Get Back to Basics: Stuxnet and Aurora Lessons

Thursday, February 24, 2011



Dennis Fisher of ThreatPost had an interesting post-RSA Conference take on the information security industry, and the need for enterprise security to get back to basics.

Fisher characterizes the extremely high level of attention tailored exploits like Stuxnet and Aurora have received as being "scare 'em and snare 'em" tactics used by vendors to drive sales.

While the vendors continue to point out the latest and greatest malware to hit the scene, the majority of enterprises are still vulnerable to the old, boring, less sexy threats - and that is where information security resources should be focused.

"The plain fact is that most organizations are falling far short in protecting against the same threats that they've faced for the last 10 years. SQL injection, phishing, malicious attachments, social engineering. Old, every one of them. And yet, still incredibly effective at compromising networks in some of the best-known and theoretically best-protected companies," Fisher wrote.

Fisher says that too many companies are being distracted by the glitzy, news-making exploits that may never materialize as a threat to most organizations, while neglecting remediation of the more mundane threats that the company is most likely to actually run up against.

Fisher's article goes on to cite a recent blog post by security researcher Michal Zalewski, which argues that the discussion in recent months about complex, targeted attacks is largely hype that draws the industry's attention away from the areas where substantial progress can be made.

"It is tempting to frame the constant stream of high-profile failures as a proof for the evolution of your adversary. But when you realize that almost every single large institution can probably be compromised by a moderately skilled attacker, this explanation just does not ring true. The inability to solve this increasingly pressing problem is no reason to celebrate - and even less of a reason to push for preposterous, unnecessary spending on silly intelligence services, or to promote overreaching and ill-defined regulation. If anything, it is a reason to reflect on our mistakes and perhaps go back to the drawing board," Zalewski blogged.

Fisher closes his article by commenting that the bad guys have always been there, and have always had the advantage in designing successful attacks, and that fact will remain a constant.

Security professionals, and the organizations that employ their skills, should not get caught up in the emotions generated by vendor marketing departments, and should get back to security basics.


The views expressed in this post are the opinions of the Infosec Island member that posted this content. Infosec Island is not responsible for the content or messaging of this post.