Black Hat 2015: Rebuilding IT security after a cyber disaster

it can be done with the right approach, according to security expert Christina Kubecka.

Speaking at Black Hat 2015, Kubecka, an IT security professional with more than 20 years of experience in government, military and private companies, described the process of rebuilding enterprise cybersecurity based on her experience working for Saudi Aramco after the company suffered a massive cyberattack in 2012.

Saudi Aramco is the largest oil producer in the world and was the world's most valuable company when it suffered an attack on August 15, 2012 that affected 30,000 workstation computers. Saudi Aramco noted that oil production had not been impacted, but Kubecka said that was because the company's security budget prioritized industrial control system (ICS) security rather than IT.

Kubecka said the Aramco family took the cyberattack as if someone had broken into their house and it left psychological scars. The Aramco family began to distrust computers and there was growing paranoia within the company. Employees went so far as to falsely Tweet about another attack because they couldn't log in to their computers.

Khalid Al-Falih, Saudi Aramco's CEO at the time, summed up the impact of the attack during an energy industry conference in 2013. "Never underestimate how dependent you are on your information technology and systems," Al-Falih said. "It's become like oxygen. You think you can live without it, but you can't."

Saudi Aramco completely isolated its network following the attack, Kubecka said, going as far as restricting access between computers, cutting off outside vendors, and even shutting down desk phones.

This was the environment that Kubecka came into when tasked building the first IT security unit for Aramco Overseas Company, a Saudi Aramco affiliate which provides all IT services for Saudi Aramco in South America and the EMEA region outside of Saudi Arabia.

Kubecka admitted that she had the benefit of a very large budget for this process, but gave tips that could be applied regardless of budget constraints. She also suggested that companies with severe budgetary issues would do well to collaborate in joint security ventures.

When it came to recruiting talent, Kubecka said the usual venues like networking and community conferences were useful, but she also found talented people through Reddit. She suggested that recruiters look past candidates with the "business image," certificates, or degrees and find those who work from home and display a real passion for the work even if their experience don't quite match up.

Kubecka noted that too often IT positions offer very little rest for employees, so she was cognizant to make sure schedules gave workers time to "go outside and see the sun." And, she said salaries aren't everything when it comes to budgeting; IT needs to make sure there is room in the budget for training.

"You need to be able to defend against today's threats with today's education," Kubecka said.

There is also a lot of value in having communication and openness between the IT security unit and the business units of a company, she said. Employees need to feel that IT is approachable, and Kubecka noted an idea from a coworker who suggested awarding those who reported potential security issues to IT.

On the other side, Kubecka said that IT needs to know more about the business than just "watching the packets." The more IT knows about how the business operates, the easier it is to spot abnormalities that could be threats to security.

Lastly, Kubecka said to never underestimate the power of being prepared. This includes processes for communication and emergency drills to prepare for an eventual cyber disaster.

"When you have an incident," Kubecka said, "it's going to be mass chaos. Try to plan ahead a little bit."