March 30—Without a battlefield in the traditional sense on which to retaliate against Ukraine supporters like the U.S. and Europe, Russia may be taking to cyberspace. Cyber attacks can be a tremendously powerful tool in Putin’s arsenal. Chief Investment Officer Tony Roth and Mazars Principal and Cybersecurity Practice Leader Paul Truitt look at the potential risks to our infrastructure and overall digital security.

Paul Truitt, Principal, Cybersecurity Practice Leader, CISSP, CISM, CISA, CEH, Mazars

Please listen to important disclosures at the end of the podcast

Russia, Cyber Attacks & the U.S.: How Afraid Should We Be?

Tony Roth, Chief Investment Officer, Wilmington Trust Investment Advisors, Inc.

Paul Truitt, National Cyber Practice Leader, Mazars

PAUL TRUITT: And that one person that clicks that link that grants the rights into your organization bypasses all of the perimeter security controls that you had in place and gains an attacker access to that workstation. That scares me. That keeps me up at night.

TONY ROTH: That was Paul Truitt, Principal and National Cyber Practice Lead at Mazars on why U.S. digital infrastructure is leaving itself exposed to potential malicious activity.

TONY ROTH: Welcome to Capital Considerations, the market and economic podcast that’s fully invested in your success. I’m your host, Tony Roth, Chief Investment Officer of Wilmington Trust.

With Russia’s military forces facing unexpectedly fierce resistance and condemnation on the global stage, there’s talk of nontraditional escalation. This could be nuclear, bio, chemical, hard things that we don’t even like to talk about, frankly. But there’s also one other category which are cyberattacks.

In the early days of the conflict we saw Ukrainian banks, other governmental agencies’ websites temporarily shuttered by Russian groups that were engaging in different kinds of cyber warfare. And with the U.S. playing a leading role in the global effort against Putin’s regime and their activities, the risk to our own infrastructure and digital security from a Russian cyberattack or series of attacks is also at play.

So, to help us dimension the potential outcomes from a cyberattack and the risks inherent in this space, we’re joined today by Paul Truitt. Paul is a Principal and the National Cyber Practice Lead at Mazars, where he specializes in identifying and mitigating security risks for clients in multiple areas of the economy, which include retail, healthcare, and manufacturing, and banking.

He holds numerous licenses and certifications in the space, including those of certified hacking forensics investigator, which sounds a little bit scary in and of itself, certified information security manager, and certified information systems security professional. Paul, thank you so much for joining us today.

PAUL TRUITT: Thanks, Tony. It’s a pleasure being here.

TONY ROTH: So, Paul, let’s start with Mazars. Tell us, who is Mazars?

PAUL TRUITT: Sure. So, Mazars is a global accounting firm that has a large consulting practice. So, I’m part of the consulting practice within Mazars and, you know, we’ve been around, actually we just celebrated our hundredth-year anniversary.

TONY ROTH: So, Paul, one of the things that’s probably most remarkable about this idea of cyberattacks as it relates to the conflict that’s going on in Ukraine and Russia, is that we haven’t seen all that much activity that’s been particularly damaging. I mentioned at the outset that there was a set of attacks that were sort of fought off at the very beginning of the war. There was the Viasat attack, which brought down one of the main communication networks that was satellite-based in Ukraine.

But since then, there really hasn’t been an awful lot going on from a cyber standpoint. So, with all of the concern around cyberattacks, maybe the first place to start is, you know, where are they, what’s happening, and why aren’t we seeing more?

PAUL TRUITT: Sure. You know, from my perspective I think cyber has been an aspect of the overall war between Russia and Ukraine. There has been, you mentioned, a few of those circumstances on what they’ve done. But it’s much more been a ground warfare, right? I think, you know, they’ve been more focused on some of the, you know, military efforts rather than cyber efforts. I think a lot of that is really just based on the type of war that they’re having, not necessarily lack of capability or lack of interest in cyber as an aspect.

Cyber’s much more of a potential threat to Europe and the United States from an attack perspective, mainly because it’s significantly more difficult for Russia to have any kind of ground warfare within, you know, larger or more established countries. And so, you know, I expect that we do have much greater level of cyber risk here against the United States.

TONY ROTH: So, in other words, they just haven’t gotten to it yet.

PAUL TRUITT: Yeah.

TONY ROTH: They’re focused right now on ground warfare. They haven’t really gotten to it yet. But they, it’s not because they can’t do it.

PAUL TRUITT: No. I don’t think that that’s at all the case. Very recently there’s been additional chatter of potential attack against the U.S. or against other countries that are cooperating to assist Ukraine.

