
26 September 2010


Thomas Coats

This may be a bit of a rant, but, now that the dust has settled a bit, it probably would be a good idea to assess what Stuxnet means going forward for us in the security community. While it is not the end of the world, it definitely made cyber warfare, or just plain physical sabotage using software, a lot more realistic.

Just my two cents, but this comes pretty close to the scenario from an old Tom Clancy Ops-Room novel. Those of us who have been involved in risk assessments have often been accused by management of telling nightmare stories. How many times have you heard: "This is a secure network, so we don't need to implement x, y or z"? That is bad enough when they claim the firewalls are good enough to justify weak passwords, but when the network was physically isolated you tended to let them have their way.

The main lesson I am taking from this is that the simple controls we have all forced on our networked colleagues are now strongly recommended for "secure networks" too. I mean things like strong passwords, changing the vendor default passwords and keeping your OSes up to date. Someone reintroduced virus distribution through sneakernet.

I like to say "know who your enemies are," but this time it really has demonstrated how vulnerable we are with so many uncontrolled devices out there, and I really mean embedded OSes on devices that were never meant to be updated or to have security built in: factory robots, SCADAs, DCMs. It is not the end of the world, and I suppose we should be thankful for the work, but it seems like a Sisyphus parody.

Stuxnet is a game changer just like Nimda and Slammer were, but it is a bit worse because the playing field is not just the Internet and corporate intranets; it really is everywhere now. It makes my head hurt just to think of it.
