Shamoon-Proofing Critical Infrastructure Companies

May 31, 2013 Yariv Lenchner

The Shamoon virus was designed with one thing in mind: causing mass destruction. It is information-stealing malware that also destroys infected machines by overwriting their Master Boot Record, leaving no option to recover the data.

It’s been more than nine months since a person with privileged access to Saudi Aramco’s network unleashed the Shamoon virus and caused huge damage to the company’s computers. Nine months – and the virus still presents a grave threat to the critical infrastructure industry.

This is why it was so concerning when the Industrial Control Systems Cyber Emergency Response Team (ICS-CERT) recently released a recommendation on mitigation strategies for Shamoon. The malware is still active in the ether and could cripple critical infrastructure companies if introduced into their network.

It’s no surprise the mitigation strategies highlight the importance of controlling access and management of privileged accounts. The recommendation contains both tactical and strategic actions, many of which can be done by implementing Cyber-Ark’s solution for securing and monitoring privileged accounts and activity. These include:

Password Management (using Cyber-Ark’s Privileged Identity Management Suite)

  • Secure admin accounts
  • Ensure password policy rules are enforced and admin password values are changed periodically
  • Provide for separation of duties
  • Audit privileged credential access

Secure Privileged Access Control (using Cyber-Ark’s Privileged Session Management (PSM) Suite)

  • Implement network segmentation, using Cyber-Ark’s PSM as a jump server
  • Secure remote access
  • Implement a coaching page with a click-through acceptance
  • Keep full logs and screen recordings of all privileged sessions and allow for real-time monitoring of sessions
  • Establish Internet access proxies for servers and workstations
  • Minimize control systems network exposure by using PSM as a jump server
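As an added example that is not from this post or from Cyber-Ark’s products, the script below runs two of the audits listed above over constructed sample records: it flags privileged logons that did not come through the jump server, and admin accounts whose password rotation is overdue. The jump-server address, account names, dates and the 90-day policy are all assumptions.

```python
"""Audit checks for two mitigations from the list above (added example,
not Cyber-Ark code). All records below are constructed samples."""
from datetime import date

# Assumption: the PSM jump server is the only permitted source of admin sessions.
JUMP_SERVER = "10.0.0.5"
MAX_PASSWORD_AGE_DAYS = 90  # assumed rotation policy
PRIVILEGED_ACCOUNTS = {"administrator", "root", "svc_backup"}

# Constructed logon records: (user, source_ip, target_host)
SAMPLE_LOGONS = [
    ("administrator", "10.0.0.5", "hmi-01"),   # via jump server: allowed
    ("root", "192.168.4.20", "plc-gw-02"),     # direct access: should be flagged
    ("operator", "192.168.4.21", "hmi-01"),    # not a privileged account: ignored
    ("svc_backup", "10.0.0.5", "hist-01"),     # via jump server: allowed
]

# Constructed credential inventory: account -> date of last password change
SAMPLE_PASSWORD_CHANGES = {
    "administrator": date(2013, 5, 1),
    "root": date(2012, 11, 15),
    "svc_backup": date(2013, 3, 30),
}


def bypassed_jump_server(logons, jump_server=JUMP_SERVER,
                         privileged=PRIVILEGED_ACCOUNTS):
    """Return privileged logons whose source address is not the jump server."""
    return [(user, src, dst) for user, src, dst in logons
            if user in privileged and src != jump_server]


def stale_admin_passwords(changes, today, max_age=MAX_PASSWORD_AGE_DAYS):
    """Return accounts whose password is older than the rotation policy allows."""
    return sorted(acct for acct, changed in changes.items()
                  if (today - changed).days > max_age)


if __name__ == "__main__":
    for rec in bypassed_jump_server(SAMPLE_LOGONS):
        print("ALERT: privileged logon bypassed the jump server:", rec)
    for acct in stale_admin_passwords(SAMPLE_PASSWORD_CHANGES, date(2013, 5, 31)):
        print("ALERT: admin password rotation overdue:", acct)
```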

There are some in the industry who insist that “IT Security vendors are seen as clueless on industrial control systems.” While that may sound like industry hype, it’s hard to ignore the fact that privileged accounts have been used in nearly 100 percent of all APTs, including Saudi Aramco. Shamoon is simply one example of the many attacks being perpetrated against critical infrastructure companies worldwide. If you’re concerned about Shamoon and other APTs that have crippled organizations, start by securing the primary target used to perpetrate these attacks: privileged accounts.
