INE was thrilled to have Brian Krebs join day one of our redefINE keynote event earlier this week! If you missed it live, we've included a detailed recap below.
Brian is an independent investigative reporter who focuses on cyber crime. He previously worked at the Washington Post, where he became well known for his hard-hitting stories on high-profile data breaches. These days, his main focus is publishing security news stories on his award-winning website, KrebsOnSecurity.com.
With such a strong background in cyber security, his fireside chat gave redefINE attendees the opportunity to hear insights from one of the industry’s most well-known journalists. Joining him was INE Chief Content Officer Neal Bridges, who has decades of cyber security experience, including establishing the USAF’s first cyber function training unit.
To kick off the chat, Brian dove into what he believes are the most common factors leading to today’s cyber attacks. He specifically mentioned stolen credentials, poor management, and the lack of DNS traffic logging as key contributors to the growing threat faced by organizations around the world.
In an article recently published by Aljazeera, it was noted that stolen credentials are what gave hackers the ability to compromise the Colonial Pipeline networks. It is believed the attackers gained access to the company’s network through a single employee’s password, which was pulled from a list of leaked passwords found on the dark web.
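The Colonial Pipeline account above turns on a single password that already appeared in a leaked list. The defensive counterpart is to screen passwords against known-leaked corpora at set or reset time without shipping the full hash to whoever holds the corpus. The block below is an added example, not code from INE, Krebs, or the original post: it implements a k-anonymity style range check (SHA-1, 5-character prefix lookup, suffix matched locally) over a constructed, made-up leak list, so it runs entirely offline. The corpus contents, the `build_ranges` layout, and all function names are assumptions for illustration.

```python
import hashlib
from typing import Dict, List

# Constructed stand-in for a leaked-password corpus (made up for this example;
# a real deployment would load a breach dump or query a range-lookup service).
LEAKED_PASSWORDS: List[str] = ["password", "Summer2021!", "letmein", "P@ssw0rd"]


def sha1_upper(password: str) -> str:
    """Uppercase hex SHA-1 of the password, the digest form range lookups use."""
    return hashlib.sha1(password.encode("utf-8")).hexdigest().upper()


def build_ranges(leaked: List[str]) -> Dict[str, List[str]]:
    """Index a leak list the way a k-anonymity range API serves it:
    5-hex-char SHA-1 prefix -> list of 'SUFFIX:COUNT' lines.
    Every password sharing a prefix lands in the same bucket, so the caller
    learns nothing beyond the bucket it asked for."""
    counts: Dict[str, int] = {}
    for pw in leaked:
        digest = sha1_upper(pw)
        counts[digest] = counts.get(digest, 0) + 1
    ranges: Dict[str, List[str]] = {}
    for digest, n in counts.items():
        ranges.setdefault(digest[:5], []).append(f"{digest[5:]}:{n}")
    return ranges


def lookup_range(ranges: Dict[str, List[str]], prefix: str) -> List[str]:
    """Stand-in for the remote range query: only the 5-char prefix is sent."""
    assert len(prefix) == 5, "range lookups take exactly a 5-hex-char prefix"
    return ranges.get(prefix, [])


def breach_count(password: str, ranges: Dict[str, List[str]]) -> int:
    """How many times the password appears in the corpus (0 if never seen).
    The full hash never leaves this function; the suffix comparison is local."""
    digest = sha1_upper(password)
    prefix, suffix = digest[:5], digest[5:]
    for line in lookup_range(ranges, prefix):
        candidate, count = line.split(":", 1)
        if candidate == suffix:
            return int(count)
    return 0


def password_acceptable(password: str, ranges: Dict[str, List[str]]) -> bool:
    """Policy hook for a password-set or reset flow: reject anything leaked."""
    return breach_count(password, ranges) == 0


# Built once at import so the checks below can be reused by callers.
RANGES = build_ranges(LEAKED_PASSWORDS)


if __name__ == "__main__":
    for candidate in ["password", "correct horse battery staple"]:
        seen = breach_count(candidate, RANGES)
        verdict = "REJECT (leaked)" if seen else "ok"
        print(f"{candidate!r}: seen {seen} time(s) -> {verdict}")
```

The same prefix-and-suffix split works unchanged against a real range-lookup service: replace `lookup_range` with the network call and keep the comparison local, so the service only ever sees the 5-character prefix.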
Instances such as this are why Krebs believes humans will continue to be one of the biggest cyber security vulnerabilities. One way to mitigate this, he says, is to remind employees of the importance of the work they are doing and of the significance of the information they have access to. Stressing such ideas reinforces the importance of taking security measures seriously, helping to prevent an incident that could have serious implications for an employee’s job or the jobs of those around them.
While conveying the critical nature of an employee’s job is a key component of ensuring appropriate security measures are taken, Krebs noted that well-trained employees can help organizations spot threats. When asked how important it is to have a well-trained workforce, Krebs said “It’s hard to put a value on it until it’s gone.”
One piece of advice Krebs gave the audience was to focus on developing skills through self-directed learning and to get involved in communities or activities allowing you to surround yourself with like-minded people. “Focus on honing and developing your hands-on and problem-solving skills and you will be way ahead of the pack,” Krebs said.
On an organizational level, he says companies should be looking for applicants who can creatively solve problems, instead of basing hiring decisions on who has the most degrees, certifications, or time in the field. “Years of experience isn’t a very good yardstick anymore,” said Krebs. “Organizations should focus on applicants with hands-on knowledge and applicants who can demonstrate those skills.”
Recent cyber attacks have put cyber crime back in the spotlight, leading many companies to realize the importance of having a workforce prepared for anything. “If you’re fortunate enough to have the responsiveness and personnel, you can stay ahead of the hackers or run alongside them,” he said.
Bridges closed the fireside chat by asking Krebs what CISOs should focus on most to help ensure the integrity of their cyber defense strategy. In his response, Krebs highlighted the importance of maintaining an asset inventory, building a well-trained incident response team, drilling your breach response, and hiring a team to handle media in the event an incident occurs. Most importantly, Krebs said stakeholders should ensure they are all on the same page and speaking the same language.
If you’d like to hear more valuable insights from Krebs, you can visit his website at KrebsOnSecurity.com.
If you’re interested in cyber security training for you or your team, you can learn more about INE’s red and blue team training as well as our free Cyber Security Awareness training for teams.