TONY ROTH: One of the more intuitive lines of thinking that I always pursue is the idea that, well, we had Colonial Pipeline and we had the SolarWinds and, if you will, the way I conceptualize is that there were certain doors that were open that they walked through in order to perpetrate those attacks. I would have to imagine that all of the folks that are in the space, like yourselves, can see those doors and then advise their clients, okay, you’ve got to close these doors. And you start with a baseline where there may be 100 doors open and then you keep on closing those doors, keep on getting better at protecting from these kinds of attacks.

For example, in order to get into your website as a client at Wilmington Trust, you have to do double authenticate, double authentication. It’s not something that we had even a few years ago. So, I would imagine it’s quite a bit harder now.

So, isn’t it getting harder for these perpetrators to try to inflict this pain and harm on our digital economies or digital realities? Or is that not the case?

PAUL TRUITT: Yeah. So, harder, sure. I would say that it is much harder today than it probably was, you know, three, five, ten years ago. You know, it’s different vectors of attack that we’re seeing. It’s different types of attack.

You know, we’re not necessarily seeing a lot of open doors, as you described them. A lot of the open doors have been closed. The problem is we have a lot of filtered doors. And so, what is a filtered door, right? We have a lot of access that still needs to exist, right?

So, for a bank like Wilmington Trust to function, you do need to have a public internet-facing website. You need to have online banking for your customers to be able to perform transactions. You need mobile apps that can gain access into your environment. You need, just for business functionality you need email communications.

And then, let’s talk about some of the other points of potential risk. You have communications with third parties, direct interactions between, you know, a banking organization and any kind of, whether it’s for, you know, IT services type activities, monitoring services, or if it’s banking transaction-related activities of third-party communications and access. All of those channels that I just described are required to be open with other organizations or open to the world. You can put security controls on them, but they, the nature of being open in communication with the world leaves them potentially exposed if there’s a risk that someone might find or a threat that someone might find.

And, sure, are we constantly looking at those potential doors or those filtered doors and making sure that our filters are actually working and picking things up? At a larger organization, I’d say yes. At a lot of smaller organizations, we struggle. And so, those smaller organizations that don’t have dedicated security teams, that may not even have dedicated IT teams and they’re using third party services and support or maybe not doing that at all, those are easier channels in. And a lot of these larger organizations have relationships with those companies that potentially could lead the insecure organization to gain a hole into the secured or more secured organization.

TONY ROTH: It’s interesting when I hear you articulate this, that it makes me recall, Paul, the many times that I’ve been working to put in place enhanced services for our clients, whether it be using a third party, for example, to run enhanced performance analytics. And when we negotiate those arrangements, we don’t only negotiate the cost and the service level in terms of how frequently we want those statistics provided. But now, we spend a lot of time thinking about what type of protocols are being deployed and what type of oversight and refreshing and industry standards, etcetera, around the cyber security of that third party, because we’re starting to recognize that if they’re not safe, then we’re not safe because of those connections.

PAUL TRUITT: That’s right.

TONY ROTH: And I think that’s what you’re referring to, right?

PAUL TRUITT: That’s it. It could be the connection in that they’re required to have to interact with your systems. It could be that they have your data and they’re doing something processing data oriented. And so, in those scenarios you really don’t have control over their security architecture and design. You don’t have control over them letting you know in a timely manner that they had a data breach. You can have contractual obligations that wrap around that, and most larger organizations have a pretty good third-party management program. But you’re still trusting that third party in some way, shape, or form and unless you’re doing a really good job with a third-party management audit program, which I can tell you most banking institutions do a pretty good job with that. But there is still risk associated.

I think it was yesterday or the day before, the announcement of Okta, which I don’t know if you’re familiar with Okta, but that’s a trusted third party that many organizations use for authentications. So, you enter your username and password and likely multifactor, so a token or something along those lines, into your Okta framework and then Okta as a third party has access behind that into a lot of your applications. It’s a frontend password safe for, you know, simpler terms, but it’s a little more advanced than that. And Okta had a data breach, right?

It was through one of their third parties. Someone breached the organization through the third party, and I think I saw—the numbers are varying, but I think I saw some significant portion of their customer base that was impacted by this data breach and potentially exposed. And so, this is a third party that’s a security firm that you trust, and you use to implement security protocols inside of an organization.

And, you know, was Russia behind that? I don’t think I’ve read anything as to understand exactly where the source was in that. Apparently, the breach happened back in January, and they just came clean with it, which is another scary aspect that we talked about a second ago of how quickly are your third parties letting you know that they had a data breach? And, you know, I’m not an Okta customer, so I don’t know if maybe they let customers know sooner than that and the public just didn’t find out until two days ago. But, gosh, January to the end of March is a long period of time to have a potential massive exposure on the frontend of a lot of organizations.

