Risk
6/1/2012
05:29 PM
Connect Directly
RSS
E-Mail
50%
50%
Repost This

5 Flame Security Lessons For SMBs

Flame malware case offers small and midsize businesses (SMBs) a valuable refresher course in security.

Who Is Anonymous: 10 Key Facts
Who Is Anonymous: 10 Key Facts
(click image for larger view and for slideshow)
Flame, also known as Flamer, Skywiper (sKyWIper), and Wiper, wasn't created with SMBs in mind, but it can still teach them a thing or five about IT security.

"These sorts of things provide us with teachable moments because they are high-profile," said Kevin Haley, director of Symantec Security Response, in an interview. "They grab people's attention, and they may listen for a little bit."

Flame is a highly sophisticated espionage tool that appears to have been used to spy on various governments in the Middle East. Haley points out that, at its core, it's simply a piece of malware--one with fundamental goals that don't differ all that much from the kinds of threats that do directly affect SMBs, such as banking Trojans. "It will attempt to steal information, capture screen shots, steal documents from a machine," he said. "There are thousands of pieces of malware that do that, and they're not all directed just at certain countries; they're directed at all of us."

[ What is Flame? Read Flame FAQ: 11 Facts About Complex Malware. ]

About that teachable moment: Here are five security reminders SMBs should take away from the Flame case as it continues to unfold.

1) No security plan is foolproof. Comforting, isn't it? But it's true--there is no such thing as 100% secure, and I've yet to an encounter a security pro that would argue otherwise. (Some governments in the Middle East would likely agree now, too.) That's not an excuse to do nothing. When online crooks target SMBs, either via targeted attacks or indiscriminate malware, they usually do so for two reasons: SMBs have more money than the average individual, and they have less security in place than large enterprises. That can make them easy, profitable targets. The SMB's job: don't be an easy mark. Practice good basic security at bare minimum. If time and money are key challenges, consider a risk-management approach--more on that below in number five.

2) You might not know it if you're infected. Flame's just now coming to light, but it has existed since 2010--and possibly as far back as 2007. Even if you've got strong security controls in place, you might not necessarily know if you've been infected by malware or other means. "Most malware is written to be very stealth and not let you know that it's on the machine, so what Flame does is very typical," Haley said. Robust, current security technology is a good first step toward minimizing the chance of undetected breaches--the straightforward anti-virus programs of yore aren't likely to cut it. Haley also advises SMBs take steps to eliminate spam in their corporate email accounts; the bane of inboxes continues to be a favorite delivery method for malware makers. Expect social media to continue to grow as a malware vector, too. Haley thinks SMBs need to be thinking about social risk and actively monitoring their accounts for unusual activity.

3) Attacks are increasingly sophisticated. The complexity of today's security threats almost make you long for the good old days of the Wazzu virus. Flame appears to have reset the bar. For SMBs, it's a reminder that a set-it-and-forget security plan is a recipe for failure. What worked in 2010 probably won't pass muster in 2012. "You really need to review everything [periodically]," Haley said. That's important even if you outsource security to a consultant or other vendor. If time is an issue, an annual review is better than none at all. Depending on how much a particular company invests in security--or doesn't--it might want to consider more frequent checks on its technologies and processes to ensure it's keeping up with the times.

4) Reputation harm can be expensive. The fallout from the Flame revelation is just getting started, but it's safe to say this is a public embarrassment for the affected governments. For SMBs, it's a reminder that security breaches don't necessarily need to hit your bank account to be costly. A website that gets co-opted into a malware host, for example--they're at an all-time high, according Symantec's most recent annual security report--could have a difficult time earning back the trust of its customers and other visitors. Likewise, data theft can be both embarrassing and expensive.

"It's bad enough if you get your money or your customer list or some sort of intellectual property stolen," Haley said. "But also the damage of the publicity from it could be really crippling to a business. Some people may be reluctant to do business with you if they think that you can't keep your information secure."

5) Prioritize your most important assets. A sound strategy for some SMBs is simply to not try to protect everything. Rather, identify your most valuable assets--banking credentials and other financial information, customer databases, and intellectual property, to name a few examples--and focus your efforts there. That can help resource-strapped organizations minimize their vulnerabilities in a practical manner rather than waving a white flag of surrender.

"That's the issue: Businesses just don't think about it. They go: 'Ah, there's nothing anyone would want to steal from me' and that's the end of it," Haley said. "It's really worth investing the time to just sit down and [ask]: 'What are my risks and what do I really need to prioritize and protect?' And if you can't do it yourself, get someone to help."

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity Dark Reading supplement shows how to strengthen them. (Free registration required.)

Comment  | 
Print  | 
More Insights
Register for Dark Reading Newsletters
White Papers
Cartoon
Current Issue
Video
Slideshows
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2013-1421
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Craig Knudsen WebCalendar before 1.2.5, 1.2.6, and other versions before 1.2.7 allows remote attackers to inject arbitrary web script or HTML via the Category Name field to category.php.

CVE-2013-2105
Published: 2014-04-22
The Show In Browser (show_in_browser) gem 0.0.3 for Ruby allows local users to inject arbitrary web script or HTML via a symlink attack on /tmp/browser.html.

CVE-2013-2187
Published: 2014-04-22
Cross-site scripting (XSS) vulnerability in Apache Archiva 1.2 through 1.2.2 and 1.3 before 1.3.8 allows remote attackers to inject arbitrary web script or HTML via unspecified parameters, related to the home page.

CVE-2013-4116
Published: 2014-04-22
lib/npm.js in Node Packaged Modules (npm) before 1.3.3 allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names that are created when unpacking archives.

CVE-2013-4472
Published: 2014-04-22
The openTempFile function in goo/gfile.cc in Xpdf and Poppler 0.24.3 and earlier, when running on a system other than Unix, allows local users to overwrite arbitrary files via a symlink attack on temporary files with predictable names.

Best of the Web