With the explosion of mobile devices and the exponential growth of big data that flows into the digital cloud, cybersecurity has failed to keep up with the evolutionary toolkit used by hackers. Add new regulations on governance, compliance, and the protection of data and the need for security beyond email "phish" training and anti-virus products are crystal clear.
On February 1, three high profile data breaches made headlines. For four months Chinese hackers chiseled away at the New York Times corporate network and email accounts; similar attacks penetrated the Wall Street Journal; and now 250,000 user accounts on Twitter were hacked.
That's a ton of negative press on the vulnerability of corporate networks in a two-day haul by hackers.
Evidently, none of these multi-billion organizations, which are suppose to be at the cutting edge of technology (disclosure: I have a Twitter account and I read both newspapers online), have invested enough time, money, and resources to defend their systems. Not properly, anyway.
Security offerings from RSA tokens (their tokens were recently hacked) and other products have come up short. The scale and frequency of the breaches prove that.
Security tools do different tasks to fight many weak points that hackers can enter and do damage.
Besides hard RSA tokens that cost $75 a piece, can break, get lost, be stolen, and run out of battery life, anti-virus software, for all their perceived benefits, have failed miserably. Email phish training of the workforce won't work. Not when companies have new employees every month. A hacker only needs one person out of thousands to get inside a corporate network by email.
Each day thousands of breaches occur among consumers and businesses worldwide. Most aren't aware of the malware on their desktop, mobile device or network, while many others don't report it due to the opportunity cost to their reputation.
Email, fake websites (10% are fake), and file attachments that look like real corporate, legal, and government documents are all pathways to get inside the company to steal information or plant malware.
"Amateurs hack systems, professionals hack humans."
A leading security expert made that statement at a cybersecurity meeting I attended in New York last fall. The message stuck.
So why do corporations invest in ephish training when it only takes one employee to get inside their networks? Wouldn't it be cheaper and more effective to conceal the employees' keystrokes--cloaking the data entered on any browser device--from hackers peering remotely over their shoulder than training each new employee?
In exploring ways on how to improve the massive gaps in corporate defenses and reduce both the size and virulence of cyberattacks, I sat down with George Waller, Executive Vice President of StrikeForce Technologies, Inc., (NASDAQ: SFOR).
Energetic, focused, and from Brooklyn, Waller stated, "98 percent of the data breaches that occurred over the past year could have been prevented if the businesses had the right security tools."
He went on: "There are three main needs for companies to protect their data and networks. Secure access points. Secure the desktop. Secure mobile devices." In the latter, the rise of the workplace BYOD tsunami will make securing those devices and data sets all that more important, as digital workflow will change the way we work.
StrikeForce Technologies is an eleven-year-old company that has grown steadily with the phased rollout of its three core products: Protect ID®, Guarded ID®, and its new smartphone release Mobile Trust™.
The StrikeForce Story
In 2000, George Waller, a co-founder and original CEO of StrikeForce, was in search of his next act after a solid career in software. He met Ram Pemmaraju, who was a Chief Architect at Bell Labs', and saw Pemmaraju was far ahead of the curve, that's when the StrikeForce Story began. Ram stepped into the role of CTO and Chief Scientist and continued the development of a revolutionary new way to authenticate a user, "Out-of-Band Authentication" something that he had already been working on for years. In 2003 Ram and George asked Mark L. Kay to join the company as the CEO. Kay's history speaks for itself: he spent 26 years at JP Morgan as the CIO and Managing Director of worldwide operations. Mark, Ram and George are driven by a common goal to "make the world a safer place for people to compute."
"In the early days, authentication was really only used for VPN remote access and done via expensive RSA Keyfob tokens," Waller explained. "We knew that the concept of Out-of-Band Authentication was both, more secure than tokens, and easier to deploy to millions of users. We knew that we were onto something really big.
"In an out-of-band authentication process, the user sends their username and password over Internet Protocol (IP), however, the authorizing pin-code is sent via a totally separate channel, i.e. the telephony network. We surmised that hackers could penetrate one channel, but not both."
So StrikeForce took their ahead-of-the-curve technology to the federal government. "It was 2002, and the government said they weren't interested, noting that the old generation cellular network had too many dropped calls and mobile phones didn't have the best connections. We forged on, developing multiple methods and expanded our technology offering."
The StrikeForce Security Suite
In the world of multi-factor authentication (MFA), StrikeForce has eight out of band methods to authenticate one's identity. They also have soft tokens and hard tokens embedded into the devices.
Mr. Waller recalled a story at a security Conference in Brazil, where he compared his hard token system to that of a competitor. After they both successfully verified their identities on the network, on the laptop, and on a mobile device, he said, "I took their hard token, dropped it on the floor and stomped on it, breaking it. And the competitor said, 'Hey, what are you doing?' and Waller replied, 'Now go ahead and authenticate your credentials again?'"
Obviously the competitor couldn't do it, to which Mr. Waller flashed a Brooklyn smile to prove his point on StrikeForce's secure access.
"There are two key differentiators from our products compared to the competitors. First, our platform can sit 100 percent on-premise, off-premise in the cloud, or in a hybrid," he explained. "Second, we have been awarded the patent for out-of band authentication; we have two other patents pending. We also offer sixteen different methods of authentication that all of the big security companies combined can't offer."
The Need to Cloak Data
Hackers use an arsenal of tools from click jacking to screen scraping, but their path of least resistance is to sit anywhere in the world and watch users type keys remotely, copy each data entry stroke, and steal names, identities, and information. StrikeForce's GuardedID® protects against all three forms of polymorphic keylogging Trojans.
Mr. Waller showed a demo of the data-cloaking device that turns strokes of any key into random numerical gibberish for a hacker to see, which makes data entry by the user completely invisible from theft. The keystroke encryption technology will be available for Apple users this spring.
Mobile Trust™ protects access, ensuring the right person comes in. "Protecting access control is a multi-prong approach," Mr. Waller said. "When you buy a smartphone device your data is unencrypted with a clear text cache file stored in device. That can be hacked. So encrypting the users data entry is important. It's time the consumer and the enterprise protect the keys to their kingdom--their sensitive data and information."
On the triple hacking that occurred prior to the interview, Waller shook his head, and said, "Had the Times and Wall Street Journal been using our ProtectID® out-of-band authentication technology along with our GuardedID Anti-Keylogging technology, they wouldn't have been hacked."
Until email is phased out with new collaboration tools, out-of-band authentication combined with cloaking data is a proven way to thwart hackers that consumers and corporations should invest in to protect their assets.