There are two main lessons to learn from Flame at present. One is that when malware with a political dimension that seems to press the “cyberwarfare” button is found, security companies will stampede to attract the attention of the media with speculation about aspects of the malware that go far beyond the bits and bytes of the executable, using it as a tool to enhance their own profiles and emphasise the relevance of their own software even when there is comparatively little firm information. But that’s not particularly novel.
The other lesson is more subtle: Are companies maybe too confident they are resistant to such targeted attacks?
A report from BAE Systems Detica recently came up with the interesting statistic that 89% of survey respondents representing UK private sector companies with a £350m+ turnover were “fairly confident” that they’re well equipped to prevent targeted attacks, while 61% thought it would take an attack on their company or a competitor before their board would take the risk of cyber attacks seriously.
I find it hard to imagine that they’re all implementing extensive educational programmes so that their staff become more resistant to the social engineering components of targeted attacks. If I’m right, that probably means that they’re relying on technical solutions to reduce the impact of the 0-days and 1-days that tend to carry the technical payloads. Or, worse, they are relying on the ability of the companies responsible for the vulnerable software not only to patch, but to ensure the take-up of patches by potential victims.
It’s not a matter of which kinds of attack they should be aware of: it’s a matter of persuading them that they need to expect the unexpected. Iran itself (assuming that it’s the main target, which is by no means proven) is a special case, in that it is, in theory, cut off from mainstream software (including operating systems and security software) from companies headquartered in the US, and that is likely to entail difficulties that embargo-free countries don’t experience.
Nevertheless, while the exact dating of Flame’s modules has been intentionally obscured by the malware authors, there’s evidence that it has been lurking undetected for years in countries that don’t have trade embargo difficulties with obtaining or getting support for security software.
It doesn’t surprise me, however, that so many think their board won’t act until there’s an attack close to home. That’s been the story of security procurement within the enterprise since the Jurassic. The problem is that there’s a perception that targeted attacks are directed only towards big names like RSA and Lockheed, or government departments. That’s already significantly less true than it was a year ago.
David Harley is an active member of (ISC)2