Have you ever wondered what it's like to break the news of a massive data breach? Be the target of the Russian mafia? Brian Krebs, of Krebs on Security, is the most recognizable name in the information security news arena.
I am very excited that Brian has committed to presenting the opening keynote for the 2015 Rocky Mountain Information Security Conference (RMISC). As we look forward to Brian coming to town in May, I eagerly requested the chance to interview him as a part of my Colorado=Security podcast interview series.
My questions are bolded, and Brian's answers are paraphrased below.
How did you get into journalism originally? And how did you end up getting to write for the Washington Post?
My association with The Washington Post actually started when I was 9 years old, when I helped with and later acquired a rather lengthy paper route from my siblings, delivering The Post to a network of more than 200 homes in my neighborhood.
As a teenager, I was quite active on my high school newspaper. At one point, the educator who oversaw the paper intimated she wanted to make me editor of the publication, but I think I was frankly too interested in girls, spending time outdoors, and other things to take that seriously.
In 1995, a year after graduating with a liberal arts degree from George Mason University, I was in a dead-end job that I absolutely abhorred, and a good friend of mine who'd just gotten a job stocking supplies in The Washington Post newsroom said he thought he could probably get me a job in the Post's circulation department. I was excited about the prospect of working in or near a major metropolitan newsroom and possibly revisiting my brief stint as a reporter, but I wasn't wild about the idea of answering phones all day. My friend told me he'd started in the Post's Circulation Department answering phones, and that if I graduated at the top of my class (they divided up customer service reps into teams there) in customer service, I could probably land a job sorting mail in the newsroom as a copy aide. That was enough for me, and after six months I'd graduated top of my class and applied for a job as a copy aide, which I got. Since I could type more than 100 words per minute, they had me split my time between delivering mail and faxes in the newsroom and taking dictation from reporters in the field. After doing that for about 16 months, I got a job as an editorial aide on the Editorial page, responding to letters to the editor and occasionally helping with the layout of that section.
I had a variety of editorial aide positions at The Post until 1999, when I accepted a job as a full time writer for a Post-owned tech newswire called Newsbytes. When The Post sold that off in 2002-2003, the three of us Newsbytes reporters in the Washington, D.C. Bureau were mercifully folded into washingtonpost.com. There I wrote about tech policy, and increasingly about security. In 2001, my home network had been completely compromised by a computer worm, and I sought to learn all I could about security at that point. By 2004, when the Blaster Worm caught the world off-guard and caused Microsoft's famous Gates memo on rearchitecting the company around security, I was surprised that security was not a full-time beat at The Post. In 2005, I was given, I think, the second blog at the site then, Security Fix. I ran that blog until 2009, when washingtonpost.com was merged with the Dead Tree Edition of the paper and they eliminated my job.
I've heard you tout the advantages of being an independent investigative journalist. For those of us outside the world of journalism, what's the difference, and why does it matter?
Much of journalism is following the reporting of other journalists, and grinding out new copy that advances the story in incremental or dramatic ways. This is as it should be, since there is always more to the story, and each piece that runs is merely a rough draft of history, as they say.
One of the things I enjoy about being independent is that I don't have to follow the story du jour or chase other reporters' scoops; more often than not, I am making a decision about what *not* to cover. Instead, I can invest the time and energy into developing stories that nobody else has, with a vantage point that is hopefully unique.
The caveat here is that this sort of journalism is very expensive—both in terms of the time commitment involved and the resources. The great risk inherent in all investigative journalism is that you spend weeks or months chasing a lead or hunch and wind up with little that is useful from a story perspective, beyond perhaps having developed some new sources for a future piece. But because cybersecurity—and more specifically cybercrime—is such a rich and deep field and so intertwined with nearly every aspect of modern life, it is usually not difficult to find timely, compelling and unique stories to tell if you know where and how to look.
At what point did you become interested in information security? Was that before or after you left the Post?
I detail this in the "About the Author" section of KrebsOnSecurity.com, but I got pretty massively hacked, and decided I didn't want that to happen again. Along the way of learning how not to be a victim again, I was fortunate enough to be introduced to a ton of razor-sharp people who lived and breathed this subject, and were passionate enough about it to share their knowledge. It's an obsession that took hold of me then and hasn't yet released its grip.
You've become well known for getting your hands dirty—finding your way into the hacker community and listening to their conversations. Tell me about the learning curve; how high is the barrier to entry?
Depends on how far down the rabbit hole you want to go. There is a tremendous amount the average person could learn just by spending time on (not even interacting with) many popular cybercrime forums - some of which, by the way, aren't terribly difficult to get into. But going deeper requires a willingness to acquire at least a passing knowledge of another language such as Russian or Mandarin, I think. Even with these language skills mastered, it takes time to get acclimated to the lingo, norms and rules of the underground, and it's easy to incur an infraction that gets one banned from a community after much hard work getting into it.
That said, most of my work on the forums is done just by listening and lurking. Very rarely do I interact with people on or in these communities. Much can be learned just by observing. Unfortunately, some communities routinely ban users who do not participate in some material way, or at least contribute to the discussion in a way that furthers the interests and goals of the more active participants.
You're known for breaking stories story about high-profile breaches. How do you know about them first?
Depends on the breach. Some of the bigger ones are not easy to hide. It's a bit like pushing a giant boulder off a cliff into a still pond and then trying to rebuke the ripples. When a major cybercrime event happens, it usually manifests itself in quite noticeable ways in the underground. In the case of the Target breach, for example, one fraud shop began moving batches of millions of fresh, new stolen credit and debit cards onto the market every other day. This is not a normal occurrence, and it's difficult to hide that kind of breach. That's because the fraudsters know the goods they have to sell don't age well, and that they need to move this product as quickly as possible. So, in those cases, they don't try to hide it; they just get more creative and aggressive about selling it.
