As a former board member and current advisory board member for the Los Angeles chapter of ISSA, I am always interested in community events being organized by what I believe is one of the best information security associations presenting a wealth of topics and information while serving a variety of roles around the world.
A good friend and chapter president for ISSA in Phoenix, Cody Wamsley, recently alerted me to an information security conference he and his group are organizing for February 2018. The event matches its name in that it brings some of the top security titans together to talk about the information security trends, challenges, and failures our society is experiencing. Joined by Frank Abagnale, Ann Barron-DiCamillo, and Kevin Mitnick, the opening keynote for the event will be delivered by none other than Brian Krebs.
I wanted to get a sense for what Brian plans to talk about during his keynote, so I grabbed a few minutes of his time the other day with the hopes of catching even just a glimpse of what’s on tap. At first, when I raised my first question to Brian, I thought it was going to be a short call. When asked about the topics he will cover, he said, “It’s hard to say … it’s so far out that a lot can happen between now and then; plus, I focus on making each presentation unique to each conference.”
Fortunately, there’s much more to Brian’s work than the latest and greatest breach. Having both investigated and even personally experienced a variety of attacks over the years, Brian is in the unique position of having a view into a world most don’t get a chance to see. Brian has insights into industry trends, attack motives, and the often mismatched mindsets of the professionals who are paid handsomely to follow these same trends and prepare for the pending attacks. It is with this in mind that Brian shared with me three main topics he’s confident will come up in some shape or form during his keynote presentation:
- Organizational accountability
- A reality check on IoT
- A different perspective on virtual currencies
Below are a few of the highlights.
Brian kicked off our conversation by telling me that he thinks today’s security professional needs a mindset shift away from traditional security measures of old.
“We need to stop building higher walls,” he said. “This hasn’t worked and still doesn’t work.”
Brian expanded on this view that protection isn’t the end-all-be-all of information security, providing more detail for a view that may not be a welcome one, but one that does force security professionals to change the way they think. “Start with the assumption you are breached,” he said.
This shift in mindset, as Brian suggested during our call, could be a liberating experience for many as it could allow for security teams to leverage their professional maturity to put their best foot forward—an attribute that must be learned and earned through in-the-trenches blood, sweat and tears.
“There is no easy way to get maturity,” said Brian. “Organizations typically don’t get religion until it hurts—they need first to say ‘Ouch! That hurts! I don’t want that to happen again!’,” he added.
However, organizations might be overlooking some candidates that could bring ready-made, in-the-trenches maturity from which the security team could benefit.
“Organizations can hire people that have experienced a breach,” said Brian. “These people probably know more than someone who hasn’t been through such an experience.”
Internet of Things
The Internet of Things, along with the security and privacy threats that come with these things, is not going away anytime soon. These threats will continue to be a hot topic when Brian speaks at the upcoming ISSA Security Titans event in Phoenix.
In fact, attacks we’ve seen thus far—such as the one we experienced with Mirai—are nothing compared to what is possible.
“A lot of these compromised IoT devices are in countries that may not have as much bandwidth to push at a target that the criminals in control of those hacked systems would like to push,” said Brian.
The future of distributed denial of service (DDoS) attacks could prove interesting given this perspective.
An area of technology and risk that baffles Brian lies in the world of virtual currencies such as Bitcoin. With the rapid growth in value comes a massive increase in the use of this technology-enabled form of money, and with this, Brian has some concerns many might not have considered.
“There seems to be a ridiculous amount of people pouring a ton of money into virtual currencies,” said Brian. “I even see companies stockpiling bitcoins to deal with ransomware.”
However, what may have seemed like a reasonably small investment could now equal hundreds of thousands of dollars given Bitcoin’s sixfold increase for the year.
“Many don’t know what they are getting themselves into—they simply see a pot of gold and take the risk,” said Brian. “It’s akin to playing a game of craps without knowing the rules.”
The trouble here isn’t the potential for losing the value in a coin crash; it could be far worse than that.
“With this value comes a massive target on their backs,” said Brian. “People and companies didn’t sign up for what could come with this new-found wealth.”
This point sounds very ominous. I can’t wait to hear more when Brian speaks in February.
Meet Brian in Phoenix
And, speaking of seeing Brian speak, I have seen Brian speak. Suffice it to say, he has some spectacular stories to share. I would encourage you to take the time to join the group at the ISSA Security Titans event in February. While only Brian knows all of the nitty-gritty stuff he will dig into during his opening keynote, we at least know a few of the topics he will cover.