Shamoon-Proofing Critical Infrastructure Companies
May 31, 2013 | Uncategorized | Yariv Lenchner
by Yariv Lenchner
The Shamoon virus was designed with one thing in mind – causing mass destruction. It’s a malicious information-stealing malware which also destroys infected machines by overwriting their Master Boot Record, leaving no option to recover the data.
It’s been more than nine months since a person with privileged access to Saudi Aramco’s network unleashed the Shamoon virus and caused huge damage to the company’s computers. Nine months – and the virus still presents a grave threat to the critical infrastructure industry.
This is why it was so concerning when the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) recently released a recommendation on mitigation strategies for Shamoon. The malware is still active in the wild and could cripple critical infrastructure companies if introduced into their networks.
It’s no surprise the mitigation strategies highlight the importance of controlling access to and management of privileged accounts. The recommendation contains both tactical and strategic actions, many of which can be addressed by implementing Cyber-Ark’s solution for securing and monitoring privileged accounts and activity. These include:
Password Management (using Cyber-Ark’s Privileged Identity Management Suite)
- Secure admin accounts
- Ensure password policy rules are enforced and admin password values are changed periodically
- Provide for separation of duties
- Audit privileged credential access
Secure Privileged Access Control (using Cyber-Ark’s Privileged Session Management (PSM) Suite)
- Implement network segmentation – using Cyber-Ark’s PSM as a jump server
- Secure remote access
- Implement a coaching page with a click-through acceptance
- Keep full logs and screen recordings of all privileged sessions and allow for real-time monitoring of sessions
- Establish Internet access proxies for servers and workstations
- Minimize control systems network exposure by using PSM as a jump server
There are some in the industry who insist that “IT Security vendors are seen as clueless on industrial control systems.” While that may sound like industry hype, it’s hard to ignore the fact that privileged accounts have been used in nearly 100 percent of all APTs – including Saudi Aramco. Shamoon is simply one example of the many attacks being perpetrated against critical infrastructure companies worldwide. If you’re concerned about Shamoon and other APTs that have crippled organizations, start by securing the primary target used to perpetrate these attacks – privileged accounts.