TONY ROTH: So, it sounds like while we’re closing doors and if the environment in which we operated was static we could probably get to a point of very high security fairly quickly. But the reality is we live in an environment where the digital space is entirely dynamic, not static, and it’s…

PAUL TRUITT: That’s correct.

TONY ROTH: …Constantly changing and constantly importing new innovation in order to improve and be competitive. And it’s through that process that we open new doors as we close the old doors.

PAUL TRUITT: Absolutely. I mean even look at internet of things, IoT-related risks, right? I mean the Alexa device that sits inside your home is a new innovation, but it’s a new vector of attack into your—and that’s on the home residence. But there’s probably a lot of Alexas sitting on company networks that we don’t realize or camera footage that’s connected to, you know, a security control system that’s now on the, on your network and potentially a vector of attack within your organization.

So, sure. I mean we are constantly changing, constantly adapting.

TONY ROTH: Yeah. I mean my wife has famously within the little ecosystem of my tiny family of four people, for years and years and years, she said I don’t want any Siris or Alexas on any devices in my house listening to what I’m doing. And, of course, she’s talking and then all of a sudden unwittingly, Siri or Alexa responds to her, because someone’s phone was on, listening to this conversation and, of course, she got very, very paranoid due to that. So, it’s there’s always a, an unperceived, if you will, boogieman or big brother or some type of entity watching over your shoulder, even in your own house now and you have to be careful.

PAUL TRUITT: Absolutely. And the number of devices inside of your home, I mean, you know, let’s put the business aside for a second and look at the threat vector inside of a home residence. And, by the way, you can multiply that tenfold or more inside of an organization. But in your home, you know, five years ago you probably had an Xbox, an earlier days Xbox. You might’ve had your, some kind of smart television that was, you know, one or two of those in your home. So, there was maybe five, eight devices.

Today, I’ll bet there’s 50 devices in every one of my neighbors’ homes, non-technology people that just have—they have a Ring doorbell, they’ve got a smart TV in every room.

TONY ROTH: Right, Nest.

PAUL TRUITT: Yeah. I mean they’re very, very connected, cameras throughout homes. And those are vectors of attack or potential attack inside of a home that potentially puts you at risk or in harm’s way.

TONY ROTH: Let’s focus on the United States, only because they’re probably, you know, in the center of the crosshairs from a Russian standpoint given the perceived role they see us playing in this geopolitical scenario.

What are the kinds of attacks that are keeping you up at night? Is it shutting down the coolant system on a nuclear plant? Is it somehow preventing the Defense Department or the defense systems from operating effectively? Is it something else?

PAUL TRUITT: Yeah. So, I mean I’ll be honest with you. All of those things scare the—scare me. But there’s a ton of vectors of attack that a lot of our clients see on a day-to-day basis. The most common that we’re seeing right now that I expect will continue to grow in impact because of how easy it is to perform is ransomware attacks. Or let’s step back from that. It starts typically with a phishing attack.

And so, you know, all the controls that you described, all those doors that you close, well, your weakest point is the one person in your organization that falls for something from an inbound email communication, right? Whether it’s, you know, the silly things of, you know, click here to see the dancing kittycat or, you know, click here because your—and what did—I just received one this morning that said something about my order on my credit card, it was qualified for some kind of a coverage or something. And I think the goal was to get me to click the link to actually link into my credit card account. And I assume that I would have had my username and password skimmed in the process of that.

Which, you know, those threats or those type of attacks are being performed every day all day long against people that are within organizations, whether it’s your own personal email communication, whether it’s your business email that receives them. And that one person that clicks that link that grants the rights into your organization bypasses all of the perimeter security controls that you had in place and gains an attacker access to that workstation. That scares me. That keeps me up at night. And how quickly can I flag that? How quickly can I see that for my client and stop that type of a behavior? Because I can’t always stop the initial vector of attack. What I can stop is I can stop the behavior that happens once that occurs.

So, you know, there’s elevation of privilege that happens. There’s an attempt to see what else is going on in the environment, where else can they grow their footprint. We can see those behaviors as long as the organization has, you know, monitoring services, has good endpoint detection services. There’s a number of technologies that can really help flag those activities.

TONY ROTH: So, what are the harms there? What are their goals, their objectives? I think of it as a set of outcomes that they can accomplish that don’t result in any monetary or other benefit accruing to them directly, but rather create profound disruption to us as their enemy. So, classic example, shut down the electrical grid or the water supply. You know, we can’t function as a society. Anarchy breaks out. You know, we’re living in a dystopian scenario, right, taking it to an extreme here.

