Viewpoint: We must resist over-hyping security threats
- 8 March 2012
2011 has been the year of cybersecurity awareness, with the headlines frequently featuring reports of serious cyber-attacks and references to "cyber-warfare".
As a result, "cybersecurity" has gained much needed attention, allowing us to address some very real issues.
The last 18 months have also seen a spate of attacks on critical national infrastructure and control systems used by facilities including power stations and water treatment facilities.
These attacks, while not entirely new, generated new peaks of interest among hackers and the general public.
They were particularly interesting as they moved away from the most common targets of cyber criminals over the past few years: fraud and credit cards.
Threats such as Stuxnet and Duqu achieved widespread fame for targeting these systems. Unfortunately, they also provoked a torrent of security theatre and over-the-top speculation that provided rich fodder for the media and for security discussion groups.
There were many instances of inaccurate data and conflicting facts, which led to all manner of interesting conclusions about the targets of the attacks and the origins of the attackers.
For example, the number 19790509 was found in Stuxnet's code.
Its meaning was explained by various individuals as anything from the reference code for a planning application for a kitchen (disgruntled individuals denied planning permission are probably angry, but not to the extent of writing malware to infect control systems) to the politically significant execution date of an Iranian in Tehran.
My favourite theory: that it was the birthday of Rosario Dawson who starred in Men in Black 2.
Given that there are countless ways to interpret this number, it is wise to question the facts, especially when discussions are full of contradictory statements from experts declaring that "of course, the answer is obviously X".
Rather than trying to speculate, it makes more sense to focus on what we can actually do to mitigate the real, known issues.
Similarly, many claimed Stuxnet was some kind of unblockable super-virus.
I was particularly enchanted by the claim that Stuxnet could have easily shut down the entire UK transport network. This would have been impressive, as the last time I looked, these systems were not even that integrated or connected.
The fact is that, while Stuxnet was undoubtedly interesting, it was actually rather detectable and did not employ any of the nasty techniques that make so much modern malware hard to detect and block.
For example, many threats today frequently change their "appearance" to make detection difficult. Indeed, in SophosLabs we see on average 150,000 individual new threats every day and many use such nasty capabilities.
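To make the "changing appearance" point concrete, here is an added illustration (not code from the original article or from Sophos): a constructed toy payload, a hash-plus-byte-pattern signature for it, and a per-copy XOR re-encoding of the kind a polymorphic packer performs. The payload bytes, the signature and the four-byte stub layout are all assumptions made up for the example; no real malware is involved. The static signature matches the original but not any re-encoded variant; only unpacking the variant restores the match.

```python
"""Why static hashes and byte signatures miss polymorphic variants.

Added example. PAYLOAD is a constructed stand-in for a known sample; the
4-byte-key XOR "stub" is an assumed, deliberately simple packer layout.
"""
import hashlib
import os

# Constructed sample: not real malware, just bytes with a marker a
# signature could key on.
PAYLOAD = b"MZ\x90\x00...fake-dropper...CALL_HOME_TO_C2\x00"

# A static signature of the classic kind: the SHA-256 of the known
# sample plus a distinctive byte pattern taken from it.
KNOWN_HASHES = {hashlib.sha256(PAYLOAD).hexdigest()}
BYTE_PATTERN = b"CALL_HOME_TO_C2"


def static_detect(sample: bytes) -> bool:
    """Hash-or-pattern match, as a simple signature engine would do it."""
    return (hashlib.sha256(sample).hexdigest() in KNOWN_HASHES
            or BYTE_PATTERN in sample)


def xor_encode(data: bytes, key: bytes) -> bytes:
    """Repeating-key XOR; applying it twice with the same key is identity."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def make_polymorphic_copy(payload: bytes, key: bytes = b"") -> bytes:
    """Emit a fresh variant: 4-byte key in clear, then payload XOR key.

    A non-zero key changes every byte of the body, so each copy has a
    different hash and the byte pattern no longer appears contiguously.
    """
    while not key or not any(key):
        key = os.urandom(4)
    return key + xor_encode(payload, key)


def unpack(variant: bytes) -> bytes:
    """What the variant does to itself at run time (and what an
    unpacker or emulator reproduces): strip the key and undo the XOR."""
    key, body = variant[:4], variant[4:]
    return xor_encode(body, key)


def detect_with_unpacking(sample: bytes) -> bool:
    """Apply the static check to the sample as-is and to its unpacked form."""
    return static_detect(sample) or static_detect(unpack(sample))


def demo() -> dict:
    """Run the comparison on two freshly generated variants."""
    v1 = make_polymorphic_copy(PAYLOAD)
    v2 = make_polymorphic_copy(PAYLOAD)
    return {
        "original_detected": static_detect(PAYLOAD),
        "variant_static_detected": static_detect(v1),
        "variants_share_hash": (hashlib.sha256(v1).hexdigest()
                                == hashlib.sha256(v2).hexdigest()),
        "variant_unpacked_detected": detect_with_unpacking(v1),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

The unpacking step only works here because the toy stub's layout is known; against real packers the engine has to emulate or run the sample and inspect what it does, which is why behavioural detection matters more than hash lists once malware starts re-encoding itself per copy.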
Stuxnet did not do this, but it did demonstrate that liberal use of USB keys in supposedly isolated environments was commonplace and that use of basic security controls, including anti-virus software, was sadly infrequent in affected sites.
But what about the potential impact of these threats? Super-virus or not, the control systems that they targeted are indeed connected to important devices we need to worry about.
Equally, there are clearly security holes that need to be fixed, as demonstrated by a hacker posting evidence that he had penetrated a water treatment plant in South Houston in the US.
Stuxnet and other attacks show that it is actually basic security practices that fail on these systems rather than the success of unblockable super-viruses.
Failure to patch software, failure to run basic security controls, failure to use decent passwords and an abysmal and seemingly unrealistic reliance on isolation - a network isolated from the internet and other unsafe computers - are the real causes of failure here.
Yes, that's right, these are traditional desktop-style problems.
The issue could not be better expressed than by the words of a hacker involved in one of these breaches, pr0f: "I have entered a couple of different kinds of systems, but I am under no illusions about my level of skill. These are the least secure systems."
I absolutely do not want to play down the severity of attacks on such critical national infrastructure or of cyber security in general - clearly there is a real threat.
However, cybersecurity is all about proportionality and accuracy as to what the real issues are.
Without it, remediation becomes all the more difficult, particularly when companies with limited budgets gravitate towards remediating hyped theory rather than the real issues.
Moving into 2012, it is likely that we will see more examples of these attacks.
There are still many systems that do not apply the appropriate best practice and it seems to be "in vogue" to compromise them.
We would all do well, though, to remember that the sexiest attack is not necessarily the number one priority, and that we should be sceptical sometimes, just as we are with the spam messages we receive online.
James Lyne is director of technology strategy at the internet security firm Sophos. He can be followed on Twitter at @jameslyne