Brian Krebs – renowned security journalist and the author of KrebsOnSecurity.com blog.
I wouldn’t want to stress this comparison too much, but even the way these cyber gangs split up what they steal is very evocative of the drug gangs, considering that a major component of these ‘Cloud cartels’ really is large-scale information harvesting and theft. And whatever these guys cannot use, they will sell in bulk. So for example, they often sell the identities that they’ve stolen en masse; they’ll sell them for a very low price per identity. That information, once it’s sold, is sold to another buyer; it usually gets separated out even further, by bank, by region, before it’s resold yet again in one form or another, like the refining process of cocaine actually, when it’s choked into bricks and further parceled out into a kilo, broken up into packages. And then it’s resold on a regional, geographic level to dealers who then adulterate it and do all kinds of other stuff, and sell it in even smaller quantities.
I say all this because it seems to me there is a huge need for people to take the threat from Internet security and organized crime gangs a lot more seriously, rather than the tendency today, which is to view a virus infection (if it happens to be caught) as an isolated event. And it seems to me there is a great need among organizations and individuals alike to change their mindset when it comes to thinking about cyberthreats. On an organizational level, the focus really needs to be on protecting the data that’s of value, and companies need to change their mindset from the sort of fortress mentality, you know, and just accept the fact that the bad guys are going to get in; and basically put in place systemic protections that limit any damage that they can do when they get in.
The banks, the financial industry – they’ve been leaders on this particular approach to cybercrime for many years. And if you ask the guys that do damage control for them, they will tell you their main focus is on identifying where the crown jewels live, making sure they have good visibility on who has access to that, and very clear visibility on what’s leaving the company.
So as far as concrete steps that Internet users can take, I would suggest a few things. I think we are long past the stage where people can rely on a single technology, whether it be antivirus or firewalls or whatever, to save them. The biggest question I get from users is “Well, Ok. So my antivirus says that it detected so and so threat, but I don’t know whether that means I’m safe, if it fixed the problem, if that’s been resolved, what do I need to do next?”. And, you know, the unfortunate truth is that it’s not that simple to answer anymore. And that applies whether you’re a regular Internet user or you’re part of a corporate network.
You know, there are basic security precautions that regular Internet users can take to prevent these kinds of problems, and the truth is that using (this is going to sound kind of basic) something other than Internet Explorer to browse the web is a giant step forward for most people. And that’s not to bash Microsoft at all; it’s just a recognition of the fact that Internet Explorer is really tied to so many other things in the operating system that exploits designed to attack IE have a much greater chance of success. Adding protections like the NoScript add-on for alternative browsers like Firefox, and being extremely paranoid about any emails that entice you to click on a link or download an attachment – these can block a majority of the attacks out there today.
In the enterprise, however, the situation is unfortunately a lot more complex. The user doesn’t always have control over the software that’s on the machine, and at the end of the day people have to get work done, right? And as we all know, the enterprise doesn’t really stop at the borders of the company’s network. People take work home, they access files remotely, and so there really is a blurring of the lines between where the company’s network resides and where the home user’s network resides, because the two often overlap. I would say organizations have a tendency to focus on unsophisticated attacks from hackers because they are, generally speaking, the noisiest and the easiest to detect. But that focus can really overlook some of the infiltrations and attacks that tend to be more systemic and have higher economic impacts on the compromised entity.
From where I sit, businesses would be wise to spend more of their scarce resources on first identifying the data they have that’s of value to the attackers, and making sure that there’s a strong awareness about what’s going out of the network. So particular attention needs to be paid to those employees who have access to the company’s crown jewels (the data that really makes up the value of those companies), whether it be the company’s internal data or the keys to that company’s online banking credentials. There need to be more layers beyond the username and password that grant access to this information.
Read previous: Brian Krebs talks in Panda Security Blogger Summit. Part 1.