Flame: What are the immediate implications for business?

Security researchers discovered the most powerful cyber weapon to date, but what does the latest threat, dubbed Flame, mean for IT security?

Security researchers have discovered the most powerful cyber weapon to date, but what does the latest super cyber threat, dubbed Flame, mean for the security industry?

Initial analysis reveals that Flame can steal valuable information, including – but not limited to – computer display contents, information about targeted systems, stored files, contact data and even verbal conversation, which could enable attackers to hijack administrative accounts and acquire high-level privilege to other computers and network locations.

Flame is described as one of the most advanced and complete attack toolkits ever discovered, and is believed to comprise multiple modules with 20 times more executable code than Stuxnet.

It is also already clear that Flame has the ability to replicate over a local network using several methods, including the same printer vulnerability and USB infection method exploited by Stuxnet.

Researchers believe Flame has been "in the wild" since March 2010, which means it has evaded detection by security software for just over two years.

Flame could have remained undetected for much longer, had researchers not come across it while investigating another, still unknown destructive malware programme – codenamed Wiper – which deleted data on a number of computers in the Middle East and Western Asia.

Flame can steal valuable information which could enable hackers to hijack administrative accounts and acquire high-level privilege to computers and network locations

According to researchers at the Laboratory of Cryptography and System Security in Hungary, Flame stayed hidden because it was so different to the viruses, worms and trojans that most security programmes are designed to detect.

Flame appears to have the ability to identify which security scanning software was installed on a target machine and then disguise itself as a type of computer file that the detected anti-virus software would regard as benign.

Proactive protection against evolving threats

What are the implications of all this?

Security industry representatives say Flame provides confirmation that traditional security technology no longer does the job.

“In the past 18-24 months, everything that we’ve known about security has changed. Perimeter security as we knew it is dead," said Adam Bosnian, executive vice-president at privileged identity management firm Cyber-Ark.

In the light of the fact that anyone can infect a network regardless of an organisation’s perimeter security protocols, organisations need to change their thinking quickly and focus on protection from the inside out, he said. 

In this new era of cyber threats, a growing number of security professionals believe that security has to start with the assumption that the attackers are already on the inside. 

"Organisations need to identify their most valuable assets and proactively secure them before moving towards perimeter security," said Bosnian.

This does not mean anti-virus software is no longer necessary, said Richard Turner, chief executive of UK security firm Clearswift, because organisations still need a way to capture the 30% of known and copycat malware, and this can be done with signatures and heuristics. But it does mean that the current approach to information security must change.

"It is no longer about keeping everybody out. Organisations need to recognise that they can't stop the determined attacker, that there is risk involved, and that they need to identify mission-critical data and focus resources on ensuring that is not compromised," he said.

Security with business benefits

This change in focus and approach from reactive to proactive security, said Turner, is also an opportunity to move away from purely preventive security that is just a cost to business to making security the means for expanding the business, providing new sources of revenue and building competitive advantage.

This is achieved by thinking about what the business needs to do to grow and then planning the security strategy and capability based on that, he said. This can be something as simple as enabling a secure bring-your-own-device (BYOD) programme to attract the best employees who want the latest devices and know how to use them to work flexibly and improve productivity and efficiency.  

Privileged accounts and passwords are the number one target for hackers

Adam Bosnian, executive vice-president, Cyber-Ark

This approach, where security is tightly linked to the aims of the business, not only provides better business cases for security investments, but also leads to the creation of more defensible IT environments, said Turner.

Privileged access points under attack

Flame also provides a good example of how attackers are using the exploitation of privileged accounts as the primary attack method for enterprise cybersecurity assaults, said Cyber-Ark's Bosnian. 

Privileged access points consist of privileged and administrative accounts, default and hardcoded passwords, application back doors, and more.

"These accounts act as a gateway to an organisation’s most sensitive data, which is accessible across systems, applications and servers," he said. 

While Flame appears to have multiple methods of infection at its disposal, it was discovered to propagate through networks exploiting the same privileged exploit that Stuxnet used: printer vulnerability MS10-061. Exploiting this privileged access point allows the virus to attack other machines on a network.

“This is the same privileged pathway attackers have taken in some of the world’s most devastating breaches," said Bosnian. 

Privileged access points exist in almost every device with a microprocessor, but they are often secured with weak or default passwords, he said, and once inside, attackers use the privileged account, or elevate privileges associated with the account, to gain access to additional servers, databases and other high-value systems that only a select few people are actually granted permission to access. 

"The result is easy access to millions of sensitive records, which means at some point, businesses and government organisations need to wake up and understand that privileged accounts and passwords are the number one target for hackers," said Bosnian. 

Flame could spread like wildfire

Perhaps the most sobering observation on the significance of Flame comes from Stephen Wolthusen of the information security group at Royal Holloway, University of London. "Any zero-day attack will quickly become part of the general armoury; these soon percolate down," he told a Westminster eForum on cyber security in London.

Businesses therefore cannot afford to disregard Flame and dismiss it as a cyber weapon that is about nation states and nothing to do with them.

Flame is an indication that the game is yet again changing, and if nothing else, it means that businesses need to look at controlling privileged access points as a matter of urgency. Flame also highlights the need for businesses to focus on their internal security structure to safeguard the access points to sensitive data.

Image: Kaspersky Lab

Read more on Hackers and cybercrime prevention