But that’s one side of the continuum. The other side is trying to go and appropriate funds out of a bank account and maybe ransomware somewhere in between perhaps. Where do you think we’re most exposed or where do you think the biggest threats are right now?

PAUL TRUITT: Yeah. And look. I think, let’s take Russia out of the picture for a second and we’ll put them back in in a minute. But take that out of the picture and I think most of what we’re seeing today is attacks against organizations in not necessarily a targeted fashion. These are blanket attacks against individuals and organizations. And, honestly, the attackers are tending to take whatever they get on the other side.

So, you know, gaining access is hopefully going to give them, at minimum, an individual that’s going to follow their request and commands, right? I was just talking to a family friend. Somebody ransomware—or they didn’t. I’m sorry. They phish attacked their mother and they walked; they took their identity. They got them to go to the store and get them a gift card. They went through all these things. It just got them some level of monetary information.

Well, that’s probably because when they got to the other side of whatever they were doing, it wasn’t a business. It wasn’t something that was more interesting. So, let’s use the advantage of the opportunity of whatever we have and be opportunistic and take some cash.

The bigger win is when they get to a business on the other side that’s interesting. And so, again, I don’t know that a lot of these type of attacks are targeted. They can be. But most of them seem to be much more just opportunistic in nature and they’ll take whatever they can do. If they find it’s a company, a lot of times they’ll take that next step to try and perform ransomware and see if they can get, you know, instead of getting the $4,000 they might’ve got from an individual from whatever they stole, they’re going to try and get $4 million by or maybe a million or whatever they end up trying to put ransomware out there and take your data and potentially use that to their advantage.

TONY ROTH: Paul, this is a dimension of this. How many successful cases of ransomware perpetrated by, you know, foreign sources would you think happened last year in the United States? Because probably most of them don’t get reported, right?

PAUL TRUITT: Hundreds and hundreds of thousands.

TONY ROTH: Really?

PAUL TRUITT: I mean the organizations impacted by ransomware, if—I’ve got to think more than, I don’t know, between last year and this year I’ll bet a quarter or more of organizations have had some level of ransomware attack. I get a call almost every day from one of our clients that’s had a ransomware attack. And some of them are minor, some of them are more significant than that.

It could be an individual’s machine. It could be some servers. It could be their entire data center. And, you know, it’s a variable. But and it’s happening to organizations that have strong security programs.

TONY ROTH: When you say an attack, are you saying a successful attack?

PAUL TRUITT: A success.

TONY ROTH: Or just an attack?

PAUL TRUITT: A successful attack.

TONY ROTH: Successful attack where they’re actually able to extract value, direct value from their behavior.

PAUL TRUITT: And we’re seeing it more in the small to mid-market than we are in enterprise. That kind of goes down the path of the reasons and the things we talked about earlier, which is whether it’s an attempt to exploit those organizations and use them as a vector into the enterprise or whether they’re just finding it easier and more opportunistic to attack the mid-market because they don’t have the same level of security control and third-party monitoring services that these larger organizations have.

TONY ROTH: If I’m a customer of one of these large multi-state electrical grids, does that mean that they’re likely to be better protected than a smaller outfit or a small local water company? Are the bigger companies running our economy, are they going to be, you know, do you think they’re better protected, or do you think that we’re really from an infrastructure standpoint here really at quite great exposure?

PAUL TRUITT: Yeah. So let, let’s look at that question in two different ways, because what I shared from an opportunistic perspective, in an opportunistic nature I would say that they’re probably less likely a target. And the reason for that, the bigger companies. The reason for that is because they’re not probably listening on the easy path. And so, you know, take it the same thing as in your community with your doors locked and maybe an alarm system sign in your front yard. You’re less of a target because you’ve made an investment in making sure your doors are locked and you’ve got a sign out front that says monitored by ADT.

Well, your neighbor down the street still has the default Kwikset door lock, not that Kwikset’s a bad company. But it’s, you know, it’s the door lock that probably came with the home. It’s probably a lower class than maybe the one that you invested in to upgrade. And you don’t have the sign out front that says you have an alarm system.

And so, that home down the street is likely going to be broken into before yours is. But does that mean yours is not exposed or at-risk? No, it doesn’t. It just means it’s not as exposed as that person down the street. It’s the same thing with a lot of organizations. If you’ve got good monitoring services and good controls in place, you’re probably less likely to see an impact unless you’re targeted as a potential point of concern.

So, that’s the today model. But the tomorrow model or a threat that’s coming from Russia of trying to impact the United States, that’s drastically different and that changes the game a good bit, because that large organization now becomes a bigger interesting target.

