All the security attention paid in recent years to securing the Windows desktop and the applications running on it have paid off a little, Cisco found, making it harder for computer scammers to successfully carry off their intended crimes on that platform. The trouble is they’re now starting to focus more attention on mobile devices, including Apple’s iPhone and iPad, and devices running Google’s Android operating system, Cisco said.

Meanwhile, the overall global volume of spam, which often contains troublemaking links that are used to deliver attacks, decreased for the first time ever in 2010. Even so, spam still increased in some developed countries where broadband connections are multiplying. In the United Kingdom, spam volume nearly doubled, while the volume in France went up 115 percent. The U.S. saw a slight decline–11.1 trillion messages down from 11.3 trillion in 2009. Spam in Brazil, China and Turkey also declined. Some of the decline can be attributed to last year’s arrest by FBI agents in Milwaukee of a Russian accused of being the “king of spam,” and to the shutdown of a few botnets used by scammers to send spam.

One thing about Cisco’s report that’s likely to draw some attention is its finding that the raw number of vulnerabilities on Apple products appear to be growing. Apple users are usually pretty sensitive about this topic, and any comparison of the Mac to Windows on the security front tends to make them grind their teeth and pound out annoyed comments on tech blogs. I know because I’ve done the same teeth-grinding and have in the past criticized other reports for similar findings.

Here Cisco is addressing vulnerabilities that Apple has itself documented and patched in software updates. One thing that’s not clear to me–though it sure looks like it–is whether Cisco is combining vulnerabilities found on both iOS (iPhone and iPad) and OS X (the Mac). The data it’s using is from its IntelliShield service, which tracks vulnerabilities and security incidents, and shows that over five years Apple’s vulnerabilities rose, from less than 200 in 2006 to more than 350 in 2010. That rate was higher than Microsoft and Hewlett-Packard and Cisco itself, the report found, though it goes on to say that Apple has worked harder than most other vendors to protect its users. Security is one of the reasons Apple imposes such strict rules on what’s available in the App store, though people still jailbreak their phones.

Another trend Cisco found is something called “money muling.” Tom Gillis, VP and general manager of Cisco’s Security business unit, describes money muling as using unsuspecting people who are attracted by “work at home” spam messages and Web ads to participate in money laundering by moving small amounts of money into bank accounts, just a few thousand dollars at a time. He says the operations around this are becoming increasingly elaborate, and criminals will devote a lot of effort to developing it this year.

I talked with Gillis about the report and other security trends that Cisco found. Here are a few highlights from our conversation:

NewEnterprise: So you’re seeing fewer attacks on Windows and more on mobile devices. Is that simply because there are more of them?

Tom Gillis: It’s the simple fact that there’s this new class of mobile device coming into the enterprise that used to be a phone and now it’s a computer, and it can access enterprise information. So what we’re seeing is that the raw number, but not the severity, is down on Windows. Part of this is that Windows 7 was a very good release on Microsoft’s part from a security standpoint. And we’ve got these new devices coming into the enterprise, and so we’re seeing a shift in focus of attacks on these mobile devices. They’re vulnerable to attack and they’re relevant in the enterprise. Two years ago this would have been too small a population to be meaningful.

What kind of attacks are you seeing?

It varies. In some cases there’s a little “phone home” code in a free gaming app. Pretty gentle stuff so far. But as people start using smartphones to access sensitive information we need to start thinking about security considerations on these devices. There’s a larger theme here that the whole nature of attacks is changing dramatically. The fact that spam volumes dropped at all is a big tell. For 10 years this has only gone up. We’re not forecasting a steady decline in spam, but the fact that it slowed down at all is an indicator of the shift in the way that attackers are using email. The attacks are more targeted and personal, for one thing.

Can’t some of this decrease be attributed to some of the arrests that happened last year?

It can. There’s been a handful of arrests. And they went after not only the botnet operators but other parts of the spam value chain. There are firms and entities that build botnets of compromised machines that relay the spam, and then there are other firms and entities that rent time on those botnets that do the merchandising. The biggest category is selling fake pharmaceuticals. Some of these fake pharma operations were shut down and the people associated with them arrested. It’s not an easy thing to do, because they’re global, they move around, and so to make an arrest in this space is a huge accomplishment.

So what is the thinking now about securing the mobile device?

We think there are two ways to make mobile devices work in the enterprise. The flood of devices into the enterprise is huge, and everyone wants to use them to check their email and access corporate directories and other fundamental things. There needs to be some kind of software on the end point–the phone or device. It will have to be light. You can’t have some kind of antivirus suite running on the phone. It would be a little piece of software that’s on all the time that knows when you’re behind the corporate firewall and when you’re not, and manages your connection accordingly. We bought a company called ScanSafe that has 40 data centers around the world. When you’re outside the firewall it connects to you the nearest data center and enforces your corporate policies, but all you as the user know is that it just works. This notion of being on or off the corporate network goes away. And we can do all kinds of scanning for security, independent of the device that’s being used.

