Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday, April 28th, 2023. I’m Howard Solomon, cybersecurity reporter for ITWorldCanada.com and TechNewsday.com in the U.S.
In a few minutes guest commentator David Shipley of Beauceron Security will be here to discuss recent news. But first a look back at some of the week’s top stories:
Canada’s financial regulator said the country’s biggest banks and insurance companies will have to undergo supervised super-penetration tests every three years. That’s to test their response to cyber attacks. David and I will discuss whether other sectors should also have to face tough outside scrutiny.
As a member of the Canadian Chamber of Commerce’s cybersecurity council, David was recently in the nation’s capital talking to the government about its cybersecurity and privacy legislation, and he’ll bring us up to date on that.
And he’ll also have thoughts about a new report on a tactic by ransomware gangs to get around EDR protection.
Also this week, NBC News said hackers who broke into the Minneapolis Public Schools’ IT system earlier this year have been circulating an enormous cache of stolen files. They appear to include highly sensitive documents on students and teachers. Some of the documents have been openly posted on Twitter and Facebook.
Truman State University in Missouri is recovering from what it called a virus attack. The attack started a week ago today. By Wednesday internet access had been restored. But the university said faculty will likely need to reduce or eliminate assignments and other graded work in order to meet end-of-semester deadlines.
A U.S. judge has given Google a temporary restraining order blocking the IT infrastructure that helps distribute the Cryptbot malware. Google believes the malware has compromised about 670,000 computers around the world. The restraining order is part of a lawsuit against distributors of the malware, which includes compromised versions of Google Earth Pro and the Chrome browser.
In Wednesday’s podcast I reminded IT administrators with PaperCut print management servers in their environment to install the latest version. That’s because two vulnerabilities are being exploited. Later on Wednesday Microsoft revealed that the Clop and LockBit ransomware gangs are doing the exploiting. That update has been available for weeks.
The RTM ransomware group has created a Linux version of its malware. Researchers at Uptycs said it infects Linux, network-attached storage and VMware ESXi hosts.
An Iranian-sponsored threat group known by a number of names, including Charming Kitten, has a new piece of malware. According to researchers at Bitdefender, it is tailored for targeted organizations. It has hit victims in the U.S. and Europe. The primary goal of this malware is to infect Microsoft Exchange servers.
And a Texas man who posed as a U.S. General as part of a US$1.5 million online romance scam against seniors has been sentenced to more than three years in a federal prison.
(The following is an edited transcript of our discussion of one of the news topics. To hear the full conversation play the podcast)
Howard: Joining us this week from Ottawa is David Shipley. Hi there. I want to start with the decision by Canada’s financial regulator that the country’s biggest banks and insurance companies have to run what I call super-penetration tests. I would hope these institutions — as the most well-heeled corporations in the country — already do simulated cyber attacks with their own red teams. But now every three years they will have to do what’s called Intelligence-Led Cyber Resilience Testing (I-CRT). What’s the difference between an I-CRT and a regular red team test? First, an I-CRT test is done by an outside contractor or consulting company. That means it’s independent. Second, it’s called intelligence-led because the consulting company will do some threat intel to frame the test. Third, the parameters of each test will be overseen by the regulator, the Office of the Superintendent of Financial Institutions, or OSFI. The idea isn’t new. It was created by the Bank of England and versions have been adopted by financial regulators in several European countries and Australia. David, what do you think of this idea?
David Shipley: I think it’s a fascinating evolution and has some significant benefits in terms of making sure that red team exercises are as realistic as possible and can provide regulators with more precise examples of how organizations are handling real vulnerabilities and risk in these federally-regulated financial institutions’ critical business functions. I think it’s also interesting because it requires firms to hire companies that can do two different parts of the I-CRT. Ideally, first they have to select a threat intelligence provider. Second, it’s strongly recommended they hire a different independent provider of red team services. They’re handed an intelligence package of here’s how we [the threat intel provider] think this organization is vulnerable: ‘Here’s a [threat actors’] profile,’ … that maps some of the real-world examples of initial access brokers and actual criminal gangs. I like that part of it. And if the institution decides to combine the threat intelligence gathering and red team into a single contract it has to demonstrate sufficient controls that there’s not going to be any unproductive co-operation between the two. These assessments are recommended to be conducted every three years or after a major cyber incident. And the Office of the Superintendent of Financial Institutions has a role in approving the scope. That’s really notable because while a lot of organizations will hire an independent third-party team to do their pen testing — even if they have a really good red team in-house — games can be played with how projects are scoped. What was really interesting about the framework document that OSFI published was regarding scope and the sample graphic of the test workflow. The I-CRT took a clear shot at banks’ reliance on major third-party cloud service providers, which is one threat scenario I’m sure will get tested more as well.
