Showing posts with label InstallFree. Show all posts

Tuesday, July 20, 2010

Malware Attacking SCADA Systems - from USB Device

A really interesting article that I think we should all be aware of, Microsoft Investigating Windows Zero Day Trojan, brings to light an even bigger threat to our overall ecosystem and economy from cyber terrorism.

For those who may not be aware of the importance of SCADA systems: recall the blackout a few years ago that took out the electrical grid from Ohio to New York. Many do not know that it was believed at the time to have been caused by a virus infecting the reporting system. SCADA systems monitor and control nuclear plants, electrical grids, oil pipelines and similar infrastructure.

This article makes very clear that, as a global economy, we have to think about the technologies we put in place and their impact. Viruses of this type should be a concern not only for USB devices on SCADA systems but also for those embarking on their journey into client virtualization.

Why worry? Virtualization multiplies the security risk to companies and to our underlying infrastructure. How? VM sprawl, and undetected or unregistered virtual applications whose virtual operating systems carry unpatched security holes. SCADA systems are usually tightly locked down, yet a USB device was still able to plant a rootkit in the underlying operating system. If that can happen to a hardened physical OS, what about virtual operating systems that traditional inventory programs never see at all?

For VMs in the wild, the inventory agent may not be installed inside the VM, and the VM may not even be reachable on the client system while it is offline (unlike vSphere in the datacenter, where the management layer can enumerate every VM whether it is powered on or not). Application virtualization poses an even greater threat here.

Typically, inventory tools search the registry for keys that identify an installed application, and patch management tools apply patches to the underlying OS. But if the OS is virtual, the traditional tools will not see it or be able to patch it unless they are specifically integrated or programmed to do so. If the person using the virtual application has administrative rights on the machine, a virus can continue to exploit the vulnerability inside the virtual operating system and pass through to the underlying PC.
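The blind spot described above can be made visible with a short check. The following PowerShell is an added example, not code from the original post or from any of the vendors mentioned: it first builds the view a registry-driven inventory tool would have (applications that wrote an Uninstall entry) and then lists the running executables that neither a registered application nor the Windows directory accounts for. Those are the candidates for unregistered virtual applications. The Uninstall key paths are the standard Windows ones; the allow-list of trusted roots (only the Windows directory) is an assumption to adjust for your own image.

```powershell
# Added example, not from the original post or any vendor's tooling.
# Compares the registry-based inventory view with what is actually executing,
# so executables that no registered application accounts for stand out.

# Standard Windows Uninstall keys: 64-bit, 32-bit-on-64-bit, and per-user.
$uninstallKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*',
    'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*'
)

# 1. The inventory view: registered applications and where they claim to live.
$registered = @(Get-ItemProperty -Path $uninstallKeys -ErrorAction SilentlyContinue |
    Where-Object { $_.DisplayName -and $_.InstallLocation } |
    Select-Object DisplayName, DisplayVersion, InstallLocation)

# Every root ends in exactly one backslash so the prefix test cannot match
# 'C:\App' against 'C:\Application'.
function ConvertTo-RootPrefix ([string]$Path) { $Path.TrimEnd('\') + '\' }

$installRoots = @($registered | ForEach-Object { ConvertTo-RootPrefix $_.InstallLocation })

# Assumption: only the Windows directory may host executables without an
# Uninstall entry. Widening this list (e.g. to Program Files) cuts noise but
# also hides exactly the unregistered packages this check is meant to find.
$trustedRoots = @(ConvertTo-RootPrefix $env:SystemRoot)

function Test-UnderAnyRoot ([string]$Path, [string[]]$Roots) {
    foreach ($root in $Roots) {
        if ($Path.StartsWith($root, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

# 2. The runtime view: processes whose image file lies outside every registered
#    install location and outside the trusted roots. Run elevated; otherwise
#    Path is empty for other users' processes and they are silently skipped.
$unaccounted = @(Get-Process -ErrorAction SilentlyContinue |
    Where-Object { $_.Path } |
    Where-Object {
        -not (Test-UnderAnyRoot $_.Path $installRoots) -and
        -not (Test-UnderAnyRoot $_.Path $trustedRoots)
    } |
    Sort-Object Path -Unique |
    Select-Object Name, Id, Path)

"Registered applications (what inventory sees): $($registered.Count)"
"Running images no registered application accounts for: $($unaccounted.Count)"
$unaccounted | Format-Table -AutoSize
```

Anything listed in the second table is software the patch process knows nothing about: a virtual application package running from a user profile or a network share will show up here, while the same application installed natively and registered in Uninstall will not. Expect some legitimate per-user installers in the output too; the point is that each line has to be explained, either by registering it or by adding it to the patch process by another route.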

What are ways around this?
  1. Lock down the PC and remove administrative rights. This is hard for some organizations, of course, as many legacy applications still require administrative rights to function.

  2. Register the virtual application. Make sure the virtual application product lets you register the application with the underlying operating system (ThinApp, for example, does this with ThinReg). Do not use technology from vendors that provide no mechanism for telling the physical system that the application is there.

  3. Ask your inventory and patch management vendors whether they support that application type. Some vendors do integrate with traditional tools such as SCCM or BMC. Tools like BMC BladeLogic Client Automation (formerly Marimba) can inventory applications deployed through their own system, which at least provides a base inventory when there is no out-of-the-box integration. I would also recommend asking the systems management patch vendors to provide some kind of hook into these solutions so they can be patched quickly without repackaging. This last point is one of the biggest inhibitors to broad adoption of application virtualization beyond a handful of applications.

  4. Create a process, with service level agreements, to patch the virtual OS. Many companies I have worked with over the years have set SLAs to apply patches quickly across their many computers. How do they do that across dozens of virtual applications? It depends on the architecture of the virtual application. Work with your vendors' services teams to create a response plan for zero-day viruses such as this one, so that the virtual OS receives the same monthly patches as part of your overall patch process.

  5. Only run virtual applications in user mode. Where possible, eliminate administrative rights. Most SCADA systems are already locked down, which is exactly what makes the USB trojan so worrisome. Companies choosing to leverage application virtualization should take their overall imaging and rights management process to the next level. Now that you have technology that can lock down access rights, use it.

Some virtualization vendors will claim anti-injection protection and the like, which is great, but you are only as strong as your weakest link. It is important to really think through the security ramifications before deploying virtualization technology (virtual machines or applications) on clients. Make sure they fit into your existing SLAs and do not put your company at risk.

Regards,
Jeanne Morain
jmorain@yahoo.com

Friday, June 12, 2009

Enlightened - Virtual Reality

Many write about the myths, facts, and fiction of virtualization. Some espouse that it is a revolution that is sure to take over the current desktop and server paradigm. This week I was blessed to spend time getting a good solid dose of reality from the only view that really counts: the architects and engineers who use technology every day to solve real-world problems.

As vendors we can learn far more by spending a couple of days with key users of our products to determine what the next best steps are, where the market is really going and what matters most to the ones who use our products and sign the checks. In this hard economy, it is time that we start to listen more and hype less.

Virtualization is a tool which, like other technology, will add benefit and unplanned complexity to current processes, systems, and workers. It is not until technologists solve real-world problems with it that the paradigm will really start to shift.

Routes to Virtual Reality

1) Start with a problem - for example a problem application that has compatibility issues or needs to support a legacy version of .NET or Java. From the problem, determine which type of virtualization applies (server, desktop, or application).

2) Cut to the chase - understand EXACTLY what is being sold. There are many different architectures and solutions that are often overshadowed by marketing fluff. Know the different types, the pros and cons of each approach, and the true costs, and then decide.

For example, there are three distinct application virtualization architectures:
  • Agent based - an agent hooked directly into the OS kernel
  • Individual bubble based - an agent embedded into each virtual application
  • Hybrid - a virtual agent that lives in memory and manages the virtual bubbles

3) Don't believe the hype - there is a lot of misinformation because of the hype around virtualization, cloud computing and the market in general.

  • Application virtualization is NOT running an application inside a virtual machine. It IS isolating the application from the underlying OS, just as machine virtualization isolates the OS from the hardware.
  • Desktops and servers are vastly different. A server serves many users from a single system, while a desktop serves a single user and that user's applications. Each has unique requirements and requires a different approach.
  • Evolution, not revolution. This is not the time for a rip-and-replace approach. The physical tools, paradigms and so on will be alive and kicking for quite some time. Customers want a single pane of glass, not multiple agents, interfaces, and added complexity that increase the workload of already overstretched IT staff.
  • Hybrid is the ONLY way to go. Hardware and network availability cannot be allowed to dictate business continuity. Desktop users are highly mobile and will have little patience or time for large downloads, increased network costs, or being unable to do their job because of a technology failure. User-based targeting is key to addressing the mounting challenges, regulations and risks facing IT today.

Sunday, May 17, 2009

The 4 C's of Universal Clients - in or out of the Cloud

From a human factors approach, the new paradigm shift, both in and out of the cloud, is more user-centric and built around universal clients for the desktop. The monolithic era of tightly coupled OS, applications and data can no longer survive and thrive in today's technology-dependent world.


Let us not forget Vista. Many of us have worked with or for large organizations that wasted significant man-hours and investment planning to migrate, yet actual adoption of the platform was delayed or rolled back. Why? Many cite application compatibility, usability, and impact to business continuity; all are factors in ease of use. Perhaps if the definition were built around the 4 C's of universal clients (Client, Continuity, Compliance, Control) it would be less generic and more easily defined in terms of context, content, and user. Another big factor not mentioned in these threads, but of grave concern, is compliance with security, regulatory and business directives, particularly as acts are passed like the one in Massachusetts that calls for encryption during transport for individuals within that state, and other acts that require you to adhere to state laws; see attached.

The 4 C's, defined in or out of the cloud but easily applied here, are:

  1. Client - Mobile, ubiquitous, easily accessed apps and data that follow the end user
  2. Continuity - Enable business continuity and uptime; provide disaster recovery with the least impact to end users and their business (reboots cost businesses millions in lost productivity)
  3. Compliance - Adhere to key regulatory, security and business directives (frameworks and standards such as COBIT, SAS 70 and ISO). Includes everything from patching and limiting execution to ownership.
  4. Control - Systems need to be locked down by IT, easily managed, accessible to a range of admins (SME to enterprise), encrypted, and flexible enough for end users to still do their job.

We all know everything is relative, and there are good points made in this thread, but let's not lose sight of the fact that no two clouds, or even two usages, will be exactly alike. What is required of an external cloud in healthcare for medical billing may differ from what imaging requires, based on the context in which the user is trying to perform their function and the criticality of their role. If someone makes a mistake or is delayed in getting someone's bill out, that is a minor annoyance; the latter could be life or death. Opera tickets are entertainment and, although valid in the context in which they were presented, do not fully reflect the magnitude of how the cloud can help or significantly impact a business.

Regards,
Jeanne

www.installfree.com
http://universalclient.blogspot.com/

From: Miha Ahronovitz
To: cloud-computing@googlegroups.com
Sent: Sunday, May 17, 2009 9:50:00 AM
Subject: [ Cloud Computing ] Re: I still don't fully understand why "ease of use" is a criteria of cloud
> I should put "cheap" into the cloud definition as well, because if it is expensive, then people will not use it.
Cheap, like "ease of use", is in the eyes of the beholder. A ticket to the opera costing $100 is expensive if I am a penniless student.
A gala of $1,000 is very cheap if I have a net worth of $10M.
My father said: "Expensive is not how much it costs, but how much money you have."
If you want to make everything "cheap", just make more money.
Both "the ease of use" and the "affordability" should be laser pointed to the users from your business plan.
Everett's point is a good point.
Miha
From: Raul Palacios
To: cloud-computing@googlegroups.com
Sent: Sunday, May 17, 2009 12:43:34 AM
Subject: [ Cloud Computing ] Re: I still don't fully understand why "ease of use" is a criteria of cloud
I agree, typical MS mantra. "easy" ... is a word that should be used that often ....
From: Ricky Ho
Sent: Thursday, May 14, 2009 11:39 AM
To: cloud-computing@googlegroups.com
Subject: [ Cloud Computing ] Re: I still don't fully understand why "ease of use" is a criteria of cloud
By applying your argument, I should put "cheap" into the cloud definition as well, because if it is expensive, then people will not use it.
1) You are mixing "desirable characteristics" with "definitive criteria".
2) There are other motivations that you have ignored. I may use something that is very difficult to use if it provides high value to me.
3) "Ease" is a subjective measurement. Something that is difficult for me may be very easy for you.
Rgds,
Ricky