SANS Diary: Stuxnet Analysis by Marcus Sachs (Version: 1)

We normally don’t write diaries about analysis published by others since most readers also use rss, Twitter, Facebook, and countless other alerting services.  By the time we note an article it’s already “old news.”  But I want to take exception to our internal policy and point out a very interesting analysis by Symantec of the Stuxnet malware.  In particular, watch the demonstration they put together that shows how it works.  While the demo is for Stuxnet, it brings home many of the techniques that have been perfected over the past two years to bypass firewalls, intrusion detection systems, and other classic defense mechanisms.

Why is this important?  Well, we need to start rethinking how we are going to defend our networks in the coming years and decades.  Layers of defense are, of course, important – but what should those layers be?  I’m afraid that many organizations are still defending themselves as though it’s 1998.  Firewalls and other “blinking light” mechanisms are not enough.  Neither is patching, changing passwords,  shutting off unneeded services, or any of the primary best practices we’ve been preaching as as security professionals for many years.  We need a new “layer” to add to our defensive strategies.  But what is that layer?  If you have ideas, please use the comment link below to add them to this diary.

Marcus H. Sachs
Director, SANS Internet Storm Center

About these ads