The analysis of Flame has yielded some interesting insights, but none more so than how it spread: through well-known vulnerabilities.
The major vulnerabilities exploited were USB sticks and a known printer vulnerability in Windows (MS10-061). Additionally, there was some clever programming to forge trusted certificates, to help with signing the attack code and thus its spread and distribution.
So, what does Flame mean to information security? At the Information Security Forum (ISF), we see two dimensions.
First, the tactical dimension is to focus on the basics. This includes patching vulnerabilities, keeping signature files current and raising awareness around the dangers of USB sticks.
Second, the strategic dimension is to prepare for the unpredictable so your organisation has the resilience to withstand such attacks.
To implement this cyber resilience requires cybersecurity governance; a clear and comprehensive risk strategy and response plan; and support for cybersecurity initiatives at the very highest level. The business must lead this resilience effort, using a collaborative approach, sharing knowledge across business units and functional groups within the organisation.
A key step is to align information risk management with enterprise risk management and with incident management and response.
Importantly, no organisation can respond effectively on its own to the threats from cyberspace. This means organisations must work with others to leverage the knowledge and resources of numerous stakeholders. This will improve the level of cyber resilience of each organisation, through improved awareness and sharing of experiences, leading to more effective controls and preparation for attacks.
A key step is to work with your suppliers and supply chain to reduce their vulnerabilities, and thereby reduce the possibility of attacks mediated through them and the associated effects.
Finally, information security must position itself as a boardroom issue: the consequences of not addressing the threats posed by attacks such as Flame are too significant to ignore.
Adrian Davis is principal research analyst at the Information Security Forum (ISF).
This was first published in July 2012