Brian Krebs at TMG Executive Summit: Financial institutions have to empower security leaders
Cybersecurity expert says threats will get worse before they get better
DES MOINES, IA (July 7, 2016) — TMG Executive Summit keynote speaker Brian Krebs told a room full of credit union and community bank leaders that layers of technology are not enough to stop a data breach. Instead, the investigative reporter insisted, security is only as effective as the people managing it for you.
“Organizations buy into the idea that doing security right is layering on the right mix of technology, software and services, and that this magic combination will block 99 percent of attacks,” said Krebs, mastermind behind the popular Krebs on Security blog. “It’s just not true. It’s very expensive to do security right, and that’s partly because the actual security of your organization comes from security specialists.”
Using Target’s 2013 data breach as an example, Krebs said the company had all the right technology in place, and some of it was even providing alerts. According to Krebs, however, “There were no people in the seats to tell them what those alerts were saying.”
“There’s no substitute for the human,” said Krebs, who added that fundamentally, cybersecurity challenges don’t change all that much from year to year. “Different organizations face different threats, but one of the stubbornly static truths of breached organizations is that they had all the data telling them they were hacked, but no one looked at it until after the incident.”
It’s not uncommon, Krebs said, for an organization to look at its event logs for the first time after someone like him gives them a call. He devotes a lot of energy to breach notification. Comparing the experience of being notified of a breach to the five stages of grief, Krebs said the people he notifies are almost always in denial. “Those with a high degree of security maturity skip through the first stages and go straight to depression,” Krebs said to a roomful of nervous laughter.
To investigate the ever-evolving methods used by cybercriminals to steal and profit from stolen data, Krebs spends a great deal of time doing what he describes as “lurking on forums to get an idea of what’s coming.”
Phishing, he said, is becoming increasingly sophisticated, even though some cybersecurity experts talk about it as a solved problem. Over a span of three weeks, Krebs notified several different companies of phishing threats facing their C-suites. He had seen actual communications spoofing CEO email addresses on the dark web. No one from any of these vulnerable organizations returned his calls.
According to Krebs, cybercriminals are so good at their tricks thanks in part to the emergence of sophisticated criminal call centers, which staff people who speak multiple languages 24×7. “If you want to change someone’s billing address or cash out an account, but you don’t speak their language, you hire these guys,” said Krebs. “For $10, you give them a script and they run through it for you.” For this reason, Krebs says he’s interested to watch how financial institutions execute voice biometrics strategies in their overall security plans.
As for stolen credit cards, Krebs believes we are in “a historic glut of credit card data.” It’s never been easier to buy stolen credit cards, he says, largely due to an explosion of sophisticated and criminal-centric fraud sites intent on delivering a great experience for the criminal element. “They have refocused their entire business on customer service,” said Krebs. “If you buy 100 stolen credit cards and only 50 work, that’s poor service. So they want to change that and are pre-testing the cards for their customers. Also, they are watching what kind of cards you like to buy and then they will target market. The business acumen of these criminal marketplaces has been fun to watch.”
As the U.S. moves toward full implementation of EMV, Krebs expects card-not-present fraud to increase, but noted the more critical threat is account takeover. “This is why we should be looking at improving authentication. The way we do things today – saying ‘You must be that person because you know their Social Security number’ – that’s bananas.” Ransomware and distributed denial of service attacks will increase as well, Krebs said.
Krebs concluded his hour-long talk by coming back to his point about the importance of human security leadership. The head of security, Krebs advised, should always report to the COO, CEO or the board of directors. Organizations with what he calls a high degree of security maturity have created separation between IT and security: “The surest way to deny your security people any say is to have them report to the head of IT.”
TMG is dedicated to creating customized, technology-driven card processing and payment solutions for credit unions and community-based financial institutions across North America. Innovations in fraud management, loyalty programs, alternative payment systems and analytic reporting, and the competitive advantages they create, have helped TMG forge a new standard in offering cutting-edge credit, debit, ATM, prepaid card products and a P2P payment solution. For more information, visit www.tmg.global.