Security executives believing they can prevent mass leakage of personally identifiable information (PII) must adjust their expectations because most PII is already available on the dark Web and even on public indices, high-profile security journalist Brian Krebs has warned.
Calling out ‘dark web scan’ services spruiked to US audiences by former New York City mayor and President Donald Trump lawyer Rudy Giuliani, Krebs opened the second day of the AISA National Cybersecurity Conference showing that he had been able to buy Giuliani’s personal information – as well as his own – through legitimate public-web sources “for the price of a caramel macchiato at Starbuck’s".
“It’s all out there,” said Krebs, who rose to worldwide fame after breaking the story about the massive hack of US retailer Target and has frequently become the news after being targeted by hackers and chosen as the subject of a mooted upcoming film.
“You have static information about yourself that you maybe think should be private or secret,” Krebs continued. “But if we’re relying on these static identities for authentication, then we’ve missed the memo that all this stuff is already out there – and that your network has been breached 100 times over.”
The dark web certainly shouldn’t be dismissed given its role in facilitating the sale and purchase of PII, intellectual property, passwords and credit cards. However, Krebs said, administrators need to respond to that threat by shifting the goalposts – by, for example, moving away from a reliance on easily-compromised passwords that are available for purchase online in their millions.
Reflecting the industry’s changing perspective on passwords is a new posture by Microsoft – which years ago was arguing that password abuse was misunderstood and fixable, but has pushed away from passwords within Windows 10 and Azure and now offers as part of its official vision “a world without passwords”.
Even as technologists look for ways to reduce the value of credentials to cybercriminals, many companies are working at cross purposes by buying into ransomware demands based on simple cost-benefit calculations.
“People don’t understand how pervasive it is for corporations to pay off extortionists,” Krebs said, citing recent Code42/Sapio Research figures suggesting that 73 percent of CISOs are stockpiling cryptocurrency in case they have to pay off ransomware – and that 64 percent believe they will have a public breach in the next 12 months.
“Nobody likes to talk about it for obvious reasons, but it all comes down to economics,” Krebs said. Many companies “have been hit and could have restored from backups, but they say the process would have cost $20,000 and taken two days – whereas the extortionists are just asking for $2000; all the company has to do is pay them, and they’re back in business. It’s all about the money at every step of the way.”
Many businesses were making it easy for extortionists through sloppy data-handling practices – such as copying a database into a public cloud storage service and leaving it without password protection in the belief that it is invisible to others.
Such databases are anything but invisible, Krebs said, and with criminals actively searching for them it’s only a matter of time before data gets exposed – as happened to him when speaker bureau All American left details of its high-profile customers’ contracts available in a cloud storage bucket.
Such data is not only being found online but may be downloaded, deleted, and replaced with a ransom note for its owners. But even then companies need to move quickly, Krebs warned, noting that some cybercriminals are searching for such ransom notes and replacing them with their own account details.
When this happens, “you just paid somebody that didn’t have your data to begin with,” Krebs said. “It’s a comedy of errors, but this is happening every day.”
Taking a more proactive stance
With hackers in the driver’s seat when it comes to choosing the manner and time of engaging with victims, Krebs said, companies thinking they can make themselves impervious are kidding themselves.
“A lot of organisations are still run by people these days who think it’s possible to keep bad guys out of your network,” he said. “If this is the case in your organisation, you’re probably not in a great position to tell when you get hacked. And if you give a hacker 2 months inside your network, they are going to find a way to make you pay for it.”
Regular penetration testing and phishing tests of users offer valuable help – if not in blocking hackers, at least in identifying the users who are most likely to click on malicious attachments no matter how much education they receive. These users can then be targeted with more pointed education, enforcement, and security efforts.
The key for CISOs, Krebs said, is to stop being surprised about getting hacked – and to be as proactive as possible to minimise that damage.
“Companies that have their heads screwed on right fully understand and are aware that everyone gets hacked – and in some companies it’s often multiple times per day. The reason you don’t read about it all the time is because those companies anticipated it – and they’re paying people to get up in the morning and to go patrol the network.”
“They assume there will be a constant stream of people getting a foothold in their networks – and it is only by quickly identifying and neutralising these attacks that they have any prayer of stopping a small cut from metastasising into a giant haemorrhage.”