This website requires certain cookies to work and uses other cookies to help you have the best experience. By visiting this website, certain cookies have already been set, which you may delete and block. By closing this message or continuing to use our site, you agree to the use of cookies. Visit our updated privacy and cookie policy to learn more.
This Website Uses Cookies
By closing this message or continuing to use our site, you agree to our cookie policy. Learn More
This website requires certain cookies to work and uses other cookies to help you have the best experience. By visiting this website, certain cookies have already been set, which you may delete and block. By closing this message or continuing to use our site, you agree to the use of cookies. Visit our updated privacy and cookie policy to learn more.
Security Magazine logo
search
cart
facebook twitter linkedin youtube
  • Sign In
  • Create Account
  • Sign Out
  • My Account
Security Magazine logo
  • Home
  • News
    • Security Newswire
    • Technologies
    • Security Blog
    • Newsletter
    • Web Exclusives
  • Columns
    • Career Intelligence
    • Security Talk
    • The Corner Office
    • Leadership & Management
    • Cyber Tactics
    • Overseas and Secure
    • The Risk Matrix
  • Management
    • Leadership Management
    • Enterprise Services
    • Security Education & Training
    • More
  • Physical
    • Access Management
    • Video Surveillance
    • Identity Management
    • More
  • Cyber
  • Sectors
    • Education: University
    • Hospitals & Medical Centers
    • Critical Infrastructure
    • More
  • Exclusives
    • Security 500 Report
    • Most Influential People in Security
    • Top Guard and Security Officer Companies
    • The Security Leadership Issue
    • Annual Innovations, Technology, & Services Report
  • Events
    • Industry Events
    • Webinars
    • Solutions by Sector
    • Security 500 Conference
    • Security 500 West
  • Resources
    • The Magazine
      • This Month's Issue
      • Digital Edition
      • Archives
      • Professional Security Canada
    • Videos
      • ISC West 2019
    • Photo Galleries
    • Polls
    • Classifieds & Job Listings
    • White Papers
    • Mobile App
    • Store
    • Sponsor Insights
    • Continuing Education
  • InfoCenters
    • Break-in Prevention
    • Building AppSec in Enterprises
    • Video Management Systems
  • Contact
    • Editorial Guidelines
  • Advertise
Home » Nothing Personal, It’s Just Business
Trends Column

Nothing Personal, It’s Just Business

Mark McCourt
March 5, 2012
Mark McCourt
KEYWORDS cybercrime / security risk management / Small to Medium Business (SMB) security
Reprints
No Comments

While the Security 500 may have CSOs, CISOs and CIOs leveraging state-of-the art-technology to prevent cybercrime, the real arms race is upon the Security 50,000 (small and medium business or SMBs). And while the large organizations, if impacted, will have sway with their banks and made whole, the SMBs are more likely to end up the victim of crime, often without recourse.

While this may sound like an IT issue (which is the reason cybercrime is so rampant and ill defended), it is truly a business issue that requires solutions at the corporate risk and security levels. From an economic view, America is losing money, intellectual property and jobs.

During testimony at a recent Congressional hearing titled, “Cybercrime and the Private Sector,” Entrust President and CEO Bill Conner discussed what is actually happening to US businesses that do not have adequate protections against advanced cyber criminals. It was fascinating and frightful, all at once.

The most critical risk SMBs face is known as “man in the browser” software and it is the leading cause of theft today. This is cloaked software that your desktop antivirus software or operating system will not detect or disable. Typical SMBs are not protected.

Conner noted these key points:

  • Both countries and organized crime are involved, namely in Ukraine and Russia.
  • There is no legislation or regulation directly addressing this issue.
  • There is no clear case law regarding this issue.
  • This is not a threat; thefts are occurring daily to U.S. SMBs.
  • Cybercriminals are operating large, sophisticated businesses.
  •  A significant public/private partnership is required to mitigate this risk.

The original “man in the browser” spyware, Zeus merged (yes, like a corporate merger) with SpyEye in 2010 (the Zeus investors took their money and got out like any typical venture capital firm). In February 2011 SpyEye and Zeus were developed into a new product that can be purchased with 24/7 support. The criminals no longer have to be great programmers or hackers; they simply need to be criminals. Once purchased, SpyEye will help the criminals vector their attacks on specific businesses, banks or geographies. If you haven’t guessed this by now, SpyEye is a major, criminal enterprise with next generation software.

Byron Acohido wrote in USA Today last August (when SpyEye was first released) that Damballa Corporation research identified within the first week of it being available, 14 cyber-rings took advantage by sending commands to tens of thousands of infected PCs in the U.S. and Europe.

And it is widely available. The article noted, “SpyEye normally sells for up to $10,000. But, as of last week, the latest, most powerful version of SpyEye could be acquired for just $95.”          

