Safeguarding critical infrastructure from the next Stuxnet

By Francis deSouza, senior vice president, Enterprise Security Group, Symantec, Network World |  Security, Stuxnet

* Leverage reputation-based detection techniques. Traditional protections, such as signature-based antivirus, are the most common defense against the initial infection stage. Unfortunately, much modern targeted malware is re-packed or mutated before each new attack and tested against antivirus products to make sure it evades detection; some malware even uses self-mutating code that is all but invisible to signature-based protection. Signature-based detection is also ineffective against brand-new, never-before-seen malware, which is what many of the initial Stuxnet infections were. Look for a reputation-based detection system that draws on large databases of metadata and prevalence information about virtually all known good and bad files to single out unknown, rarely seen, and therefore likely malicious software.

* Take advantage of managed security services. Managed security services are offered by many security vendors, and their goal is to shift the burden of day-to-day security operations to a qualified vendor. In the case of Stuxnet, a managed security service would, for example, monitor inbound traffic and downloads for .LNK (Windows shortcut) files, which could carry an exploit for one of the now-patched zero-day vulnerabilities the threat used.

* Implement and enforce device control policies. A feature of advanced endpoint protection products, device control gives administrators the ability to monitor and control the behavior of devices by creating and enforcing related policies. Because industrial control systems are often disconnected from the Internet and from the wider corporate network for security reasons, thumb drives are frequently used to transfer data to and from those systems and to apply patches. Stuxnet's authors knew this, and the spread of the threat relied on it: infected thumb drives carried into organizations by unwary contractors were likely one of the initial propagation methods. Device control policies can govern which files and applications are allowed to run from thumb drives and, if properly set, will prevent malicious executable files like those used by Stuxnet from running on targeted systems.
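The shortcut-file monitoring in the managed-services point and the removable-media policy in the device-control point both come down to the same check: identify executables and Windows shortcuts by their content rather than their file extension, and apply a deny rule to them when they arrive from an untrusted source. The following script is an added example, not code from the article or from Symantec; it builds a constructed sample "thumb drive" in a temporary directory (a minimal PE stub, a minimal .LNK header, and a few data files, none of them real binaries) and scans it. The policy set `BLOCKED_KINDS`, the `Finding` record, and the function names are assumptions made for the example.

```python
import os
import struct
import tempfile
from dataclasses import dataclass
from typing import List, Set

# ShellLinkHeader starts with HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

# Policy assumed for this example: on removable media, block anything that is
# a PE image, a bare MZ image, or a shell link, whatever its extension says.
BLOCKED_KINDS: Set[str] = {"pe", "mz", "lnk"}
EXT_BY_KIND = {"pe": {".exe", ".dll", ".sys", ".scr", ".cpl"}, "lnk": {".lnk"}}


@dataclass
class Finding:
    path: str
    ext: str
    kind: str
    verdict: str  # "allow" or "block"
    reason: str


def classify(data: bytes) -> str:
    """Identify the file type from its leading bytes, ignoring the extension."""
    if data[:20] == LNK_MAGIC:
        return "lnk"
    if data[:2] == b"MZ" and len(data) >= 0x40:
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00":
            return "pe"
        return "mz"  # MZ stub without a PE signature in the bytes we read
    return "data"


def evaluate(path: str, data: bytes, policy: Set[str] = BLOCKED_KINDS) -> Finding:
    """Apply the removable-media policy to one file's content."""
    ext = os.path.splitext(path)[1].lower()
    kind = classify(data)
    if kind in policy:
        expected = EXT_BY_KIND.get(kind, set())
        if expected and ext not in expected:
            reason = f"{kind} content disguised with extension {ext or '(none)'}"
        else:
            reason = f"{kind} files may not execute from removable media"
        return Finding(path, ext, kind, "block", reason)
    return Finding(path, ext, kind, "allow", "data file")


def scan_removable_media(mount_point: str, policy: Set[str] = BLOCKED_KINDS) -> List[Finding]:
    """Walk a mount point and evaluate every file by its first 4 KiB."""
    findings = []
    for root, _dirs, files in os.walk(mount_point):
        for name in files:
            p = os.path.join(root, name)
            with open(p, "rb") as fh:
                head = fh.read(4096)
            findings.append(evaluate(p, head, policy))
    return findings


def blocked_names(findings: List[Finding]) -> List[str]:
    return sorted(os.path.basename(f.path) for f in findings if f.verdict == "block")


def _minimal_pe() -> bytes:
    # Constructed 64-byte DOS header with e_lfanew = 0x40, then a PE signature.
    hdr = bytearray(b"MZ" + b"\x00" * 62)
    struct.pack_into("<I", hdr, 0x3C, 0x40)
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 20


def _minimal_lnk() -> bytes:
    # Constructed 76-byte ShellLinkHeader with every field after the CLSID zeroed.
    return LNK_MAGIC + b"\x00" * (0x4C - len(LNK_MAGIC))


def build_sample_drive() -> str:
    """Create a constructed thumb-drive image in a temp directory."""
    d = tempfile.mkdtemp(prefix="usb_")
    samples = {
        "report.docx": b"PK\x03\x04" + b"\x00" * 32,  # zip container, allowed
        "readme.txt": b"plain text notes\n",
        "update.exe": _minimal_pe(),
        "vendor_tool.txt": _minimal_pe(),  # executable hiding behind .txt
        "Open Me.lnk": _minimal_lnk(),
    }
    for name, content in samples.items():
        with open(os.path.join(d, name), "wb") as fh:
            fh.write(content)
    return d


if __name__ == "__main__":
    drive = build_sample_drive()
    for f in scan_removable_media(drive):
        print(f"{f.verdict:5} {f.kind:4} {os.path.basename(f.path)!r}: {f.reason}")
```

Two design points matter here. First, the scan keys off file content, so renaming an executable to `.txt` (as `vendor_tool.txt` does above) still produces a block verdict; a policy that only matches extensions would wave it through. Second, shortcut files are denied outright rather than merely prevented from "running", because a shell link does its work when the shell parses it to display an icon, not when a user launches a program, so an execution-only rule is not enough on its own.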

Originally published on Network World.