The epicenters of other breaches are far more difficult to determine from the data that ends up for sale in the underground. Breaches involving Social Security numbers, medical and healthcare records, for example, are notoriously difficult to trace back to the compromised entity—simply by virtue of the fact that so many organizations hold or handle this information about us. Also, these records are not like credit cards—few of us are going to cancel our SSN and get a new one in response to a breach. Consequently, the data has a far longer shelf life, and the fraudsters who sell it often are content to let it sit on the shelves until someone comes asking for it. Even so, often there are telltale indicators in the data itself that provide clues to its origin. Often, the trick is posing as an interested and qualified buyer, and convincing the seller to part ways with a sample of the information he has for sale in order to do the analysis needed to tell who got hacked.
You've become ubiquitous in the security executive circles. How do you feel knowing that many CISOs joke about 'getting a call from Krebs' when they discuss being breached?
I suppose it's kind of a back-handed compliment, in that I'm the guy nobody wants to talk to. But in reality, they're far more likely to get a call from law enforcement, which seems to be doing a lot more of these notifications every day. Unfortunately, very often when I make the call, the victim company has already been notified by law enforcement. Almost invariably, this means that the victim organization's data (and that of their customers) not only went missing, but that it is actively being sold, traded or shared on the underground markets.
You have certainly changed the way security is reported and discussed. What are your plans moving forward? How do you plan to innovate and improve on what you're already doing?
This is a question that is probably best left unanswered in-depth, for a variety of reasons (at least for my part). But I will continue to strive to create original content that is useful, timely and as easy for my mom to understand as it is compelling to a seasoned security pro. That is a never-ending challenge, and it's a balance I strive for in all my stories.
Ultimately, I'd like to be more successful in corrupting more of my mainstream media colleagues into going out on their own and delving into this subject deeply. I would never shrink from more competition on that front, and to the contrary strongly believe that there would be even more exciting opportunities for collaboration between and among some my very skilled and passionate journalist colleagues.
Do you have any advice for current CISOs? What are we doing wrong, and what can we do better?
Most failures in security can be traced back to a failure to explain—in *very* simple and succinct terms—how security contributes to the bottom line of the organization. No executive or board wants to hear about what can't be done or reasons why the business should be in any way restricted from achieving its goals.
The job of the CISO is part diplomat, part technocrat, part salesman, and part scapegoat. Not all CISOs are cut out to wear and juggle these various hats, and that's an all-too-common unfortunate reality. Ultimately, it is the job of these shape-shifters to devise ever more crafty ways to educate the board and senior leadership about the criticality of security in helping the organization achieve its overall goals, while hopefully avoiding major catastrophes along the way.
In journalism and in the practice of law this the practical equivalent of "leading the witness" or "lobbing softballs," but in reality it's about the reverse: It's about presenting scenarios that force decision makers to ask certain questions. More specifically, it comes down to helping leaders get to the point where they're compelled to ask intelligent questions about how the goals of the security folk fit into the overall goals of the organization. And there's the rub: Often, higher-ups don't ask because either they don't want to know the answer, or (more frequently, I think) they're afraid that their ignorance of the subject will show in the way they ask the questions in the first place. Finding subtle yet persistent ways to help them acquire the knowledge and appreciation of the subject matter so that they feel comfortable asking those questions is the hard part.
Fundamentally, that leading process is about deftly explaining how the organization can learn and profit from the mistakes of competitors. I'm a huge fan of the "Despair" de-motivational franchise, which seeks to lampoon the can-do, motivational slogans often championed by executives and other high-powered people. My favorite is the one with the picture of the half-out-of-water shipwreck which carries the punchline: "IT COULD BE THAT THE PURPOSE OF YOUR LIFE IS TO SERVE AS A WARNING TO OTHERS."
The greatest compliment that CISOs and CSOs often give me is that I help them scare their bosses into taking their jobs seriously, and I think to a certain degree—indeed, if from nothing more than a keen sense of self-preservation—this comes naturally to CISOs/CSOs. But unless one also has a plan to propose in the event of such teachable moments—a way to shamelessly capitalize on the brief attention to the subject that such events offer—then these are wasted lessons and opportunities indeed.
What would you say to someone looking to get into security? Is it a good career path? What disciplines would you specifically recommend (or recommend against)?
That probably depends on what one wishes to do with one's skills. On the bright side, specializing in security is a bit like taking up a career in healthcare: the prospect of unemployment for anyone with a strong mastery and specialization in either of these fields anytime soon is fairly close to nil. So we've got that going for us... which is nice.
From the perspective of a CISO or CSO position, it's probably at once the best and the worst career anyone can contemplate, for all the right and wrong reasons. I know a fair number of these executives at different companies pretty well, and I can tell you they are some of the most passionate, hands-on, articulate and frustrated people I know. They have to be: If they're not—they're not allowed to be—busily looking for a new job pretty soon.
The more you know about cybersecurity and cybercrime, the harder it is to see things in black and white. On the other hand, the greater and broader your knowledge, the easier it is to explain the criticality of this subject to those who perhaps aren't as nuanced in the topic -- whether they be readers or executives. For better or worse, these are the tensions that tear at anyone steeped in—and responsible for educating others on—cybersecurity.
Read more at https://inforeck.wordpress.com.
