Information Security In A Post-Stuxnet World


The advent of Stuxnet and other weapons-grade malware has profoundly changed the IT security landscape. That common denominator summarizes the viewpoints of three security industry executives participating in a COMDEXvirtual panel discussion, Information Security in a Post-Stuxnet World."

"[Stuxnet] demonstrates the ability of a dedicated team to develop extremely sophisticated and complex weapons by leveraging the resources of nation-states," said Patrick Bedwell, vice president of products at Sunnyvale, Calif.-based Fortinet. "These tools then trickle down into the hacker community and begin to be used against enterprises."

In the case of Stuxnet, it's widely believed that the code was developed by the United States and/or Israel in order to cause nuclear centrifuges in Iran to spin out of control, thereby interfering with that Middle Eastern nation's alleged attempt to develop nuclear weapons. Stuxnet subsequently "leaked into the wild" when an individual, presumably with legitimate access to the malware, connected his machine to the Internet, thereby enabling the bug to accidentally escape. Stuxnet and various modules of the same malware have occasionally been identified on other networks. Last week, it was reported that the malware was discovered on the enterprise network of Chevron, a U.S.-based oil company.

 

[Related: Cyberwar: The Digital Age's Dark Side]

"While these particular attacks [for which Stuxnet was developed] were not targeting the enterprise, we see in many cases the code's concepts and tactics being used by cybercriminals attacking businesses," observes Chris Doggett, vice president of North America channel sales at Kaspersky, a Russian-based security company.

The net effect is to raise the stakes between the proverbial "white hats" and "black hats" who are continually vying for the upper hand in either penetrating or defending networks of all types and sizes.

"It's a cat and mouse game," added Doggett. "The white hats have not kept up with the black hats, or we wouldn't be reading about all these exploits. It's a very difficult game. The bad guys only need to be right once, while the defenders need to try to be right 100 percent of the time."

Stuxnet is not the only piece of weaponized malware worthy of concern. Other similar bugs include Flame, Duqu, Gauss and Shamoon.

One of the other challenges faced by security professionals involves convincing customers to seriously approach risks from threats that are not aimed at them in the first place. With tight budgets and difficult economies, many decision-makers are reluctant to invest substantial sums of money in security solutions without knowing for sure that their company is under attack. And if it is, it might already be too late.

"You might not know it's happening, and therefore be unable to justify the budgets to protect against it," said Chet Wisniewski, senior security advisor at Sophos, a Boston-based security company. In addition, there is an ongoing debate regarding full disclosure versus responsible disclosure. Is the information being disclosed in a way that makes us safer, or is it being shared in a way that helps the black hats keep us in a state of playing catch-up?"

The panelists agreed that, to a large extent, the task falls to the channel to help customers strike a balance between the actual threat, the potential threat and the budgetary realities that they face.

"In a perfect world, there would be unlimited resources for security, but in reality that is not the case," said Doggett. So the challenge is to understand and prioritize the threats that they will address. IT administrators are trying to cover many bases, and security is just one of those things on that list. This is where the channel can offer great value in helping them to step back and evaluate likely targets and vulnerabilities while developing appropriate responses to defend against the attacks. They can assist in developing a practical approach to risk management that addresses the highest priorities and brings together the products and services that mitigate those risks."

PUBLISHED NOV. 14, 2012