Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Risk

6/1/2012
05:29 PM
50%
50%

5 Flame Security Lessons For SMBs

Flame malware case offers small and midsize businesses (SMBs) a valuable refresher course in security.

Who Is Anonymous: 10 Key Facts
Who Is Anonymous: 10 Key Facts
(click image for larger view and for slideshow)
Flame, also known as Flamer, Skywiper (sKyWIper), and Wiper, wasn't created with SMBs in mind, but it can still teach them a thing or five about IT security.

"These sorts of things provide us with teachable moments because they are high-profile," said Kevin Haley, director of Symantec Security Response, in an interview. "They grab people's attention, and they may listen for a little bit."

Flame is a highly sophisticated espionage tool that appears to have been used to spy on various governments in the Middle East. Haley points out that, at its core, it's simply a piece of malware--one with fundamental goals that don't differ all that much from the kinds of threats that do directly affect SMBs, such as banking Trojans. "It will attempt to steal information, capture screen shots, steal documents from a machine," he said. "There are thousands of pieces of malware that do that, and they're not all directed just at certain countries; they're directed at all of us."

[ What is Flame? Read Flame FAQ: 11 Facts About Complex Malware. ]

About that teachable moment: Here are five security reminders SMBs should take away from the Flame case as it continues to unfold.

1) No security plan is foolproof. Comforting, isn't it? But it's true--there is no such thing as 100% secure, and I've yet to an encounter a security pro that would argue otherwise. (Some governments in the Middle East would likely agree now, too.) That's not an excuse to do nothing. When online crooks target SMBs, either via targeted attacks or indiscriminate malware, they usually do so for two reasons: SMBs have more money than the average individual, and they have less security in place than large enterprises. That can make them easy, profitable targets. The SMB's job: don't be an easy mark. Practice good basic security at bare minimum. If time and money are key challenges, consider a risk-management approach--more on that below in number five.

2) You might not know it if you're infected. Flame's just now coming to light, but it has existed since 2010--and possibly as far back as 2007. Even if you've got strong security controls in place, you might not necessarily know if you've been infected by malware or other means. "Most malware is written to be very stealth and not let you know that it's on the machine, so what Flame does is very typical," Haley said. Robust, current security technology is a good first step toward minimizing the chance of undetected breaches--the straightforward anti-virus programs of yore aren't likely to cut it. Haley also advises SMBs take steps to eliminate spam in their corporate email accounts; the bane of inboxes continues to be a favorite delivery method for malware makers. Expect social media to continue to grow as a malware vector, too. Haley thinks SMBs need to be thinking about social risk and actively monitoring their accounts for unusual activity.

3) Attacks are increasingly sophisticated. The complexity of today's security threats almost make you long for the good old days of the Wazzu virus. Flame appears to have reset the bar. For SMBs, it's a reminder that a set-it-and-forget security plan is a recipe for failure. What worked in 2010 probably won't pass muster in 2012. "You really need to review everything [periodically]," Haley said. That's important even if you outsource security to a consultant or other vendor. If time is an issue, an annual review is better than none at all. Depending on how much a particular company invests in security--or doesn't--it might want to consider more frequent checks on its technologies and processes to ensure it's keeping up with the times.

4) Reputation harm can be expensive. The fallout from the Flame revelation is just getting started, but it's safe to say this is a public embarrassment for the affected governments. For SMBs, it's a reminder that security breaches don't necessarily need to hit your bank account to be costly. A website that gets co-opted into a malware host, for example--they're at an all-time high, according Symantec's most recent annual security report--could have a difficult time earning back the trust of its customers and other visitors. Likewise, data theft can be both embarrassing and expensive.

"It's bad enough if you get your money or your customer list or some sort of intellectual property stolen," Haley said. "But also the damage of the publicity from it could be really crippling to a business. Some people may be reluctant to do business with you if they think that you can't keep your information secure."

5) Prioritize your most important assets. A sound strategy for some SMBs is simply to not try to protect everything. Rather, identify your most valuable assets--banking credentials and other financial information, customer databases, and intellectual property, to name a few examples--and focus your efforts there. That can help resource-strapped organizations minimize their vulnerabilities in a practical manner rather than waving a white flag of surrender.

"That's the issue: Businesses just don't think about it. They go: 'Ah, there's nothing anyone would want to steal from me' and that's the end of it," Haley said. "It's really worth investing the time to just sit down and [ask]: 'What are my risks and what do I really need to prioritize and protect?' And if you can't do it yourself, get someone to help."

Employees and their browsers might be the weak link in your security plan. The new, all-digital Endpoint Insecurity Dark Reading supplement shows how to strengthen them. (Free registration required.)

Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Aviation Faces Increasing Cybersecurity Scrutiny
Kelly Jackson Higgins, Executive Editor at Dark Reading,  8/22/2019
Microsoft Tops Phishers' Favorite Brands as Facebook Spikes
Kelly Sheridan, Staff Editor, Dark Reading,  8/22/2019
MoviePass Leaves Credit Card Numbers, Personal Data Exposed Online
Kelly Sheridan, Staff Editor, Dark Reading,  8/21/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon
Current Issue
7 Threats & Disruptive Forces Changing the Face of Cybersecurity
This Dark Reading Tech Digest gives an in-depth look at the biggest emerging threats and disruptive forces that are changing the face of cybersecurity today.
Flash Poll
The State of IT Operations and Cybersecurity Operations
The State of IT Operations and Cybersecurity Operations
Your enterprise's cyber risk may depend upon the relationship between the IT team and the security team. Heres some insight on what's working and what isn't in the data center.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2016-6154
PUBLISHED: 2019-08-23
The authentication applet in Watchguard Fireware 11.11 Operating System has reflected XSS (this can also cause an open redirect).
CVE-2019-5594
PUBLISHED: 2019-08-23
An Improper Neutralization of Input During Web Page Generation ("Cross-site Scripting") in Fortinet FortiNAC 8.3.0 to 8.3.6 and 8.5.0 admin webUI may allow an unauthenticated attacker to perform a reflected XSS attack via the search field in the webUI.
CVE-2019-6695
PUBLISHED: 2019-08-23
Lack of root file system integrity checking in Fortinet FortiManager VM application images of all versions below 6.2.1 may allow an attacker to implant third-party programs by recreating the image through specific methods.
CVE-2019-12400
PUBLISHED: 2019-08-23
In version 2.0.3 Apache Santuario XML Security for Java, a caching mechanism was introduced to speed up creating new XML documents using a static pool of DocumentBuilders. However, if some untrusted code can register a malicious implementation with the thread context class loader first, then this im...
CVE-2019-15092
PUBLISHED: 2019-08-23
The webtoffee "WordPress Users & WooCommerce Customers Import Export" plugin 1.3.0 for WordPress allows CSV injection in the user_url, display_name, first_name, and last_name columns in an exported CSV file created by the WF_CustomerImpExpCsv_Exporter class.