ISSA’s Raj Samani suggests that within control system networks where only known applications run, a simple strategy to combat Stuxnet would be to allow only authorised executables to run and deny everything else.
Alan Bentley, senior vice-president international at security firm Lumension Security, says thinking needs to switch from allowing everything in until it is proved to be bad, to preventing anything from coming in until it is proved to be good.
But control systems aside, Stuxnet’s unprecedented level of sophistication and the mystery surrounding its true purpose mean IT security professionals should not be tempted to dismiss its relevance and risk leaving their organisations open to attack, says Eddy Willems, security evangelist at security firm G Data.
“A key thing IT security managers should learn from the Stuxnet episode is that it is important to have antivirus software installed on every machine in an organisation,” says Willems. “Just because a computer performs limited functions, or has limited human interaction, does not mean it doesn’t need protecting.”
John Walker, a member of the ISACA Security Advisory Group, says manifestations of malicious code such as Stuxnet demand that organisations deploy anti-malware systems, ensure they are kept up to date, apply all security patches for applications, and identify data assets. But he agrees with Hyppönen that technology alone will not solve all problems.
It has never been more important for business security strategies to address people, process, organisation and technology, says Walker, which means IT security managers must ensure users are kept up to date with tuned security education and awareness programmes.
Dani Briscoe, services manager at the Corporate IT Forum, points out: “It is a relatively old lesson: [security is about] training, training, and training.
“Teach people not to accept updates blindly. Put a process in place that allows them to check updates are genuine and uncorrupted, quickly and easily, and check the process is being followed.
“As an IT professional, your challenge is to keep the message fresh in the minds of all employees, irrespective of their role.”
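One concrete shape for both pieces of advice above, Samani and Bentley's default-deny execution control and Briscoe's check that updates are genuine and uncorrupted before they are accepted, is an allow-list of executable digests that the endpoint only adopts when it is signed by a pinned release key. The Go program below is an added example written for this page, not code from any of the people or firms quoted; the key seed, the file names and the sample "executables" are constructed for the demonstration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"fmt"
	"sort"
	"strings"
)

// Manifest maps an executable name to the hex SHA-256 of the one build that is
// authorised to run under that name. A name that is absent is denied; there is
// no "unknown but probably fine" state.
type Manifest map[string]string

// Encode serialises the manifest deterministically (sorted by name) so the
// bytes the release authority signs are exactly the bytes the endpoint verifies.
func (m Manifest) Encode() []byte {
	names := make([]string, 0, len(m))
	for n := range m {
		names = append(names, n)
	}
	sort.Strings(names)
	var b strings.Builder
	for _, n := range names {
		fmt.Fprintf(&b, "%s %s\n", m[n], n)
	}
	return []byte(b.String())
}

// Digest returns the hex SHA-256 of an executable's contents.
func Digest(content []byte) string {
	sum := sha256.Sum256(content)
	return hex.EncodeToString(sum[:])
}

// SignManifest is run by the release authority, ideally offline, whenever the
// set of approved builds changes.
func SignManifest(priv ed25519.PrivateKey, m Manifest) []byte {
	return ed25519.Sign(priv, m.Encode())
}

// LoadManifest is the endpoint's "is this update genuine and uncorrupted?"
// check: a new allow-list is adopted only if its signature verifies under the
// pinned public key. On failure the endpoint keeps the list it already enforces.
func LoadManifest(pub ed25519.PublicKey, m Manifest, sig []byte) (Manifest, error) {
	if !ed25519.Verify(pub, m.Encode(), sig) {
		return nil, fmt.Errorf("manifest signature does not verify: update refused")
	}
	return m, nil
}

// MayExecute is the default-deny decision: the name must be listed and the
// bytes on disk must hash to the listed digest. A binary patched in place keeps
// its name but loses its digest, so it is denied.
func MayExecute(m Manifest, name string, content []byte) bool {
	want, listed := m[name]
	if !listed {
		return false
	}
	return want == Digest(content)
}

// DemoKeys derives a key pair from a fixed seed so the example is reproducible.
// Constructed demo key only: a real signing key would come from crypto/rand and
// live off the control network.
func DemoKeys() (ed25519.PrivateKey, ed25519.PublicKey) {
	seed := bytes.Repeat([]byte{0x42}, ed25519.SeedSize)
	priv := ed25519.NewKeyFromSeed(seed)
	return priv, priv.Public().(ed25519.PublicKey)
}

// Constructed sample "executables": a vendor build and a copy of it that was
// tampered with after approval.
var (
	HMIBuild      = []byte("constructed sample: HMI controller build 1.0")
	TamperedBuild = append(append([]byte(nil), HMIBuild...), " +injected payload"...)
)

func main() {
	priv, pub := DemoKeys()
	approved := Manifest{"hmi.exe": Digest(HMIBuild)}
	sig := SignManifest(priv, approved)

	enforced, err := LoadManifest(pub, approved, sig)
	if err != nil {
		fmt.Println("update refused:", err)
		return
	}
	fmt.Println("hmi.exe (approved build) allowed:", MayExecute(enforced, "hmi.exe", HMIBuild))
	fmt.Println("hmi.exe (tampered build) allowed:", MayExecute(enforced, "hmi.exe", TamperedBuild))
	fmt.Println("dropper.exe (not listed) allowed:", MayExecute(enforced, "dropper.exe", TamperedBuild))

	// Someone who can write the manifest but cannot sign it gets nowhere: the
	// old signature no longer covers the edited list.
	edited := Manifest{"hmi.exe": Digest(HMIBuild), "dropper.exe": Digest(TamperedBuild)}
	_, err = LoadManifest(pub, edited, sig)
	fmt.Println("edited manifest accepted:", err == nil)
}
```

The two checks are deliberately separate: `LoadManifest` answers "may I trust this list?" once per update, and `MayExecute` answers "may this run?" on every launch, so a machine that performs limited functions and rarely sees a human still enforces the list with no one watching. Whoever writes the manifest must have the signing key, which is why the seed here is labelled a demo value and the real key should never sit on the endpoint.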
But Peter Wenham, committee member of the BCS Security Forum strategic panel, says education and awareness must extend further: to software developers and network architects, so that they think about security from the outset; to managers, to convey the message that good security requires secure software and well-designed, well-maintained networks; and finally to board members, to ensure security is business-led and becomes part of every organisation’s ethos.
Above all, Stuxnet means IT security managers have to raise their game. Skillset maintenance, belonging to professional organisations, interfacing with, and carrying the security message to, the board, management and staff, are all no longer optional, says Wenham.
“Being able to translate a risk assessment into continuous security improvement programmes is a key part of the security professional’s job,” he stresses.