TONY ROTH: So, if you think about our country, you think about the private sector and the public sector, I would have to believe that the Goldman Sachs and J.P. Morgans and Microsofts and Pfizers, the premier companies are going to rank the highest in terms of their overall ability to deflect these threats. Whereas, the government, now whether the Department of Defense is different than the rest of the government I don’t know, but the government would probably be less well run, less efficient, perhaps less well-funded. So, when you think about the electrical grid and the water system, those would probably be more at-risk than the world of finance, private finance, etcetera.

PAUL TRUITT: Potentially. You do have controls that have been defined and analysis that’s been run against some of those government organizations. We saw a set of controls that were improved by the federal government within federal agencies after some of the breaches recently that happened. There was kind of that spate of data breach at the end of last year that created a lot of concern within the federal government. And so, we did see some improvements made there.

But, sure. You also have a from a desired attack perspective, I’d say financial services and something that would impact human life or put the—put chaos, mass chaos in the U.S. for citizens as the most desired targets in a cyber warfare type thing. So, you know, if we were looking at where is that potential risk or impact, those are the two vectors of attack. And, you know, both of those entities, so an electric grid really—so, maybe electric manufacturing, power manufacturing or a grid or a banking institution, whether it was wealth management or, you know, retail banking, whatever it may be, those style organizations have third parties that they’re working with. So, even if they’ve put the right controls in place, there’s potential avenues of coming into those organizations through a third party.

And the other thing to keep in mind is we just talked about ransomware type activities or we talked about phishing attacks and that’s still a vector of potential attack that all it takes is getting in the door and leaving yourself quiet once you’re in the door and then going at it once you’ve got, you know, a half-dozen, dozen, you know, two dozen hosts inside of an organization that you’re trying to gain access to. So, is it possible that, you know, U.S. banks, U.S. national infrastructure organizations already have bots that are accessible that have been exploited that just no one’s actually done anything with that are sitting dormant right now? Very possible.

And so, if Russia has those at their disposal, they’ve made purchases on the dark web to buy access into some of these organizations, they may already have vectors in that they can launch all at once, which creates tremendous amounts of confusion and generates, you know, your incident response plan that you may or may not have a good attack response to.

TONY ROTH: So, really the only way to be safe and you get paid to be circumspect, right? So, that’s your job. But is to, you know, really live off the grid. You have to have solar panels on your house. You have to have well water. You have to have a septic tank and a big fence around your house and then you’re self-sufficient. But absent that, you’re going to be exposed, right? I mean that’s fair. But though you don’t live that way, right? You, you’re probably on the grid and all that.

PAUL TRUITT: Oh, absolutely. Absolutely don’t live that way. And, I’ll be honest, I don’t want to live that way. So, you know, I love the freedoms of this country. And so, I am living my life in a way that I’m not worried about things that I actually know more about than I probably should.

And so, you know, but there’s a reality that you can’t run a business that way. It won’t function. Can you run a—one segment of the Department of Defense that way? Probably, right? You could be completely disconnected. You could have, you know, no cell phones in the building when you come in. And, but it’s no way to live. It’s not a happy place to be.

And so, you know, I would say that’s the only way to be completely safe. But there are ways you can put controls in place to be able to quickly identify. Can you stop someone from getting in the door of your organization? No. If—I don’t care how many walls you have up, if you’re connected to the internet and someone is bound and determined to gain access to you, they can gain access.

What you can, however, do is have the right controls in place and the right technology and the right people watching those behaviors to flag potential things that are causing risk. And so, if you can quickly respond, you can stop that from happening and spreading inside of your organization.

TONY ROTH: So, what is the risk to us as individuals that are clients of these top institutions, you know, Wilmington Trust and M&T Bank, one of the top 10 or 12 banks in the country now, the J.P. Morgans and Goldmans, etcetera? Do we worry every day we wake up and say, well gee, is the balance in my account still going to be there or will there have been a bot that went into the system and erased everything overnight? I mean how do we calibrate for that in our lives?

PAUL TRUITT: Yeah. I mean, look. Is it possible? Potentially, right? But there’s enough checks and balances within systems like that to make sure that, one, you know, you’ve got backups of your systems. Banking institutions are, for the most part, doing a pretty good job, especially the larger banking institutions are doing a very good job of making sure that they’re quickly responding, they’re identifying potential malicious behavior or potential anomalies in their systems.

And so, I think the risk is relatively low of waking up in the morning and having, you know, the balance changed or disappearing inside of your account. And if it does for whatever reason, I think there’s enough controls in place, at least in my experience, that they’re going to be able to recover that in a pretty easy way.

