The fact is that as chilling as Alperovitch's report may be, it doesn't
tell the whole story. While the victims of many of these attacks
eventually found and remedied the malware intrusions, little has been
revealed about this publicly. No general alarm was
apparently raised in the halls of government or industry at least
before McAfee discovered the command-and-control server. One of the
primary purposes of the report was to make public the breadth and depth
of this single set of related attacks.
What's perhaps the scariest part of this whole situation is people
targeted people in this attack all enabled it by doing one of the
things they should be teaching the employees in their companies never
to do. They opened a suspicious email to give the malware access to
their computers. It's hard to overstate how important it is to instill
the proper level of suspicion into employees. Surely by now the amount
of damage that's been caused and the amount of loss that's been
incurred by careless actions on the part of employees sould motivate
companies and agencies to train their employees not to do this.
Perhaps an equally scary revelation is these attacks all
happened to unpatched Windows-based computers. In other words, the
attacks were enabled through exploits that could have been prevented
simply by updating Windows and the installed Windows security software.
None of these preventative steps is expensive or even difficult.
Updating Windows is free. Updating security software is free, except
for the annual subscription. Taking care of both these tasks isn't
hard. In most cases it's automatic.
Training your employees isn't free, but it's not hard or expensive.
Neither is managing the right level of access to your network. You
can't have a secure network if everyone is a system administrator, even
on their own machine. And while it does take an investment in time and
money buy the right enterprise security software, the right firewalls,
and the right encryption tools, that investment is relatively low
compared to the risk of losing your most precious information.
Ask yourself whether you want to be the cyber-patsy chosen by the
agents of a distant foreign government who want to steal your
organization's most strategic information. But that's exactly what you
will be if you happen to be the weakest link in your organization's
security cordon with an unpatched PC and a lame password that provides
easy entry to the network with the right level of access. Then all they
have to do is send you a cleverly disguised spear-phishing email that
with your single mouse click opens the back door to your employer's
As an alternative, think about whether you or your company take
security seriously. Do you actively train your employees about the
dangers of email? Do you ensure that your computers at all levels are
kept updated? Have you made sure that your security software is in
place, properly configured and updated? A quick look around any office
is almost certain to reveal at least one computer running an unpatched
version of Windows XP. That alone could open the door to a massive
security hole that could give away all that your company has worked to