This year we also saw the Stuxnet attacks, which we now know for certain were carried out against the Iranian nuclear program. Clearly this is a new kind of attack that can be mounted against industrial control systems via computer networks. Is Cisco researching this?

Massively. Often these types of attacks are targeted against Cisco’s biggest enterprise customers. Who buys Cisco’s infrastructure? The biggest banks in the world, the defense contractors. If the goal of an attacker is to disrupt an economy, their targets will be our customers, and they’re demanding a response from us. I like to call it global threat correlation, but it comes down to taking huge samples of network traffic and picking out good traffic from the bad. Cisco has a good advantage here because our equipment is so widely deployed around the world. As we start measuring traffic we can develop reputation data on every publicly routable IP address on the Internet. As we start putting telemetry info into that equipment–and the customer can choose to enable it or not, and it’s turned off by default. But people turn it on because it helps them against the unknown kind of attacks that are popping up. If a Web server says its a Web server, but you just saw it sending spam three minutes ago, there’s a pretty good chance it’s part of a botnet. Once you know that you know that, you can start to mount a pretty good defense. We’re putting a lot of energy into developing that, and it’s proven to be pretty robust.

Under terms of the deal, EA (ERTS) will initially pay $300 million for the developer of such social games as Pet Society, Who Has the Biggest Brain and Restaurant City, including a $25 million retention agreement with Playfish employees. It will subsequently pay $100 million more if the company meets undisclosed profit targets.

By acquiring Playfish, EA is not only validating the social gaming market, but perhaps setting the valuation benchmark for Mafia Wars creators Zynga, which is expected to go public next year. It also tempers–to some extent, anyway–concerns that the lead-generation scam controversy that recently blew up around Zynga and Playfish might harm their perceived value in the market.

“This deal came about very quickly, but let me say that Playfish was never ‘up for sale’,” de Halleux told PaidContent. “We were focused on building our business, because we believed—and still do—that the game industry is changing. EA approached, and we realized that we could be in a better position to act as an agent of change, through them. We could build games and attract users on our own, but this deal accelerates that to a degree that wouldn’t have been possible.”

“Social gaming, with its emphasis on friends and community, is seeing tremendous growth and this is the right time to invest to strengthen our participation in this space,” said Barry Cottle, senior vice president and general manager of EA Interactive. “With the addition of proven expertise from Playfish, their broad consumer base and strong game brands, we’re moving ahead aggressively in our plans to lead in the category of cross-platform social entertainment.”

If there was ever a doubt that social networks might be a viable gaming platform, this acquisition pretty much obliterates it.

Over at Mini-Microsoft, the Redmond insiders who frequent the site’s comments are incredulous over the layoff rumors, insisting that they are baseless. Costs will be cut, they say, but they will be cut through attrition and reduction in open headcount. “For the last time folks–THERE ARE NO LAYOFFS HAPPENINGS IN JANUARY,” writes one Mini-Microsoft commenter. “Beyond Jan…well we dont have a crystal ball–but if the economy doesn’t improve and the company misses targets–it would get uglier for everyone–from no raises/no bonuses to (maybe) cutbacks/layoffs… but then, those are the rules of the game in corporate America.”

A lot has been written about the need for drastic layoffs at Yahoo, including reports that the troubled company was preparing to fire from 3,000 to 3,500 of its 15,000 employees.

As dramatic as that figure is, according to numerous sources, it’s more likely that Yahoo will cut only half that, beginning sometime in mid-December.

That date could move up, of course, depending on how bad the economic outlook get for Yahoo, but it is not likely Yahoo will make any move in front of its earnings next Tuesday, October 21.

Why? Well, because what Yahoo’s top brass has already done is given its managers cost-cutting targets and not specific marching orders on laying off a certain number of people across the board.

And that’s even if the management consulting company that Yahoo has hired to look over the company’s operations, Bain & Co., recommends more.

In addition, the figures that top execs–such as SVPs Hilary Schneider and Ash Patel–have handed down to their minions is a process that includes considerable negotiating and maneuvering among and between various managers. So, nothing is set in stone.

Thus, how Yahoo (YHOO) under-bosses reach those goals and what gets lopped does not have to necessarily be employees.

For example, a manager could table a project in the search area or perhaps not expand features planned.

Of course, slashing employee costs is always the easiest way to show significant cuts, and it does send a definite message to investors that Yahoo realizes it must clean up its operations.

“But that’s hacking and we have to be more surgical,” said one exec involved in the process.

But look for more cuts in staff in certain areas, because people are its major cost, such as in Yahoo’s finance, human resources and general and administrative units.

Of course, if its economic situation continues to dim and its stock keeps up its downward slide, Yahoo could move to more dramatic staff cuts, which many feel it should do right away.

One note: If Yahoo manages to successfully complete its merger talks with Time Warner (TWX) over its AOL unit before the December cost-cutting moves go into effect, the company could hold off all cuts until the pair figure out their integration plans.

And then, I would expect, the really large-scale layoffs would begin.