ORLANDO, Fla. — At an event where predictions of tomorrow’s technology held center stage — algorithms operating cars, smart machines helping call center agents do their jobs better, “robo-bosses” evaluating our performance — it’s telling perhaps that the first speaker was Brian Krebs.
Krebs, the investigative reporter who broke the story of the 2013 Target security breach, told a crowd of CIOs and senior IT executives at this year’s mammoth Gartner Symposium ITxpo that many victims of cyberattacks had the information right there in their event logs — they just didn’t have the curiosity to check them.
“I guarantee you the fraudsters don’t suffer from this — they’re infinitely more curious by nature,” said Krebs, a former Washington Post reporter who now dogs cybercriminals on his website Krebs on Security. “And their curiosity really knows no bounds.”
You say you’re secure — are you sure?
The problem organizations have, Krebs said, is a “perception-reality gap.” They think they are doing what they need to do to secure their systems and networks: they have antivirus and firewall protection in place, they install software patches regularly and they secure email. But those conventional controls are no match for the people Krebs calls the bad guys, whose numbers have multiplied over the past few years and who, as a result, are innovating at a rapid rate.
Two examples: operators of underground marketplaces for stolen payment card data compete with one another by offering discounts to customers who buy in bulk, and some even use analytics to profile buyers and offer the kinds of card numbers they prefer (MasterCard over Visa, say).
Organizations aren’t keeping up in their security practices, Krebs said, because they want the benefits of technology but are reluctant to put in the unglamorous work of continuously monitoring their networks and shoring up weaknesses. And they don’t want to spend more than they have to.
“Traditionally, organizations have spent an inordinate amount of their scarce security budgets trying to meet security compliance obligations that they may have,” he said. What they should be doing is looking for ways to attract and keep talented security folks.
For Shirish Patwardhan, co-founder and CTO of Indian software company KPIT Technologies, the issue hits close to home.
“All my company is compliance-based,” he said. And he knows that won’t stop breaches. “It’s very dangerous because this is going to go on and on.”
Patwardhan said the type of preventive approach Krebs prescribed isn’t promoted enough among organizations. People are people, he said, and if security breaches don’t happen to them, they don’t happen, period. “It’s just a human inclination,” he said.
‘Everyone gets hacked’
The clarion call for heightened vigilance echoed in other chambers at the conference. In a keynote speech describing a “post-app” economy of algorithms that do jobs once done only by humans, Gartner analyst Peter Sondergaard spoke ominously about threats facing all organizations today.
“Everyone gets hacked in the new world. It’s only a matter of time,” he said, adding that 71% of organizations have had to switch on disaster-recovery or business-continuity procedures over the past two years. “Minor problems are constants and major incidents are inevitable. Be ready.”
It was a sentiment not lost on Robert Juckiewicz, vice president for IT at Hofstra University.
“We worry about it every day,” he said. Security has become one of his organization’s highest priorities, but there’s an added layer of complexity and difficulty at educational institutions.
“The purpose of education is to create and disseminate information. That goes counter to security,” he said.
While at the conference, he talked to a peer in an accounting firm who said the practice there is to block everything. “At a university, you can’t do that. You should be able to look at anything.”