- What can enterprises learn from the initial analysis of Flame?
Most of the press attention has been on the "who" of Flame - who launched it, who it was aimed at, and so on. That makes for exciting headlines, but many more damaging attacks using similar techniques have received far less hype. Organisations should focus on the "how" of Flame: how did it get in?
While Flame is very sophisticated code, it got in by exploiting several known weaknesses (such as missing Windows patches and USB autorun), and it had to communicate outwards to do its work. It used sophisticated evasion techniques, but still left many signs that it was installed and active. Flame exploited the lack of attention paid to those signs.
There is also one very important "how" that the analysis of Flame has not established: how did the malware first get onto a PC? The most likely vector is a targeted e-mail attack, known as "spear phishing". The authors of Flame probably exploited the fact that e-mail security systems look for broad, mass attacks, not custom e-mail attacks aimed at individuals.
- What practical things can organisations do in response to what has been revealed by the initial analysis of Flame?
Firstly, organisations should make sure they have not become lax in their patching and security configuration controls on PCs and servers; many have slipped in this area. Whitelisting approaches (alerting on installation of unknown software, if not blocking it) should be deployed on servers and, where possible, on PCs. Web security gateway controls should be reviewed to make sure connections to known malicious sites are blocked and inbound executables are examined, for both HQ PC users and mobile laptop users. Intrusion prevention controls should be reviewed to make sure outbound communications are monitored for indications of an internal compromise, not just for external attack.
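The gateway and outbound-monitoring checks described above, as an added example that is not part of this article or of any Gartner material: a small Python triage script run over constructed proxy log lines. It flags three things a reviewed gateway or IPS should surface - connections to a blocklisted host, inbound executable downloads, and outbound connections from one client to one host at a regular interval (beaconing), which is the kind of "sign of being active" a blocklist alone will miss. The log format, the hostnames, the blocklist, the 600-second beacon period and the detection thresholds are all assumptions made for the example.

```python
import re
from collections import defaultdict
from datetime import datetime
from statistics import pstdev
from urllib.parse import urlparse

# Constructed sample proxy log (not real traffic). Assumed line format:
# <ISO timestamp> <client_ip> <method> <url> <status> <content-type>
SAMPLE_LOG = """\
2012-06-01T09:00:00 10.1.2.3 GET http://intranet.example.local/index.html 200 text/html
2012-06-01T09:00:03 10.1.2.3 GET http://news.example.net/story 200 text/html
2012-06-01T09:01:00 10.1.2.7 POST http://sync.example.invalid/gw.php 200 text/plain
2012-06-01T09:02:15 10.1.2.5 GET http://bad.example.invalid/ 200 text/html
2012-06-01T09:05:10 10.1.2.3 GET http://downloads.example.org/tool.exe 200 application/x-msdownload
2012-06-01T09:11:02 10.1.2.7 POST http://sync.example.invalid/gw.php 200 text/plain
2012-06-01T09:20:59 10.1.2.7 POST http://sync.example.invalid/gw.php 200 text/plain
2012-06-01T09:30:30 10.1.2.9 GET http://cdn.example.com/setup 200 application/octet-stream
2012-06-01T09:31:01 10.1.2.7 POST http://sync.example.invalid/gw.php 200 text/plain
"""

# Constructed blocklist standing in for a gateway's "known malicious sites" feed.
KNOWN_BAD_HOSTS = {"bad.example.invalid"}
# Content types and extensions that mark an inbound executable worth examining.
# octet-stream is not always an executable, but it is where droppers hide, so inspect it.
EXECUTABLE_TYPES = {"application/x-msdownload", "application/octet-stream"}
EXECUTABLE_EXTENSIONS = (".exe", ".dll", ".scr")

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<client>\S+) (?P<method>\S+) (?P<url>\S+) "
    r"(?P<status>\d{3}) (?P<ctype>\S+)$"
)


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["host"] = urlparse(rec["url"]).hostname or ""
    return rec


def parse_log(text):
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def blocked_destinations(records, blocklist=KNOWN_BAD_HOSTS):
    """(client, host) pairs that reached a blocklisted host - the gateway should have stopped these."""
    return sorted({(r["client"], r["host"]) for r in records if r["host"] in blocklist})


def inbound_executables(records):
    """(client, url) pairs where an executable was fetched, by content type or file extension."""
    hits = []
    for r in records:
        path = urlparse(r["url"]).path.lower()
        if r["ctype"] in EXECUTABLE_TYPES or path.endswith(EXECUTABLE_EXTENSIONS):
            hits.append((r["client"], r["url"]))
    return hits


def beacon_candidates(records, min_hits=4, max_jitter_seconds=30.0):
    """(client, host, period_seconds) for client/host pairs contacted at a near-constant interval.

    Normal browsing produces bursty, irregular gaps; an implant checking in on a timer does not.
    The thresholds are assumptions for this example and should be tuned to real traffic.
    """
    by_pair = defaultdict(list)
    for r in records:
        by_pair[(r["client"], r["host"])].append(r["ts"])
    found = []
    for (client, host), stamps in by_pair.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if pstdev(gaps) <= max_jitter_seconds:
            found.append((client, host, round(sum(gaps) / len(gaps))))
    return found


def triage(log_text):
    """Run all three checks over a log and return the findings keyed by check name."""
    recs = parse_log(log_text)
    return {
        "blocked": blocked_destinations(recs),
        "executables": inbound_executables(recs),
        "beacons": beacon_candidates(recs),
    }


if __name__ == "__main__":
    for name, findings in triage(SAMPLE_LOG).items():
        print(f"{name}: {findings}")
```

The beacon check is the one that matters most for the point above: the host it flags is not on the blocklist, so a gateway that only compares destinations against a feed would pass every one of those connections. Outbound monitoring has to look at behaviour over time, not just at reputation.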
- How can what we know about Flame practically help shape company information security strategies?
Gartner has pointed out for several years that targeted attacks require organisations to evolve their security strategies; Stuxnet and Flame are just highly publicised examples of the targeted threats that have been causing financial damage to businesses recently. Threats will continue to morph and evolve, and enterprise security strategies will need to do so as well. "Next-generation" firewalls, intrusion prevention, web security, whitelisting and other security controls need to replace last-generation solutions.
There will be no final generation of security controls until threats become static, and that is about as likely as crime and global conflict becoming static. Just as financial organisations have always had to keep adapting their anti-fraud strategies as clever criminals think up new ways to commit crime, organisations will need to adapt their information security processes, architectures and controls to become both more effective and more efficient in dealing with threats.
The most secure organisations are not the ones that spend the most on security: they optimise their processes and controls to reduce vulnerabilities and avoid threats, often in ways that reduce overall security spending.
John Pescatore is a research vice-president at Gartner