Now, is it possible that you might wake up in the morning and not have access to that banking institution? And so, that’s a lot more likely scenario in my view is a denial-of-service attack, some type of an exploit that causes the bank to have to disconnect from the internet and potentially disconnect from transaction-related activities. That’s possible. I think it’s a temporary problem more than a permanent problem though.

TONY ROTH: I probably, in a biased way, certainly in a proud American way, you know, like to think we built the internet, right? So, we built the internet. It primarily ensues from American companies and if anybody knows how to tamper with it and engage in mischief it should be us.

But there’s something about the way our society is structured relative to some of these more, let’s call them malign actors out there, actor being Russia, North Korea, China, where we live in a certain structure with a certain level of baseline ethicality, and we have a certain level of employment. And so, we don’t have a lot of, if you will, excess marginal actors in our society and looking for some kind of reward, whether it be from the state or whether it be directly through these activities.

We don’t have a lot of players like that are somehow tacitly sponsored or somehow promoted by the state. Whereas, in a country like Russia or China there’s tens of thousands or millions of people like that probably that are idle, that are smart, that have a computer, that are engaged in that kind of behavior. And so, when I think about, well gee, how come we’re not doing the same thing back to them, well, we probably are but it’s probably only happening for the most part within the context of the NSA or, you know, one of our actors. It doesn’t really have that same level of prevalence just due to the way our society is sort of set up and the way it operates. Am I on to anything there do you think or how do you react to that picture I’ve painted?

PAUL TRUITT: Yeah. So, you’re right. I would say that, you know, if you look at attack maps, there’s a number of different organizations that post kind of where defense lines are being run. I think Fortinet is a good one that is out there that has their whole network of Fortinet firewalls out there within organizations globally that are showing threat-based behavior or attack-like behavior in a map where it sort of looks like a missile coming in from different places. And the vast majority of those attacks are coming from overseas, similar places, certain countries, certain zones that have less restrictions, less laws associated with that type of behavior hitting the United States.

It’s a—we’re a common recipient of attack. We’re not necessarily the sender. We are in some cases. We do see some within country type stuff and we see—and some of that’s politically driven. There could be a variety of reasons we see that behavior within the U.S.

But yeah. I mean are we a bigger target because of that? Potentially. I would say that we’re also doing more from a spend perspective of having good guys. So, while you may have more attackers within foreign countries, you have—and I don’t know what the actual stats show, but I would expect we are hiring more defenders of security within the U.S.-based organizations because of the size, because of the complexity, because of the just value of our assets to defend against those guys.

And so, you’re seeing a lot of that type of back-and-forth. And, you know, maybe we call it the bad guys versus the good guys, right? And it doesn’t always mean that the bad guys will win if we have equal number of good guys defending us here in the U.S.

TONY ROTH: So, I mean it almost sounds like then that the height of your defense if you’re a wall, right, is only going to be as good as your response to the last set of attacks. And so, conversely, if the bad guys, those states are not really being attacked as much. They should be vulnerable. And so, if we decided, we being the U.S. government let’s just assume, right? Let’s just assume we don’t have a lot of history of truants going out and sua sponte committing these acts. But the government should be able to then say, you know what? We’re going to ramp up our efforts and be offensive vis-à-vis Russia and they should be pretty vulnerable. Is that not the case?

PAUL TRUITT: I would tend to agree with that. I wouldn’t expect that we would have a lot of walls up against us if we attacked other countries that are threatening to us. And so, you know, we have not taken the offensive that I know of. Although, there may be government activities going on behind the scenes where we are probing organizations or probing government entities to determine what potential vectors of attack could we use in the event we need to.

So, I would expect that we have folks, and you mentioned the NSA and whatever other three letter agencies have hacking folks engaged with them and there are plenty of those. I would expect that they are out there evaluating where they might take an attack if we used cyber as a vector of war.

TONY ROTH: I mean the way we tend to think in this country at least, we tend to think that if we engage in the behavior, then we endorse the behavior. So, we’re therefore going to refrain.

PAUL TRUITT: Yeah. I mean, look. I think cyber being an aspect of war is somewhat new. If we were to take an offensive approach to Russia or North Korea, is that deemed an act of war and does that get retaliated with both cyber and, you know, actual, you know, weaponry warfare, you know? And so, I think we’ve got to be careful of how we approach that and what we use in order to, you know, perform those type of attacks.