It’s clear from the implementation framework that OSFI provided that large banks and large insurance firms have to maintain intense levels of secrecy so their [defensive] blue teams can never get wind of the test for fear it’ll skew their reactions. That can be a challenge given this entire process is scoped to take between 24 and 36 weeks to complete, from the start of the [test] scope discussions and the committee formed at each institution to the final results being presented back.
Howard: The message from the regulator is, ‘You guys are vital to the nation. We’re not going to let you fool around behind closed doors with your cyber tests.’
David: This is where I get to disagree with you a bit for once. I like to look at this [tougher test] as a compliment and not a chastisement. I think it’s an example of what I will refer to as this [the financial sector] is the NHL, the pro league, where the regulation is appropriate for the most mature sector in Canada when it comes to cyber defense. I don’t think [this type of test] is appropriate necessarily for firms that aren’t at this level of experience and capacity, without having internal red teams and blue teams. It should be seen as the pinnacle of maturity and should be seen as congratulations: You made it to the ultimate league. I’ve had a chance to work with this sector over the last five years and I can tell you there are great leaders and fantastic teams in our large banks. Are they perfect? No. But find me a perfect security team anywhere. They’re dedicated, reasonably resourced with decent senior management buy-in and support. I haven’t seen any other sector in the country come close to where the banks are now. Have Canadian banks had bad days in the past? Absolutely but considering the massive amounts of shots on goal that they get every single day I think they’ve done remarkably well.
Howard: A key part of this Canadian test is that there be red team service providers who will do the test — and these I assume will be cyber security companies that specialize in red team attacks. The framework set out by the OSFI doesn’t say who these companies can be. I assume big tech or consulting companies that already do this work will be applying, and the regulator will choose if they’re qualified. In Europe, the European Central Bank envisions that only qualified companies who are certified can do the red-teaming.
David: The OSFI framework doesn’t explicitly speak to a pre-qualified list or certification; the bank or the insurer is still responsible for selecting the red team — and paying the bill for that red team as well as the threat intelligence provider. But OSFI will be consulted in the selection of that group — and by the way, scoping has to be completed before they go and pick the vendor, which I think is a really good idea. While some big firms have some pretty amazing red teams for hire, I have seen some pretty spot-on smaller players who specialize in sectors like banking. It would be a shame if the selection limited banker and insurers from accessing the best talent — and I don’t think that’s OSFI’s intention.
Howard: The independent testing firm that ends up getting chosen by the Canadian institutions will have to report to the institution on what it tried to do in the test and whether it succeeded or failed, and it also has to report the results to the regulator — but without including sensitive information.
David: That part is absolutely critical. Trust is the name of the game, and if one of these service provider firms violates the trust — to either the bank or the insurer or OSFI — this whole model starts to fall apart. And also, given this is designed to push the limits of realism while putting in as many controls as reasonably possible to prevent actually causing harm, the lessons learned and gory details may be incredibly sensitive and we wouldn’t want a recipe for how to hack a bank or insurer leak into the wrong hands before any holes or issues have been successfully closed or resolved. And most of the big banks and insurers are publicly traded and are highly sensitive to information that could inappropriately affect share prices. So I think making sure that how this is handled carefully is absolutely critical.
Howard: Should this approach, this super-penetration test, be adopted voluntarily or by government regulation in any country by other critical infrastructure sectors like energy producers and distributors, telecommunications companies, hospitals, water utilities, local governments or more?
David: In short, no. You wouldn’t put a peewee hockey team in the NHL playoffs. Maybe the telcos who are the most mature in Canada would be able to play at this league right now. But remember the telcos actually aren’t regulated the way the banks are. They don’t have a regulator until the changes to the Telecommunications Act in Canada and the critical infrastructure cybersecurity bill, C-26, are passed. They’ve never had regulator scrutiny like OSFI for cyber. And it’s going to take years to build up the regulator maturity in Canada’s Innovation, Science and Economic Development (ISED) department, the federal department that’ll be responsible for cyber regulation of telcos [if C-26 passes]. The same goes for energy. And frankly, as more details become clearer on the recent pipeline incident in Canada — which we still don’t know if it was a big or small pipeline player — the one thing that’s clear is that we’re also years away from this NHL-level game.
