Viewpoint: We must resist over-hyping security threats

2011 has been the year of cybersecurity awareness, with headlines frequently featuring reports of serious cyber-attacks and references to "cyber-warfare".

As a result, "cybersecurity" has gained much needed attention, allowing us to address some very real issues.

The last 18 months have also seen a spate of attacks on critical national infrastructure and on the control systems used by facilities such as power stations and water treatment plants.

These attacks, while not entirely new, prompted new peaks of interest among hackers and the general public.

Image caption: There were claims that Stuxnet could shut down the entire UK transport network

They were particularly interesting because they moved away from the most common targets of cyber criminals in recent years: fraud and credit-card theft.

Far-fetched analysis

Threats such as Stuxnet and Duqu achieved widespread fame for targeting these systems. Unfortunately, they also provoked a torrent of security theatre and over-the-top speculation that provided rich fodder for the media and for security discussion groups.

There were many instances of inaccurate data and conflicting facts, which led to all manner of interesting conclusions about the targets and the origins of the attackers.

For example, the number 19790509 was found in Stuxnet's code.

Its meaning was explained by various individuals as anything from the reference code for a kitchen planning application - people refused planning permission are probably angry, but not to the extent of writing malware to infect control systems - to the politically significant date of an execution in Tehran.

My favourite theory: that it was the birthday of Rosario Dawson who starred in Men in Black 2.


Given that there are countless ways to interpret this number, it is wise to question the facts, especially when discussions are full of contradictory statements from experts asserting that "of course, the answer is obviously X".

Rather than speculating, it makes more sense to focus on what we can actually do to mitigate the real, known issues.

Seeking Stuxnet

Similarly, many claimed Stuxnet was some kind of unblockable super-virus.

I was particularly enchanted by the claim that Stuxnet could easily have shut down the entire UK transport network. This would have been impressive, as the last time I looked, those systems were not even that integrated or connected.

The fact is that, while Stuxnet was undoubtedly interesting, it was actually rather detectable and did not really use any of the evasion techniques, now common in modern malware, that make a threat hard to detect and block.

Image caption: Hollywood actress Rosario Dawson was linked to Stuxnet by her birth date

For example, many threats today are repacked or otherwise change their "appearance" frequently, so that signature-based detection struggles to keep up. Indeed, in SophosLabs we see on average 150,000 individual new threats every day, and many use such nasty capabilities.

Stuxnet did not do this, but it did demonstrate that liberal use of USB keys in supposedly isolated environments was commonplace, and that the use of basic security controls, including anti-virus software, was sadly infrequent at affected sites.

Basic mistakes

But what about the potential impact of these threats? Super-virus or not, the control systems they targeted really are connected to equipment whose compromise we need to worry about.

Equally, there are clearly security holes that need to be fixed - as demonstrated by a hacker posting evidence that he had penetrated a water treatment plant in South Houston in the US.

Stuxnet and other attacks show that these systems fall to failures of basic security practice, not to the success of unblockable super-viruses.


Failure to patch software, failure to run basic security controls, failure to use decent passwords, and an abysmal and seemingly unrealistic reliance on isolation - the assumption that a network is cut off from the internet and from other unsafe computers - are the real causes of failure here.

Yes, that's right, these are traditional desktop-style problems.

The issue could not be better expressed than in the words of a hacker involved in one of these breaches, pr0f: "I have entered a couple of different kinds of systems, but I am under no illusions about my level of skill. These are the least secure systems."

Limited funds

I absolutely do not want to play down the severity of attacks on critical national infrastructure, or of cyber security in general - clearly there is a real threat.

However, cybersecurity is all about proportionality and accuracy as to what the real issues are.

Without it, remediation becomes all the more difficult, particularly if companies with limited budgets gravitate towards remediating hyped theory rather than the real issues.

Moving into 2012, it is likely that we will see more examples of these attacks.

There are still many systems that do not apply the appropriate best practice, and it seems to be "in vogue" to compromise them.

We would all do well, though, to remember that the sexiest attack is not necessarily the number one priority, and that we should sometimes be sceptical, just as we are with the spam messages we receive online.

James Lyne is director of technology strategy at the internet security firm Sophos. He can be followed on Twitter at @jameslyne

BBC © 2014