Flame On!

The security world exploded today with news of a new piece of malware found in Iran. It’s been a very long time since we’ve seen an unfounded industry panic on this scale. Phrases like “most advanced malware”, “super-weapon” and “new era in cyberwar” are being thrown around like confetti. So, let’s take a bit of a reality check.

Calm Down

1) Are you in the Middle East?

If not, relax. The evidence suggests that the malware is focused on the Middle East… likely either Iran or Israel. While malware does spread quickly, highly targeted malware focused on information theft does not. After all, if it did, the people running the systems wouldn’t be able to use the information they get. There would be too much of it.

2) Have you updated your systems in the last two years?

If so, relax. While the news is new, it looks like this malware was released in 2010. Modern malware is capable of attacking along numerous vectors, so simply patching may not be enough, but if you’re monitoring your systems properly, you probably would have noticed it by now.

3) Are you profoundly unlucky?

If not, relax. The Kaspersky report that has been widely cited lists the following infection counts: Iran – 189, Israel/Palestine – 98, Sudan – 32, Syria – 30, Lebanon – 18, Saudi Arabia – 10, Egypt – 5. This means that, as of May 28th… after Flame has been out for two years… it has infected 382 systems. In 2010, there were about five billion devices connected to the Internet (probably more now). So your odds of being infected are likely less than 0.0000076%. You are 22 times more likely to be struck by lightning than you are to get infected by Flame.

4) Are you a nation state?

If so, thank you! Most geopolitical entities don’t read my blog. If not, relax. Cyberwar is unlikely to affect you. The goals of Cyberwar are to steal critical intellectual property, identify what other nation states are up to and interfere with the capabilities of other nation states. The only one that really drifts into the private sector is the theft of intellectual property, which can be protected pretty easily.

Big Deal

So why are people making such a big deal out of this? Well, the first thing to consider would be who exactly is promoting this and how they’re doing it.

First, you have what I call “set it and forget it AV” companies. Kaspersky and Symantec were among the first to bring this news out. This shouldn’t come as a shock to anyone, as they make a lot of sales when a malware attack makes it all the way to the mainstream news. This is too bad, as both of these firms tend to do excellent technical analysis and it’s sad to see their research skewed into a FUD campaign.

Next, you have the response to these sorts of firms by the vendors that focus on analysis and response. Take at look at these responses by Sophos and Sourcefire. These two firms make their money selling tools that allow a competent administrator to get more done by leveraging analytics and determining appropriate responses.

Then you have a slew of mainstream media articles that reference “cybersecurity experts” (who often have nothing to do with malware) to comment on the issue. I’ve seen and heard quotes from people who do development security, physical security and governmental policy… which seems to be a response to a reporter needing a quick quote to get into the news cycle.

Finally, you have a bunch of individual posts (like this one) of individuals trying to catch the “Flame Wave” and boost SEO ratings. (Hiya Google, how you doin’?) Basically, everyone has a reason behind their actions. Before you start tossing money around to make the scary go away, stop for a minute and think.

What To Do

The first thing you should do is, as I stated above, relax a bit. Snap decisions are seldom the ones you want to make. Think about what advanced malware can do and how it gets in. Here are the facts.

Protecting against Flame is EXACTLY like protecting against other malware. Nothing in Flame is technologically new.

Modern malware targets data and takes advantage of missing patches. If you don’t know the Who, What, Where, How and Why of your data, you can’t control it. If you aren’t maintaining your operating systems and the applications that run on them, you are at risk. Also if your users are running as local administrators, there’s not much you can do.

Modern malware does a lot of really neat things too, like infect smart phones, hide its tracks, punitively wipe systems if you tamper with it. Heck, for all I know, it’s also responsible using the last piece of toilet paper and not replacing the roll. However, if you are letting your users run with administrative permissions, you’re not patching your systems and you don’t understand your data, this isn’t going to matter.

Basically, you have to walk before you run… and before you walk, you have understand how. Most organizations that I work with are still at the crawling stage. If you cannot answer “Yes” to each of the following questions, don’t even think about Flame/Duqu/Stuxnet/BoogaThreat. Focus on getting your own house in order first.

1) I know exactly where all my data is.
2) I know that I need all of the data I have.
3) I have classified the data I have according to criticality.
4) I have implemented technology to detect and respond to data as it crosses security zones.
5) I am completely confident that all my operating systems are up to date.
6) I understand each application in my environment, why it is there and am certain that it is up to date.
7) None of my users are using administrative permissions as part of their daily work.
8) I have installed and am maintaining a modern anti-malware stack or application whitelisting solution on each system on my network.
9) I have installed and am maintaining an intrusion detection solution on my network.
10) I pay attention to the alerts from all of my awareness systems and respond appropriately.

If you’ve answered “No” to any of these, that’s where you have to focus. If you have trouble, let me know. I’m here to help. (Guess why I take the time to write posts.)