The Doyle Report: Culture, Not Technology, Is the Key to Surviving a Cybersecurity Breach, Says Top Cyber Sleuth Brian Krebs
Just a few years ago, Brian Krebs was a little-known cybersecurity writer with a loyal readership of mostly geeks and freaks. Unless you were in the know, you had no reason to read his now world-famous blog, Krebs on Security.
That all changed after the mild-mannered Krebs broke the story of the 2013 Target security breach. Soon thereafter, his career and notoriety soared.
In article after article, Krebs detailed tales of corporate buffoonery and cyber intrigue. The mix was irresistible to “Corporate Joes” and security professionals alike. After outing some cybercriminals, the 14-year veteran of The Washington Post became a target of bad actors around the world. Rather than hide behind his blog, Krebs fought back. He tracked down previously unknown hackers and exposed corporate malfeasance the world over.
Not long after, The New York Times chronicled the various ways some hackers retaliated against him. One signed him up for 70,000 different email mailing lists. Another tried to ensnare him in a police bust by sending heroin to his house and calling the cops. When Krebs called the perpetrator out, the hacker sent his wife a bouquet of flowers, the kind you send to funerals. Krebs went after him: he identified the hacker, tracked him down and helped send him to prison in Italy. Afterwards, Krebs wound up becoming pen pals with the criminal, though hardly friends. (After serving time in Europe, the hacker was extradited to the U.S., where he is now serving time in a prison in Newark, N.J.)
Krebs’ story of cloak and dagger brought him so much acclaim that Sony Pictures bought the rights to The New York Times story about him with the hopes of turning it into a “Jason Bourne”-style film about the cybersecurity world. The mild-mannered Krebs isn’t quite sure what to make of that idea, or the person who created a super fan website devoted to him.
Against this backdrop, Krebs took the stage at the McAfee MPOWER 2017 Cybersecurity Summit in Las Vegas. His first order of business during his keynote? Address the question he gets asked most, especially at technology conferences showcasing the latest in cybersecurity software: Why are there so many data breaches today? Krebs believes technology isn’t to blame; people are.
“Doing security right has a lot less to do with having the right security tools in place… and a lot more to do with having the right culture,” he says. “The best way to be secure is to assume you are already compromised.”
Sadly, the percentage of companies that adopt this mindset is small. Despite the hundreds of stories he’s written on hacks big and small, most companies simply deny that a major breach could happen to them. Krebs likens this thinking to a scene in one of his favorite films, “The Matrix.” In one pivotal scene, the protagonist is told he can take one of two pills, one red, the other blue. The red one, he is told, upends your world but reveals reality; the blue one lets you ignore the truth. When it comes to cybersecurity, “too many executives essentially take the blue pill,” Krebs says.
Those that “take red” embrace a culture that is equal parts prevention, cure and openness. They assume, in other words, that they have been hacked or soon will be. They routinely conduct drills with “red teams” of engineers who look for vulnerabilities and “blue teams” of security specialists who look to improve defenses. They tell the truth about what they find and mind their Ps and Qs when it comes to upgrades, patches and new threats. They also educate and train their people, who, by Krebs’ account, are the cause of nine of every 10 cybersecurity breaches.
“Everyone gets penetration whether or not they are paid for the pleasure,” Krebs jokes.
Regardless of culture, Krebs is troubled by one thing above all else: why it takes some organizations so long to learn they have been breached. He often finds out that a company has been hacked before it does. Krebs is also able to pinpoint organizations that are being less than forthcoming about data breaches to customers, partners and investors. How? By trawling underground web sites where purloined data is put up for sale. (Krebs broke the Target story after comparing stolen credit card data up for sale on the Dark Web to the zip codes of the retailer’s stores.)
What irks Krebs is the way everyone from the government to private enterprises to educational institutions and more relies, for authentication purposes, on static personal data that has been compromised a thousand times over. “We have no business using this information for authentication, yet it’s still commonplace,” he says. Krebs, for one, moved his personal money from one bank to another after being told that his Social Security number was the only way the institution would authenticate him.
As for advice to practitioners, Krebs takes a simple, basic approach. He suggests security experts and technology professionals alike embrace the following:
- Assume you are compromised
- Think beyond compliance to achieve true security
- Know your employees even if it means monitoring their behavior
- Invest in two-factor authentication for partners and employees, especially on VPNs
- Hire and foster more cybersecurity talent
- Have regular fire drills to test your technology and, moreover, your business processes
- When compromised, secure what you have instead of reflexively adding more of everything, which will increase your attack surface
After sharing his list of practical steps, Krebs was asked what he would do if he found himself working for a customer or partner that didn’t have a proper cybersecurity mindset. “Go find another job,” he says, noting that there are roughly two job vacancies for every one person working in cybersecurity today.
Oh, and the worst breach, and worst response to a breach, ever? Hands down, Equifax, he says.
“It was a different dumpster fire every day,” Krebs says. “The company didn’t care [enough] and didn’t have a proper plan.”
Wise words for those who sell security technology for a living.