One important lesson IT managers can learn from Stuxnet is that it is a huge mistake to buy software with known hardcoded passwords, says John Pescatore, research vice-president at Gartner.
It is a good idea at system install to make sure all default passwords are changed, because it is often much easier then than trying to do it at a later stage, he says.
According to Pescatore, simply by keeping software applications, including browsers, up to date, avoiding default passwords and making sure all portable media are controlled, organisations could substantially increase their defences, even against sophisticated malware such as Stuxnet.
“Certainly, more proactive mechanisms such as intrusion prevention systems and network forensics would have been better, but those who got hit by Stuxnet really suffered from a lack of basic levels of security,” he says.
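As an added example, not taken from the article or from Gartner, the following PowerShell script audits a Windows host for two of the basics Pescatore lists: patch currency and control of portable media. The function names, the 45-day patch threshold and the output shape are this example's own assumptions; default-password checks are product-specific and are not attempted here.

```powershell
# Added example (not from the article): audit a Windows host for basic hygiene
# controls. Run in an elevated PowerShell session. The 45-day threshold and the
# result format are assumptions of this example, not a vendor recommendation.

function Test-PatchCurrency {
    param([int]$MaxDaysSinceLastPatch = 45)   # assumed threshold

    # Get-HotFix lists installed updates; use the most recent install date.
    $latest = Get-HotFix |
        Where-Object { $_.InstalledOn } |
        Sort-Object InstalledOn -Descending |
        Select-Object -First 1

    if (-not $latest) {
        return [pscustomobject]@{ Check = 'Patches'; Pass = $false; Detail = 'No hotfix install dates found' }
    }

    $age = (Get-Date) - $latest.InstalledOn
    [pscustomobject]@{
        Check  = 'Patches'
        Pass   = ($age.TotalDays -le $MaxDaysSinceLastPatch)
        Detail = "Last update $($latest.HotFixID) installed $($age.Days) days ago"
    }
}

function Test-RemovableMediaControl {
    # USB mass-storage driver: Start = 4 disables it (3 = loaded on demand).
    $usbstor = Get-ItemProperty -Path 'HKLM:\SYSTEM\CurrentControlSet\Services\USBSTOR' `
                                -Name Start -ErrorAction SilentlyContinue
    $usbDisabled = ($null -ne $usbstor -and $usbstor.Start -eq 4)

    # NoDriveTypeAutoRun = 0xFF turns AutoRun off for every drive type.
    $autorun = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer' `
                                -Name NoDriveTypeAutoRun -ErrorAction SilentlyContinue
    $autorunOff = ($null -ne $autorun -and $autorun.NoDriveTypeAutoRun -eq 0xFF)

    [pscustomobject]@{ Check = 'USB storage driver disabled'; Pass = $usbDisabled; Detail = "USBSTOR Start=$($usbstor.Start)" }
    [pscustomobject]@{ Check = 'AutoRun disabled';            Pass = $autorunOff;  Detail = "NoDriveTypeAutoRun=$($autorun.NoDriveTypeAutoRun)" }
}

$results = @(Test-PatchCurrency) + @(Test-RemovableMediaControl)
$results | Format-Table -AutoSize

# Non-zero exit so the script can gate a build or a fleet-wide compliance job.
if ($results | Where-Object { -not $_.Pass }) { exit 1 }
```

Two caveats a practitioner should keep in mind. Disabling the USBSTOR driver is a blunt instrument; in a managed estate the equivalent control is normally applied through the "Removable Storage Access" Group Policy settings rather than by editing the service entry directly. And turning AutoRun off is necessary but not sufficient: Stuxnet's USB vector did not rely on AutoRun, which is exactly why the article pairs media control with patching rather than treating either alone as adequate.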
So Stuxnet is not something that borders on science fiction and applies to only a select few in charge of security for systems linked to critical national infrastructures. Rather, it is proof that the game is changing and that the stakes have never been higher.
Instead of burying their heads in the sand, IT security managers should recognise that Stuxnet is relevant to every one of them.
At the very least, Stuxnet is a call to action to ensure that basic security controls such as secure system configuration are in place, supported by continual updates to user education programmes, defence strategies, software applications and incident response plans.