Welcome to Cyber Security Today. From Toronto, this is the Week in Review edition for the week ending Friday October 28th, 2022. I’m Howard Solomon, contributing reporter for ITWorldCanada.com.
This week’s discussion segment will have a roundup of coverage from our MapleSec conference last week, with IT World Canada CIO Jim Love, reporter Paul Barker and me reviewing some of the sessions we were at. They covered everything from ransomware to the roles of CISOs.
But before we get to that, a look back at some of the headlines from the past seven days:
A U.S. grand jury has charged a Ukrainian citizen with allegedly being involved with the distribution of the Raccoon Infostealer. This is a malware-as-a-service operation that steals data from infected computers. It is alleged that more than 50 million unique credentials and other data were stolen from millions of victims. The accused man was arrested by Dutch authorities and is now awaiting an extradition hearing to the U.S.
A British man who allegedly operated a dark web market for stolen data called The Real Deal has been arraigned in a U.S. court in Atlanta to face trial. He had been extradited from Cyprus to the United States to face charges of selling stolen login credentials to several U.S. government networks including the Navy, stolen social security numbers and laundering cryptocurrency.
Another industry has been added to the U.S. government’s Industrial Control Systems Cybersecurity Initiative. It pushes certain industries to improve their cybersecurity. This week the chemical sector became the fourth sector under the program. The White House said that over the next 100 days U.S.-based chemical companies have to assess and at least start to address the potential exposure of high-risk chemical facilities to cyber attacks. Others with industrial control equipment in the program include electric, energy pipeline and water providers.
An Australian health insurance provider called Medibank admitted this week it was badly hit recently by a hacker. The personal information of all of its 4 million subscribers and those of its AHM division was recently accessed by a hacker. A significant amount of health claims data was also copied.
Google has reached an agreement with the U.S. Justice Department to better preserve customer information in foreign countries sought by American search warrants and subpoenas. This stems from a 2016 incident. At that time customer information held in Google data centres outside the U.S. was sought under American law by authorities for a criminal cryptocurrency investigation. Google fought the court order and initially won a decision saying it didn’t have to hand over information held in servers outside the U.S. However, several years later Congress clarified the law does cover foreign-held data by an American-based company. By then the data sought by the authorities had been lost.
Finally, developers using the open-source SQLite database engine in their applications are urged to install the latest version if they haven’t already done so. It fixes a 22-year-old serious vulnerability. The fix was released in June so should have been installed by now.
(The following transcript has been edited for clarity)
Howard: Joining now are Jim Love, ITWorld Canada’s CIO and host of the MapleSec conferences, and senior writer Paul Barker, who along with me covered some of the MapleSec sessions. Good afternoon guys.
Jim, the MapleSec conferences have been held for two years. But because of the pandemic they ran virtually. Last week there were combined live and virtual sessions. Tell us a bit about why you did that now and what MapleSec hopes to accomplish.
Jim Love: The pandemic allowed us to introduce a new country-wide event – it was virtual, but we could bring people in from coast to coast. We didn’t want to lose that. But we wanted to satisfy the desire, the need to get together in person…. So we gave the audience the best of both worlds. Our events team found a great location at the Aga Khan museum. Our technical team, despite the obstacles, put together a live broadcast to a huge virtual audience.
And we made a pact – to focus not on the doom and gloom or the reports and statistics. We committed that we wouldn’t just talk about technology. We wanted to share practical, actionable ideas and processes that could make our companies safer and more resilient.
Howard: Paul, start by telling us about some of the sessions you covered.
Paul Barker: One explored the complex world of ransomware. A key question that dominated discussion was what steps should an organization take when it comes to mitigating the impact of an attack.
The panel entitled, Ransomware Attacks: You don’t have to be a victim, was moderated by Epsit Jajal, the virtual chief information officer (CIO) of Ricoh IT Services and he was joined by panelists Maryam Asgariazad, director of information security at Alterna Savings and Credit Union Ltd. which has a network of 47 branches across Ontario, and Greg Markell, president and CEO of Ridge Canada, an insurance company that specializes in specialty risk management.
All three speakers brought a unique perspective to the conversation. Jajal and his firm were the external cybersecurity advisors, Asgariazad the end user who if there is an attack will be the one who must have some sort of Plan B in place, and last, but not least, there was Markell. A leading expert on the topic of cyber and privacy liability, he holds the keys to the castle in a sense for he is the one who decides if said firm qualifies for coverage.
Whether or not coverage is approved depends on many factors such as the level of preparedness prior to an attack occurring. Asgariazad and the bank she works for would likely qualify based on the fact a cybersecurity framework has been put in place.
