Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

6/1/2012
05:29 PM
50%
50%

5 Flame Security Lessons For SMBs

Flame malware case offers small and midsize businesses (SMBs) a valuable refresher course in security.

Who Is Anonymous: 10 Key Facts
Who Is Anonymous: 10 Key Facts
(click image for larger view and for slideshow)
Flame, also known as Flamer, Skywiper (sKyWIper), and Wiper, wasn't created with SMBs in mind, but it can still teach them a thing or five about IT security.

"These sorts of things provide us with teachable moments because they are high-profile," said Kevin Haley, director of Symantec Security Response, in an interview. "They grab people's attention, and they may listen for a little bit."

Flame is a highly sophisticated espionage tool that appears to have been used to spy on various governments in the Middle East. Haley points out that, at its core, it's simply a piece of malware--one with fundamental goals that don't differ all that much from the kinds of threats that do directly affect SMBs, such as banking Trojans. "It will attempt to steal information, capture screen shots, steal documents from a machine," he said. "There are thousands of pieces of malware that do that, and they're not all directed just at certain countries; they're directed at all of us."

[ What is Flame? Read Flame FAQ: 11 Facts About Complex Malware. ]

About that teachable moment: Here are five security reminders SMBs should take away from the Flame case as it continues to unfold.

1) No security plan is foolproof. Comforting, isn't it? But it's true--there is no such thing as 100% secure, and I've yet to an encounter a security pro that would argue otherwise. (Some governments in the Middle East would likely agree now, too.) That's not an excuse to do nothing. When online crooks target SMBs, either via targeted attacks or indiscriminate malware, they usually do so for two reasons: SMBs have more money than the average individual, and they have less security in place than large enterprises. That can make them easy, profitable targets. The SMB's job: don't be an easy mark. Practice good basic security at bare minimum. If time and money are key challenges, consider a risk-management approach--more on that below in number five.

2) You might not know it if you're infected. Flame's just now coming to light, but it has existed since 2010--and possibly as far back as 2007. Even if you've got strong security controls in place, you might not necessarily know if you've been infected by malware or other means. "Most malware is written to be very stealth and not let you know that it's on the machine, so what Flame does is very typical," Haley said. Robust, current security technology is a good first step toward minimizing the chance of undetected breaches--the straightforward anti-virus programs of yore aren't likely to cut it. Haley also advises SMBs take steps to eliminate spam in their corporate email accounts; the bane of inboxes continues to be a favorite delivery method for malware makers. Expect social media to continue to grow as a malware vector, too. Haley thinks SMBs need to be thinking about social risk and actively monitoring their accounts for unusual activity.

3) Attacks are increasingly sophisticated. The complexity of today's security threats almost make you long for the good old days of the Wazzu virus. Flame appears to have reset the bar. For SMBs, it's a reminder that a set-it-and-forget security plan is a recipe for failure. What worked in 2010 probably won't pass muster in 2012. "You really need to review everything [periodically]," Haley said. That's important even if you outsource security to a consultant or other vendor. If time is an issue, an annual review is better than none at all. Depending on how much a particular company invests in security--or doesn't--it might want to consider more frequent checks on its technologies and processes to ensure it's keeping up with the times.

4) Reputation harm can be expensive. The fallout from the Flame revelation is just getting started, but it's safe to say this is a public embarrassment for the affected governments. For SMBs, it's a reminder that security breaches don't necessarily need to hit your bank account to be costly. A website that gets co-opted into a malware host, for example--they're at an all-time high, according Symantec's most recent annual security report--could have a difficult time earning back the trust of its customers and other visitors. Likewise, data theft can be both embarrassing and expensive.

"It's bad enough if you get your money or your customer list or some sort of intellectual property stolen," Haley said. "But also the damage of the publicity from it could be really crippling to a business. Some people may be reluctant to do business with you if they think that you can't keep your information secure."

5) Prioritize your most important assets. A sound strategy for some SMBs is simply to not try to protect everything. Rather, identify your most valuable assets--banking credentials and other financial information, customer databases, and intellectual property, to name a few examples--and focus your efforts there. That can help resource-strapped organizations minimize their vulnerabilities in a practical manner rather than waving a white flag of surrender.

"That's the issue: Businesses just don't think about it. They go: 'Ah, there's nothing anyone would want to steal from me' and that's the end of it," Haley said. "It's really worth investing the time to just sit down and [ask]: 'What are my risks and what do I really need to prioritize and protect?' And if you can't do it yourself, get someone to help."

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity Dark Reading supplement shows how to strengthen them. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
News
Former CISA Director Chris Krebs Discusses Risk Management & Threat Intel
Kelly Sheridan, Staff Editor, Dark Reading,  2/23/2021
Edge-DRsplash-10-edge-articles
Security + Fraud Protection: Your One-Two Punch Against Cyberattacks
Joshua Goldfarb, Director of Product Management at F5,  2/23/2021
News
Cybercrime Groups More Prolific, Focus on Healthcare in 2020
Robert Lemos, Contributing Writer,  2/22/2021
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Write a Caption, Win an Amazon Gift Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
2021 Top Enterprise IT Trends
We've identified the key trends that are poised to impact the IT landscape in 2021. Find out why they're important and how they will affect you today!
Flash Poll
Building the SOC of the Future
Building the SOC of the Future
Digital transformation, cloud-focused attacks, and a worldwide pandemic. The past year has changed the way business works and the way security teams operate. There is no going back.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2021-27132
PUBLISHED: 2021-02-27
SerComm AG Combo VD625 AGSOT_2.1.0 devices allow CRLF injection (for HTTP header injection) in the download function via the Content-Disposition header.
CVE-2021-25284
PUBLISHED: 2021-02-27
An issue was discovered in through SaltStack Salt before 3002.5. salt.modules.cmdmod can log credentials to the info or error log level.
CVE-2021-3144
PUBLISHED: 2021-02-27
In SaltStack Salt before 3002.5, eauth tokens can be used once after expiration. (They might be used to run command against the salt master or minions.)
CVE-2021-3148
PUBLISHED: 2021-02-27
An issue was discovered in SaltStack Salt before 3002.5. Sending crafted web requests to the Salt API can result in salt.utils.thin.gen_thin() command injection because of different handling of single versus double quotes. This is related to salt/utils/thin.py.
CVE-2021-3151
PUBLISHED: 2021-02-27
i-doit before 1.16.0 is affected by Stored Cross-Site Scripting (XSS) issues that could allow remote authenticated attackers to inject arbitrary web script or HTML via C__MONITORING__CONFIG__TITLE, SM2__C__MONITORING__CONFIG__TITLE, C__MONITORING__CONFIG__PATH, SM2__C__MONITORING__CONFIG__PATH, C__M...