The Lesson of Stuxnet and Aurora: Get Back to Basics or Get Owned

SAN FRANCISCO–It’s often said that after decades of work and technological advances, the security industry hasn’t actually solved any problems or made things any better. But that’s not entirely true. The industry has in fact perfected the art of exploiting the scare ’em and snare ’em, threat-of-the-moment mentality that’s turned security into a perpetual cash-generation machine. And it’s all for naught.

SAN FRANCISCO–It’s often said that after decades of work and technological advances, the security industry hasn’t actually solved any problems or made things any better. But that’s not entirely true. The industry has in fact perfected the art of exploiting the scare ’em and snare ’em, threat-of-the-moment mentality that’s turned security into a perpetual cash-generation machine. And it’s all for naught.

Nowhere is the state of this art clearer or on more flagrant display than at the RSA Conference here every year, a week-long industry love-in during which thousands of sales and marketing executives descend upon the city to mingle with dozens of actual security professionals. The agenda for the week is clear: Hammer home the fact that your product protects enterprises against <insert threat here>. The flavor of the week this time around was Stuxnet/Aurora/Iran/China/terrifying professional adversary.

For the most part, the idea that Product A, which was designed to address Threat A seven years ago, is now being touted as a perfect countermeasure to Threat B is treated as a harmless joke in the industry. Everyone does it. Threats come and go, so companies that want to stick around need to adapt. The threat from professional or state-sponsored attackers using super-sophisticated custom malware to compromise government agencies, banks, Google, nuclear plants and other high-profile targets is simply the latest iteration of that.

But the problem with this evolution is that attacks such as Stuxnet or Operation Aurora or GhostNet are not what most enterprises and organizations need to be worried about. The plain fact is that most organizations are falling far short in protecting against the same threats that they’ve faced for the last 10 years. SQL injection, phishing, malicious attachments, social engineering. Old, every one of them. And yet, still incredibly effective at compromising networks in some of the best-known and theoretically best-protected companies.

In other words, Stuxnet and Aurora have been owning networks around the world, without ever touching them.

Security researcher Michal Zalewski points out that all of the discussion in recent months of these highly targeted attacks has obscured the fact that this kind of attack not only is nothing new, it’s not even worth worrying about for most organizations.

“It is tempting to frame the constant stream of high-profile failures as a proof for the evolution of your adversary. But when you realize that almost every single large institution can probably be compromised by a moderately skilled attacker, this explanation just does not ring true. The inability to solve this increasingly pressing problem is no reason to celebrate – and even less of a reason to push for preposterous, unnecessary spending on silly intelligence services, or to promote overreaching and ill-defined regulation. If anything, it is a reason to reflect on our mistakes and perhaps go back to the drawing board,” Zalewski wrote in a blog post recently.

His point is well-made. And while it may be tempting to dismiss this line of thinking as just a thought exercise or hair-splitting about who the attackers are, that would be a mistake. Focusing on shadowy, highly-funded and motivated attackers that may be targeting your organization can divert your resources and personnel away from the less sexy and headline-worthy attackers who most definitely are targeting you.

The script kiddies that were defacing web sites and playing DDoS tag 10 years ago didn’t go away; they moved on to more profitable activities such as spear phishing and planting malware on your home page to exploit visitors. Doesn’t sound serious? Keep in mind that many of the victims of Operation Aurora were compromised through malicious PDFs attached to emails. None of these attacks is a joke and if you’re compromised, you don’t much care who did it in many cases. You just care that you’re owned.

But it’s important to remember when trying to discern the signal from the noise that determined attackers have always existed and they’ve always had the advantage. That’s not likely to change anytime soon, regardless of what scary mask they may be wearing at the moment or may don in the future.

Suggested articles