I want to take a second and own a mistake that I made on our podcast two weeks ago. I evaluated that the Zarya gang was unlikely to have the skillsets to do a complicated hack of an industrial control systems data system, and it wasn’t likely they gained physical access to the Canadian pipeline company. The Canadian Communications Security Establishment, in a rare move on their part but what is probably just karmic balance for me, on April 13th confirmed the threat actors had the potential to cause physical damage. They didn’t, but they had the potential. And based on images of the threat intelligence that were posted by media and a re-read of that analysis, it gave an important clue the critical control system was exposed to the internet via an IP address. So what makes more sense now is how Zarya — a script kiddie-level entity — stumbled its way into a control system because it was wide open. So, to stick to my hockey theme, the Russian peewee hockey team scored an open goal on an open net in critical infrastructure. Which should send shivers down spines. The potential for many more open nets in the energy sector keeps me awake at night.
As for hospitals, water utilities and local governments, we hit on our next problem: There’s no regulator for them in this area. There’s not the expertise that OSFI would have to implement this kind of framework. Does that need to change? Yes, but that’s a decade-long journey that has to start at provincial legislatures, who, aside from Quebec, aren’t paying attention to cybersecurity. Quebec has a ministry of cybersecurity. Other provinces would need a surge of budget to pull that off.
Howard: That leads us to the annual meetings that the Canadian Chamber of Commerce had in Ottawa this week with Members of Parliament on government policies. One topic was proposed privacy legislation reform. The other is Bill C-26, which is the proposed cyber security legislation that will initially cover four critical infrastructure sectors. It doesn’t cover penetration tests, but it does oblige companies in these four sectors to report breaches of security controls, to keep records of how they implement their cybersecurity program and how they mitigate supply chain or third-party risks. You’re the co-chair of the chamber’s cyber security council. What did you learn about the government’s timetable for privacy and cybersecurity legislation?
David: I have had the pleasure of being the co-chair for the cyber council along with John De Boer [senior director of government affairs and public policy] from Blackberry. We had an excellent few days. We met with senior leaders from Innovation and Economic Development, Public Safety Canada, National Defence, Prime Minister’s Office and more. While I’m still pretty new to this level of sort of dialogue between industry and government, and maybe I’m not cynical enough, but as a crusty cybersecurity guy I was genuinely impressed with the level of interest, depth and commitment displayed by several senior civil servants to this as a critical national security issue. They get it, and while it’s easier to dunk on government … they are working hard and this is just how fast the process works. There is a move to drive C-26 and the national cybersecurity strategy, of which C-26 is a part, but there are other aspects ahead with an aspiration that C-26 will get into serious committee work this June. There’s still the potential for the law to get finalized and passed before the end of the year, but that window of opportunity is pretty tight and could close. It will require support from all of the political parties and relatively fast work in Canada’s Senate to actually make this happen. But as we discussed, we can’t move the overall maturity and security posture of critical parts of the Canadian economy without it.
With respect to C-27 [the overhaul of the Personal Information and Electronic Documents Act] the timeline is not as clear because it will need to touch so many different committees. And it has both a privacy component and AI regulation, which are at different stages of maturity.
Howard: The cybersecurity legislation, Bill C 26, was introduced last November. Admittedly this is a minority government and dealing with COVID was a government priority. But is the government moving fast enough on this legislation?
David: I wish we were where we are right now five years ago. We’re behind, there’s no doubt about that. But we’re not behind in all areas. As we’ve covered, banks are already at a high level of maturity, and I don’t lose sleep there. Telcos, while they’ve been industry-led and more voluntary, deserve a nod for decent work particularly given the number of cyber threats pounding away at them. The other sectors need this regulation to make sure they get investment in cyber. They need this because otherwise they’re not going to get the money to invest in cyber. If we can get C-26 and the C-27 privacy law components this year — splitting out the AI side — that would be a huge win. The firms involved with the Chamber’s cyber council have been supportive of getting this done and getting it right. There’s no one yelling at government that we don’t need this. The message has actually been quite clear. We want to see this succeed and this can help protect all of us in Canada. But we need all the political parties to prioritize this as a national security issue and to get this to the next level. Because make no mistake, the DDoS attacks this month against the federal government, several Canadian ports, one of its largest energy utilities and the pipeline hack I’ve referenced were the opening shots of the game — not the final ones. This was what we expected Russia to do to us last year [after the West responded to the attack on Ukraine]. They’re finally getting on the ice with us and we better lace up our skates.
Howard: And then there are the regulations that the cyber security legislation needs. So when can we reasonably expect this legislation to take effect?
