Entrust President and CEO Bill Conner Joins Senator Jay Rockefeller, Secretary Janet Napolitano at West Virginia Homeland Security Summit & Expo

June 2, 2011

Senator Rockefeller listens as Bill Conner discusses the evolving cybersecurity threat landscape.

Entrust President and CEO Bill Conner presented a keynote address at the West Virginia Homeland Security Summit & Expo on June 2, 2011. The event, hosted at Marshall University in Huntington, W.V., also included West Virginia Sen. Jay Rockefeller and Secretary of Homeland Security Janet Napolitano.

Conner discussed the evolving cybersecurity threat landscape and its impact on the nation, as well as the security and stability of our nation’s business community.

“Thank you, Senator Rockefeller. And thank all of you for being here today. I am Bill Conner, President and CEO of Entrust, the leader in identity-based security software solutions. On behalf of Entrust, thank you for the opportunity to participate in this unique and important event.

I am indeed humbled and honored to be back in West Virginia where, in 1977, I was one of two Arkansas representatives to the National Youth Science Camp. It’s exciting for me to be back and talking to you in a place where I began my deep appreciation and love of technology, nearly 35 years ago.

Global Arms Race

We all know that cybercrime poses a greater threat to the security of nations, corporations and individuals than ever before.

In the past, cybercrimes against businesses in the United States were used by hackers looking to make a political statement or to gain notoriety within the hacker community. But today, those efforts have been replaced by more sophisticated, sinister and damaging attacks from all over the world. That is why I believe that we must take a more global view of politics, law enforcement and technology in our efforts to solve this escalating problem.

Since I am a technologist by heart, training and soul — not a legislator, or in uniform — my role is to bring technology to the good guys and put it to good use. We must develop and deploy the best technology to enable and protect governments, enterprises and citizens around the world. Today, in the cyberworld, the balance in the arms race between the good and those who want to harm us is not even close.

A Constant Process

At Entrust, we are working around the world with small and large enterprises, governments and law enforcement agencies to enable technology for the good guys. We do this knowing that the total cost to deploy security is dwarfed by the cost of what is at stake.

It is important to recognize that this threat is not a Y2K type of event, where you spend once to solve a specific issue and see the threat pass. It is akin to a quality process that must be disciplined, measured and continually improved on a day-in, day-out basis. The challenge I face at the helm of Entrust is to make that possible for companies and governments in a cost-effective and uncomplicated way.

Evolving Trends, Advances in Technology

I believe that, in my lifetime, the most compelling development in science or technology has been the birth and growth of the Internet. This paradigm shift has delivered unprecedented opportunities for information, education, recreation, communication and commerce, while improving the quality of all our lives.

At the same time, we know that abuses of the Internet have led to crimes from identity theft and financial fraud to cyberterrorism. I have had an opportunity to work with many of my colleagues and policy makers in coordinating strategies to enhance the positive aspects of the Internet’s promise and to combat those who abuse it. It is now nearly 10 years after 9/11 and we have made tremendous progress. However, cybercriminals have continued to outpace our gains.

To put this in context, hardware technology follows Moore’s law, which states that capacity doubles and cost halves every 18 months. In the new cyberworld, software tools are changing in days, not years — and in many cases hours or even minutes. That makes it a constant real-time battle.

Smart, Sophisticated Cybercriminals

We are facing extremely dangerous enemies armed with the most expensive and sophisticated hardware, software and boldness. They function in an environment where their white-collar crime — even if identified and apprehended — brings only minimal punishment. That is because most of these attacks are across sovereign borders.

Today, these borders are the very shield of protection against the organization and the capture of cybercriminals. When some of these ill-gotten proceeds from cybercrimes are routed to terrorists, the world’s security is threatened. We cannot allow cybercriminals to succeed. The cost in money, property and trust is far too great.

If allowed to go unchecked, they will continue to grow, find new ways of proliferating cybercrime or fraud, and thus find new targets — both big and small, public and private.

I believe that greater international cooperation is necessary to apprehend and prosecute the cybercriminals that threaten our way of life. At Entrust, we are proud to partner with INTERPOL to accomplish this objective.

The good news is that technology and solutions exist today to thwart these cybercriminals. It just needs to be applied consistently and universally to deny the cybercriminals the easy access they have today.

Man-in-the-Browser Attacks

One area that should concern all of us is the amount of cybercrime targeting financial institutions and their corporate and individual customers. This is “big business” that’s worth hundreds of millions, even billions, of dollars on an annual basis. And this is a big problem that is escalating at an unprecedented rate.

Let me give you one example of a real-world threat that we have encountered that has not received as much attention as data breaches yet and should concern you and your enterprises here in West Virginia. The threat is called “man-in-the-browser” and targets mid- to small-sized companies.

The problem arises when someone in your organization is surfing the Web and accidentally installs software that opens a door for criminals. The software may install when an employee has visited an infected website or simply clicked a pop-up ad or notification. Regardless, once the malware is installed it is extremely difficult to detect.

This malware sits dormant, waiting for someone on the system to log in to your corporate bank account online. When it sees that URL pass by, it wakes up and begins to intervene transparently in whatever transaction is being conducted.

Let me explain how man-in-the-browser malware works.

  • A controller wishes to initiate a payment to Vendor A in the amount of $1,000
  • The malware “wakes up,” translates payment into six different transactions totaling $100,000
  • The bank sees the six transactions totaling $100,000 and asks the controller to confirm the transaction by entering a one-time passcode (OTP) to authenticate the transaction
  • The malware re-translates six transactions back to $1,000 and a single transaction
  • The controller sees original request for Vendor A to be paid $1,000
  • The controller then enters one-time passcode to authenticate the transaction and hits enter to send back to the bank
  • Unfortunately, malware accepts the one-time passcode and re-translates it back to $100,000 for the six different transactions to multiple accounts
  • The bank then sees the account’s OTP and assumes it is a set of authorized corporate transactions and executes them for $100,000
  • Now, both the corporation and the bank are missing $100,000

This kind of threat can happen in Huntington, Charleston or any other town. And it can and does happen to smaller enterprises. I’ll talk more about that in our panel discussion later.

There are inexpensive and intuitive tools to combat this kind of threat, but to get to that point, there has to be an awareness that such threats exist. That is why this forum today and the work of Senator Rockefeller in Washington are so vitally important.

The First Step — A Basic Defense

So, at the end of the day, the question remains, “What are small and large enterprises, financial institutions and governments to do?”

First, in my mind, are the cybersecurity basics — or table stakes, as you might call them, for online security. Your employees must have at least basic training on security practices to protect sensitive business information, communication and transactions.

Organizations also need to ensure that computers and networks are protected from viruses, spyware and other malicious code. A firewall must be in place — not only at the point of connection to the Internet but on all computers, including laptops used to conduct company business. And, finally, the proper settings must be routinely checked for vulnerabilities and attacks.

Education and these types of perimeter security solutions provide the first basic layer of protection for your business and your employees.

Another key to cybersecurity across an organization pertains to the downloading of software. I cite Brian Krebs’s blog from May 20 — “Krebs’s 3 Basic Rules for Online Safety” — where he gave three basic rules for online safety in this area.

First, “If you didn’t go looking for it, don’t install it.” You are taking a great risk by downloading software that you don’t directly know.

Second, “If you installed it, update it.” Basically, keep up with new versions of software because they include updated security for vulnerabilities that have been found in earlier versions.

And finally, “If you no longer need it, remove it.” Unneeded software can slow down your machine and eventually open it to a wider array of breaches. In the end, it is all about keeping networks, computers and devices protected to help thwart the opportunity for someone to breach your infrastructure.

Identity-Based Security

Finally, to truly secure your environment, you need identity-based security. You cannot have security and trust without knowing who or what is on both ends of a transaction.

To have that trust you must understand how digital identities are changing. Today’s identities go well beyond people and how we have traditionally thought of identity. Digital identities now include kiosks, servers, routers, mobile devices, applications, ATMs and even power meters.

This next generation of digital identities, including devices and application objects, will dwarf human identities in the next five years.

Identity-based security brings this all together with the right level of security, enablement, risk and compliance to any transaction — regardless of identity type.

So, what do you need to know to secure identities?

You need to control physical and logical access to your facilities, computers, networks and any other devices that house important information or have access to your networks. And, increasingly, you will need to manage the “mobile” access of smartphones and tablets. Mobility has come of age and is the next wave of innovation for good and for bad.

What I have outlined is a layered security approach, which is necessary to ensure that the right level of security is being applied to the access or transaction that is being requested. Identity-based security solutions, like those from Entrust, help you do just that.

A Thank You

Let me close by expressing on behalf of Entrust and our employees our deep appreciation for Senator Rockefeller’s leadership on the issues of homeland and cybersecurity. Sen. Rockefeller’s championing of cybersecurity issues is finally leading to progress in this very important area for all Americans.

While the world is very aware of physical terrorism, it is awakening to the next big issue that forever affects us all. You and I are indeed fortunate to have Sen. Rockefeller on point with us fighting on the cyberfrontier.”
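
The passcode step in the man-in-the-browser walkthrough above, seen from the bank's side, as an added example that is not part of the speech and not Entrust's code: a one-time passcode that is independent of the payment details authorizes whatever batch the bank received, while a code computed over the details the controller approved does not. Binding the code to the transaction is a generic mitigation assumed here (the speech does not name one), and it presumes the code is produced on a separate device that shows the payee and amount; the key, counter and account names are constructed.

```python
import hashlib
import hmac
import json

DEVICE_KEY = b"constructed-demo-key"  # constructed; shared by bank and user's token
COUNTER = 42                          # constructed moving factor for this confirmation

def _code(message: bytes, digits: int = 6) -> str:
    """HOTP-style truncation of HMAC-SHA256 to a short decimal passcode."""
    mac = hmac.new(DEVICE_KEY, message, hashlib.sha256).digest()
    offset = mac[-1] & 0x0F
    value = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return str(value % 10 ** digits).zfill(digits)

def plain_otp(counter: int) -> str:
    """Passcode that depends only on the counter, as in the walkthrough."""
    return _code(counter.to_bytes(8, "big"))

def bound_code(counter: int, batch) -> str:
    """Passcode computed over the counter AND the payment details."""
    details = json.dumps(sorted(batch), separators=(",", ":")).encode()
    return _code(counter.to_bytes(8, "big") + details)

def bank_accepts_plain(counter: int, received_batch, code: str) -> bool:
    # The received batch plays no part in the check, so any batch passes.
    return hmac.compare_digest(code, plain_otp(counter))

def bank_accepts_bound(counter: int, received_batch, code: str) -> bool:
    # The bank recomputes the code over what it actually received.
    return hmac.compare_digest(code, bound_code(counter, received_batch))

# Constructed data mirroring the speech; amounts are in cents.
INTENDED = [("Vendor A", 100_000)]                       # $1,000
RECEIVED = [(f"Account {i}", cents) for i, cents in
            enumerate([2_000_000] * 4 + [1_000_000] * 2, start=1)]  # $100,000

def demo() -> dict:
    # The controller approves what they see: one $1,000 payment to Vendor A.
    otp = plain_otp(COUNTER)
    signed = bound_code(COUNTER, INTENDED)
    return {
        "plain_otp_authorizes_altered_batch": bank_accepts_plain(COUNTER, RECEIVED, otp),
        "bound_code_authorizes_altered_batch": bank_accepts_bound(COUNTER, RECEIVED, signed),
        "bound_code_authorizes_intended": bank_accepts_bound(COUNTER, INTENDED, signed),
    }

if __name__ == "__main__":
    print(demo())
```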