The Biggest Cyber Security Threat is Apathy

Posted by C Henry on Tue, Mar 7th, 2017

Famed cybersecurity blogger and former Washington Times reporter, Brian Krebs, was one of the invited speakers at the Aruba Atmosphere conference in Nashville, TN last week.  His presentation entitled 'The Cyber Security Challenge of IoT' was one of the most well attended seminars of the two-day conference.  Mr. Krebs’s blog is widely read across the world.  Though he writes about all facets of cybersecurity, he tends to focus on the subject of the dark web and the profit seeking cybercriminals that frequent it, most of which reside in Eastern Europe.  Besides his writing, Mr. Krebs’s journalistic research has uncovered a number of breaches including the attacks on Target, Home Depot and Neiman Marcus.  As a result, he has many sponsors that finance his research.

He is hated, yet well respected by the hacker community.  His identity has been stolen on six separate occasions by Eastern European cybercriminals who also continue to bring down his website.  His life has been threatened as well as numerous attempts made to frame him.  As one example, his adversaries spoofed a 911 call, which queried a SWAT team to his home.  Sony Pictures has plans on releasing a movie based on Mr. Krebs, who reportedly blogs with a 12 gauge shotgun by his side.

When the hacker is no longer an attacker

“The people behind the keyboards are your weakest endpoints,” he stated as he began his presentation.  “Companies need to invest time and resources into end user education, yet even then, there will always be some people who click anything.”  He went on to explain how every IT department needs to probe and test their users because the hackers are.  It is imperative to find your weakest links (employees) before cybercriminals find them and breach your network and intellectual property.

“Once infiltrated, the hacker is no longer an attacker,” he said.  “He is a user and once he is operating from within your network, it is extremely difficult to detect his presence.”  He compared this to a game of chess or checkers in which a player is able to promote a piece that reaches the back row of his opponent to the piece of his choice.  For a hacker, the piece of choice is the CEO, CFO or Enterprise Administrator user account.  Cybercriminals today are very patient upon infiltrating an enterprise.  Instead of striking immediately, they take their time to learn the culture of the company and learn the nuances of how targeted executives communicate with one another. 

Law firms are often attacked to get client information. 

Although System administrators and HR are the two most popular targets for a breach, companies are breached for a multitude of reasons.  Law firms are often attacked, not to obtain the intellectual property of the firm, but to learn about their clients.  This information can be then sold to other organizations who may be in negotiations with these same clients, informing them of their weaknesses.

The focus of his presentation was how IoT is changing the spectrum of cyberattacks.  One blaring example is account takeover risk.  Credential stuffing has been a growing threat as approximately 90% of all login activity on Internet-facing systems at Fortune 100 firms is attributed to credential stuffing.  Until recently however, credential-stuffing attacks have been relatively easy to detect as tens of thousands of logon attempts are originated from a single IP address.  Once exposed, connections from these malicious IP addresses can simply be terminated.  With IoT however, huge botnets are now used to funnel password requests through hundreds or even thousands of devices.  Rather than a single device supplying thousands of password requests there are thousands of devices attempting one password request every hour. 

“We need more verifiable systems to verify who people are,” he stated.  “Static identifiers such as father’s name, address, birth place, etc., are completely irrelevant now.”  He explained that a hacker can find anything about anyone basically over the age of 35 for as little as $4 in bitcoin.  In fact, Mr. Krebs made a challenge to the audience that if someone in attendance gave him $4 and a business card with an email address, he would email them a complete profile report on them.  A couple of people after the presentation took him up on this challenge out of curiosity.

DDOS attacks

IoT has propelled the use of DDOS attacks, as cybercriminals have been able to easily harness and snare hundreds of thousands of IoT devices to form botnet armies of unprecedented size.  DDOS attacks are being levied upon organizations as a form of censorship he iterated.  Sites such as his which attempt to expose these organizations and their methodologies are regularly attacked in an attempt to bring them down.  There is even a market on the dark web for online DDOS services in which companies or individuals can hire out DDOS attacks to interrupt the online service of competitors.  One such nefarious organization called vDOS was organized by two Israeli teenagers who earned more than $600,000 in two years for helping customers coordinate more than 150,000 so-called DDOS attacks designed to knock Web sites offline.

At the end of his presentation, Mr. Krebs opened up the forum to questions.  One member of the audience asked him what the biggest cyber threat was today – BEC attacks, ransomware, DDOS?  Mr. Krebs then answered, “The biggest cyber threat is apathy!” 

Article was supplied by IT Pro, Brad Rudisail who attended Brian Krebs talk at the Aruba Atmosphere conference.