And, you know, I would say that as of right now we’re more of a defensive front and that defensive front can change into an offense if threatened or if we feel as though we need to become more offensive. So, you know, I truly believe that we have the—that ability and we have plenty of people who are defending in this country that have the capability of attacking. And, you know, those of us that are in, you know, penetration testing type roles inside of the, inside of this country that are performing services for, you know, firms helping figure out what risks exist, those same people could be spun around the other direction and help the U.S. government and whatever other entities in order to perform offensive attacks.

TONY ROTH: So, Paul, what do you recommend that our clients do to protect themselves?

PAUL TRUITT: Yeah. And let’s talk about it from a personal first. You talked a little bit earlier about online banking and the fact that Wilmington Trust and others have multifactor authentication or you—two forms of authentication. Make sure that you’re using that, right? I mean that’s the number one thing that I would propose is a lot of banking institutions have the capability of allowing you to use what’s called multifactor. And I’ll describe that for a second, because if you’re not familiar with it, it’s really your username, your password, and something else that you have that identifies who you are, whether it’s a text message, which I’m iffy on whether I think text messaging is the right second factor, but some kind of a token of some sort that you have that others don’t have that allows you to protect your accounts.

If you don’t have that turned on, you’re, you are at risk and you’re not taking advantage of the security controls offered to you by most financial institutions. If your financial institution doesn’t offer multifactor authentication, I would exit that financial institution. I would move your money or do not set up an online account.

And so, that’s my first piece of it. I would say the second piece of it is, you know, be wary anytime anything comes to you that you didn’t solicit. Whether it’s a phone call, whether it’s an email, whether it’s a, you know, a letter that comes in the mail, whatever it is, if you didn’t ask for it, you can’t guarantee that it came from the person that they say they are because it arrived into your inbox or into your mailbox or into your phone without you asking for it. So, the immediate reaction is simple. I’m sorry. I don’t give information to inbound phone calls or inbound communications. I’m going to call the number that I know, that I trust, that I believe is the right answer on the back of your credit card, on the—on your bank statement, on other communications that you have, on the corporate website of the organization. Make that phone call to validate that something is real, and it is not just clicking a link. So, always assume that it’s not real or that it’s false until you prove otherwise.

And then, you know, talking a little bit about a business, because I think a lot of your clients are probably business owners or involved in some kind of a business entity. And so, I think it’s very, very important for our small to midsized companies to make sure that you’re doing security testing, you’re performing some kind of analysis against your organization for what potential threats exist. How easy is it to exploit your organization? Are there things listening on the public internet that shouldn’t be that can be cleaned up? Do you have segmentation? So, is there walls inside of your organization to stop potential threats from moving around in the environment? And have you had a third party evaluate that and test that for you?

You know, that’s extremely important to be doing as an organization. And have you done any kind of a, an incident response test, right? So, you know, asking the question within your organization of if something happens, did we identify it, did we see it quickly, and did we test to see what we would do when that happens and how we would respond and is that written down somewhere?

And so, you know, these type of threats and these type of activities, the faster you respond, the more consistently you respond, and the less you respond, like what’s the slogan, chicken with your heads cut off, right? If you’re running around aimlessly as a response strategy, you will not do what you’re supposed to do. You should have a defined structure and approach and be able to handle that as an organization.

TONY ROTH: Well, recently I purchased a charger for a device. And I bought it from Best Buy, and they sent it. And then, it wasn’t the right voltage. So, we had to figure out what to do with it.

So, we called up Best Buy. And, you know, I was engaging in this experience in a very sort of almost dismissive kind of amused way because, because they’re asking me, you know, Tony, what’s your shoe size? We want to know, you know, which of these cities are you associated with just so I can return, you know, get a new $9 charger. If I was talking to, you know, Fidelity maybe or someone like that, okay, this would be appropriate. But this is Best Buy. Who cares, right?

But, you know, for all I know they’ve already got enough information on me that if I didn’t authenticate myself in the right way there’d be some consequence. So, you know, even that I should probably take more seriously, because you never know how this sort of web of connections is actually going to lead to different outcomes.

PAUL TRUITT: Sure. And at least in that scenario, it was solicited. It wasn’t unsolicited, right? You were at the point of presence.

TONY ROTH: That’s right.

PAUL TRUITT: You, and so you knew the third party was legitimately Best Buy because you were in the Best Buy store. So, in a scenario that someone were to call you from Best Buy and say, hi, this is Paul from Best Buy, we need to reset your account. That’s where you get really wary.

I remember walking into a, some kind of rental place and they wanted my Social Security number. And I said, well, that’s interesting. What do you need my Social Security number for? They said, well, it’s on the form. That’s not a good reason, so there’s no reason to give them any of that information.

