Posted on July 30, 2012
Small- and medium-sized businesses (SMBs) remain in the thick of the steadily rising tide of cyber attacks. Even as SMBs use cloud services to tap into support services, giving owners time to focus on what they do best, criminals are staying several steps ahead.
The bad guys have been quick to recognize and exploit vulnerabilities in the Internet’s infrastructure, especially in web servers (SQL injection and cross-site scripting hacks) and web browsers (Adobe and JavaScript attacks).
Bill Conner, president and CEO of Entrust, sat down with LastWatchdog to describe what may be the most directly impactful attack SMBs are facing: theft from online banking accounts. Before Conner joined Entrust, he held various senior executive positions at Nortel Networks, including president of Nortel Enterprise Networks and e-Business Solutions.
LW: What’s going on, at the moment, with ACH wire transfer fraud committed against SMBs?
Conner: SMBs continue to present a sweet spot for cyber criminals. They have larger bank accounts than individuals and typically lack the institutional awareness and sophistication of larger enterprises in terms of information security.
The most common transfer attacks have been man-in-the-browser. Cybercriminals have become increasingly more sophisticated in delivering this malicious code. Initially, these attacks were carried out through mass phishing practices and evolved into more targeted spear phishing. Once infected with MITB malware, banking transactions can be transparently modified in the background without the end user or the bank being aware that fraudulent activity is occurring. Traditional security approaches such as device fingerprinting, IP geo-location and even One-Time-Password tokens are ineffective.
LW: So what major gains did the good guys make?
Conner: Better security solutions have been developed to detect/defeat these MITB malware attacks so fraudulent transactions could not be completed. This includes using multiple layers of security authentication and advanced fraud detection techniques during a transaction, and transaction verification before funds are transferred. For instance, banks that encourage the use of mobile devices to verify transactions “out-of-band” – that is to say, outside of the web browser session – are significantly mitigating the fraud risk.
Additionally, when we look at other channels such as mobile banking, leading organizations are deploying downloadable, dedicated mobile banking applications rather than using mobile browsers, as criminals will have to invest far greater effort to overcome the dedicated applications rather than a ubiquitous browser-based approach. Mobile applications can also leverage security measures inherent to the mobile platform and the mobile application store vetting processes.
Further, guidelines implemented by the Federal Financial Institutions Examination Council (FFIEC) for financial institutions that offer Internet-based products establish a baseline of standards that compel banks to begin implementing more security measures.
LW: How have those gains been countered by the bad guys?
Conner: Hackers continue to persist and are growing in numbers due to the availability of malware tools and access to user information through social engineering attacks that utilize seemingly mundane and innocent data obtained from popular social media sites like Facebook. This method consists of conducting social media research on specific individuals to dissect their lifestyle, habits and personality in order to customize a specific correspondence that deceives them into revealing sensitive and confidential information. With this information cybercriminals can have access to information that can help them engineer attacks and execute fund transfers to bleed accounts dry.
LW: How would you concisely describe the exposure of SMBs today vs. one year ago?
Conner: SMBs are in a much better position now because of the baseline regulations put forth by the FFIEC. A year ago, banks didn’t have to focus on information and security fraud issues for SMBs, because there were no implications for them. Now, by Jan. 2012, they can be audited to ensure they’re in compliance.
While there is room for improvement, at least there is a minimum standard in place to require financial institutions to have security measures that protect those most vulnerable, like SMBs. However, much like Moore’s law, cyber threats increase exponentially and therefore policies must evolve as much as possible to stay ahead of threats.
LW: What metrics, survey results or other case study synopses can you supply to support your description of the current state of attacks against SMBs?
Conner: While we cannot provide metrics on the success our customers are having against cyber criminals, anecdotally we can confirm that several national and international top-tier banks have been able to detect and defeat advanced MITB attacks, keeping online fraud losses in the five-digit range, which is a great achievement and applies to their SMB customers as well.
LW: The American Bankers Association recently surveyed 95 banks and found attacks against SMBs up 260% in 2011 vs 2010; although average loss per theft was down 92%. What is your interpretation of this finding?
Conner: This suggests that security measures are working. The increase signifies there are simply more tools available to make these attempts and more people willing to try. Cybercriminals in pursuit of money are playing a numbers game. They are going to send out as many attacks as possible, as often as possible, which corroborates the 260 percent increase. The fact that less than half were successful supports that security is frustrating these attempts, at least for now. This is without question a cat and mouse game. Hackers will continue to innovate and information security developers must keep pace and strive to stay one step ahead.
LW: How does the emergence of cloud services aimed at SMBs factor in?
Conner: The cloud has introduced powerful solutions to SMBs that were previously the purview of large enterprises, such as CRM, without the expense or expertise required for deployment. By leveraging these world-class solutions, SMBs can benefit from the inherited security measures imbedded within these systems.
While usernames and passwords shouldn’t be relied on solely, utilizing this approach through a well-known cloud solution is still better than an SMB, without the know-how and resources, trying to go it alone. As an added layer of security, SMBs can work with companies like Entrust who offer information security solutions over the cloud with the same value proposition.
LW: How does wider use of mobile devices factor in?
Conner: Quite simply, there is less malware available to attack mobile platforms, making them inherently safer than PCs. Hackers want to focus resources where there is the most opportunity for success, which is the voluminous PC environment. In addition, mobile application developers learned valuable lessons from their desktop peers to write code that is more secure from the outset, which can make it more difficult for hackers to corrupt.
Because of this strong foundation, other security layers such as biometrics and digital certificates made specifically for mobile devices by information security companies can create identity credentials for stronger authentication.
Beyond applications, mobile phones can be leveraged to actually help increase security of online banking, as they can provide more information for real-time authentication and verification as to where transactions are taking place through geo-location, text, near field communication (NFC), etc. For instance, in some parts of the world, mobile phones can be used to read credit cards allowing you to physically see exactly who is receiving your information.
In short, these devices, with appropriate security layers in place, can provide better control and context for transactions than their PC-based brethren.