Entrust President and CEO Bill Conner Joins Congressman Burgess for Dallas Metroplex Cybersecurity Forum Presentation
Entrust President and CEO Bill Conner graciously accepted an invitation from U.S. Congressman Michael C. Burgess to speak during a cybersecurity forum breakfast August 30, 2011, in Highland Village, Texas. Conner discussed the evolving cybersecurity threat landscape and its impact on the nation, as well as the security and stability of our nation’s business community.
“I am Bill Conner, President and CEO of Entrust, the leader in identity-based security software solutions. On behalf of Entrust, we appreciate the opportunity to participate in this unique and important event. Specifically, I want to thank Congressman Burgess and the Chamber of Commerce for hosting this event, and thanks to all of you for being here today.
Congressman Burgess is one of the few Members of Congress that I have met with who is concerned about cybersecurity and is actively engaged in working on legislation to protect consumers and businesses from the range of threats we face. I applaud his leadership and interest in this matter and want you to know from what I have seen in Washington, you are fortunate to have him serving you. I wish more members shared his concern and were as committed to action as he has been. Thank you, Congressman Burgess.
Hacking for Harm
Experts agree that cybercrime poses a greater threat to the security of nations, corporations and individuals than ever before.
In recent years, cybercriminals have moved from a model of hacking for honor to hacking for harm — and increasingly, the most common victims of targeted cybercrimes are those who can least afford a major financial hit, like small businesses. With the increased dependence on the Internet to conduct business, there is no surprise that cybercrimes — ranging from identity theft to financial fraud to cyber terrorism — have dramatically increased.
Online Security — The Ongoing Effort
At Entrust, we are working around the world with small and large enterprises, governments and law enforcement agencies to enable security software for the good guys. We do this knowing that the total cost to deploy security is dwarfed by the cost of what is at stake. It is important to recognize that this threat is not a date-specific type of event like the year 2000 technology issues where you spend once to solve a specific issue and see the threat pass. Cybersecurity is akin to a quality process that must be disciplined, measured and continually improved on a daily basis. The challenge I face at the helm of Entrust is to make this possible for companies and governments in a cost-effective and uncomplicated way.
I have the opportunity to work with many of my peers and policy-makers in coordinating strategies to enhance the positive aspects of the Internet’s promise and to combat those who abuse and attack it. It is now nearly 10 years after 9/11 and we have made tremendous progress. However, cybercriminals continue to outpace our gains with new tricks and technology of their own. That is why we must fight this on a national level and involve the government, enterprises and citizens.
No one is immune. This year alone, we have seen numerous high-profile attacks ranging from Northrop Grumman to Lockheed Martin to even security companies like RSA and Comodo being victims of breach. Sophisticated attacks such as these are clear evidence that organizations need greater security to thwart today’s savvy cyber terrorists. Our industry must be proactive in developing solutions that empower organizations to quickly respond to attacks without compromising day-to-day operations. It is also apparent that as a nation, we are not doing enough to protect our assets and personal information.
The Zone Defense
With football season kicking off, it seems to me that cyber defense is much like playing a zone defense in football — you don’t know what play the other team is calling, therefore, you need to defend against everyone. That means that we need first to understand what we are up against. If the offense sees a hole in your front line, they will take advantage of it.
Cybersecurity is much the same way — businesses do not know how they will be attacked. They don’t know if the threat comes due to a download from an employee surfing the Web, via an attack from within, or from a virus that may have entered the system on an email. What we do know is that, to win, your company needs to have a strategy to deal with the range of threats. If your company waits until they are hacked, it’s too late. Game over.
Cybercriminals will search for that open door and if they find it within your security measures, they will wreak havoc on your data and possibly divert your payments to the bad guys. Consider the amount of time it would take if you lost all your data to a cyber attack, not to mention the credibility your company would lose if a cybercriminal stole your customers’ personal information. What we have on our hands is cyber warfare being conducted by foreign governments, international crime rings and common thieves in the U.S. It takes everyone — government, major organizations, small businesses and individuals — working together to win.
To put this all in context, hardware technology follows Moore’s Law, which states that capacity doubles and cost halves every 18 months. In the new cyber world, software tools are changing in days, not years, and in many cases hours or even minutes. That makes it a constant real-time battle for all of us.
We are facing a wide range of extremely dangerous enemies armed with expensive and sophisticated hardware, software and boldness. They function in an environment where their white-collar crime, even if identified and apprehended, brings only minimal punishment. This is because most of these attacks are across sovereign borders around the globe.
The good news is that technology and solutions exist today to thwart these cybercriminals. It just needs to be applied consistently and universally to deny cybercriminals the easy access they have today.
Shortcomings of FFIEC Guidelines
Let me give you a specific example. The Federal Financial Institutions Examination Council (FFIEC) recently updated its guidance for financial institutions offering Internet-based products and services. Unfortunately, these guidelines only hit at the minimum level of security and are already outdated. Just like the ones they put out in 2005, the guidelines do not place accountability for implementation nor do they mandate any specified timeframe. You may ask why this is important to you. This is putting your business at risk when you conduct business online with your bank.
Diagramming Advanced Malware
With that in mind, here is one example of a real-world threat that we have encountered that has not received as much attention as data breaches. It is, however, one of the biggest cybercrimes and threats today. The threat is called ZeuS or SpyEye, which is a “man-in-the-browser” malware that targets mid- to small-sized companies. This is a threat you should be aware of and concerned about here in Flower Mound and Lewisville.
The problem arises when someone in your organization is surfing the Web and accidentally installs software that opens a door for criminals. The software may install when an employee has visited an infected website or simply clicked the red “x” to close a pop-up ad or notification. Regardless, once the malware is installed it is extremely difficult to detect. In fact, the malware is crafted to avoid detection by antivirus tools.
This malware sits dormant, waiting for someone on the system to log in to your corporate bank account online. When it sees that bank URL pass by, it wakes up and begins to intervene transparently in whatever transaction is being conducted.
Let me explain how it works.
- Your corporate controller initiates an online payment to Vendor A for $10,000.
- The malware on your PC, laptop or tablet sees the bank URL and online payment. It then “wakes up” and translates that payment into, let’s say, six different transactions totaling $100,000.
- The bank then receives the request for these six transactions totaling $100,000 and asks the controller to confirm the transactions by entering a one-time passcode (OTP) to authenticate the transactions.
- The malware intercepts this request and re-translates the six transactions back to the original single transaction for $10,000.
- The controller sees the original request for Vendor A to be paid $10,000.
- The controller then enters a one-time passcode to authenticate the transaction and sends it back to the bank.
- Unfortunately, the malware accepts the one-time passcode and again re-translates the single $10,000 transaction to the six transactions totaling $100,000.
- The bank then believes it is a set of authorized corporate transactions based on the passcode the client provided and executes those transactions for $100,000.
- Now both the corporation and the bank are missing $100,000.
This is the kind of threat that can happen in Highland Village, Flower Mound, Lewisville or any other town, and it doesn’t just happen to multinational companies. It can and does happen to smaller enterprises.
Malware Hitting Home
Let me give you a nearby, real-life example. Plano-based Hilary Machinery, one of the largest machine tool distributor service organizations in the southwest, had $800,000 drained from its bank accounts in two days. It wasn’t the company’s financial institution that discovered the error. It was Hilary Machinery itself.
Between November 9 and 10, 2009, PlainsCapital Bank received fraudulent wire transfer instructions from a group that infiltrated the bank accounts of Hilary Machinery. Some of the transfers involved sums in excess of $100,000, while others were as small as $2,500. Each transfer was made to a different account, which was highly unusual, and outside the norm for the company. PlainsCapital Bank was able to recover all but approximately $200,000 of the lost funds.
Now, who is responsible for the loss was a matter of question. Hilary Machinery believed that PlainsCapital should have been held liable, sued the bank and demanded repayment of the remaining $200,000. In turn, PlainsCapital counter-sued, saying their security was, in fact, reasonable by industry standards and that it processed the wire transfers in good faith. The lawsuit was eventually settled, but the point is that this could have happened to any small business in terms of the attack and fallout.
SMBs at Risk
Unfortunately, this example shows how vulnerable small- and mid-sized businesses can be and demonstrates the potential fallout of not having a strong cyber defense. There is no clear law or legislation that protects your company, or provides guidelines on what you, your vendors or your financial institution need to have in place, to protect sensitive data.
It also varies from state to state, so the burden is on each company to figure it out relative to their situation and possible exposure. It often comes as a surprise to companies I speak with; small- and mid-size businesses do not have the same protections as individuals. Again, it falls on your shoulders to ensure you are protected.
And just because you are a small business doesn’t mean cybercriminals aren’t going to target you. In fact, according to the Federal Communications Commission, three of every four small- and mid-sized businesses report being affected by cyber attacks.
An employee may get an email that looks valid and opens it, clicking on a link. It turns out to be a phishing scheme and your company is compromised. It’s happened time and time again with an array of targets including the University of Wisconsin-Milwaukee, a Dallas-based business telephone equipment company, a Missouri dental practice and even cities such as Brigantine, New Jersey.
The good news? There are inexpensive and intuitive tools to combat this kind of threat. So what are small and large enterprises, financial institutions and governments to do?
First, in my mind, are the cybersecurity basics — or table stakes, as you might call them — for online security. Your employees must have at least basic training on security practices to protect sensitive business information, communication and transactions.
Organizations also need to ensure that computers and networks are protected from viruses, spyware and other malicious code. A firewall must be in place — not only at the point of connection to the Internet but on all computers, including laptops used to conduct company business. And, finally, the proper settings must be routinely checked for vulnerabilities and attacks.
Education, coupled with dedicated perimeter security solutions, provides the first basic layer of protection for your business and your employees.
Another key to cybersecurity across an organization pertains to the downloading of software. I cite Brian Krebs’s blog from May 20 — “Krebs’s 3 Basic Rules for Online Safety” — where he gave three basic rules for online safety in this area.
First, “If you didn’t go looking for it, don’t install it.” You are taking a great risk by downloading software that you don’t directly know.
Second, “If you installed it, update it.” Basically, keep up with new versions of software because they include updated security for vulnerabilities that have been found in earlier versions.
And finally, “If you no longer need it, remove it.” Unneeded software can slow down your machine and eventually open it to a wider array of breaches. In the end, it is all about keeping networks, computers and devices protected to help thwart the opportunity for someone to breach your infrastructure.
Finally, to truly secure your environment, you need identity-based security. You cannot have security and trust without knowing who or what is on both ends of a transaction.
To have that trust you must understand how digital identities are changing. Today’s identities go well beyond people and how we have traditionally thought of identity. Digital identities now include kiosks, servers, routers, mobile devices, applications, ATMs and even power meters.
This next generation of digital identities, including devices and application objects, will dwarf human identities in the next five years. Identity-based security brings this all together with the right level of security, enablement, risk and compliance to any transaction — regardless of identity type.
So, what do you need to know to secure identities?
You need to control physical and logical access to your facilities, computers, networks and any other devices that house important information or have access to your networks. And, increasingly, you will need to manage the “mobile” access of smartphones and tablets. Mobility has come of age and is the next wave of innovation — for good and for bad.
Lastly, you need to ask your financial institution how your business is protected should it become a victim of a cyber fraud. You may be surprised that current regulations leave many small businesses unprotected as we saw with the case of Hilary Machinery. The ball is in your court.
You cannot assume your business accounts are covered under the same federal protection as consumer accounts. Any business needs to ask its bank what current security measures it has in place. For the reasons I outlined earlier, the threats are constantly changing and, therefore, you need to make sure your accounts are protected against the latest threats. Financial institutions must invest in security platforms that provide the flexibility to implement new approaches and adapt to future challenges.
What I have outlined is a layered security approach, which is necessary to ensure that the right level of security is being applied to the access or transaction that is being requested. Identity-based security solutions, like those from Entrust, help you do just that.
A Special Thank You
Let me close by expressing, on behalf of Entrust, our deep appreciation to Congressman Burgess for allowing us to speak to you on the important issue of cybersecurity. He is an important advocate on The Hill for cybersecurity — especially when it affects SMBs like yours. I hope that I have given you some real-world tips to help secure your business.
Thank you for your time.”
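The man-in-the-browser walkthrough in the speech turns on one detail: the one-time passcode proves the controller is present but is not tied to what is being paid. The following is an added example, not part of the speech or any Entrust product, that models only the bank-side check and contrasts a session-only code with a code computed over the payment details on a separate device. The payee names, amounts split, key and function names are constructed for illustration, and the transaction-bound code is an assumed mitigation that the speech does not describe.

```python
import hashlib
import hmac

# Constructed sample data mirroring the speech's scenario (not real accounts).
SHOWN_TO_CONTROLLER = [("Vendor A", 10_000)]
RECEIVED_BY_BANK = [
    (f"Unknown payee {i}", amount)
    for i, amount in enumerate([25_000, 20_000, 20_000, 15_000, 10_000, 10_000], 1)
]

# Hypothetical secret shared by the bank and an out-of-band token or phone app.
DEVICE_KEY = b"constructed-demo-key"


def canonical(batch):
    """Serialize a payment batch deterministically so both sides hash the same bytes."""
    return "|".join(f"{payee}:{amount}" for payee, amount in sorted(batch)).encode()


def session_code(key, counter):
    """Code derived only from a counter: it says nothing about what is being paid."""
    return hmac.new(key, str(counter).encode(), hashlib.sha256).hexdigest()


def transaction_code(key, counter, batch):
    """Code derived from the counter AND the payment details the user reviewed."""
    message = str(counter).encode() + b"|" + canonical(batch)
    return hmac.new(key, message, hashlib.sha256).hexdigest()


def bank_accepts_session_code(code, counter, batch_received):
    # The received batch is not an input to the check, so a valid code
    # authorizes whatever batch arrived with it.
    return hmac.compare_digest(code, session_code(DEVICE_KEY, counter))


def bank_accepts_transaction_code(code, counter, batch_received):
    # The bank recomputes the code over the batch it actually received.
    expected = transaction_code(DEVICE_KEY, counter, batch_received)
    return hmac.compare_digest(code, expected)


if __name__ == "__main__":
    plain = session_code(DEVICE_KEY, 1)
    bound = transaction_code(DEVICE_KEY, 1, SHOWN_TO_CONTROLLER)
    print("session code accepted for altered batch:",
          bank_accepts_session_code(plain, 1, RECEIVED_BY_BANK))
    print("bound code accepted for altered batch:",
          bank_accepts_transaction_code(bound, 1, RECEIVED_BY_BANK))
```

The bound code only helps if the details are displayed and confirmed on a device the compromised browser cannot rewrite; real tokens also truncate the code to a few digits.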