In your opinion, which company or person has had the biggest impact on the information security industry within the last 10 years, and why?
My vote? The man (or woman) most instrumental in taking the concept of Stuxnet and turning it into a coded and devastatingly deployed reality.
Agent.btz might have woken the Pentagon up and led to the creation of US Cyber Command, but it was Stuxnet that woke everyone up to the real capability, deviousness and reach of the underworld’s cyber elite. It was an understated and incredibly complex attack;
It was smart, understanding the security rules humans are prone to break to gain access to and infect the first workstations. Endpoint zero was probably compromised by a coerced insider, or agent of the attackers who defeated physical security controls to plug a USB device into a computer in the geographical vicinity of the target.
It was efficient and exceptionally well resourced, using multiple zero day vulnerabilities (zero days are like Krugerrands to the hacker community and it’s virtually unheard of to “waste” more than one on a single exploit attempt) to ensure rapid spread via removable storage and network connections. It was patient, waiting for a maintenance engineer to go on-site to a target plant (the most well-known of which was Iran’s Nantanz uranium enrichment facility) with an infected laptop. It was stealthy, hiding itself while looking for the right Siemens centrifuge control programs. It was subtle when triggered, accelerating or slowing centrifuges and manipulating valves to mimic mechanical failures. It displayed exacting foresight, replaying good readings to sensors, not to dupe operators, but to defeat safety systems.
The repeated attempts to diagnose and repair faults cost Iran an estimated 30% of its uranium processing capability during 2009-2010, affecting approximately 1,000 centrifuges. The virus is still out there in the wild, mutating and spreading and is credited with causing other subsequent disruptions to industrial sites.
Subsequent analysis suggests it was not as effective as the responsible parties might have hoped, but that’s not the point. The advent and discovery of what was dubbed the world’s first weaponized virus, has changed how we think about malware forever. There are still big effective sticks like DDOS attacks, but the bleeding edge of cyber defence is about these kinds of complex advance persistent threat. Exploits where cause and effect are often so effectively separated by time or design, few can detect, quickly analyse and effectively neutralize them.
These are not every day attacks, but they are the bogeymen the spooks have nightmares about (except when they’re the ones who created them) and they are marketing gold dust for the exploding cyber security industry. For those of you in that trade you should give thanks every day to whoever gave us Stuxnet. Because of him (or her) you are not going to be short of work for a very long time.
Sarah Clarke | @S_Clarke22
To find out more about our panel members visit the biographies page.