeted attacks via socially engineered malware, such as banking trojan Zeus (Zbot); search engine poisoning, cloud computing risks and botnet infrastructure innovations.

The news, though, is not all doom-and-gloom. One interesting prediction from McAfee suggests that the threat of rogue anti-virus will actually drop now that "the fake anti-virus market has...been saturated and the profits for cybercriminals have fallen."

With all this said, I wish you all a Happy New Year, and look forward to talking about cybercrime over a cocktail with you in 2010. Or 2011.

I find it hard to believe that Citigroup's media relations department would so adamantly deny the occurrence of a breach if it wasn't being completely genuine.

Because that is what they have done today in light of a report in The Wall Street Journal that the partially government-owned financial services firm was the victim of a hack that stole tens of millions of dollars.

When I read this story, there wasn't much meat, and I was pretty skeptical. I got even more skeptical when the FBI wouldn't comment on the story at all — not even to say that it was investigating.

So I did some searching around the blogosphere and saw that many others were equally suspicious of the story.

And then I remembered a story we wrote not too long ago, when the FBI said it was actively investigating a huge number of Automated Clearing House (ACH) fraud cases in which cybercriminals got a hold of mostly small- and mid-size corporate bank accounts to transfer large sums of money out. Attempted losses, the FBI said, have reached more than a $100 million.

This type of fraud, made possible by the data-stealing Zeus, or Zbot trojan, is arguably the biggest information security news story of the year.

So here's the FBI saying Citi, one of the world's biggest banks, has lost tens of millions of dollars due to a breach.

Well, I wouldn't call ACH a breach — it's more of an issue of a customer getting hacked than any bank — but I could see how something like this could get lost in translation.

So there you have it. This is nothing new.

Call it a scoop that wasn't.

Problem solved.

Then again, maybe this was, in fact, a well-orchestrated Russian Business Network hack, and nobody is talking because the presidential administration wants to protect one of the financial services industry's most prized assets from any additional pounding.

Can you say data breach bailout?

Happy Holidays everyone.

Time and time again, we've seen information security regulations and guidelines delayed due to the burden they might impose on small businesses.

For example, state officials, on multiple occasions, have pushed back enforcement of the Massachusetts data security regulations due to small business complaints, and most recently, the Federal Trade Commission announced it would postpone enforcement of the the Red Flags Rules until next summer.

The economy is partially to blame, and it is a decent justification. After all, many small- and mid-size businesses are having enough trouble simply surviving the worst recession in a half-decade, never mind needing to concern themselves with additional costs.

But then comes astounding alerts from the FBI that hackers have this year seriously turned their attention to smaller organizations as part of their slick, moneymaking operations. Bigger businesses may have the resources to better deal with the problem, and cybercrooks know this. So they now seem to be focusing more on the weakest link. And why not? Raiding the bank accounts of 10 mom-and-pop shops is likely just as valuable as compromising one big business. And probably much easier.

In today's threat landscape, it is incomprehensible for any size organization to consider implementing tougher security controls an unnecessary burden.

I've had discussions with experts about this. And they've told me that securing an organization does not require a great deal of investment. In fact, the basics -- updated anti-virus, patched machines, a comprehensive security policy, employee training, some web and email filtering -- should be enough to keep the bad guys out. The sad part is, many firms simply aren't doing the most fundamental stuff.

There is another side to this coin. Regulators must stiffen their enforcement agendas. Enough submitting to the concerns of business owners. It's 2009. There is no more slack that can be given. The losses are simply too large to bear any longer.

Thanksgiving is a holiday during which to cherish what we have. But the organized cybercriminal groups that always seem to be one step ahead of everyone else want to take all of that away, one phishing email or compromised PC at a time.

It's time the smaller firms fight back.

They say that imitation is the highest form of flattery. Well, some 45 states have more or less copied California's pioneering move. And there was no reason to believe that a similar scenario wouldn't have played out again had the Governator signed SB-20 into law.

But, alas, it was not to be. The new legislation would have required that breach notification letters going to California residents also contain specifics around the data-loss incident, including the type of personal information exposed, a description of the incident, and advice on steps to take to protect oneself from identity theft. The law also would have mandated that organizations that suffer a breach affecting 500 or more people must submit a copy of the alert letter to the state attorney general's office

"“It was one of the most surprising vetoes I've gotten in nine years in the legislature,” Simitian told ApparelNews.net. “There were no amendments from the business community. There was no cost to the state.”

But Schwarzenegger, known for his large army of business allies, argued that the additional information that corporations would have been required to provide would have proved an additional burden to them, while not really helping consumers.

Simitian isn't the only one reacting with displeasure. From the Consumer Federation of California:

Governor Schwarzenegger's final verdict on a host of critical consumer protection bills this past weekend left consumer advocates disappointed. Of the 14 bills identified by the Consumer Federation of California (CFC) as most important, in only six instances did thegovernor take the side of the consumer.

While acknowledging that the governor signed several consumer protection laws, Richard Holober, executive director of the Consumer Federation of California stated: “We are disappointed that the governor sided with big business interests and against consumers on the majority of bills that reached his desk. The governor turned a deaf ear to California consumers on key food safety, automobile insurance and financial privacy proposals."

I also must respectfully disagree with the governor. How does he know the additional details won't help consumers. With data breaches becoming such a regularity, I would think consumers are now demanding more details, if for no other reason so they can discern between incidents.

And I'm not so sure that I can empathize with businesses. While the law may require organizations to do some additional work, I would argue that it is work that should be done anyway. After all, businesses must learn from their mistakes. Isn't the best way to do that by understanding the entire scope of an incident.

Simitian, is pledging that, pardon the metaphor, he'll be back with this bill in next year's session.

And at least not all of Schwarzenegger's legislative decisions are bad ones.

Businesses and consumers do not enjoy the same legal protections when banking online as consumers. Consumers typically have up to 60 days from the receipt of a monthly statement to dispute any unauthorized charges.

In contrast, companies that bank online are regulated under the Universal Commercial Code, which holds that commercial banking customers have roughly two business days to spot and dispute unauthorized activity if they want to hold out any hope of recovering unauthorized transfers from their accounts.

To top it off, we’ve fallen into a trend of diverting and rewarding the best of our collective I.Q. to people doing financial engineering rather than real engineering. These rocket scientists and engineers were designing complex financial instruments to make money out of money — rather than designing cars, phones, computers, teaching tools, Internet programs and medical equipment that could improve the lives and productivity of millions.

Barnaby should quit Juniper and join me in being an independent consultant. The corporate environment stifles interesting security research.