Security Think Tank: Flame is an opportunity for businesses to reassess defences

What can enterprise learn from initial analysis of Flame?

An initial analysis of Flame malware suggests it is similar to, but much more complex than, the Stuxnet virus first discovered in 2010. Unlike Stuxnet, however, an initial analysis suggests Flame’s purpose is solely espionage: capturing screenshots, conversations, office documents and e-mails.

This provides an opportunity for organisations to ensure that their security measures are capable of meeting the threats posed by malware designed for industrial espionage.

The four possible sources of infection, according to Kaspersky, are: 

  1. Infection by USB memory stick; 
  2. A spear phishing e-mail; 
  3. A visit to a malicious website;
  4. Infection via the LAN from another PC.

It seems incredible that in 2012 the industry is still discussing the need to secure endpoints against unauthorised removable media, but too many organisations overlook the need for a comprehensive solution that will block access by an unauthorised USB device, while also preventing malicious code from executing should an approved device become infected. 

Blacklisting code is not the answer – Flame went undetected by all the antivirus vendors for two years – and the industry needs to think much more in terms of code that can whitelist intelligently, without becoming an administrative chore.


Organisations should be looking at all devices on the network that support USB capability and then ensuring they have a solution that can restrict unauthorised devices and unauthorised code. 
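The two-layer control described above (restrict unauthorised devices, and separately refuse to run unknown code even from an approved device) can be expressed as a small policy evaluator. The following is an added illustration written for this page, not code from the article, from ISSA UK or from any vendor product; the device identifiers, hash lists and file contents are constructed sample values, and the hash-based allowlist stands in for whatever signer- or publisher-based rules a real product would use. It also includes a known-bad blacklist purely to show why, as the article argues, a blacklist on its own lets a previously unseen sample through.

```python
"""Removable-media control as default-deny allowlists (constructed example)."""
import hashlib
from dataclasses import dataclass

# Layer 1: devices the organisation has approved, keyed by
# (vendor id, product id, serial number).  Constructed values.
APPROVED_DEVICES = {
    ("0x0781", "0x5583", "SN-CORP-0001"),
    ("0x0781", "0x5583", "SN-CORP-0002"),
}


def sha256_hex(data: bytes) -> str:
    """SHA-256 digest of file content, hex encoded."""
    return hashlib.sha256(data).hexdigest()


# Layer 2: executable content the organisation has approved, by content hash.
# The byte strings are constructed stand-ins for real binaries.
APPROVED_TOOL = b"MZ-approved-corporate-tool-v1"
APPROVED_CODE_HASHES = {sha256_hex(APPROVED_TOOL)}

# A blacklist of samples seen before.  A brand-new sample is, by definition,
# never in here, which is the weakness the article points out.
OLD_KNOWN_BAD = b"MZ-malware-seen-last-year"
KNOWN_BAD_HASHES = {sha256_hex(OLD_KNOWN_BAD)}


@dataclass(frozen=True)
class Decision:
    allowed: bool
    reason: str


def check_device(vid: str, pid: str, serial: str) -> Decision:
    """Layer 1: only devices on the allowlist may be mounted at all."""
    if (vid, pid, serial) in APPROVED_DEVICES:
        return Decision(True, "device on allowlist")
    return Decision(False, "device not on allowlist (default deny)")


def check_execution_allowlist(file_bytes: bytes) -> Decision:
    """Layer 2: only code whose hash is approved may execute."""
    digest = sha256_hex(file_bytes)
    if digest in APPROVED_CODE_HASHES:
        return Decision(True, "code hash on allowlist")
    return Decision(False, f"unknown code {digest[:12]}... blocked (default deny)")


def check_execution_blacklist(file_bytes: bytes) -> Decision:
    """Blacklist-only control, shown for contrast: unknown code is let through."""
    digest = sha256_hex(file_bytes)
    if digest in KNOWN_BAD_HASHES:
        return Decision(False, "known-bad hash blocked")
    return Decision(True, "not on blacklist, allowed")


def evaluate(vid: str, pid: str, serial: str, file_bytes: bytes) -> Decision:
    """Both layers must pass. An approved device carrying unknown code is still blocked."""
    device = check_device(vid, pid, serial)
    if not device.allowed:
        return device
    return check_execution_allowlist(file_bytes)


if __name__ == "__main__":
    novel_sample = b"MZ-never-seen-before-sample"  # constructed, not in any list
    cases = {
        "unapproved device, approved tool": ("0x1234", "0x0001", "SN-UNKNOWN", APPROVED_TOOL),
        "approved device, approved tool": ("0x0781", "0x5583", "SN-CORP-0001", APPROVED_TOOL),
        "approved device, novel sample": ("0x0781", "0x5583", "SN-CORP-0001", novel_sample),
    }
    for label, (vid, pid, serial, payload) in cases.items():
        print(f"{label:36s} allowlist -> {evaluate(vid, pid, serial, payload)}")
    print(f"{'novel sample, blacklist only':36s} -> {check_execution_blacklist(novel_sample)}")
```

The third case is the one the article is concerned with: the device is legitimate, yet the code on it has never been seen before, so the blacklist check passes it while the allowlist check refuses it. A deployable version would replace the hash set with signer-based rules and an approval workflow, so that the allowlist does not become the administrative chore the article warns against.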

Complementing this technology should be regular user training provided in the form of acceptable usage policies. This should use the same strategies internally as would any successful marketing campaign – using a variety of delivery formats to ensure memorability. An annual e-mail is not sufficient.

In terms of spear phishing e-mails, again technology needs to be complemented by user training. Current methodologies on the technology side mostly rely too heavily upon blacklisting, overlooking the fact that new domains can be set up overnight and slip under the radar until malicious content is detected. 

Many organisations provide phishing simulations for training purposes, to look at ways of correcting user behaviour. 

Annual employee performance objectives should also include security objectives.

Phil Stewart is director of communications at ISSA UK.