The policy itself, she said, focuses on five key elements: identify, protect, detect, respond and recovery.
A key piece of it revolves around a business impact analysis, she said, adding that it is imperative for “all organizations to know which functions are critical in order for the business to survive.”
The five-pronged approach would not only allow an IT department to know what data has been captured should an attack occur, but also implement an action plan that has been adopted well before the attackers swoop in on an organization.
Markell stressed that having the type of contingency planning that is now in place at Alterna is not just a nice-to-have, it is a need-to-have if any organization hopes to qualify.
Much of that has to do with the sheer number of claims relating to ransomware and other cybersecurity attacks. According to Markell, the cyber insurance sector in Canada is the least profitable sector: “We have surpassed hail insurance,” he pointed out, “which is a pretty big feat and not one we should be proud of.”
He added that the adversaries “are advancing way faster than anyone can keep up with. They are well-run organizations and they are just that, organizations with full-blown HR departments and recruiting departments.”
Jajal recalled a phone conversation with a ransomware attacker that had a similar setup as a call centre. “You call a toll-free number, and the attacker replies, ‘oh, you are from ABC Company, Jake is handling your attack. I will put you through.’ At the end of it, they actually sent us a two-page security report outlining how they got in.”
In terms of what to do once attacked, Markell recommends calling a lawyer, one who is trained in what best to do if a client becomes the victim.
They won’t provide any information on coverage, he said, but they will help “quarterback the situation” and propose steps that can be taken, be it reaching out to forensics companies that “are basically on standby to deal with these things and help support the IT security teams to figure out what, where, and how.
“Once you have the intelligence about what’s going on, and how it’s happened, then you can make informed decisions on how to handle it.”
What it comes down to is preparation and to that end there are key, practical steps that every company can take to prevent attacks and mitigate the damage when attackers do break through.
Howard: I’ve always thought that you defend against ransomware by doing the same things you do for any cyber threat: Educate your users about the risks of clicking on links and opening attachments, make sure your software is quickly patched in order of its sensitivity, and make sure your data is encrypted so if it’s stolen it’s useless. Don’t forget about protecting corporate attachments that are sitting in employees’ email inboxes. They contain sensitive information as well.
Jim: I’m continually amazed at the sophistication and the innovation of ransomware gangs. But I’m also heartened by the “new realism” that companies seem to have.
Prevention is critical, but we need to accept that ransomware gangs are going to get through. So looking at how you are going to respond is important. Greg Markell said it best: “contingency planning is not a nice to have, it’s a need to have.”
So, know your data, have good backups and test restoration, use multi-factor authentication and have user awareness and training, try to limit the damage with network segmenting, restricting privileged access, and have a tested incident response plan.
Paul: Another session was about a topic that probably keeps IT executives up at night – what to do about email havoc, which has been described by some security experts as one of our greatest areas of vulnerability.
The numbers certainly back up that claim. According to Statista, an estimated 333 billion emails will be sent and received globally in 2022, 347 billion next year and 376.4 billion in 2025.
Stunning numbers and a key reason guest panelist Alkin Gorgun, field chief information security officer (CISO) for Cloudflare, focused on the potential havoc that all of that email activity has caused and no doubt will cause an organization, and how best to prevent an attack.
A key recommendation he put forward was this: No matter what email system is in use, organizations have to implement a Zero Trust strategy, despite the fact that Google Workspace, formerly known as G-Suite, and Office 365 contain native security controls.
“(They) are pretty good and they are getting much better at blocking those highly volumetric attacks. We can, in fact, stop about 95 per cent of (them) just with the native controls within these tools. The trouble is that the attackers are always evolving, they are always changing their methods and it is becoming a real problem.”
Asked “how email programs should be set up to eliminate the threats,” Gorgun said the answer lies in implementing new solutions. An example of the former revolves around emails that impersonate a CEO wiring a CFO for money, which is more problematic as a result of remote working where people at home “are more likely to click” on a tampered email when they should not.
Gartner, he said, recently released their market guide for email security, and they recommend that anything new must contain an AI or machine learning component: “What these new tools do is look at the way that people communicate in an organization through natural language processing.”
I am a big fan of this recommendation from Gartner, which said, “Effective email security requires not only the selection of the correct products, with the required capabilities and configurations, but also having the right operational procedures in place.”
Jim: It’s important that we don’t forget about email. Most of us have cloud email now and it’s important to remember that while these emails are more secure in their infrastructure, they don’t always protect you. We have Gmail and I can’t tell you the number of times I’ve seen the message “Gmail scanners are offline.” Microsoft 365 is sophisticated, but it has to be configured correctly. I’ve heard some security experts say that a vanilla install of Microsoft 365 is highly insecure – it needs to be configured. So my message is – email is important, don’t be complacent about it just because it’s in the cloud.