“How it works is real simple and very complicated,” Conner said in his testimony. He explains: “A controller at an SMB goes online to their financial institution and moves $10,000 to a supplier through their online bill pay. Once entered, the Man in the Browser software wakes up and changes the payees from the one supplier to six mules. And changes the $10,000 to $100,000. The bank sees the request to pay $100,000 to six different payees and it sees good security. The user name and password are correct. The account information is correct. The IP address is correct. The bank sends a confirmation to the business using a 30-year-old security technology, including a one-time use password that is valid for 30 seconds. The software wakes up again and changes the payment request from six payees back to one and from $100,000 to $10,000. The controller sees the request as accurate and hits the confirmation button. The $100,000 is gone. The bank loses it, the business loses it, the supplier has not been paid and the six mules funnel that money back into organized crime.”

Unlike personal banking where individuals are protected by the FDIC, the SMB is protected by NOTHING.

As an example, Conner shared the story of an SMB that had only done four transactions within the last year and had a $500,000 limit on its account. Its account experienced 20 transactions within six hours totaling $2,000,000. The bank claimed they did not do anything improper and the Court sided with the bank.

SMBs are not educated on the business risk or the technology available and banks are not taking appropriate measures. While Conner’s testimony ended with the realization that a very serious private/public partnership must be launched to combat this cyber arms race, it is clearly upon you in the Security 50,000 to recognize this as a business risk, not an IT problem. The “man in the browser” is a criminal, but a businessman first. Stealing your money is their business.

Subscribe to Security Magazine

Recent Articles by Mark McCourt

A New Year's Prediction: The Internet of Things Changes Everything

As Risks Expand, So Does Security's Responsibility

How the Security Evolution Turns to Prediction

John Dailey: Life Happens Here

Gary Gagnon: Unique-ness

Mark McCourt is the publisher of Security magazine.

Related Articles

Just Do It: Should CSOs Wear Nikes?

Security 500 Trends: Thanks for Nothing

Related Products

The Database Hacker's Handbook: Defending Database Servers

Related Events

The Global Security Operations Center: Boeing’s Approach to Securing its People and Business

You must login or register in order to post a comment.

Report Abusive Comment

Subscribe For Free!
  • Print & Digital Edition Subscriptions
  • Security eNewsletter & Other eNews Alerts
  • Online Registration
  • Mobile App
  • Subscription Customer Service

More Videos

Popular Stories

Dispelling the Dangerous Myth of Data Breach Fatigue; cyber security news

Major Retailer Macy's Is Hacked

ransomware-enews

British American Tobacco Suffers Data Breach and Ransomware Attack

server room, cybersecurity, penetration testing,

Explained: Firewalls, Vulnerability Scans and Penetration Tests

cyber network

How to Achieve Cybersecurity with Patience, Love and Bribery

cybersecurity-blog

European Hotel Group Suffers Data Breach Impacting 600,000 Hotels Worldwide

SEC2019_Everbridge_1119_360x184customcontent

Events

December 17, 2019

Conducting a Workplace Violence Threat Analysis and Developing a Response Plan

There are few situations a security professional will face that is more serious than a potential workplace violence threat. Every security professional knows and understands that all employers have a legal, ethical and moral duty to take reasonable steps to prevent and respond to threats of violence in their workplace.
January 23, 2020

The Value of a Unified Approach to Critical Event Management

From extreme weather to cyberattacks to workplace violence, every organization will experience at least one, if not multiple, critical events per year. And in today’s interconnected digital and physical world, the cascading safety, brand, and revenue impacts of critical events are more severe.
View All Submit An Event

Poll

Emergency Communications

What does your enterprise use to communicate emergencies to company employees?
View Results Poll Archive

Products

Effective Security Management, 6th Edition

Effective Security Management, 6th Edition

 Effective Security Management, 5e, teaches practicing security professionals how to build their careers by mastering the fundamentals of good management. Charles Sennewald brings a time-tested blend of common sense, wisdom, and humor to this bestselling introduction to workplace dynamics. 

See More Products
SEC500_250x180 clear

Security Magazine

SEC-December-2019-Cover_144px

2019 December

This month, Security magazine brings you the 2019 Guarding Report, featuring David Komendat, Boeing CSO, and many other public safety leaders to discuss threats and solutions for 2020 and security officer training. Also, we highlight Hector Rodriguez, Director of Public Safety and Security at Marymount California University, CCPA regulations, NIST standards, VMS and much more.

View More Create Account
  • More
    • Market Research
    • Custom Content & Marketing Services
    • Security Group
    • Editorial Guidelines
    • Privacy Policy
    • Survey And Sample
  • Want More
    • Subscribe
    • Connect
    • Partners

Copyright ©2019. All Rights Reserved BNP Media.

Design, CMS, Hosting & Web Development :: ePublishing