On December 9, 2019, I was honored to represent the Pittsburgh Chapter of ISACA and Schneider Downs as the leader of Pittsburgh’s Information Security Day event at the Rivers Casino. The event was decreed as such by the Mayor of Pittsburgh, Bill Peduto, and had record attendance of more than 500 professionals. The day featured various speakers from the local Pittsburgh business community as well as experts from around the country who flew in to give their advice and speak about important cybersecurity matters.
The highlight of the day was a fireside chat with cybersecurity investigative journalist, Brian Krebs. Mr. Krebs is a leading cybercrime journalist (formerly with the Washington Post) and New York Times bestselling author of Spam Nation. He has been featured on leading media outlets, including 60 Minutes, CNN, FOX, ABC News, and in The Wall Street Journal, Forbes and Bloomberg Businessweek. Currently, on his popular security blog, www.KrebsOnSecurity.com, he exposes information that can’t be found anywhere else, shedding light on the digital underground and dangerous activities of profit-seeking cybercriminals who make billions off of pharmaceutical sales, malware, spam, heists and data breaches, like the ones at Adobe, Ashley Madison, Target, and Neiman Marcus that he was the first to uncover.
I had the honor of sharing a fireside chat with Mr. Krebs, where we talked a little bit about his career and a number of important cybersecurity topics. Below are some key takeaways I’ve prepared, drawn from what I learned while preparing for this event, from my conversations with Mr. Krebs along the way, and finally from the advice he shared during our fireside chat:
- Being an investigative journalist for cyber seems pretty tough!
Mr. Krebs described how there is no shortage of companies being breached and there is a lot of information out there. He described that his process entails finding new and unique stories or angles to uncover, not just writing about what everyone else had already covered. He also enjoys getting to the heart of the matter and shedding light on those responsible. As an example, here is a story that he wrote regarding the Russian nationals that were indicted recently right here in Pittsburgh by U.S. Attorney Scott W. Brady:
https://krebsonsecurity.com/2019/12/inside-evil-corp-a-100m-cybercrime-menace/
- Don’t let your first computer incident be a real one.
Mr. Krebs discussed how he often calls on companies that are experiencing an incident, or that don’t yet know they’ve had one. In these cases, he often finds that organizations aren’t well versed in how to handle these situations and could benefit from incident response testing and a more robust plan for when the seemingly inevitable occurs.
- Don’t underestimate the attackers.
In his investigations, Mr. Krebs often gets to see the underlying economics of the cybercrimes that occur. Some of the most lucrative attacks out there are simple business email compromise attacks, whereby the attacker essentially just asks the target for money (pretending to be someone else) and the target complies. Beyond that, large-scale ransomware attacks are also very lucrative if the ransoms end up being paid. The attackers we are up against are well-funded and well-run organizations, and their capabilities are very advanced.