Experts: Cyber Threats Can Be Defeated With Off-the-Shelf Software
The Stuxnet worm that infected thousands of computers from Iran to the United States could have easily been prevented, security professionals said.
Experts believe the attack, first discovered last summer, aimed to physically damage equipment that control power plants in Iran. The malware spread to 12,000 computers, the majority of which were in Iran, Indonesia and India, though machines in the United States and Pakistan also were infected.
Despite the frenzy that surrounded Stuxnet, it is nothing more than software and it can be beaten, said Paul Williams, executive director of security services for Pennsylvania-based White Badger Security.
“There’s absolutely no way it would have happened with just a reasonable dose of off-the-shelf commercial technology,” Williams said July 20 at the FOSE information-technology exposition and conference in Washington, D.C.
The number of cyber-attacks has steadily been increasing over the past few years, going from the general loss of data to high-profile intrusions like those at Sony and Citibank, which saw hackers steal $2.7 million. The Defense Department also recently revealed that 24,000 Pentagon files had been stolen from a contractor’s computer this past spring. Officials said the attack might have been carried out by a foreign intelligence organization.
Jimmy Sorrells, senior vice president of Integrity Global Security, said that the majority of IT systems in the government and the private sector were optimized for business, not necessarily for stringent security. They all have one thing in common: the castle complex.
“Perimeter defense is the de facto standard in the world today,” Sorrells said, comparing it to building motes around castles during the Middle Ages.
Companies and agencies put up firewalls and virtual private networks around the perimeters of their systems, but if someone busts through that initial level of security “you’ve got really, really big trouble,” said Sorrells, whose company’s operating systems are used in F-35 Joint Strike Fighter and F-22 aircraft.
What organizations need to do is turn their network defenses inside out, somewhat in the way the Defense Department has done, Sorrells said. They should take inventories of their assets and segment them off into different areas based on characteristics like confidentiality, integrity and availability, he said. This keeps an entire system from being at risk when a certain zone is breached.
The Pentagon has the right idea, but Sorrells cautioned, “they have kind of let it run away from them in terms of policing the assets into the right compartments. There’s way too much stuff in the wrong compartments.”
It is internal security that becomes key after an intrusion, Williams said. An initial infection is one thing, but the real damage is caused by the widespread and silent compromising of a system, he said.
Organizations must monitor their systems for changes in connections between computers and servers, as well as patterns of mutations that seem to spread on their own. These are indicative of a stealthy malware attack, Williams said.
His company, White Badger Security, sells no products, just advice and information. He said that cybersecurity professionals must understand the makeup of an IT system and the threats to it before they can know where to use certain products, he said.
“Standard techniques like intrusion detection, looking at logs or anti-virus software will not detect the most advance cases [of malware],” Williams said. “There is no product sold that can match manual analysis.”