
Krebs: Most Firms Fail to Take Simple Cybersecurity Measures

Well-known security researcher Brian Krebs gave a fascinating but scary talk about the current state of cybercrime, arguing that there is a big "PR gap" between the perception and reality of cybercrime.

October 5, 2015
Brian Krebs

Well-known security researcher Brian Krebs gave a fascinating but scary talk about the current state of cybercrime, in a presentation yesterday before the opening of the Gartner Symposium in Orlando.

Talking to a group of CIOs and other IT executives, the author of the Krebs on Security website and the book Spam Nation said there is a big "PR gap" between the perception and reality of cybercrime. "The light at the end of the tunnel isn't a way out," he said. "It's an oncoming train."

In particular, he said that the bad guys have done a better job of sharing information than CIOs; even older versions of reports like the Verizon Data Breach Investigations Report often do a good job of explaining how systems were breached, with information that remains relevant. In many of the recent hacks, he said, a simple perusal of the security logs would have alerted the companies that they had a problem.

Krebs spent most of his time talking about attacks on credit card information, mostly focusing on malware aimed at Point-of-Sale (POS) systems. He talked about how over the past two years, the bad guys have not only improved their attacks on such systems, but made the underground markets for buying and selling credit card information more sophisticated and "customer friendly."

In many cases, street gangs are turning to credit card fraud as a quick way of turning a $10 to $20 investment into $800 to $1,000. Not only is this profitable, he said, but it's inherently less dangerous and risky than dealing drugs, and is often seen as a "victimless" crime because the account holders are typically not liable for the charges.

Krebs noted problems such as the number of POS systems with Web browsers, and how this is a very common vector of attack. He said the transition to chip-and-PIN credit cards is not going to solve the problem, citing how in other countries that transition has led to an increase in e-commerce fraud, new account fraud, and account takeovers.

Much of this comes down to identity and privacy, and he noted that a lot of people's unchanging personal information (such as addresses and Social Security numbers) is now available. He said that when it comes to computer systems, they can be secure, fast, or easy to use: pick two. Most people have chosen not to focus on security, he said. As a result, there are lots of places on the Web to find out personal information on people, and he called on the government to adopt stricter privacy rules, such as those used in most other countries.

Krebs and suggestions

In the end, Krebs cited five areas where he thought companies could make the most progress in fighting cybercrime. He is a big believer in network segmentation, saying the security in most companies is like a candy bar: "hard and crunchy on the outside, soft and gooey on the inside."

Instead, he suggested making the most sensitive parts of your network accessible only to those within the organization with a particular need. Companies should set up a dedicated incident response team, review the news of other breaches to see what lessons they can learn, do repeated drills on what to do in case of a breach, and include their partners in security planning.
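Two of the points above, segmenting the network so the sensitive part is reachable only by those who need it, and actually reading the security logs, can be tied together in a small check. The following is an added example and is not code from the article or from Krebs: it declares an egress allowlist for a point-of-sale segment and scans firewall flow-log lines for accepted connections that fall outside it. The segment address range, the allowlisted destinations, the log format and the sample log lines are all assumptions constructed for the example.

```python
"""Egress allowlist check for a segmented point-of-sale (POS) network.

Added example, not from the article or from Brian Krebs. Everything below
(segment range, allowlist, log format, sample lines) is an assumption made
for illustration.
"""
import ipaddress
import re

# Assumed POS segment: the terminals live in 10.20.0.0/24.
POS_SEGMENT = ipaddress.ip_network("10.20.0.0/24")

# Assumed allowlist of (destination, protocol, port). A POS terminal should
# only need the payment gateway, the internal resolver and the jump host used
# for patching; anything else is a sign the segment is not really isolated.
ALLOWED_EGRESS = (
    (ipaddress.ip_network("203.0.113.10/32"), "tcp", 443),  # payment gateway
    (ipaddress.ip_network("10.20.255.53/32"), "udp", 53),   # internal resolver
    (ipaddress.ip_network("10.20.255.5/32"), "tcp", 22),    # management jump host
)

# Assumed flow-log format, one connection per line.
LOG_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>ACCEPT|DROP) "
    r"src=(?P<src>[\d.]+):(?P<sport>\d+) "
    r"dst=(?P<dst>[\d.]+):(?P<dport>\d+) "
    r"proto=(?P<proto>tcp|udp)$"
)


def parse_line(line):
    """Parse one flow-log line into a dict, or return None if it is malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    return {
        "ts": d["ts"],
        "action": d["action"],
        "src": d["src"],
        "dst": d["dst"],
        "dport": int(d["dport"]),
        "proto": d["proto"],
    }


def is_allowed(dst, proto, dport):
    """True if a POS host may talk to dst on proto/dport under the allowlist."""
    addr = ipaddress.ip_address(dst)
    return any(
        addr in net and proto == p and dport == port
        for net, p, port in ALLOWED_EGRESS
    )


def find_violations(lines):
    """Return accepted flows that originate in the POS segment but leave the allowlist.

    DROP lines are skipped: there the firewall already enforced the policy.
    What matters is traffic that was let through and should not have been.
    """
    violations = []
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # unparseable line; a real deployment would count these
        if ipaddress.ip_address(rec["src"]) not in POS_SEGMENT:
            continue  # only the POS segment is in scope for this policy
        if rec["action"] != "ACCEPT":
            continue
        if not is_allowed(rec["dst"], rec["proto"], rec["dport"]):
            violations.append(rec)
    return violations


# Constructed sample log (not real data). Two accepted flows break the policy:
# a terminal reaching an unknown external host on 8080, and a terminal
# reaching a file-sharing port on a host in another internal segment.
SAMPLE_LOG = [
    "2015-10-04T03:12:44Z ACCEPT src=10.20.0.17:50012 dst=203.0.113.10:443 proto=tcp",
    "2015-10-04T03:12:51Z ACCEPT src=10.20.0.17:50013 dst=10.20.255.53:53 proto=udp",
    "2015-10-04T03:13:02Z ACCEPT src=10.20.0.41:50990 dst=198.51.100.77:8080 proto=tcp",
    "2015-10-04T03:13:09Z DROP src=10.20.0.41:50991 dst=198.51.100.77:443 proto=tcp",
    "2015-10-04T03:14:30Z ACCEPT src=10.30.0.5:41002 dst=198.51.100.77:80 proto=tcp",
    "2015-10-04T03:15:11Z ACCEPT src=10.20.0.41:50995 dst=10.30.0.9:445 proto=tcp",
    "2015-10-04T03:15:40Z ACCEPT src=10.20.255.5:44110 dst=10.20.0.41:22 proto=tcp",
    "malformed line that the parser should skip",
]

if __name__ == "__main__":
    for v in find_violations(SAMPLE_LOG):
        print(f"{v['ts']} POS host {v['src']} reached {v['dst']}:{v['dport']}/{v['proto']} outside allowlist")
```

The useful property of the allowlist is that it is the segmentation policy written down: the same table can drive the firewall rules and the log review, so a flow the firewall accepted but the table forbids means either the rules drifted from the policy or someone changed them.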

It's good advice, but these are things that often get overlooked in the day-to-day push to do new projects in IT. Balancing these priorities is a key issue for many of the IT executives I talked to at the conference.


About Michael J. Miller

Former Editor in Chief

Michael J. Miller is chief information officer at Ziff Brothers Investments, a private investment firm. From 1991 to 2005, Miller was editor-in-chief of PC Magazine, responsible for the editorial direction, quality, and presentation of the world's largest computer publication. No investment advice is offered in this column. All duties are disclaimed. Miller works separately for a private investment firm which may at any time invest in companies whose products are discussed, and no disclosure of securities transactions will be made.
