Monday, August 9, 2010

From Stuxnet to Web 2.0 - Are we losing our security control?

It has been more than two weeks since the widespread propagation of the Stuxnet malware in mid-July, and experts remain stumped about the origins and perpetrators of this large-scale and damaging attack.

It is undisputed that cybercrime and cyber-espionage are constantly on the rise: SonicWall reports that malware instances grew by 300% in the first six months of 2010, from 60 million to approximately 180 million attacks. The trend is visible in the wide spread of the Zeus botnet, which we reported on in April, and in the growing range of cyber-espionage methods launched daily, such as the recent posting of Facebook user data on the Pirate Bay for public download, an issue Comsec raised in our position paper on the Social Networking Corporate Threat.

It’s not surprising, then, that according to a Check Point-sponsored Ponemon study, more than 80% of security professionals expressed concern about the many widely available, virtually OS-independent Web 2.0 platforms that run diverse and complex applications in any common browser, believing they “have a significant [adverse] impact on a company’s security posture”.

However, while until now these types of attacks have largely been intended for the personal financial gain of the attackers, the new, sophisticated Stuxnet exploit does not conform to this trend at all. This stealthy malware primarily targets sensitive infrastructure companies (power plants and physical systems) through their SCADA [Supervisory Control and Data Acquisition] systems. It abuses a zero-day vulnerability that executes the malware automatically through specially crafted shortcut files (generally known as .lnk files) placed on USB drives. Execution occurs as soon as the operating system reads the .lnk file, allowing the attacker to then take control of the system.

Leading organizations have dubbed this virus "the most advanced attack seen to date", which has led security researchers to believe that the attack may even originate from a national government or intelligence agency.

While cyber-espionage is no new phenomenon, with the US being the leader of the pack in this area, what is essentially troubling is the consensus among the general public that cyber-espionage at the government tier is all but acceptable. A recent Sophos report indicates that 63% of people in the UK think it's OK for their government to spy on other countries using hacking or malware, although 40% added the proviso that this was only acceptable "if the UK is at war with them". This is in spite of the fact that there are no real "game rules" that dictate or govern this type of spying, which pretty much makes this territory anyone's game right now.

As a veritable hub for projects in the private business sector, public authorities and regulatory entities, Comsec has had a bird’s-eye view of security in both sectors for years and, as a result, has long advocated the importance of combining these two forces. Each sector has unique strengths: methodologies, technology, and R&D in the private sector; legislation, regulations and enforcement, and advanced intelligence capabilities in the public sector. The fusion of both worlds is the most promising approach to a comprehensive solution for this arena.

Former NSA Director Michael Hayden, in his keynote speech at the Black Hat convention in Las Vegas on July 29th, focused primarily on the present state of cyber-war and the vagueness and grey areas that dominate this activity. If until now warfare has had four domains (air, ground, water, and space), the cyber world now represents a fifth domain that is for the most part uncharted territory. The current NSA Director, General Keith Alexander, who also spearheads the U.S. Cyber Command, recently discussed the need for the United States to establish a proper framework to guide its responses to cyber-attacks. However, in a rather ambiguous statement, Hayden emphasized that although 90 percent of Cybercom's thinking is about attack, at least 90 percent of its work is actually spent on defense.

Hayden believes that the US is best positioned to lead the initiative and establish an international agreement that will dictate the methods of operation in this realm, from the types of systems that can be tapped to the actions that will be defined as against international law, in the same way that there are guiding principles in all other warfare domains.

Until then, however, it is largely agreed that many more advanced and sophisticated attacks will come into play before these international guidelines are ironed out, and prudence is of the essence.

Comsec's experience has proven that the following measures are the most effective, with the highest success rates amongst our clients, in dealing with threats of this nature:

  • Assess the threat. Carry out an in-depth risk assessment taking into account all of the potential risk factors involved when using Web 2.0 platforms and other company applications.
  • Devise a defensive countermeasure strategy. Analyze the results and formulate a company policy that takes all of the risk factors into account.
  • Security controls. Assess current company security controls and measures in place, ensure they are modified to conform with the new company policy, and gauge their level of relevance and effectiveness when dealing with these types of threats.
  • Educate. Increase awareness amongst your employees of the threats these platforms pose through a comprehensive awareness campaign that will enlighten them to the “dos and don’ts” of Web 2.0.
  • Measure success. Establish measurable KPIs and KSIs to evaluate the steps that have been taken, and the adherence to the new company policy, especially over an extended period of time.
