Don't Think Targeted Attacks Like Stuxnet Can't Hit You
Enterprises of all types are vulnerable to sophisticated targeted malware attacks like Stuxnet. Security managers must take immediate action to protect against these attacks, and the even more dangerous ones to come.
Event
On 23 September 2010, media reports worldwide stated that the Stuxnet worm, which was first identified by information security researchers in June, may have been designed to attack specific installations. Stuxnet targets IT systems that are, for security reasons, not directly exposed to the Internet. The worm infects Windows-based PCs via USB drives, searching for software that runs industrial facilities such as power plants. The worm's sophistication, and the fact that many of the computer networks known to have been infected by it are in Iran, have led to speculation that Stuxnet is a state-sponsored attack.
The Stuxnet worm is a clever, complex example of a targeted threat. But security managers should not make the mistake of thinking that this level of malware, or the even more sophisticated attacks to come, requires state sponsorship. Stuxnet, like all malware, exploits vulnerabilities in corporate systems, processes and people, and a broad and highly experienced talent pool with varied motivations is at work producing powerful targeted malware. The key to avoiding or reducing damage from future targeted cybercrime attacks is to focus on eliminating or mitigating those vulnerabilities.
Stuxnet combines a number of techniques that use and exploit:
- Zero-day vulnerabilities
- Unpatched Windows vulnerabilities
- Known software vulnerabilities
- Vulnerabilities in programmable logic controllers (PLCs) commonly used in industrial control systems
- USB-based techniques for infecting networks that have no direct Internet connection
This attack represents an innovative combination of techniques that have already been used in financially motivated cybercrime attacks. The code targeting PLCs has attracted a great deal of attention, but is just another example of an attack that targets specific systems and attempts to evade detection. The control system vulnerabilities that Stuxnet exploits are well-known in the utilities industry. Similar attacks have targeted point-of-sale devices and payment systems, and there will be more attacks of this type. Enterprises need to focus on removing well-known vulnerabilities and ensuring that critical systems are shielded where unpatchable vulnerabilities could be exploited. And enterprises using industrial control systems shouldn't assume that they're protected by "security through obscurity" or that their networks are not vulnerable to external threats.
Recommendations for all enterprises (including those using industrial control systems):
- Accelerate patching processes or at least ensure that they have not degraded.
- Install endpoint protection software, including port control, device control and host-based intrusion prevention, on all PCs.
- Shield all business-critical systems with well-managed intrusion prevention technology and ensure that change management and control procedures are being complied with.
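The "device control" recommendation above can be illustrated with the Windows removable-storage policy that blocks the USB delivery path the note describes. This is an added example, not code from the original note; it assumes local administrator rights on a Windows host, and that a domain Group Policy object is not already managing these values (the registry locations and class GUID are the ones the corresponding Group Policy settings write).

```powershell
# Added example (not part of the original note): audit and, where needed,
# enforce a "deny read/write/execute on removable disks" device-control policy
# by writing the registry values behind the matching Group Policy settings.
# Assumes local admin rights and no domain GPO managing these values.
$Base = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\RemovableStorageDevices'
# Device setup class GUID for disk drives, which covers USB mass-storage devices.
$DiskClass = '{53f56307-b6bf-11d0-94f2-00a0c91efb8b}'
$Values = 'Deny_Read', 'Deny_Write', 'Deny_Execute'

function Get-RemovableDiskPolicy {
    # Returns one object per setting; a missing or 0 value means access is allowed
    # (the weak default), while 1 means the restriction is enforced.
    $key = Join-Path $Base $DiskClass
    foreach ($name in $Values) {
        $current = $null
        if (Test-Path $key) {
            $current = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        }
        [pscustomobject]@{
            Setting  = $name
            Value    = $current
            Enforced = ($current -eq 1)
        }
    }
}

function Set-RemovableDiskPolicy {
    # Denies read, write and execute on removable disks. USB-borne malware such
    # as Stuxnet depends on the host mounting and reading the drive at all.
    $key = Join-Path $Base $DiskClass
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    foreach ($name in $Values) {
        New-ItemProperty -Path $key -Name $name -PropertyType DWord -Value 1 -Force | Out-Null
    }
}

# Usage: report the current state, enforce only if something is still allowed,
# then re-check so the change is visible in the output.
$before = Get-RemovableDiskPolicy
$before | Format-Table -AutoSize
if ($before | Where-Object { -not $_.Enforced }) {
    Set-RemovableDiskPolicy
    Get-RemovableDiskPolicy | Format-Table -AutoSize
}
```

In production the same settings are deployed through a domain GPO or a dedicated device-control product rather than a local script, and already-mounted drives may need to be reconnected before the restriction applies.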