Every year, the Upper Midwest Security Alliance (UMSA) puts on a security conference in the Twin Cities called Secure360 that's always full of great information. The keynote presenter is always someone well known in enterprise security, and this year it was Brian Krebs.
Krebs, for those who are unaware, is the writer of KrebsOnSecurity.com, a website that frequently breaks the news of data breaches such as the ones that hit Home Depot and Target. Today he was providing data and predictions on the future of security.
Security Tools
One of the first ideas he touched upon was that, although we're at a security conference where vendors are trying to sell products to make your organization secure, the fact of the matter is that security is about people, not products. Indeed, if you purchased every product being sold on the market, your organization would not magically become impervious to attacks; in fact, it would probably become less secure, because there wouldn't be enough time to properly utilize all of the tools.
He likened many security folks selling products and services to 1800s medicine: slap up a sign selling a cure and people will rush to buy your snake oil. While the situation may not be quite that bad, he brings up an excellent point in that organizations are better off hiring top-notch people to implement and run a security program rather than buying the latest whiz-bang gizmos.
To help illustrate the point, he described the recent Target breach. The organization had spent more money on security than anyone else in their industry vertical, but the bad guys still successfully infiltrated Target. Why? They had all of the proper tools, but not enough quality people to review and respond to the alerts and logs that the tools were generating.
Spam and Phishing
Perhaps unsurprisingly, phishing is still a very common attack vector when it comes to attacking a company. Indeed, he covers this extensively in his latest book, Spam Nation. A common attack is to register a domain name that is similar to that of your victim (neowln.net, for example), then send and receive email messages through that domain with the intention of tricking the victim into thinking it's really neowin.net.
Taking this one step further, it's not uncommon for attackers to mix phone calls in with the email. For example, in one instance the hackers sent an email to the CFO purporting to come from the CEO of the company, requesting a fund transfer but adding that a trusted contact would be calling in the near future with the specific details. Apparently the bad guys actually have call centers that, for a mere $10, will call the victim to finalize the social engineering attack. These call centers even have staff capable of speaking whatever language is required; the hacker simply needs to hire a "female who speaks French" and they're off to the races.
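The lookalike-domain trick described above (neowln.net standing in for neowin.net) is something a mail gateway or SOC script can flag on the receiving side. The following is an added example, not code from the keynote or from Neowin: it parses the From and Reply-To headers of an inbound message and classifies the sender domain as the organization's own, a lookalike (homoglyph substitution or one-character edit of the protected second-level label), or unrelated. The protected-domain set, the homoglyph table and the sample message are constructed for illustration, and "registrable domain" is approximated as the last two labels because no public-suffix list is available offline.

```python
"""Flag sender domains that look like one of our own (lookalike / typosquat detection)."""
from email import message_from_string
from email.utils import parseaddr

# Constructed: the domains this organization legitimately sends mail from.
PROTECTED_DOMAINS = {"neowin.net"}

# Substitutions commonly used to build a lookalike label (assumption: a short,
# non-exhaustive table). Multi-character entries come first so "rn" is folded to
# "m" before the single "l" is folded to "i".
HOMOGLYPHS = {"rn": "m", "vv": "w", "cl": "d", "0": "o", "1": "l", "l": "i"}


def normalize(label):
    """Fold visually confusable characters so neowln/neow1n/neowin compare equal."""
    s = label.lower()
    for src, dst in HOMOGLYPHS.items():
        s = s.replace(src, dst)
    return s


def levenshtein(a, b):
    """Classic edit distance (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def registrable(domain):
    """Approximate the registrable domain as the last two labels (assumption, no PSL)."""
    parts = domain.lower().rstrip(".").split(".")
    return ".".join(parts[-2:])


def classify_domain(domain):
    """Return 'own', 'lookalike' or 'other' for a sender domain."""
    d = registrable(domain)
    if d in PROTECTED_DOMAINS:
        return "own"
    for protected in PROTECTED_DOMAINS:
        # Homoglyph swap: neowln.net, neow1n.net
        if normalize(d) == normalize(protected):
            return "lookalike"
        # One-character edit of the second-level label, which also catches
        # TLD swaps such as neowin.org, since only the label is compared.
        if levenshtein(d.split(".")[0], protected.split(".")[0]) <= 1:
            return "lookalike"
    return "other"


def check_message(raw_message):
    """Classify the domain of each address-bearing header present in the message."""
    msg = message_from_string(raw_message)
    findings = {}
    for header in ("From", "Reply-To", "Return-Path"):
        value = msg.get(header)
        if not value:
            continue
        _, addr = parseaddr(value)
        if "@" not in addr:
            continue
        findings[header] = classify_domain(addr.rsplit("@", 1)[1])
    return findings


# Constructed sample resembling the CEO-to-CFO wire-transfer pretext.
SAMPLE_PHISH = """From: "CEO" <ceo@neowln.net>
Reply-To: ceo@neowln.net
To: cfo@neowin.net
Subject: Urgent wire transfer

Please process the transfer; someone will call you shortly with the details.
"""

if __name__ == "__main__":
    for header, verdict in check_message(SAMPLE_PHISH).items():
        print(f"{header}: {verdict}")
```

In practice the protected set would also include partner and vendor domains that routinely request payments, and a "lookalike" verdict is a good trigger for quarantining the message or adding a banner, so the CFO in the story never has to spot the swapped letter by eye.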
Customer Service
Everyone likes good customer service, and it appears that the bad guys are no different in that regard. As the cost of an illegal credit card continues to hover around $5, shops that are selling these products are trying to differentiate themselves by providing good service to those buying the illicit goods. One way the vendors try to keep customers happy is by checking the validity of the cards before selling them. While this costs between ten and twenty cents per card, it helps ensure they haven't already been canceled.
Another thing these vendors are doing is providing a generous "return policy." If you purchase 100 stolen cards and half of them end up being canceled, the good shops will provide refunds or give you new cards to try. The really good shops go one step further and, like Amazon, predict what types of cards you like based on your previous purchase history. For example, using analytics they may be able to determine you prefer Discover cards issued to women with expiration dates in 2017. It's all very interesting, but also a little creepy.
Who's buying these stolen credit cards? Surprisingly, gang members are the most likely at this point. They purchase a credit card for $5, pile up $800 worth of fraudulent charges, then sell the merchandise elsewhere for cash. This carries far less risk than selling drugs: if you're caught with drugs, you could go to prison for 20 years or more, whereas the laws on stolen credit cards are generally far less severe. This is especially true in the United States, where the privacy laws have not been updated since the 1980s.
Future Attacks
The keynote went on to present Brian Krebs' vision of what to expect in future attacks. While none of it was revolutionary, there is still cause for concern.
The first prediction is that hackers will stop selling data on the black market and will instead sell it back to the victims themselves. We're already seeing some of this with Cryptolocker and Cryptowall type attacks. However, right now the malware and attackers don't determine the value of the data, instead charging a flat fee for both grandma's recipes and a Fortune 500 company's data.
Currently, organizations are primarily concerned with preventing data from being stolen but, as I predicted last year, in the near future the bad guys will not only attempt to steal data but will also simply destroy it. While today you may get an email demanding payment to prevent a distributed denial of service (DDoS) attack, in the future it's probable that the email will demand even more to prevent the destruction of your data instead.
Another near-future attack deals with insider threats: people within an organization who will sacrifice company security for personal gain. Apparently Krebs is already seeing posts on illicit forums where information on disgruntled employees can be found (or purchased) for use in targeted attacks. A bad guy can send the employee a few hundred dollars to "accidentally" drop their access badge somewhere, for example.
What should you do?
There are many things that an organization can do to protect itself, but the first order of business is to get out of the mindset of protection and instead realize that you will eventually be breached because the bad guys only have to win once to take over your network. Instead, be sure to focus on detection at least as much as prevention.
Without going into much detail, he emphasized many things that quality organizations should be doing:
- Segment your network: If a bad guy gets in, make it hard for them to move around.
- Restrict sensitive parts of the network: Similar to the above, but block access to parts of the network that not everyone needs to reach.
- Robust penetration testing: Either hire quality consultants or if you're skilled, attack your own company (with permission!), looking for weaknesses in not only technology, but also people and process.
- DDoS: Be sure you have a DDoS mitigation strategy in place before you're attacked.
- Dedicated incident response teams: Be sure your team knows how to respond to incidents, again, before you actually have an incident.
Conclusion
Overall, Brian Krebs gave a very informative keynote that not only explained what's happening on the "Dark Web" now, but what may happen in the near future. Despite this, the security field is still a great, fast-paced career track and for those with inquisitive minds, can make for a very rewarding career.
Images courtesy of Shutterstock: Phishing; E-Commerce Shopper; Fingerprint