May 2012

“Flame” Virus Reinforces the Need for Situational Awareness

If you are a security professional, or work in an IT security capacity, I’m sure you have heard by now of the “Flame” virus, which is being used to extract intellectual property through a range of stealth surveillance capabilities, including turning on the system microphone to record conversations in the room. This hacking framework has been likened to Stuxnet, but it does not share Stuxnet’s targeted focus on damaging SCADA and Industrial Control Systems equipment. The main objective of this virus appears to be to steal information.

While some have called this the most complex malware framework since Stuxnet, in my opinion Flame is simply the next logical evolution of the IP-stealing threats we have seen over the past 18 months.

Although Flame does not appear to have been written specifically to harm SCADA and Industrial Control Systems, it does reinforce the need for strong perimeter protection and situational awareness. Since Flame is targeting corporate IT environments, those organizations that still have their SCADA and Industrial Control Systems directly on their corporate IT networks will have the hardest time protecting their SCADA / ICS components.

We are often asked by our clients which small security investments pay off the most in terms of a more secure environment. Implementing a strong perimeter between the corporate IT and SCADA networks will block about 95% of typical IT threats. If we assume that most major corporations have been or will be hacked at some point in their lifecycle, we should back up that strong SCADA defense perimeter with detective capabilities. In our field assessments, we have seen an unfortunate trend: most organizations do not have the technology or processes in place to detect when they have been compromised. Monitoring basic network statistics, such as the amount of traffic (bytes) sent and received by each switch port and trunk, can provide a clue when information is being stolen right through the firewall.
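One way to turn the per-port byte counters mentioned above into a detective control, as an added example that is not from the original post: each port is compared against its own recent baseline, and a trunk toward the corporate side that suddenly sends far more than it normally does is flagged. The counter samples, port names and thresholds below are constructed for illustration.

```python
from statistics import mean, pstdev
from typing import Dict, List, Tuple

# Constructed per-port counter deltas: (in_bytes, out_bytes) per 5-minute poll,
# mimicking differences of SNMP ifInOctets/ifOutOctets. Port names are hypothetical.
SAMPLES: Dict[str, List[Tuple[int, int]]] = {
    # HMI port: steady polling traffic, nothing unusual in the latest interval
    "Gi1/0/1 (HMI)": [(2_000_000 + 50_000 * (i % 3), 300_000 + 10_000 * (i % 4))
                      for i in range(12)],
    # Trunk to corporate IT: ~1.2 MB egress per interval, then a 60 MB outbound burst
    "Gi1/0/24 (trunk)": [(9_000_000 + 100_000 * (i % 5), 1_200_000 + 40_000 * (i % 3))
                         for i in range(11)] + [(9_200_000, 60_000_000)],
}


def baseline(history: List[Tuple[int, int]]) -> Tuple[float, float]:
    """Mean and standard deviation of outbound bytes over the baseline window."""
    outs = [out for _, out in history]
    return mean(outs), pstdev(outs)


def check_port(history: List[Tuple[int, int]],
               sigma: float = 3.0, min_ratio: float = 3.0) -> List[str]:
    """Return the reasons the latest interval looks anomalous (empty list = normal)."""
    *past, (latest_in, latest_out) = history
    mu, sd = baseline(past)
    reasons = []
    # Signal 1: egress volume well above this port's own baseline. The min_ratio
    # floor stops a near-constant baseline (tiny sd) from flagging trivial bumps.
    if latest_out > mu + sigma * sd and latest_out > min_ratio * mu:
        reasons.append(f"egress {latest_out:,} B vs baseline {mu:,.0f} B (sd {sd:,.0f})")
    # Signal 2: direction flip. A port that normally receives more than it sends
    # (e.g. an ICS segment pulling data) suddenly pushes far more than it receives.
    ratios = [out / inb for inb, out in past if inb]
    if ratios and latest_in and mean(ratios) < 0.5 and latest_out / latest_in > 2.0:
        reasons.append(f"out/in ratio {latest_out / latest_in:.1f} vs usual {mean(ratios):.2f}")
    return reasons


def detect_egress_spikes(samples: Dict[str, List[Tuple[int, int]]]) -> Dict[str, List[str]]:
    """Map each anomalous port to its list of reasons; normal ports are omitted."""
    findings = {}
    for port, history in samples.items():
        reasons = check_port(history)
        if reasons:
            findings[port] = reasons
    return findings


if __name__ == "__main__":
    for port, reasons in detect_egress_spikes(SAMPLES).items():
        print(port, "->", "; ".join(reasons))
```

In practice the baseline window would be longer than eleven polls and the counters would come from the switch via SNMP or flow export, but the comparison logic is the same.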

Ask yourself and others within your company whether you believe your organization can currently deflect stealthy network attacks like Flame. Then ask the next question: can you detect whether you have been compromised? Start asking the tough questions – that is the only way we can collectively raise our level of security.

Jonathan
