Look out! It’s weaponised malware

Trade

19 January 2011

Stealth bomb: a stolen digital certificate, originally and legitimately issued by Verisign to a hardware vendor, was used to sign the virus's drivers so that Windows would load them without complaint

The much-publicised Stuxnet attack on an Iranian nuclear facility ought to worry all of us – not just those working close by when the virus caused about 1,000 centrifuges to spin outside their safe operating range. Digital security threats – and sometimes the hype surrounding them – have become commonplace in our interconnected world. However, the attack on Iran's uranium enrichment plant at Natanz brought a new dimension to cyber weapons, writes Jeff Hudson.

The malware was apparently introduced into the local area network, possibly on a USB drive. As researchers later discovered, it exploited four zero-day vulnerabilities in Windows. In addition, its kernel-mode drivers were signed with digital certificates, and the private keys behind them, stolen from two Taiwanese hardware vendors, Realtek and JMicron. Those certificates had originally and legitimately been issued to the vendors by Verisign, the world's largest provider of the electronic certificates that secure and authenticate internet traffic.

The Stuxnet virus unleashed at Natanz was self-propagating and spread until it reached the Siemens programmable logic controllers that set the speed of the centrifuges, which break down if not run at a precise speed. Its mission was to take over the controllers that set and monitor centrifuge speed and to damage the centrifuges. In other words: to act as a weapon. This is a significant step forward in the development of malware.


The new element in this virus-borne attack is that it was designed to cause physical damage to the Iranian facility of a kind that would previously have required bombs. Stuxnet has thus earned the dubious classification of weaponised malware.

This particular virus is estimated to have taken ten person-years of effort to develop. The tools used in development, the timestamps on the binaries and the number of modules written in different coding styles suggest multiple development teams. The origin of the malware has not been verified, but among the theories being touted is that it was developed by a nation state, or several, attempting to disrupt the Iranian nuclear programme.

Iran accounts for the largest share of known Stuxnet infections. However, it has also been found on systems in many other countries, and some security experts predict that numerous undetected instances are still active.

It’s no secret that weapons developed by national military programmes frequently become available to terrorists, rogue nations such as North Korea and to criminal organisations. It is just a matter of time. Modern examples include night-vision goggles, GPS systems, airborne drones, fully automatic rifles, Kevlar body armour and shoulder-launched missiles.

The questions are: when will weaponised malware and its derivatives be used to destroy, disable or steal valuable assets and information from other nations, utilities, banks, or telecommunication companies; and what can be done about it?

The Stuxnet weaponised malware used multiple zero-day vulnerabilities to infect its targets, and its drivers carried a valid digital signature made with a stolen certificate. Because the signature chained to a certificate authority that Windows already trusted, the drivers were loaded as if they came from a legitimate hardware vendor, with no warning to the user. The certificate thus allowed the malware to act as a trusted application and to communicate with systems and devices.

This is the first widely reported use of a stolen digital certificate in this type of attack, and it is a very ominous development. The level of threat has moved from downtime and a damaged reputation because a certificate has expired, to physical harm to your plant and your employees if the virus succeeds in pushing a manufacturing or utility process past its safe limits.

The use of four zero-day vulnerabilities and a stolen digital certificate signals the beginning of a new era of cyber warfare and cyber crime. The implications are enormous.

This is not the first attack of its kind to draw attention. Operation Aurora, the intrusions into Google and other companies in 2009 and 2010, was a first-generation example of a targeted, well-resourced campaign, although it was an espionage operation built on different code rather than a variant of Stuxnet. Stuxnet represents a significant evolutionary leap in complexity and sophistication, and the potential costs to the targeted organisation in the event of a successful attack are higher than ever.

Zero-day vulnerabilities cannot, by definition, be patched in advance, although their impact can be limited by hardening and least privilege. The use of unauthorised digital certificates by weaponised malware in a networked environment is another matter entirely. There are steps organisations can take to significantly reduce the risk of a successful attack.

The first consideration is knowing which digital certificates are active in the network. Most organisations do not know how many certificates they have, where they are installed, who installed them, whether they are valid or when they expire. The physical-security analogy is a building in which nobody knows which of the people inside are authorised to be there. Imagine a bank run that way. This is not an exaggeration, and it is unacceptable to anyone who takes security seriously: it is an unquantified risk. The only acceptable practice is to continually and actively discover the certificates on the network.

In addition, those certificates must be validated to confirm that they are functioning as intended, and monitored throughout their lifecycle so that they can be retired and replaced as the organisation's security policies dictate. Most organisations are deficient in this regard. This is an unmanaged risk, and one that can easily be brought under management. Failing to manage it leaves an organisation more exposed to attacks like Stuxnet. This is not scaremongering; it is a real threat that will affect an organisation sometime soon.
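As an added illustration of the inventory and validation described above, and of the signed-driver point made earlier, here is a small Go program (it is not part of Hudson's article, nor Venafi's product or code). It audits a constructed set of certificates for three things: expiry or imminent expiry, a chain to a root the organisation has approved, and, for code-signing certificates, membership in a list of the signers the organisation actually uses. The last check is the Stuxnet lesson: the stolen vendor certificates chained cleanly to a public root, so "validly signed" is not the same as "signed by us". The CA and host names, the in-memory issuing helper, the 30-day renewal window and the problem codes are all assumptions of the example; a real inventory would discover certificates on hosts and in binaries rather than mint them. It needs Go 1.21 or later for the slices package.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"slices"
	"time"
)

// Problem codes the audit attaches to a certificate.
const (
	Expired          = "expired"
	ExpiringSoon     = "expiring-soon"     // still valid, but inside the renewal window
	UntrustedChain   = "untrusted-chain"   // does not chain to a root the organisation approved
	UnapprovedSigner = "unapproved-signer" // chains fine, but is not a code signer we actually use
)

var day, now = 24 * time.Hour, time.Now() // one clock for issuing and auditing keeps the demo deterministic

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a demo certificate (a self-signed CA when parent is nil) in place of ones found on real hosts.
func issue(cn string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey,
	lifetime time.Duration, eku ...x509.ExtKeyUsage) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 62))),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             now.Add(-365 * day), // issued a year ago
		NotAfter:              now.Add(lifetime),
		ExtKeyUsage:           eku,
		IsCA:                  parent == nil,
		BasicConstraintsValid: true,
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey))
	return must(x509.ParseCertificate(der)), key
}

// Audit checks every discovered certificate against the CAs the organisation accepts (roots, which must
// include the public CAs its operating systems trust) and the SHA-256 thumbprints of the code-signing
// certificates it actually uses (approvedSigners). Findings are keyed by subject.
func Audit(certs []*x509.Certificate, roots *x509.CertPool, approvedSigners map[string]bool,
	at time.Time, renewWindow time.Duration) map[string][]string {
	report := map[string][]string{}
	for _, c := range certs {
		var problems []string
		_, err := c.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: at, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
		var invalid x509.CertificateInvalidError
		if errors.As(err, &invalid) && invalid.Reason == x509.Expired {
			problems = append(problems, Expired)
		} else if err != nil {
			problems = append(problems, UntrustedChain)
		}
		if c.NotAfter.After(at) && c.NotAfter.Sub(at) < renewWindow {
			problems = append(problems, ExpiringSoon)
		}
		// Stuxnet's lesson: a chain to a public root only proves that some CA issued the certificate,
		// not that the signer is one of yours, so pin the exact signers you expect by thumbprint.
		if slices.Contains(c.ExtKeyUsage, x509.ExtKeyUsageCodeSigning) && !approvedSigners[fmt.Sprintf("%x", sha256.Sum256(c.Raw))] {
			problems = append(problems, UnapprovedSigner)
		}
		report[c.Subject.CommonName] = problems // subjects are unique in this demo; key by thumbprint in practice
	}
	return report
}

// DemoReport audits a constructed inventory; every name in it is invented for the example.
func DemoReport() map[string][]string {
	corpRoot, corpKey := issue("Example Corp Root CA", nil, nil, 3650*day)
	publicRoot, publicKey := issue("Some Public CA", nil, nil, 3650*day)
	roots := x509.NewCertPool()
	roots.AddCert(corpRoot)
	roots.AddCert(publicRoot) // the OS trusts public roots, so the audit has to reckon with them too
	payments, _ := issue("payments.example.corp", corpRoot, corpKey, 10*day, x509.ExtKeyUsageServerAuth)
	legacy, _ := issue("legacy.example.corp", corpRoot, corpKey, -day, x509.ExtKeyUsageServerAuth)
	appliance, _ := issue("unknown-appliance", nil, nil, 400*day, x509.ExtKeyUsageServerAuth)
	ourSigner, _ := issue("Example Corp Build Signing", corpRoot, corpKey, 400*day, x509.ExtKeyUsageCodeSigning)
	vendorSigner, _ := issue("Some Hardware Vendor", publicRoot, publicKey, 400*day, x509.ExtKeyUsageCodeSigning)
	approved := map[string]bool{fmt.Sprintf("%x", sha256.Sum256(ourSigner.Raw)): true}
	return Audit([]*x509.Certificate{payments, legacy, appliance, ourSigner, vendorSigner}, roots, approved, now, 30*day)
}

func main() { fmt.Println(DemoReport()) }
```

Running it prints one entry per subject: the payments certificate is flagged as expiring, the legacy one as expired, the self-signed appliance as not chaining to an approved root, and the vendor's code-signing certificate as unapproved even though its chain verifies, while the organisation's own build signer passes clean. The chain check deliberately accepts any extended key usage so that it answers only one question, whether the certificate reaches a root the organisation chose to trust; the signer allowlist answers the separate question of whether that particular signer is expected.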

Why do organisations expose themselves to this unquantified and unmanaged risk? The reason is simple enough. Before Stuxnet, lackadaisical knowledge and management of digital certificates was viewed as acceptable. In addition, many board-level executives are not familiar with digital certificates: how they work, their role in security, and the practices and policies for managing them. This has to change. No board-level executive misunderstands or underestimates the importance of ensuring that only authorised individuals can enter a secure building. Yet those same executives naively allow unauthorised or unknown certificates to enter and operate on their networks.

In summary, there is an unquantified and unmanaged risk that allowed Stuxnet to propagate and operate on a network. This represents bad management of a critical part of a layered security model. Digital certificates are widely used to authenticate and identify entities on a network; poor management renders them ineffective for that purpose, and in some cases creates an opportunity for exploitation.

Stuxnet is a very loud wake-up call, because it exploited the poor certificate management practices that exist in many firms today. Implementing practices and policies for the management of digital certificates is an important and necessary component of a broad security strategy. It is one of the few controls that can detect the appearance of malware that uses digital certificates to authenticate itself. Weaponised malware has been, or will be, aimed at every company in the Global 2000. The responsibility is to act before the weapon strikes.

• Jeff Hudson is CEO of Venafi, the firm which developed enterprise digital certificate and encryption key management (ECKM) solutions. www.venafi.com


TechCentral.ie