Stuxnet, Duqu, Flame: What It Means For You

Stuxnet.jpgThe cyberweapon genie is out of the bottle, and the U.S. is engaged in a cyberwar. Now it becomes clear why the Government has been trying to get private industry to agree to certain cybersecurity standards. They are basically like an "arsonist calling for a better fire code", as per Jason Healey, director of the Cyber Statecraft Initiative at the Atlantic Council.

June 2012 it was revealed that the White House decided to wage cyberwar against Iran starting with the Bush Administration and continued in an intensified form by the Obama Administration. President Obama was, and I assume still is, personally involved with the details of the attacks on the Iranian Natanz uranium enrichment facility.
In David E. Sanger’s book ‘Confront and Conceal: Obama’s Secret Wars and Surprising Use of American Power’ this has been spelled out for the first time. Michael D. Hayden, the former chief of the CIA, said: ”This is the first attack of a major nature in which a cyberattack was used to effect physical destruction… you can’t help but describe it as an attack on critical infrastructure.”
He continued with: “Somebody has crossed the Rubicon… in one sense at least, it’s August 1945, the month that the world saw the first capabilities of a new weapon, dropped over Hiroshima. The big difference is that the cyberweapons that were created by the U.S. Administrations are weapons of precise destructions, not mass destruction, but Hayden does make a good point, in the hands of cybercriminals it easily can become a weapon of mass destruction.

The U.S. Administration obviously wanted to keep this under wraps as long as possible, and even when it was discovered, hoped it would be unattributable. So much for that. The idea was if they could damage Iran’s uranium enrichment capabilities, it would not be necessary for Israel to bomb Natanz, and potentially spark a war in the Middle East with disastrous consequences for oil prices. I understand all that. But now you have highly powerful cyberweapons in the hands of every somewhat capable hacker. Compare that to the limited nuclear proliferation we have today and you see that this genie is impossible to put back in the bottle.

Now, what risks are we talking here? Well, there is a spectrum of cyberthreats that you can see in a gradient scale from nuisance to catastrophic. Spam is a nuisance, your economic infrastructure shut down and utilities destroyed sets you back 50 years as a country. No, the sky is not falling. But bad guys are now having their hands on some mighty powerful malcode that could be used to penetrate your organization. How to protect yourself?

ABC News investigative producer Lee Ferran argues that “human carelessness” is more responsible for cyberthreats than technical advances: “no matter how sophisticated the attack or how capable the defenses, the weakest link in cybersecurity is often the human at the keyboard.” He just wrote an article called Bigger Than Flame, Stronger Than Stuxnet: Why ‘Idiot’ Humans Are Best Cyber Weapon.

And I think he is right. How did the U.S. and Israel get Stuxnet into Natanz? With a bit of simple social engineering: the humble thumbdrive carried it in. All your employees need to be trained against social engineering attacks. And our
new Internet Security Awareness Training is just the ticket to get there.


Topics: Cybercrime

Subscribe to Our Blog

Comprehensive Anti-Phishing Guide

Get the latest about social engineering

Subscribe to CyberheistNews