Security in the World of Flame

The recently revealed Flame virus has taken cyberweapons to a new level. In size and scope it represents an order-of-magnitude advance over the Stuxnet worm, which first ushered us into the age of Great Power cyberwar.

Oh, yes, and Flame probably spread itself by hijacking the ubiquitous Windows Update.

Two early lessons emerge from the unfolding story of Flame. First, security challenges in the age of cyberweapons and cyberwar are every bit as complex and murky as we might have imagined. And second, you can't really depend on others to safeguard your data. You have to protect it yourself.

Flame itself is not entirely new. According to Kaspersky Labs, the security outfit that first publicly identified and reported it, the weapon virus has been spreading since 2010. The package itself is about 20 times larger than Stuxnet. And unlike Stuxnet, Flame is (as far as we know) not a "weapon" in the narrow sense of physically disabling the systems it runs on.

If Stuxnet was a smart bomb, Flame is a reconnaissance drone. Stuxnet reportedly wrecked centrifuges used for the Iranian nuclear program. Flame burrows into systems and reports back their data and status. Whether the drone can also carry missiles remains unknown or unreported.

Flame has spread primarily through the Middle East, and – as with Stuxnet – Iran appears to be the specific target. The sophistication of Flame suggests a "state sponsored" cyberweapon. And given its targeting, the US and Israel are leading suspects in its development and deployment.

All of this would by itself be plenty to grab our attention. But a few days after Flame was first revealed to the world, a dramatic further twist emerged. Flame exploited Windows Updates to propagate itself.

If you are a Windows user, have you ever idly wondered how you could be sure that those weekly Windows Update downloads really come from Microsoft? Now you know the answer: You can't be absolutely sure.

Microsoft is taking steps to beef up the security of Windows Updates, but these steps are already encountering criticism. And the fact is that users cannot assume that any updating process is absolutely secure.

(Mac users should not be too quick to pat themselves on the back. As we are learning, Macs are not invulnerable, especially if any might be in use by Iranian weapons programs.)

Vendors, even giants like Microsoft, cannot take care of your data security for you. Only you can do that. Data security is not primarily about technology as such. It is about creating and implementing the policy that governs technology.

The security principles set forth in industry standard ISO/IEC 27002 provide a framework for effective security, built around the cycle of Plan, Do, Check, and Act (PDCA). Many good security products are on the market, but all are designed to meet specific threats – and will not block other threats. At GRT Corp. our security philosophy is built around these words by noted security expert Dr. Bruce Schneier: "Security is not a product, but a process."