How the security community and the enterprise at large adapt to rapidly advancing cybersecurity threats has to be one of the top priority items in technology today. Security teams everywhere are racing to prepare for a brewing storm of ever-increasing threats. Security as a whole is sprawling in scope as more and more devices break away from traditional computing and security mechanisms.
For one, portable device adoption is growing quickly. Strategies and issues around the management and security of these devices are becoming very real to corporate environments and, of course, to the consumer markets as well. These devices are seeping into these environments with little to nothing security-wise in place, because the technology to manage the above-mentioned concerns is limited. Enormous volumes of data are growing "in the cloud", on the devices themselves, and in massive data stores, including health, financial, personal, corporate and national information. Social media, more often than not, is not private; it is rapidly replacing email as a primary form of communication, and, even worse, it is out there forever. Intelligence and information can easily and quickly be compiled from sources like this alone.
One of the most serious threats in existence today is Stuxnet. Last week, when the security firm HBGary was hacked by the Anonymous group, emails from McAfee to HBGary were recovered and released on the internet. Reportedly, a piece of the Stuxnet code, or the actual code itself, was included in that material. At a minimum, it is reported that the information contained in that transmission is enough of a roadmap to create clones or variants of the Stuxnet virus. This malware is perhaps the most significant cyberweapon ever to have been released and reported. In July of 2010, it was revealed that up to 20% of Iranian nuclear centrifuges were targeted and damaged by Stuxnet infection, setting that country's nuclear ambitions back potentially by a number of years.
In the hands of the right or wrong people, depending on how you look at it, this could be catastrophic in terms of its scope of potential damage. In November, the Senate Committee on Homeland Security and Governmental Affairs conducted a meeting described as “Securing Critical Infrastructure in the Age of Stuxnet.”
One significant statement from the resulting report reads: "Stuxnet's design revelations may make it easier for terrorist organizations to develop such capabilities in the future." The threats are real. The targets could be anything. We are vulnerable. The danger comes not only from cyber terrorists, but from foreign countries willing and able to perform espionage, wreak havoc, or cause any number of other forms of damage to our financial systems, critical infrastructure, and more. One week ago it was reported that still-unidentified hackers had repeatedly penetrated the computer network of the company that runs the NASDAQ stock market. The damage, and the full extent of the compromise, has still not been identified.
At the RSA Conference, Symantec president and CEO Enrique Salem pointed to July 13, 2010 as a harbinger of things to come. That day marked the discovery of Stuxnet, of which Salem states:
"When you look at Stuxnet, it will be remembered as the attack that moved the game from espionage to sabotage... This is a sophisticated, elaborate and meant-to-destroy attack."
Others have described this malware as unsophisticated, but as the result of a great deal of focused and determined work by a number of experts. In one case:
"A hacker did not write this, it appears to be something that would be produced by a team using a process, all of the components were created using code similar to what is already publicly available. That is to say it's 'unremarkable'. This was created by a software development team and while the coders were professional level I am really not impressed with the end product, it looks like a picture a child painted with finger paints."
Back to Symantec: it is offering a potential solution through Symantec Endpoint Protection 12 and a concept known as "O3", which refers to ozone, named after that element which sits above the clouds. Salem described it as "a layer above the clouds" for policy, protection and monitoring.
The bottom line is that concepts and positions on security have to adapt to this and other threats. It is no longer just about compliance or a defaced corporate webpage. A multi-faceted approach of prevention, detection, auditing and much more needs to be implemented, in what is likely to be a very painful and costly endeavor. Being the target of espionage, financial compromise, destruction of physical and intellectual assets, loss of reputation, or any number of other cyber-threat vectors is far more significant than any bottom-line expense consideration. At a minimum, as an industry, we must implement at least the most critical security measures, and do so with a renewed sense of urgency in today's climate of threat.