
Flame On!

  • At May 30, 2012
  • By Josh More
  • In Business Security

The security world exploded today with news of a new piece of malware found in Iran. It’s been a very long time since we’ve seen an unfounded industry panic on this scale. Phrases like “most advanced malware”, “super-weapon” and “new era in cyberwar” are being thrown around like confetti. So, let’s take a bit of a reality check.


Calm Down

1) Are you in the Middle East?

If not, relax. The evidence suggests that the malware is focused on the Middle East… likely either Iran or Israel. While malware does spread quickly, highly targeted malware focused on information theft does not. After all, if it did, the people running the systems wouldn’t be able to use the information they get. There would be too much of it.

2) Have you updated your systems in the last two years?

If so, relax. While the news is new, it looks like this malware was released in 2010. Modern malware is capable of attacking along numerous vectors, so simply patching may not be enough, but if you’re monitoring your systems properly, you probably would have noticed it by now.

3) Are you profoundly unlucky?

If not, relax. The Kaspersky report that has been widely cited lists the following infection counts: Iran – 189, Israel/Palestine – 98, Sudan – 32, Syria – 30, Lebanon – 18, Saudi Arabia – 10, Egypt – 5. This means that, as of May 28th… after Flame has been out for two years… it has infected 382 systems. In 2010, there were about five billion devices connected to the Internet (probably more now). So your odds of being infected are roughly 382 in five billion, or about 0.0000076%. You are 22 times more likely to be struck by lightning than you are to get infected by Flame.

4) Are you a nation state?

If so, thank you! Most geopolitical entities don’t read my blog. If not, relax. Cyberwar is unlikely to affect you. The goals of Cyberwar are to steal critical intellectual property, identify what other nation states are up to and interfere with the capabilities of other nation states. The only one that really drifts into the private sector is the theft of intellectual property, which can be protected pretty easily.


Big Deal

So why are people making such a big deal out of this? Well, the first thing to consider would be who exactly is promoting this and how they’re doing it.

First, you have what I call “set it and forget it AV” companies. Kaspersky and Symantec were among the first to bring this news out. This shouldn’t come as a shock to anyone, as they make a lot of sales when a malware attack makes it all the way to the mainstream news. This is too bad, as both of these firms tend to do excellent technical analysis and it’s sad to see their research skewed into a FUD campaign.

Next, you have the response to these sorts of firms by the vendors that focus on analysis and response. Take a look at these responses by Sophos and Sourcefire. These two firms make their money selling tools that allow a competent administrator to get more done by leveraging analytics and determining appropriate responses.

Then you have a slew of mainstream media articles that reference “cybersecurity experts” (who often have nothing to do with malware) to comment on the issue. I’ve seen and heard quotes from people who do development security, physical security and governmental policy… which seems to be a response to a reporter needing a quick quote to get into the news cycle.

Finally, you have a bunch of individual posts (like this one) of individuals trying to catch the “Flame Wave” and boost SEO ratings. (Hiya Google, how you doin’?) Basically, everyone has a reason behind their actions. Before you start tossing money around to make the scary go away, stop for a minute and think.


What To Do

The first thing you should do is, as I stated above, relax a bit. Snap decisions are seldom the ones you want to make. Think about what advanced malware can do and how it gets in. Here are the facts.

Protecting against Flame is EXACTLY like protecting against other malware. Nothing in Flame is technologically new.

Modern malware targets data and takes advantage of missing patches. If you don’t know the Who, What, Where, How and Why of your data, you can’t control it. If you aren’t maintaining your operating systems and the applications that run on them, you are at risk. Also if your users are running as local administrators, there’s not much you can do.

Modern malware does a lot of really neat things too, like infect smart phones, hide its tracks and punitively wipe systems if you tamper with it. Heck, for all I know, it’s also responsible for using the last piece of toilet paper and not replacing the roll. However, if you are letting your users run with administrative permissions, you’re not patching your systems and you don’t understand your data, none of this is going to matter.

Basically, you have to walk before you run… and before you walk, you have to understand how. Most organizations that I work with are still at the crawling stage. If you cannot answer “Yes” to each of the following questions, don’t even think about Flame/Duqu/Stuxnet/BoogaThreat. Focus on getting your own house in order first.

1) I know exactly where all my data is.
2) I know that I need all of the data I have.
3) I have classified the data I have according to criticality.
4) I have implemented technology to detect and respond to data as it crosses security zones.
5) I am completely confident that all my operating systems are up to date.
6) I understand each application in my environment, why it is there and am certain that it is up to date.
7) None of my users are using administrative permissions as part of their daily work.
8) I have installed and am maintaining a modern anti-malware stack or application whitelisting solution on each system on my network.
9) I have installed and am maintaining an intrusion detection solution on my network.
10) I pay attention to the alerts from all of my awareness systems and respond appropriately.

If you’ve answered “No” to any of these, that’s where you have to focus. If you have trouble, let me know. I’m here to help. (Guess why I take the time to write posts.)
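Items 5, 7 and 8 of that list are the ones you can actually check by machine rather than by gut feeling, and the gap between “I am completely confident” and “I looked” is usually where the trouble is. The following script is an added example, not code from the original post: it runs those three checks over a constructed asset inventory and reports which hosts fail which item. The inventory fields, the host names, the 30-day patch threshold and the audit date are all assumptions for illustration; in a real environment the rows would come from your asset or configuration management system.

```python
from dataclasses import dataclass
from datetime import date

# Assumed policy threshold for checklist item 5: a host whose last patch is
# older than this is treated as "not up to date". Tune to your own patch cycle.
PATCH_MAX_AGE_DAYS = 30

# Date the audit is run against; fixed here so the sample is reproducible.
AUDIT_DATE = date(2012, 5, 30)


@dataclass
class Host:
    """One row of an asset inventory (fields are assumptions for this example)."""
    name: str
    last_patched: date          # date the OS and applications were last patched
    local_admins: frozenset     # members of the local Administrators group
    daily_users: frozenset      # accounts people actually log in with day to day
    anti_malware: bool          # item 8: modern anti-malware installed and maintained
    whitelisting: bool          # item 8: application whitelisting in place


def check_host(host, today):
    """Return {checklist_item: reason} for each of items 5, 7 and 8 the host fails."""
    failures = {}

    # Item 5: operating systems and applications up to date.
    age = (today - host.last_patched).days
    if age > PATCH_MAX_AGE_DAYS:
        failures[5] = f"last patched {age} days ago"

    # Item 7: nobody doing daily work with administrative permissions.
    # A daily-use account that is also a local admin is exactly the case the
    # post warns about; built-in or service accounts are not counted.
    admin_users = host.local_admins & host.daily_users
    if admin_users:
        failures[7] = "daily users in Administrators: " + ", ".join(sorted(admin_users))

    # Item 8: either an anti-malware stack or application whitelisting on every system.
    if not (host.anti_malware or host.whitelisting):
        failures[8] = "no anti-malware or application whitelisting"

    return failures


def audit(hosts, today):
    """Map each checked item number to the sorted list of host names failing it."""
    by_item = {5: [], 7: [], 8: []}
    for host in hosts:
        for item in check_host(host, today):
            by_item[item].append(host.name)
    return {item: sorted(names) for item, names in by_item.items()}


# Constructed sample inventory; the host names and values are made up.
SAMPLE_HOSTS = [
    Host("ws-finance-01", date(2012, 5, 15),
         frozenset({"Administrator", "jdoe"}), frozenset({"jdoe"}), True, False),
    Host("ws-eng-07", date(2012, 2, 1),
         frozenset({"Administrator"}), frozenset({"asmith"}), False, False),
    Host("srv-file-02", date(2012, 5, 28),
         frozenset({"Administrator", "svc_backup"}), frozenset(), True, True),
]


def run_sample_audit():
    """Audit the constructed inventory as of AUDIT_DATE."""
    return audit(SAMPLE_HOSTS, AUDIT_DATE)


if __name__ == "__main__":
    for item, names in sorted(run_sample_audit().items()):
        print(f"item {item}: " + ("OK" if not names else "FAIL on " + ", ".join(names)))
```

The point of the exercise is that every “Yes” on the list becomes a query against data you already hold rather than a statement of confidence. Run against the sample, the finance workstation fails item 7 because its daily user is in the local Administrators group, the engineering workstation fails items 5 and 8, and the file server passes all three; the same shape of report, fed from your real inventory, tells you where to spend the next month.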

The Importance of Exercise (and rhinos)

  • At May 23, 2012
  • By Josh More
  • In Business Security, Natural History

Exercise. With a few annoyingly fit and perky exceptions, we all hate to do it. Even when it comes to business exercises, where we can avoid the serious danger of getting all sweaty and tired, we still avoid it… generally for reasons comparable to the physical: foolishness, arrogance and wasting time.

In business, time is money. We focus on reducing waste and maximizing profit. When times are tough, we avoid future-focused activities in favor of those that we are fairly certain will benefit us right now… even when the future gains would likely be much larger. So, even when we know that exercise would help us, we avoid it because there are other things that need doing.

Then there’s the other side. For a business exercise to be useful, we must learn from it. To learn from it, we must encounter something new. This is socially dangerous as it places us in a situation where, to positively respond to the scenario, we risk being viewed negatively by those around us… so there is resistance to trying new things.

Why risk social censure and waste time when you know what you’d do in a bad situation anyway? After all, we’re smart people. We think about things and we know our environment, right? If a problem happened, we’d just deal with it. Our people would have to work overtime, but we’d get the job done… right?

Well, let’s find out. Suppose you work in a zoo. Suppose one of the risks you face is that of an animal escaping. Your job is to figure out how to deal with the event and get the animal back. How would you do it? Take a couple of minutes and think what you’d do. I’ll wait.

Now, watch this video.

Tell me. In your mental model, which animal escaped? Was it dangerous? Was it hard to recapture? Did you think about what would happen if one or more of your people were injured during the escape? What about people at the zoo? Did you think of children, of adults, of any disabled people and how they might escape? Did you think about the potential damage that an animal could cause to the infrastructure both inside and outside of the zoo? What about the possibility that the animal could survive after escaping and create a breeding population of dangerous animals in the city? Did your plan include alerting the news media and trying to control the story?

Even a simple exercise can show you things that you might not think of on your own. By running through live exercises, you can encounter serious problems in a safe way. You can discover which events need prevention and which ones would require a pre-planned reaction. If your organization’s culture focuses on predictable work, you might find resistance to working extra hours to make up for what is perceived as someone else’s problem. If your organization is on the other side of the continuum and tends towards interrupt-driven tasks, you may find that your people are closer to exhaustion than you think, and a true disaster could push them over the edge.

This will allow you to engage in a more accurate risk assessment, allocate resources and move to a more proactive stance. So, you could be prepared for any eventuality, from mountain lion to penguin.

Copyright © 2013 by Josh More