January 9, 2017

I’ve had several requests for a fresh blog post to excerpt something that got crammed into the corner of a lengthy story published here Sunday: A list of immutable truths about data breaches, cybersecurity and the consequences of inaction.

Here’s the excerpt requested from yesterday’s story:

“There are some fairly simple, immutable truths that each of us should keep in mind, truths that apply equally to political parties, organizations and corporations alike:

-If you connect it to the Internet, someone will try to hack it.

-If what you put on the Internet has value, someone will invest time and effort to steal it.

-Even if what is stolen does not have immediate value to the thief, he can easily find buyers for it.

-The price he secures for it will almost certainly be a tiny slice of its true worth to the victim.

-Organizations and individuals unwilling to spend a small fraction of what those assets are worth to secure them against cybercrooks can expect to eventually be relieved of said assets.”

They may not be complete, but as a set of truisms these tenets probably will age pretty well. After all, taken as a whole they are practically a model Cybercriminal Code of Ethics, or a cybercrook’s social contract.

Nevertheless, these tenets might be even more powerful if uttered in the voice of the crook himself. That may be more in keeping with the theme of this blog overall, which seeks to explain cybersecurity and cybercrime concepts through the lens of the malicious attacker (often this is a purely economic perspective).

So let’s rifle through this ne’er-do-well’s bag of tricks, tools and tells. Let us borrow from his literary perspective. I imagine a Cybercriminal Code of Ethics might go something like this (again, in the voice of a seasoned crook):

-If you hook it up to the Internet, we’re gonna hack at it.

-If what you put on the Internet is worth anything, one of us is gonna try to steal it.

-Even if we can’t use what we stole, it’s no big deal. There’s no hurry to sell it. Also, we know people.

-We can’t promise to get top dollar for what we took from you, but hey — it’s a buyer’s market. Be glad we didn’t just publish it all online.

-If you can’t or won’t invest a fraction of what your stuff is worth to protect it from the likes of us, don’t worry: You’re our favorite type of customer!


57 thoughts on “Krebs’s Immutable Truths About Data Breaches”

  1. B. Brodie

    and…
    -If nobody we know can use it, it’s no big deal. We’ll just smash it, encrypt it or erase it so you can’t use it either.

  2. Akbee

    Brian. Thank you! I am going to print this in a PDF and hand it out to everyone I come in contact with. This is the best advice for the rampant stupidity exhibited by so many who should know better and do better.

    1. Fin-Man

      You could print it on paper and hand it to everyone you meet. If you would send me a PDF, I wouldn’t open it.

  3. IRS iTUNE cards (real)

    Krabs “Miscreants Ten Commandments of Data Breaches “

  4. vb

    One more…

    -Don’t put anything on the Internet that you never want to be public knowledge. That includes sending it to “the cloud”.

    If it is on a device connected to the internet it’s potentially public knowledge.

    1. Ava

      You don’t need to put it online. If you don’t, your bank, retailer, tax office, employer, government probably will for you.

    2. thenortonsetup

      OK, we didn’t put it online nor on the cloud. But the device on which you are keeping it, is that secure? You never connect that device to the internet?
      That means whether you put it online or not, you are always in danger when it comes to IoT.

  5. Linda

    I know this is all true. So, every time I pay bills online, I’m opening myself to hacking. I’ve installed anti-virus software, encouraged my bank to incorporate TFA, do not use a Cloud account… Do I have to go back to writing checks and mailing them? How do I decide the level of risk that shadows my online banking and purchasing?

    1. Bart

      What is important to remember is that a service offering by a bank, or credit card issuer, or any other organisation, will have implicit and explicit liability protection. Banks cannot go back to human tellers, so in general they will compensate account holders for fraud if reasonable protection measures were applied.
      The same is true when you use a credit card. If card holders were always dinged for fraud, card use would drop through the floor. It would be a good way to force merchants to implement a payment infrastructure, because we would stop shopping at all the hacked stores. But the card issuers don’t like that idea; hence protection.
      What is needed is a better legal framework with explicit definition of liability, responsibility, and protection measures. Right now this is all shrouded in fine print that nobody reads. Something simple and understandable. PCI/PA-DSS is great, but the average user does not understand. They get spooked by the idea that somebody will steal their contactless PAN, which is probably the least of your worries.

      1. Santa Claus

        Actually end users (consumers) do pay through higher prices at the merchants for their stupidity. So it goes.

    2. Randomhacker

      Don’t sweat it. Like the man said, you’re protected. The best thing to do on your end is to use good passwords. Be very careful of the sites you visit. There are several good products that check URLs. Be wary of emails. A company will never ask for your password; this means that if you get an email asking you to log in to one of your accounts, do not click it. Be aware of any suspicious messages on any medium. People sometimes share links that are not theirs.

    3. Brad

      One of the points I think Brian is making is that WHEN you do stuff online you need to at least spend “a small fraction of what those assets are worth to secure them”. Based on what you have said, you are making a good effort at that. You are not the “favorite customer” of the cyber-criminal, and so you will have proportionately less targeted attacking on your stuff, and it is proportionately less likely that the attacks that do take place will succeed. Now, if you are transacting hundreds of thousands of dollars worth or are a corporate officer etc. then what you need to do will go up. It is a risk/reward equation for us because it is an effort/reward equation for them. We can’t get away from that even with checks and snail mail.

    4. Anon

      “… I’m opening myself to hacking. I’ve installed anti-virus software, …”

      The latter opened your PC and all its treasures to (mostly trivial) hacking! AV software offers almost no protection, but suffers from the worst flaws. Dump it!

      1. Not that guy

        That’s terrible advice, nobody listen to this person.

    5. Steve

      checks are no better – they are easy to replicate with fewer protections. Granted they are not online – at least until the merchant scans them to send them electronically to the bank.

  6. Shane Xin

    Thanks Krabs, I’m going to spread these valuable words within my group.

  7. unknown

    Here’s another….

    – Network security is not and never will be a “secure it once and you are done” task.

    Good network security requires constant never-ending vigilance, monitoring, updating, maintenance, and basically “effort”.

  8. John

    In politics they should worry less about who hacked them and more about why they got hacked in the first place. Hillary Clinton was surrounded with poor security practices; for whatever reason, they did not take security seriously. They became easy targets, which they should have known they would be.

    1. Jay

      Her server wasn’t hacked. State Department servers were.

      1. Chris

        I thought the server was wiped before being handed over. That was the issue with whether the emails not handed over were relevant or not. I’m not sure there was any analysis of whether or not it had been compromised at any point.

      2. Jamison

        The state department servers didn’t have anything to hack on them. She used her own insecure server for highly classified information. I’m sure after a lifetime in politics that she didn’t know how to handle classified information. We should probably train everyone who works with classified information.

        1. Mike

          No one she did not authorize got any email or other files off her server. That is what I would call ‘secure’. She is the one whose email is not on exhibit on Wikileaks. If you have any proof her server was truly insecure, as opposed to parroting Hannity’s talking points, please do us all a favor and provide it.

          1. JCitizen

            Good point – but in my experience, a weak target isn’t as interesting to nation state ‘crackers’ as a stronger or more obviously notable target. That may be the unintended genius that Hillary unwittingly committed.

    2. Ed

      You can rest sure the RNC servers and email accounts were hacked too. The perpetrators chose only to release the DNC data on how political sausage was being made in order to influence an election. The RNC doesn’t have any special expertise against cyber attacks from state sponsored hackers.

  9. EstherD

    Here are several more, written from the bad guy perspective.

    It’s not a level playing field. Not even close. We call all the plays, and you get to play defense. And we use a playbook that changes so rapidly that you’re always going to be a day late and a dollar short.

    You’re always going to be out-manned. No matter how much money you have to spend, there will always be more of us outside trying to break in than you can possibly hire to keep us out. And most of us don’t have a family or work regular hours, either.

    You’re always going to be outgunned. You have to get EVERYTHING RIGHT to keep us out. We only have to find ONE MISTAKE and we’re IN! And we’re more highly motivated to seek out those holes and exploit them than your staff ever will be to find and plug them.

    1. Randomhacker

      It’s not level because these idiots built their castle on sand. They want to make money and push unsecured products and use improperly trained staff. Security has lagged because they would also rather buy lifelock for customers if they do get hacked rather than put the money where it needs. These companies don’t care about you. Well some do. They sell your information just like hackers do. The difference is you agree to it.

  10. Jay Libove

    Brian, while all of this is true, and the way it is stated is good for getting people’s attention, it’s missing one of the key psychological motivators which we need to use in order to convince the everyman that s/he is in fact a ‘target’ of all of this, which probably should be the very first rule in the list:
    “It’s not personal. We’re automated. We find everyone, without fail.”

  11. David W

    Thanks. Works for the Board and moms and dads (oh, and the kids)

  12. Mike

    If one were to follow this list to its logical conclusion, the result essentially is a warning against cloud storage and backup. If you think about it, it’s pretty much also a warning against using any kind of IoT device (Nest, Fitbit, etc.). This also would include creating accounts around the web for things like yahoo, playstation network, and product registration which is part of the process for new Sony, Samsung, and LG smart TVs.

    Various Hollywood celebrities have experienced this in a very direct way.

    While this is a good list, will anyone actually listen and understand? Some will. Most won’t. Most people won’t even care. It is this apathy why social media has become what it is. People get bothered when thieves break in but rarely seem to care anything about security that prevents thievery in the first place.

    1. Randomhacker

      That’s a bad attitude to have. Information like this needs to be spread. We share it to become stronger, and we share it with the companies that make unsecured IoT devices. Awareness of the dangers is key to mitigation of the issues. It’s the lack of this information in the mainstream that is killing us. This isn’t just about one person’s stuff. We are a nation of people with stuff. Do you want to be the weakest link? Believe it or not, some people don’t know. If you’re not going to be a part of progress, you will be run over by it.

  13. John

    Everyone who posted a comment on how vulnerable we are is connected to the internet. It appears that we don’t practice what we preach.

    1. Randomhacker

      I see this information has not hit its mark with you. There are ways to hide yourself online, my friend. Also you have to remember not everyone here is a sheep. By vigilance over what you do and how you do it, and by securing your devices and network, things are a bit safer. Using VPNs, IP randomizers, proxies, it makes it harder to locate your device, and then there are several tools to keep your devices monitored and safe. It’s up to you to protect yourself.

      1. Mike

        I know it is up to me to protect myself. I’ve been saying that very thing for a long time. I know I can do a better job at protecting myself than MS or Apple can. It is my stuff and I will take care of it myself.

        I am not suggesting at all that people not know these things. Quite the opposite. I completely agree with Krebs on this. I also know that this site isn’t filled with sheep…..that’s why I’m here.

      2. Mike

        I’m sorry, it looked like you were responding to me. Perhaps that goes back to the “themes” thing Krebs has talked about. It’s difficult to see the lines.

  14. Jim

    And how do you tell if it is a hack vs. a spider? Both are constructed the same, both do the same.
    And all OSes include the famous “update” prior to use, which includes the famous “am I genuine”, with a list of what’s on the computer to update.
    I’m betting that includes a list of documents, pictures, and other unrelated information so important to the hackers. Is security updated to the latest versions?

    1. Randomhacker

      A hack and a spider are not the same. One scrapes for data, and can be notified in a file called robots.txt that the crawl can’t go to certain areas. A hack involves exploiting a vulnerability either in hardware or software or person to gain unauthorized access to a system. Then you have to elevate privileges to have more power and then create a backdoor if need be and scrub logs. A little more to that, but you get the gist.
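The distinction drawn in the comment above (a polite spider honors robots.txt, anything else deserves a closer look) can be turned into a simple log check. The following is an added example written for this page, not code from Krebs or from any commenter; the robots.txt contents, the access-log lines and the client addresses are all constructed, and the rule that a User-Agent containing “bot” is treated as a self-declared crawler is an assumption of this example. robots.txt is advisory only: nothing stops a client from ignoring it, which is exactly why a request to a Disallowed path is worth flagging in the logs rather than something the file itself prevents.

```python
"""Audit constructed web-server log lines against a constructed robots.txt.

A well-behaved spider reads /robots.txt and stays out of Disallowed paths.
A client that fetches those paths anyway is either a crawler ignoring the
file or something else entirely; either way the request is worth reviewing.
"""
import re
from urllib.parse import urlsplit

# Constructed robots.txt for the example (not any real site's file).
ROBOTS_TXT = """\
User-agent: *
Disallow: /admin/
Disallow: /private/
Allow: /private/press/
"""

# Constructed access-log lines (Common Log Format with referer and agent);
# addresses are from documentation ranges, not real traffic.
LOG_LINES = [
    '203.0.113.5 - - [09/Jan/2017:10:00:01 +0000] "GET /robots.txt HTTP/1.1" 200 64 "-" "Goodbot/1.0"',
    '203.0.113.5 - - [09/Jan/2017:10:00:02 +0000] "GET /blog/post-1 HTTP/1.1" 200 5120 "-" "Goodbot/1.0"',
    '198.51.100.7 - - [09/Jan/2017:10:00:03 +0000] "GET /admin/login.php HTTP/1.1" 404 312 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [09/Jan/2017:10:00:04 +0000] "GET /private/press/release.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"',
    '192.0.2.9 - - [09/Jan/2017:10:00:05 +0000] "GET /private/report.pdf HTTP/1.1" 200 99999 "-" "Goodbot/1.0"',
]

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)


def parse_robots(text):
    """Return (allow_prefixes, disallow_prefixes) from the 'User-agent: *' group."""
    allow, disallow = [], []
    in_star = False
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments and blanks
        if not line:
            continue
        key, _, value = line.partition(":")
        key, value = key.strip().lower(), value.strip()
        if key == "user-agent":
            in_star = (value == "*")
        elif in_star and key == "disallow" and value:
            disallow.append(value)
        elif in_star and key == "allow" and value:
            allow.append(value)
    return allow, disallow


def is_allowed(path, allow, disallow):
    """Longest matching prefix wins; Allow is checked first so it wins ties."""
    best_len, best_allowed = -1, True
    for prefix, allowed in [(p, True) for p in allow] + [(p, False) for p in disallow]:
        if path.startswith(prefix) and len(prefix) > best_len:
            best_len, best_allowed = len(prefix), allowed
    return best_allowed


def audit(log_lines, robots_text):
    """Classify each request: ok, disallowed-path, crawler-ignoring-robots, or unparsed."""
    allow, disallow = parse_robots(robots_text)
    findings = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            findings.append({"line": line, "verdict": "unparsed"})
            continue
        path = urlsplit(m["path"]).path  # strip any query string before matching
        if is_allowed(path, allow, disallow):
            verdict = "ok"
        elif "bot" in m["ua"].lower():  # assumption: self-declared crawler
            verdict = "crawler-ignoring-robots"
        else:
            verdict = "disallowed-path"
        findings.append({"ip": m["ip"], "path": path, "ua": m["ua"], "verdict": verdict})
    return findings


if __name__ == "__main__":
    for f in audit(LOG_LINES, ROBOTS_TXT):
        print(f)
```

Run as a script it prints one finding per log line; the two hits on Disallowed paths (one from a browser-like agent, one from a client calling itself a crawler) are the lines a reviewer would pull out, while the request under `/private/press/` is cleared because the more specific Allow rule takes precedence over the broader Disallow.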

  15. Matt Sharkey

    Great points. Good news is some companies are starting to realize these truisms, bad news is it’s usually after the breach.

  16. null

    Access is Everything.

    Prof for an independent study in computer security, 1982.

  17. Dan

    Here is another one that I live by:

    – If it is created by men, then it can easily be broken by man.

    So no matter how much you spend on security there is always someone or something out there wanting to break what you have to show the world they can, and then you are back to square one.

  18. Terrence Peabody

    This kind of investment is better off being implemented by a government. Whether or not a government is properly structured to implement the policy and program is a separate question.

  19. JCitizen

    Yeah, and if politicians would concentrate on that, instead of finger pointing because of their weakness, maybe something good would come of it!

  20. chrismaz

    One of my favorites came from a cybersecurity/data scientist:

    “If the good guys can see it (your data), the bad guys can see it too!”

  21. Scott E

    A contribution to desktop user section of the code of ethics handbook.

    – If you wouldn’t pick up a found french fry on the ground and stick it in your mouth and eat it, then why would you pick up a found USB drive and stick it in your computer?

    Hope you won’t be enforcing the copyright on the “Krebs’s Immutable Truths About Data Breaches” because they will get a lot of use.

  22. Dave

    –Nothing stored in the cloud is EVER deleted. Even if you delete it, it’s still there.

    Disk space is free. Disk fragmentation is expensive.

  23. Dave

    –Expect that your own people will go rogue. Your ops team is probably skilled, dedicated and honest. Don’t trust them.

  24. TM

    Watching DC is like watching two teams of firemen chopping each other’s hoses and high fiving each other as the house burns down. Not one of that field of mediocrities understood the urgency of network insecurity.
    Break out your mesh nets.

  25. Boi Sletterink

    With regard to the value of assets: just because you don’t see how your assets can be of value to others doesn’t mean they can’t think of ways to monetize your assets. Don’t underestimate the cybercrooks’ creativity.

    See also Brian’s great overviews about the value of a hacked PC and account.

  26. Bluejay

    – There are two kinds of organizations: those that have been hacked, and those that don’t realize they’ve been hacked.

  27. Sean

    – If your computer/device can connect to the internet, then your computer/device *is* on the internet and can/will be hacked.

  28. Ron G

    “Organizations and individuals unwilling to spend a small fraction of what those assets are worth to secure them against cybercrooks can expect to eventually be relieved of said assets.”

    My father, may his soul rest in peace, had a different way of saying the same thing as above. He was quoting someone else, I think. Not sure who, but here’s the way that he always used to put it:

    “A fool and his money are soon parted.”