TONY ROTH: We’re running out of time, unfortunately. This is fascinating. I’m going to summarize three takeaways. I think one is that we’re at great risk from cyberattack and the risk is actually playing out in ways that are not even transparent to us. In other words, there are companies, well, we’ve learned here today that are the subject of just ransomware alone much less different other forms of cyberattack, like denial or service denial or many other different types. When you add it all up, almost every company out there is being attacked through the internet and a lot—a meaningful percentage of them are successful.

And the second takeaway is that the risk is perpetual. And that’s been hard for me to really appreciate personally. I’ve always thought in, within the paradigm that, okay, so the door is open, we learn, we get better, we close the door, we batten down the hatch, we’re okay now. And the reality is that as soon as we open a door we’re—close one door, we seem to be opening two or three new doors in terms of the number of devices that we interact with and the embedded flaws in the new software that we’re using, the number of additional service providers we’re using and the flaws that they may have, especially if they’re less rigorous. And it’s the threat is really interconnected across the ecosystem.

And then the three, third takeaway is that it pays to be paranoid. It pays to be extremely vigilant on a personal level and to ensure that we’re not giving information to anybody unless we should be giving information, we’re not doing anything that will in an untoward way allow people to access our information when we’re not even aware of it. And one of the things that’s interesting is that when we evaluate companies now from an ESG standpoint, environmental, social, and governance, we include cyber security and when we’re evaluating enterprises. And we look at the quality of their cyber security program as best we can in evaluating whether that enterprise is a good enterprise to invest with. So, we think about it from an investment perspective in a pretty active way here at Wilmington Trust and we take these issues very, very seriously.

So, with that, Paul, I want to thank you so much for being here today. It was really, a really fascinating conversation.

PAUL TRUITT: Absolutely. Thanks for having me.

TONY ROTH: I want to encourage everyone to visit wilmingtontrust.com for a full roundup of our investment and planning ideas. And you can subscribe to Capital Considerations on Apple Podcast, Spotify, Stitcher, or your favorite podcast channel to ensure you receive future episodes. Thank you all for listening today.

Disclosures:

This podcast is for information purposes only and is not intended as an offer or solicitation for the sale of any financial product or service or recommendation or determination that any investment strategy is suitable for a specific investor.

Investors should seek financial advice regarding the suitability of any investment strategy based on the investor’s objectives, financial situation, and particular needs. The information on Wilmington Trust’s Capital Considerations with Tony Roth has been obtained from sources believed to be reliable, but its accuracy and completeness are not guaranteed. The opinions, estimates, and projections constitute the judgment of Wilmington Trust as of the date of this podcast and are subject to change without notice.

Wilmington Trust is not authorized to and does not provide legal or tax advice. Our advice and recommendations provided to you is illustrative only and subject to the opinions and advice of your own attorney, tax advisor, or other professional advisor.

Diversification does not ensure a profit or guarantee against a loss. There is no assurance that any investment strategy will be successful. Past performance cannot guarantee future results. Investing involves a risk and you may incur a profit or a loss.

Any reference to company names mentioned in the podcast should not be construed as investment advice or investment recommendations of those companies.

Facts and views presented in this report have not been reviewed by and may not reflect information known to professionals in other business areas of Wilmington Trust or M&T Bank and may provide or seek to provide financial services to entities referred to in this report.

M&T Bank and Wilmington Trust have established information barriers between their various business groups. As a result, M&T Bank and Wilmington Trust do not disclose certain client relationships or compensation received from such entities in their reports. Investment products are not insured by the FDIC or any other governmental agency, are not deposits of or other obligations of or guaranteed by Wilmington Trust, M&T Bank, or any other bank or entity, and are subject to risks including a possible loss of the principal amount invested.

Wilmington Trust is a registered service mark used in connection with various fiduciary and non-fiduciary services offered by certain subsidiaries of M&T Bank Corporation including, but not limited to, Manufacturers & Traders Trust Company (M&T Bank), Wilmington Trust Company (WTC) operating in Delaware only, Wilmington Trust, N.A. (WTNA), Wilmington Trust Investment Advisors, Inc. (WTIA), Wilmington Funds Management Corporation (WFMC), and Wilmington Trust Investment Management, LLC (WTIM). Such services include trustee, custodial, agency, investment management, and other services. International corporate and institutional services are offered through M&T Bank Corporation’s international subsidiaries. Loans, credit cards, retail and business deposits, and other business and personal banking services and products are offered by M&T Bank, member FDIC.

© 2022 M&T Bank and its affiliates and subsidiaries. All rights reserved.

Private market investments are only available to investors that meet the U.S. Securities and Exchange Commission’s definition of qualified purchaser and accredited investor.
