Cyberwar is happening now: turn your sysadmins into heroes
Information security is right on the cusp of a "huge shift" in the way things are done in the US, and, by extension, around the world. The next few months will be "transformational," Paller told security professionals in Sydney yesterday.
Paller's message? "Stop paying people to tell you what to do. Pay people to do it."
Things began changing after the revelation of the Operation Auroraattacks against Google, Adobe, Northrop Grumman, and other companies, as well as espionage against the oil industry, in early 2010.
"It caused a lot of CEOs to figure out that their security guys didn't have a clue," Paller said. Despite successful security audits, if Google were vulnerable, then surely they were, too?
"There was a sense of 'I don't know who to trust anymore.'"
The Stuxnet attack against centrifuges, used by Iran's nuclear program, was reported just months later.
"Once you throw a cyberweapon out that destroys rotating equipment, other people who you don't like have software that runs the same control systems — Siemens SCADA systems — that run your rotating power generators. And there are no backup power generators in Australia or the United States," Paller said.
Things have picked up in 2012.
"One of the largest companies in the United States told me that in April they were having about 1000 attacks in the first quarter, then 5000 in the second quarter. These are major attacks, not port scans," Paller said.
"The big thing is the shift that happened about a month and a half ago, and that was the move from info theft and DDoS [distributed denial of service] to damage," he said.
"Some of the newer attacks [are] actually causing a lot of people to lose sleep, big time. Not little sleep, and not little people."
Case in point? The attack against Saudi Aramco, Saudi Arabia's oil company, which was revealed in mid August. Around 30,000 computers had their master boot record destroyed, requiring physical visits to rebuild them all.
"This is real damage. That's the same kind of problem you'd have if you hit it with a bomb. Not literally, but close enough, in terms of the amount of rebuilding you have to do," Paller said.
Though the threat is great, Paller said that the solution can be surprisingly straightforward — even when the security officer has no direct authority. His case study was the US State Department.
The head of security has no authority over systems administrators in embassies, because they report to the ambassadors. But he can measure the risk across the organisation's networks through automated vulnerability reporting, turning that into a metric that put disparate problems onto a common scale, and communicating that data daily.
"He delivered to every sysadmin, every day, the one or two things they needed to do to lower the risk on their machines," Paller said.
Sysadmins typically have just 20 minutes each day to spend on security, according to Paller. The key to getting things done is making sure that the day's tasks can be done within that timeframe, and providing clear instructions.
Using this technique, the US State Department could show that 90 percent of its machines were patched for a certain Internet Explorer vulnerability in just 11 days. By comparison, the US Department of Defense, using a traditional command-and-control approach, had patched only 65 percent of its machines after four months — and because this was being reported by sysadmins manually, they may have been lying.
Paller said that the brilliance was not reporting the data to Secretary Clinton until the program had been running for six months — meaning that systems administrators were seen to be delivering clear, measurable progress.
"This is how you move a massive organisation around the world forward in security. You don't do it by writing them a report. You don't do it by yelling at them. You do it by empowering them to make the fixes, and you make them heroes instead of bums," he said.
As for knowing what to do, Paller praised Australia's Defence Signals Directorate (DSD) and its Top 35 Mitigation Strategies. An updated version was launched on Thursday.
DSD reported that more than 85 percent of targeted intrusions can be defeated by implementing just its top four strategies.
"The is the first time any government I have ever seen put white space on a list," Paller said. "First do the top four. When you are done doing the top four, evaluate the others ... it takes such guts to put white space in a list."
Paller emphasised that it's essential to get systems administrators onside. They have the hands-on skills to patch machines and lock down networks.
"You have people claiming security isn't a technical problem? Find those people and shoot them," he said.