Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday June 24th, 2022. I’m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.
In a few minutes Terry Cutler, head of Montreal’s Cyology Labs, will be with us to discuss recent events in cybersecurity. But first a quick look at some of what went on in the past seven days:
Microsoft issued an analysis of Russian cyber tactics against countries outside of Ukraine, saying not only are espionage attacks up but so are propaganda efforts. Terry will have some thoughts.
We’ll also look at the Cloudflare outage this week caused — ironically — as the company was upgrading its infrastructure for better resiliency.
A U.S. bank admitted finding a data breach that occurred last December, after it also acknowledged being hit by ransomware in January. Both attacks involved the theft of personal data of over 1 million customers. Terry and I will discuss if the earlier attack should have been discovered sooner.
Elsewhere, researchers at Forescout released a report on 56 vulnerabilities in operational technology products used in industrial settings from nine manufacturers. The point in part was to show that some security issues that aren’t thought of as traditional cyber vulnerabilities have to be considered by IT leaders as risks.
The Mega encrypted cloud storage service has released a security update to fix a number of severe vulnerabilities that could have exposed customers’ data, even if it was scrambled.
Nine people in the Netherlands were arrested after police in Belgium and Holland dismantled an organized crime group involved in phishing, fraud, scams and money laundering. Victims were sent email or text messages that appeared to come from their banks. When they clicked on links they went to phony bank sites and logged in, giving away their usernames and passwords. Police believe the crooks stole millions of euros from this scheme alone.
And researchers at Zscaler warned that a threat actor is trying to trick American organizations that use Microsoft Office into giving up their usernames and passwords. Victims get emails with a link to a supposed missed voicemail message. Those who click on the link are sent to a Captcha page that would give them confidence in the security of the message, and are then sent to a fake Office login page where their credentials would be scooped up.
(The following transcript has been edited for clarity. To hear the full discussion play the podcast)
Howard: Joining us now from Montreal is Terry Cutler.
Let’s start with the Microsoft report on Russian cyber activity against countries supporting Ukraine. The report has two themes: One is that Russian intelligence agencies are increasing their espionage activities against governments such as the U.S. and Canada. The other is a warning to expect that Russian groups’ ongoing propaganda campaigns to sow misinformation in countries on a number of issues, such as COVID-19, will be used to support Russia’s version of why it attacked Ukraine and undermine the unity of its allies. What did you think when you read this report?
Terry: It’s clear that the bad guys have it together. These guys are co-ordinating, they are talking to each other. This report really screams out that we need a more co-ordinated, comprehensive strategy to work together. It’s going to require the public sector and private sector and maybe even nonprofits to work together. But here’s a challenge: We’ve been saying this for years: the forensics guys aren’t talking to the pen testers, the pen testers aren’t talking to the CISOs, there are no compliance pieces. We need to have a more collaborative approach, and that would stop these attacks from happening, because if you look at information security today, it’s easy to see that many of the techniques that are used for defense are somewhere between not working and barely working at all. That’s why it’s going to require more collaboration with folks like the telecom companies, Microsoft and Cisco, because these guys have so much visibility into what’s happening on the network.
Howard: Cyber war in terms of data theft and espionage against government and non-government agencies isn’t new, nor is the use of misinformation. Are the public and private sectors in North America prepared for these kinds of attacks?
Terry: It’s gonna be very, very difficult. We can’t do it alone — most companies don’t have the time, money or resources to deal with this stuff. Not to mention there are so many attacks flying at us from various locations at the same time. And of course we don’t control social media platforms, so we can’t block these misinformation ads. So we’re going to need a more collaborative approach. We’re going to need maybe a centre of excellence where the top senior cyber security guys can collaborate and push this information down to governments as well as not-for-profits and small businesses on how to protect themselves.
Howard: But isn’t that what the Canadian Center for Cyber Security and the U.S. Cybersecurity and Infrastructure Security Agency do?
Terry: For sure. We just got to figure out why small businesses and such are not paying attention. That’s the part that’s a bit concerning to me, because a lot of companies that we’re interviewing right now don’t know about some of the technologies they can use to help protect their businesses from ransomware.
Howard: It’s interesting the report says that Microsoft is most concerned about government computers that are running on-premise rather than in the cloud. The advantage the cloud offers any organization is that the service provider is responsible for installing security updates on applications, so the odds of an attack leveraging an unpatched server go down. However, governments have a lot of sensitive data and understandably they feel that information can be better protected on-prem. Is Microsoft pushing the cloud for its own purposes? They run the Azure service, which of course is a big provider. Or does it have a valid point?
Terry: This is the perfect example of outsourcing … We’re seeing so many attacks on machines that are on-premise, like the Exchange attacks. These could have been avoided by having companies update their software. Microsoft is saying let us protect your environment by uploading that into the cloud. But there are a lot of boxes that have to get checked because of data security and privacy. Does your business operate in both Canada and the U.S.? Do you have to work with [data residency] compliance regulations? And there can be access control problems. We’ve seen an issue with Microsoft where they enabled too much access and people were able to download some sensitive content. There could also be some incompatibility if they apply some of these patches — maybe it will break things. All these have to be taken into account [when going to the cloud].