David: Best case scenario, no sooner than 18 months. That’s probably not the most likely scenario. It’s probably closer to 24 months — and that doesn’t mean the respective regulators for each of the four federally regulated sectors [energy, telecommunications, banking and transportation] are ready. OSFI, for banking, is ready. The others aren’t even close to where OSFI is.
Howard: And then there’s a proposed overhaul of the private sector privacy legislation.
David: On C-27 there’s a strong desire from the business community to see Canada get on with privacy legislation, which has actually been worked on in various incarnations through various legislative sessions over the past few years, to get us to privacy-by-design GDPR-like equivalency. [Meaning the EU General Data Protection Regulation. The EU requires countries whose firms collect data of EU residents have privacy laws that are equivalent to the GDPR, which came into effect in May 2018. PIPEDA is not equivalent to GDPR. C-27, the Consumer Privacy Protection Act, would be.] Generally, I think folks [in the business community] feel pretty well consulted on that legislation. And while there’s hope for some relatively minor tweaks on the privacy component before it becomes law, there’s much greater comfort with the level of consultation on the privacy component compared to the AI component. There’s a strong push for the government to slow down and do more consultation on the proposed AI law because hundreds of millions of dollars in Canadian AI investment is currently up in the air because of the lack of clarity, even if that means splitting the AI law off from the privacy law so we can get the privacy law out sooner.
Howard: The federal privacy commissioner has not weighed in yet on the new proposed privacy legislation. He’s already said he prefers a right to privacy. That’s not included directly in this legislation. His comments [before a Parliamentary committee] may have quite an influence on the timing of the passage of this legislation.
David: They [MPs] have an incredible amount of respect for the privacy commissioner. I think the point that privacy is a fundamental human right is correct. But if we’re going to go that far it should be in the Charter of Rights, and there’s no hope in hell of us opening it up in this country because we can’t have a mature discussion about the Constitution or the Charter without devolving into an absolute nightmare. I would rather have the law I can get than the law we aspire to.
Howard: Ransomware. You are one of the people who think that we need to have a big forum or webinar involving the public and private sector to discuss ransomware and the ways that organizations should be fighting it.
David: I have been banging the gong loudly, annoyingly probably at this point, about the need for Canada to have its own national ransomware summit. We keep showing up to the Americans’ party, which is cool. But we haven’t had a conversation with our own country. Why does that matter? Because helping set the context for the Canadian public is more than just the daily bombardment of headlines. What can government do — and they can’t do it all. What can the private sector do — and they can’t do it all. And what do we want to change about this story? The American model has demonstrated the success that comes from this partnership, from openly talking about it. And I think that’s also how we build the political campaign that’s needed to motivate the parties to get moving on laws like C-26 and C-27 and demonstrate that we can make our own Canadian policy and technology solutions to this growing threat and contribute to the international conversation.
Howard: Certainly that would help raise awareness of what businesses can do to fight ransomware. By the way, this month marks the second anniversary of the creation of the international Ransomware Task Force. It was a group of experts, largely American, but international in that they came up with recommendations for action by the public and the private sectors. Next Friday, a week today, May 5th, they will hold a day-long seminar on what’s happened since the issuing of that report two years ago. It’s being sponsored by the Institute for Security and Technology.
David: It was President Biden in the United States who kicked off the ransomware conversations in response to the absolute disaster that was the Colonial Pipeline attack that could have been so much worse, and the JBS Meats hack as well. I would love to see the Prime Minister and the Prime Minister’s Office lead the conversation [here] …
Howard: Finally, speaking of ransomware Sophos released a report this week about a new attack tool that ransomware gangs have been using. It disables endpoint detection and response (EDR) clients by using an outdated version of a Windows driver … With EDR disabled the attacker can deploy a backdoor or ransomware on a victim’s IT system. Here’s the thing: In order to use this tool the attacker first has to have administrator access to the system.
David: I think this is another great and timely example for everyone to continue to stay skeptical that any one or combination of technology solutions alone can provide you with 100 per cent security assurance of avoiding a cyber incident … It reiterates that good defense requires depth of people, process and technology. If you’re not investing the same attention in people and process controls as you are in technology, bad things will continue to happen.
[Don’t want to wait for a Canadian summit on ransomware? Read the Canadian Centre for Cybersecurity’s Ransomware Playbook. And remember, there’s nothing new in fighting ransomware. The same cybersecurity controls needed to defend against any cyber attack work for ransomware. Need help? Start with the Cyber Centre’s Baseline Cyber Controls for SMBs.]