Howard: It’s not just scanning email for malicious attachments. As I talked about encrypting email earlier, in every company employees send sensitive information to each other – for example, monthly reports on who’s behind on paying bills. A report like that might have people’s names and credit card numbers. In a travel agency people’s names, birthdates and passport numbers might be sitting in emails. Companies need to have security policies about things like that. It’s important to remember that a hacker can get a lot of information from compromising the email of the right person.
Paul: I covered a fireside chat with Tom Jacoby, who founded a British Columbia-based company called IOSecure Internet Operations Inc, which began in 1994 and then as now it was an IT services company that focused on online security …
Jacoby said the key to any successful cybersecurity initiative … can be crystalized in four key words: People, Policy, Platform and Program.
“Ultimately all of our success in business comes down to our people,” he said. “It’s an overused phrase,” but he added that having the right people with the necessary skills, the training and the proper communication skills is paramount.
Many challenges happen, said Jacoby, because of a lack of communication: “Are the technologists in the company, communicating with the lines of business, to keep both the business secure and the business operating?”
And it is not only IT professionals of an organization that need to be aware of security, so too must support staff, particularly the personnel who might physically guard a physical building.
Jacoby recalled a “strange experience” that happened to him a few years ago when he was doing a project for a large telco provider in Canada: He needed access to a particular part of the building. He had no reservation or appointment. He just showed up at the door at 6:45 in the morning in this warehouse in a part of town that was not particularly safe.
But he looked the part: He had a suit on, a tie, a briefcase, a laptop, and probably more importantly, knew the name of a relevant project, he said. So he was escorted inside and dropped off at the equipment he needed to work on.
Right next to him was the central office phone switch, which is critical infrastructure for a large city. “I was left alone with it for the day,” he recalled. “I didn’t want access to it – it had nothing to do with what I was doing. But there it was … the point being that all of our staff throughout the organization are key to our security success. And we have to make security more approachable, not scary.”
Howard: One of the sessions I covered was the keynote address by Nick Aleks, senior director of security at Wealthsimple, a Toronto-based online investment management service. He argued that information security leaders should be proactive rather than reactive to cyber threats.
By that he means always be thinking about what you’re going to do if something bad happens, not how you’re going to prevent it from happening.
So, for example, instead of doing tabletop exercises, penetration tests and security audits once or twice a year, they should be done quarterly — or more often if your team has the capability.
He argued a good strategy starts with having a security champion in every department, a person who becomes part of the IT security team. They will feed intelligence back — ‘We’re seeing a lot of this kind of attack’ — and in turn they will be part of an attack response and containment effort.
He also said infosec leaders don’t necessarily need to invest in a breach attack simulation tool or hire a penetration testing firm: Just look deeply at your last big cyber incident. In addition to finding the root cause and ensuring it doesn’t happen again, the team should ask how effective it was in responding.
IT and security teams shouldn’t hoard intelligence, Aleks added. Instead it should be shared with other organizations. He didn’t say, but I think he meant threat information should be shared where appropriate through, for example, industry associations, approved networking groups and police. The idea is the more intelligence you know about the better you can fight threat actors. He didn’t mention it, but one place is the Canadian Cyber Threat Exchange. Depending on the size of your organization, membership can be as little as $500 a year. In the United States there are a number of industry-specific information-sharing and analysis centers, or ISACs.
Jim: I loved his presentation. I think the quote from him, that cybersecurity isn’t a competitive advantage, it’s something we should all share in for the greater good, is right on.
I also loved his comment about not needing penetration testing tools or simulations. If you have the budget and you can get great tools, good for you. But you can do a lot with a simple tabletop exercise and a focus on making it real.
Paul: I have a question for both of you: What I find a little confusing is this constant need to tell people to do some sort of review about their operations, be it quarterly or whatever.
Howard: I think one of the problems that IT or security leaders face is they’ve got to do the day-to-day things and I think that just takes up a lot of time — and before you know it 30 days have passed. If you want to do regular reviews and tabletop exercises and audits you really have to set aside time for it.
Jim: And it’s not just that you do a review. It should test your capability and that’s the most important thing … I personally walk in and tap somebody [on the IT team] on the shoulder and say, ‘Restore a file. I want to see you do that.’
Howard: Jim, Paul, that was a really good summary of a very good event. Thanks to both of you for appearing on the show this week.
You can follow Cyber Security Today on Apple Podcasts, Google Podcasts or add us to your flash briefing on your smart speaker.