Howard: What about Russian cyber influence operations on social media? Microsoft says they currently go for months without proper detection, analysis or public reporting. What should be done about that?
Terry: If you’re talking about social media, we’re reliant on the big tech firms to do their due diligence. But we’re seeing a lot of these exact issues happening on network systems at companies. The biggest goal right now is to get visibility into the environment. A perfect example is health care, where we’re constantly battling with these guys [threat actors] because they’re still using legacy technology. They don’t have the proper detection processes in place. They have to piece everything together. Maybe the logs aren’t working properly, they’re not getting all the information, so they have to have technology to allow them to look at the network and the cloud.
Howard: Let’s move on to the Cloudflare issue. Cloudflare is a content delivery provider. On Tuesday morning more than a dozen of its data centres were knocked offline for almost two hours affecting a number of major websites. The cause was a change in network configuration they were doing at the time that was meant to increase Cloudflare’s resiliency. What’s the lesson here — testing wasn’t thorough enough?
Terry: I think it’s good old human error. Going back to my days at Novell, we worked with big firms like aerospace. I remember being on-site when we did a major configuration change, a firmware update, and someone’s error caused a re-initialization of the SAN (storage area network). It actually erased all of their data — like terabytes of data wiped out. It took almost two weeks to get this thing back online. In this case what happened was they were deploying a new IP address range and I guess they forgot to make some changes, and it may have locked out some other engineers from correcting the issue. We learned later on that they were stumbling over each other’s changes, so it took almost an hour and a half to get them back up and running. I think we’ve seen a similar issue also with a web hosting company. They made a change to a core router … and it knocked the entire web hosting community offline. Human errors can be very costly.
Howard: So there’s no substitution for test, test, test and test before you implement.
Terry: It goes to show that human errors are still the weakest link.
Howard: Speaking of getting things wrong, that’s the allegation against Michigan-based Flagstar Bank. The bank has acknowledged that it was hacked last December. That’s one month before it suffered a ransomware and data theft attack. A commentator at the SANS Institute for security training this week suggested that when the bank hired a third party to determine the scope of the ransomware incident it should have also done a wider investigation into possible overall security gaps at the bank. The fact that Flagstar is now acknowledging there was an earlier hack suggests that that wasn’t done, otherwise it would have found the December hack.
It sounds like one lesson is if you’ve been hacked you better take the time when you’re remediating to look at the possibility that there’s more than one security issue.
Terry: Here’s the issue that we see, especially when we’re doing a lot of incident response and dealing with cyber insurance. Cyber insurance companies will only help you get your data back up and your systems running. If you have new fixes that need to be installed, they’re not going to pay for that. They’re only going to bring you back to a point just before the hack. This means if you don’t fix other holes [by yourself] you’re going to get hacked again. Then you get phishing attacks, banking scams and such, which is one of the reasons why I launched the Fraudster mobile app for consumers.
Howard: What’s your practice when you’re doing an investigation after someone has called you in because they’ve been hacked? Is it common for them to say, ‘While you’re here, do an overall security audit just to be sure that things are okay?’
Terry: It is. A lot of times when we do the investigations we can always provide recommendations: ‘This could have been avoided if you had segmented this off, had you replaced this operating system with these versions, or patched this.’ There are always recommendations, but in the end it’s always the customer that has to follow these recommendations.
Howard: Finally, last week David Shipley got to comment on Canada’s proposed cyber security legislation. I’m going to give you an opportunity to comment as well.
Terry: It’s a really good step in the right direction. What’s really good is that any smaller businesses, or any organization that wants to deal with banks or critical infrastructure firms, have to go through a cyber security scrutiny exercise to make sure they’re protected, because the last thing we want to see is these companies being breached by a third party … On the other side, we know they’re still facing an uphill battle where they [small firms] have got to find the right expertise, because there’s such a shortage of cyber security folks. It’s very expensive to deploy some technology. It is a step in the right direction, but we’re still a ways away [from the best security].
Howard: Initially the legislation only applies to the banking, finance, telecom and energy sectors. Is that too narrow?
Terry: No, it’s a good start because if these guys ever suffer a data breach it will have the biggest impacts. So it’s important these guys are properly secured.
Howard: The other thing that’s crucial in this legislation is incident reporting to the government. Does that give you any pause?
Terry: When a data breach occurs there has to be an investigation into what was taken. Right there it could take one to four weeks to possibly establish, so you get a delay. And then public reporting could also cause fear. If you’re an energy company and an attack gets [publicly] disclosed, is that going to cause some panic? What if they don’t disclose? Are there going to be any fines? As we’ve seen in the past, the fines for data breaches haven’t been very strong in Canada. It’s been kind of like a tap on the back. The legislation has to have teeth in order to help turn the sinking ship around in cybersecurity.
Howard: There are still detailed regulations on this to come, and I don’t think IT leaders and CISOs have yet seen the impact that this legislation may have. There will be hearings in the fall and we’ll see what the government has in mind.