231-922-9460 | Google +

Wednesday, May 30, 2012

Flame Malware A Real Scare

Story first appeared in The Wall Street Journal.
The complexity, size and geographic location of the computers affected by Flame, the malware that came to light Monday, points to state-sponsored cyber-espionage, and has been seen mainly as a geopolitical event. But the Flame code, which extracts data from networked computers and sends it to remote servers controlled by hackers, should also be seen by CIOs as a potential commercial threat and should cause them to reassess their Security Solutions – both on-premise and in the cloud.

Flame represents a next generation of malware because, while it combines many known ways of attacking systems and transmitting data back to remote servers, it is unique in how it has combined all of those malicious characteristics. Although many cyber-security experts have said most companies that create intellectual property – including a wide assortment of activities from pharmaceutical research to financial services and oil drilling – have already had their systems hacked, it may not be too late for CIOs to protect critical data. But, say experts, they will have to carefully assess their own networks, as well as their relationships with software vendors and cloud service providers with whom they do business.

Help Desk Services and analysts say that Flame should serve as a reminder to CIOs of how vulnerable they are, and give them a greater sense of urgency. Indeed the CIO of Land O’ Lakes, says he learned about Flame on the radio on his way into the office Tuesday, and his thoughts turned immediately to his cloud vendors. Like many CIOs, he has software running both on-premise and in the cloud, and says Flame is equally threatening to cloud and on-premise applications, but he wonders more about the risk mitigation strategies employed by his cloud partners. The question is, who will respond more quickly — cloud providers or his own internal data centers?

That’s a good question – cloud vendors generally do not accept liability for their clients data in the cloud.

The terms of service for Amazon’s AWS web services stipulate that the cloud vendor doesn’t accept liability for lost or altered data, and that customers are responsible for taking your own steps to maintain appropriate security, protection and backup of Your Content, which may include the use of encryption technology to protect Your Content from unauthorized access and routine archiving Your Content.

A Microsoft spokesperson said the company does accept liability for customer data on its Azure cloud platform, unless the customers themselves configured software improperly or otherwise created the conditions for a data breach. Rackspace and Google did not reply to requests for comment at the time of this writing.

Maintaining network security is hard enough on company-owned networks, but if you throw it over the wall to the cloud vendor and you don’t have visibility and control, it becomes impossible. Cloud vendors should provide customers with security tools, even if the customers themselves are responsible for configuring them.

The senior vice president and CIO of Hostess Brands Corporation, seemed to have these challenges in mind when he said he believes companies are limiting much of the data that they move to the cloud to less-critical information, because they are concerned about security.  Until CIOs can get a comfort level that is tenable and sustained, the movement to the cloud will be selective.

Closer to home, however, CIOs still have work to do. A security and privacy expert with the IEEE, a professional IT organization, says even a next generation of malware such as Flame can only get a toehold in an organization’s network by taking advantage of bad software. He blames vendors for building software that leaves customers susceptible to a malware attack, but says customers have to ask their vendors if the stuff you’re buying from them is secure or not, because a lot of people don’t even ask.

He says responsible vendors will respond honestly to that question.

CIOs need to ensure that software written by their own developers has security built into it, and can do this by following guidelines established in the BSIMM [Building Security In Maturity Model] standard. Beyond that, he said good security practice includes using tools to analyze existing software architecture, review code, and regularly hiring third parties to test the network for vulnerabilities by trying to penetrate it. McGraw says he’s “optimistic we’re actually making progress” in making safe software more ubiquitous. But, he said, the only way we can get in front of [issues like Flame] is building systems to be secure in the first place.

A Gartner analyst says Flame highlights the fact that we have to take a multi-pronged approach to malware. No single approach will be a silver bullet. New technologies that analyze the behavior of applications on networks can identify malware before it executes its code. Older anti-virus applications depend on being able to recognize the code used by malware, whereas newer generations of technology can see whether a particular type of application, like a PDF file, is trying to execute code – which it shouldn’t normally do.

An independent cybersecurity analyst, says CIOs should create an inventory of all a company’s data and classify it according to its value, much like the government does with state secrets. They should then take the equivalent of “top secret” data off the Internet. CIOs should also segregate data that is important but not critical, and monitor which persons and applications have access to it.

The reason this isn’t common practice is that many CIOs think about security in terms of legal requirements rather than common-sense approaches. Security is often a matter of compliance. Knowing where your critical data is isn’t an obligation, so it’s not done.

For more national and worldwide Business News, visit the Peak News Room blog.
For more local and state of Michigan Business News, visit the Michigan Business News blog.
For more Health News, visit the Healthcare and Medical News blog.
For more Electronics News, visit the Electronics America blog.
For more Real Estate News, visit the Commercial and Residential Real Estate blog.
For more Law News, visit the Nation of Law blog.
For more Advertising News, visit the Advertising, Marketing and Media blog.
For more Environmental News, visit the Environmental Responsibility News blog.
For information on website optimization or for the latest SEO News, visit the SEO Done Right blog.