Till now no security vendor has been able to come up with an antidote for the dreaded "Flame" virus. Iran has claimed to have devised a fix for it, but has not publicly released it. Given the complexity of this malware, it will take a long time before the virus and its effects are thoroughly analysed and a fix is publicly released.
However, we can take precautionary measures to keep ourselves safe. The basis of a secure environment is a layered approach to security: secure the Perimeter, the Core and the Endpoints.

Your perimeter is usually secured by a firewall, and you need to make sure that its policies are robust enough to stop brute force attacks from the Internet. If it is a UTM, make sure the security features it ships with (IPS, gateway anti-virus, anti-spam, application control, DLP, etc.) are actually enabled and not left at their defaults.

What you really need to worry about is your application environment and the server farm. Flame is an espionage toolkit: once it has infected a host it harvests whatever that host can reach (documents, screenshots, keystrokes, network traffic) and sends it out, and it can remove itself when its operators are done, leaving little behind to analyse. The best bet here is a Web Application Firewall sitting just outside the server farm. It will not detect Flame itself, but it can catch the automated, bot-like behaviour of an infected host probing your applications. Keep in mind that what makes this virus complex is its wide array of stealth mechanisms and the diversity of its attack scope.

This virus typically resides on your endpoints and does the maximum damage from your internal resources, spying, collecting data and sending it to rogue elements on the Internet. Hence:

First, deploy a DLP solution so that unauthorised reading and transfer of files or database contents is logged and blocked rather than going unnoticed.

Second, deploy a host AV/anti-spyware solution with a host firewall, to at least block rogue connections and transfers to the Internet and the LAN.

Third, educate your users to stay away from dubious websites and create awareness of healthy use of their resources. Make sure that any suspected automated action on a PC, laptop or server is reported immediately; such activity shows up in the event logs, and you can dig deeper into the network side with tools like Wireshark.
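As an added example of the kind of "automated action" the post says to watch for (not code from the original post, and not tied to any real Flame indicator): the script below reads outbound firewall log lines and flags an internal host that contacts the same external destination at near-regular intervals, the beaconing pattern that distinguishes a scheduled exfiltration channel from a person browsing. The log lines and their field format are constructed for this example; the regular expression, the minimum hit count and the jitter threshold are assumptions you would tune to your own logs.

```python
"""Flag hosts that connect to the same external destination at near-regular
intervals. Log lines and their format are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed sample firewall log (syslog-style key=value); not a real capture.
# 10.0.5.17 hits one destination every ~5 minutes; 10.0.5.42 browses normally.
SAMPLE_LOG = """\
2012-06-01T09:00:02 src=10.0.5.17 dst=198.51.100.23 dport=443 action=allow
2012-06-01T09:00:05 src=10.0.5.42 dst=203.0.113.9 dport=80 action=allow
2012-06-01T09:05:01 src=10.0.5.17 dst=198.51.100.23 dport=443 action=allow
2012-06-01T09:07:33 src=10.0.5.42 dst=203.0.113.77 dport=80 action=allow
2012-06-01T09:10:03 src=10.0.5.17 dst=198.51.100.23 dport=443 action=allow
2012-06-01T09:12:48 src=10.0.5.42 dst=203.0.113.9 dport=443 action=allow
2012-06-01T09:15:02 src=10.0.5.17 dst=198.51.100.23 dport=443 action=allow
2012-06-01T09:20:01 src=10.0.5.17 dst=198.51.100.23 dport=443 action=allow
2012-06-01T09:31:19 src=10.0.5.42 dst=203.0.113.9 dport=80 action=allow
"""

# Assumed line layout; adapt the pattern to your firewall's export format.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) dst=(?P<dst>\S+) "
    r"dport=(?P<dport>\d+) action=(?P<action>\w+)$"
)


def parse(log_text):
    """Return a list of (timestamp, src, dst, dport) tuples, skipping
    lines that do not match the expected layout."""
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append(
            (datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dport"]))
        )
    return events


def find_beacons(events, min_hits=4, max_jitter=0.2):
    """Group events per (src, dst, dport) flow and return
    {flow: mean_interval_seconds} for flows seen at least min_hits times
    whose inter-connection gaps are regular, i.e. the coefficient of
    variation (stdev / mean) of the gaps is at most max_jitter."""
    by_flow = defaultdict(list)
    for ts, src, dst, dport in events:
        by_flow[(src, dst, dport)].append(ts)

    beacons = {}
    for flow, stamps in by_flow.items():
        if len(stamps) < min_hits:
            continue  # too few observations to call the timing regular
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) / avg <= max_jitter:
            beacons[flow] = avg
    return beacons


if __name__ == "__main__":
    for (src, dst, dport), interval in find_beacons(parse(SAMPLE_LOG)).items():
        print(f"possible beacon: {src} -> {dst}:{dport} every ~{interval:.0f}s")
```

On the constructed log the only flow reported is 10.0.5.17 to 198.51.100.23:443 at roughly 300-second intervals; the second host touches the same destination twice but with irregular gaps and too few hits, so it is not flagged. A real deployment would feed this from the firewall or proxy export, allow-list known update and monitoring servers, and treat a hit as a trigger for pulling the endpoint's event logs and a packet capture rather than as proof of infection.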

Very good! Keep going.
Very comprehensive and informative! Have you witnessed any instances of Flame infection?
Hey Ujvala, yes indeed. I have witnessed it in the Middle East region, that too with several key Govt entities.