#Oktane16: Journalist Brian Krebs on Cyber-attacks, Authentication and Authorization

Renowned investigative journalist Brian Krebs of Krebs on Security took to the stage this week at Oktane16 to discuss all things cybersecurity as day one of the conference drew to a close in Las Vegas.

“When the folks at Okta asked me to speak here, I said ‘what do you think I should talk about?’ and they said ‘well, why don’t you speak about some of the crazy stuff that cyber-criminals have done to you, those are really interesting stories?’ I said I generally don’t really do that in my talks. So then they said ‘why don’t you talk about the challenges you see in your reporting about authentication and authorization’ and I got to thinking about it, and decided I could kill two birds with one stone because some of the craziest things that have happened to me over the last five years really come down to just abject failures in authorization and authentication.”

Krebs pointed to an example from 2013, when an individual running a major cybercrime forum hatched a plan to buy heroin and have it sent to Krebs’ house, with the intention of setting him up as a drug addict.

“Well these guys didn’t figure out that I was already on their forum, and they posted the tracking number for the drugs on the forum! Anyway I called the cops.”

A similar incident occurred on Christmas Eve last year when somebody hacked into his PayPal account. How did they do that?

“Well they just called up PayPal and said they were me, gave them my name and date of birth and social security number. Once they got in they tried to send my entire balance to a 17-year-old hacker who went to work for ISIS.”

Krebs’ point was that, whilst there is no silver bullet for protecting against all types of threats, a large number of the worst data breaches we have seen over the last few years could have been stopped, or at least lessened, if the organizations involved had more of a clue about who and what was on their networks.

“I don’t think it’s too much of a stretch to say that improving the way we do authentication, moving away from the status quo, is probably going to be one of, if not the, biggest challenges we face as a society for the next couple of generations.”

Krebs explained that there’s a truism in security, and that is, when left to its own devices, every network has a tendency to push security out to the endpoint.

“The weakest part of almost any organization’s network is the furthest endpoints on that line – the users.”

The truth is, said Krebs, most commercial authentication systems today rely on the secrecy of information that should not be considered private anymore. “Your information is out there.”

Moving on to discuss the importance of the human in security, Krebs argued that too many enterprises have an over-reliance on technology, and not an adequate number of security staff members to do the daily blocking and tackling required of competent incident response teams.

“There’s no substitute for the human, and all organizations need to be spending more to figure out ways to attract and retain cybersecurity professionals who can help them.”

Looking forward, Krebs said that there are a few key threats that he expects to see continue to peak over the coming years, signaling a mind shift in how hackers go about their work and seek gains for their exploits.

“What we started to see over the last year is the bad guys getting a lot more savvy about how they do their secure checking stuff, and basically running large distributed botnets of hacked computers and in many cases we’re talking about tens of thousands or hundreds of thousands of computers. I think we can expect to see a lot more of that going forward.”

What’s more, he added, ransomware will become more targeted and cyber-criminals will spend more time figuring out how much they can demand for information and bypass underground forums altogether, going straight back to the company they stole from in the first place.

Likewise, extortion-based denial of service attacks will also increase in size and target a wider range of enterprises – they are no longer isolated to banking organizations as was the case in the past.

So, what shifts need to happen to combat these risks? Krebs believes the answer lies with companies taking more steps to meet their compliance obligations and considering what they should be doing on an ongoing basis to think more like the attackers.

“If an organization is advanced in its security maturity level, leadership will be in the habit of asking some very hard questions on a regular basis. These may be questions they don’t even want to know the answers to, but they’re mature enough to know they need to be asking them.”

Indeed, the most important question is how much is spent trying to keep the bad guys out versus how much is spent on responding as quickly as possible.

“Hackers are very good at exploiting faulty assumptions, they do it all day long, and it’s really what they thrive on. So, as you leave here and go home, ask yourself what assumptions your organization is making, and see whether those assumptions still hold water,” he concluded.
 
