Stuxnet Case Study Report

School: University of Wisconsin, Stout
Course: 6035
Subject: Information Systems
Date: Feb 20, 2024
Uploaded by KidArt9882

Question 1: If you were designing security for Natanz, what prevention and detection methods would you recommend?

The first prevention method I would recommend is disabling the use of personally owned USB drives and other removable storage devices. With that control in place, Natanz would have been able to thwart the entire attack, since the worm entered the facility on removable media. For detection, I would recommend alerts for when multiple centrifuges are spinning at the same very specific rates. I would also recommend disabling automatic and user-driven updates, so that only a highly privileged administrator can push updates to systems. Alongside this, I would set up alerts for any system update that happens out of band from the scheduled update window.

Question 2: Iran air-gapped its actual control systems. This causes operational issues and is therefore avoided in all but the highest-security environments. Given that it failed anyway, would you still use it? If not, what would you lose by not doing it? If so, how would you detect a compromise of your air-gapped environment?

I would keep the air gap but add more detection and prevention to the systems inside it. As mentioned in question 1, I would completely remove the ability to insert USB storage devices anywhere in the system. On top of this, I would set up alerts that notify the system administrator whenever someone attempts to insert a USB storage device. Other detections I would include are new executables appearing on hosts, account privilege escalation, and new DNS queries made from within the environment.

Question 3: The zero-day attacks in this case were published earlier, but not known to the vendor. Is there a way to protect against this?

I think it would be practically impossible to protect against zero-day attacks that are unknown to the vendor. Almost no customers have the money or the time to prowl the internet for zero-day discovery papers. Customers fully expect to get security and vulnerability news directly from the vendor; otherwise they do not pay attention to obscure security news floating around the internet.
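The detection rules proposed in questions 1 and 2 (removable-storage insertion, updates pushed outside the maintenance window or by a non-admin account, first-seen executables, first-seen DNS queries, and many drives reporting the same abnormal speed at once), as an added worked example that is not part of the original report. Every log line, host name, account, path, DNS name, the maintenance window and the normal speed band are constructed assumptions chosen to exercise the rules, not data from Natanz or from the report.

```python
"""Toy detection rules for an air-gapped ICS network. Added example, not
part of the original report. Every log line, host, account, path, DNS
name, the maintenance window and the drive-speed band are constructed
assumptions chosen to exercise the rules."""

from collections import defaultdict
from datetime import datetime, time

# Constructed policy (assumptions, not facts from the report).
MAINTENANCE_WINDOW = (time(2, 0), time(4, 0))   # updates allowed 02:00-04:00
UPDATE_ADMINS = {"ics-admin"}                    # only this account may push updates
KNOWN_EXECUTABLES = {r"C:\HMI\hmi.exe"}          # constructed allow-list baseline
KNOWN_DNS_NAMES = {"historian.plant.local"}      # constructed allow-list baseline
NORMAL_SPEED_HZ = (950, 1100)                    # assumed normal drive frequency band
SAME_SPEED_THRESHOLD = 3                         # drives at one abnormal speed before alerting

# Constructed event log: "<timestamp> <host> <event> key=value ..."
SAMPLE_LOG = r"""
2024-02-20T01:10:00 eng-ws-01 usb_insert user=operator1 vid=0781 pid=5567
2024-02-20T03:05:00 eng-ws-01 update user=ics-admin package=hmi-2.1
2024-02-20T10:42:00 eng-ws-02 update user=operator2 package=unsigned-patch.msi
2024-02-20T10:43:00 eng-ws-02 exec user=operator2 path=C:\HMI\hmi.exe
2024-02-20T10:43:30 eng-ws-02 exec user=operator2 path=C:\Temp\tool.exe
2024-02-20T10:44:00 eng-ws-02 dns_query name=historian.plant.local
2024-02-20T10:44:05 eng-ws-02 dns_query name=cc.example.invalid
2024-02-20T11:00:00 plc-01 speed drive=A1 hz=1064
2024-02-20T11:00:00 plc-01 speed drive=A2 hz=1200
2024-02-20T11:00:00 plc-01 speed drive=A3 hz=1200
2024-02-20T11:00:00 plc-01 speed drive=A4 hz=1200
"""


def parse_line(line):
    """Parse one constructed log line into a dict of its fields."""
    ts, host, kind, *fields = line.split()
    event = {"ts": datetime.fromisoformat(ts), "host": host, "kind": kind}
    for field in fields:
        key, _, value = field.partition("=")
        event[key] = value
    return event


def in_maintenance_window(ts):
    """True if the timestamp falls inside the scheduled update window."""
    start, end = MAINTENANCE_WINDOW
    return start <= ts.time() < end


def detect(log_text):
    """Run every rule over the log and return (host, rule, detail) alerts."""
    alerts = []
    seen_exec = set(KNOWN_EXECUTABLES)
    seen_dns = set(KNOWN_DNS_NAMES)
    abnormal = defaultdict(set)   # (host, timestamp, hz) -> drives reporting it

    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_line(line)
        kind = ev["kind"]

        if kind == "usb_insert":
            # Policy blocks mass storage, so any insertion attempt is worth a page.
            alerts.append((ev["host"], "usb_insert",
                           f"user {ev['user']} inserted removable storage ({ev['vid']}:{ev['pid']})"))

        elif kind == "update":
            reasons = []
            if ev["user"] not in UPDATE_ADMINS:
                reasons.append(f"pushed by non-admin {ev['user']}")
            if not in_maintenance_window(ev["ts"]):
                reasons.append("outside maintenance window")
            if reasons:
                alerts.append((ev["host"], "unauthorized_update",
                               f"{ev['package']}: " + "; ".join(reasons)))

        elif kind == "exec":
            # First sighting of an executable path not in the baseline.
            if ev["path"] not in seen_exec:
                seen_exec.add(ev["path"])
                alerts.append((ev["host"], "new_executable", ev["path"]))

        elif kind == "dns_query":
            # Nothing inside the air gap should need a name it has never asked for.
            if ev["name"] not in seen_dns:
                seen_dns.add(ev["name"])
                alerts.append((ev["host"], "new_dns", ev["name"]))

        elif kind == "speed":
            hz = int(ev["hz"])
            if not NORMAL_SPEED_HZ[0] <= hz <= NORMAL_SPEED_HZ[1]:
                abnormal[(ev["host"], ev["ts"], hz)].add(ev["drive"])

    # Several drives reporting the same out-of-band speed at the same instant.
    for (host, ts, hz), drives in sorted(abnormal.items()):
        if len(drives) >= SAME_SPEED_THRESHOLD:
            alerts.append((host, "speed_cluster",
                           f"{len(drives)} drives at {hz} Hz at {ts.isoformat()}"))
    return alerts


if __name__ == "__main__":
    for host, rule, detail in detect(SAMPLE_LOG):
        print(f"{host:10} {rule:20} {detail}")
```

On the constructed log this raises five alerts: the USB insertion, the operator-pushed update outside the window, the unknown executable, the unknown DNS name, and three drives at the same abnormal speed; the admin update inside the window and the baseline executable and DNS name stay quiet. The baselines are deliberately allow-lists rather than block-lists, which is what makes the "new executable" and "new DNS query" rules workable inside an air gap where the expected set is small and stable.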