Our annual Cybersecurity Year in Review traditionally starts with the choice of a word or phrase that sums up the last 12 months — ransomware, huge data breaches, supply chain attacks and so on.
Arguably, this year’s central event in Canada was something indirectly related to cybersecurity: The nationwide collapse on July 8th of the Rogers Communications internet and wireless networks. Some 2.92 million wireline and 10.242 million wireless customers were impacted.
It had nothing to do with a breach of security controls, but everything to do with one word that’s an essential element of cybersecurity, the word for 2022: Resilience. Or, the lack of it.
Rogers was unprepared. It argued that it was understandable: During a system upgrade there was an unexpected deletion of a routing filter in its core networks that overwhelmed router capacity, rendering them incapable of directing traffic. Unexpected because it had never happened in any other telecom network.
The root cause was in the different ways equipment from different vendors processed the update, Rogers officials told a parliamentary hearing. Rogers uses hardware from a mix of vendors to build its networks, and it didn’t anticipate that the removal of a routing filter would not be handled identically on hardware across manufacturers.
“There was no belief at the time, no information at the time that there [the update deployment] was going to be any issue,” Ron McKenzie, the company’s newly appointed chief technology officer, testified. “And what happened was when the code change was executed –- and the filter removed – the behaviour of the equipment in the way it’s designed between one vendor and a second vendor is very different.”
Organizations — we don’t know how many — that were prepared for a worst-case telecom network scenario would have had backup connectivity on other networks for at least some of their services.
But without that network resilience, some police, fire and 911 services that used Rogers for connectivity had impaired communications. Some hospitals canceled patient appointments. The debit card portion of the Interac network was down, forcing businesses to insist on cash or credit cards. Affected firms and government customers either resorted to paper processes or closed their doors.
Fortunately, it was largely a one-day event. The country’s financial or energy infrastructure didn’t collapse.
But the result was Rogers promising to spend $10 billion over the next three years to build out and improve its networks, including $250 million to separate its wired and wireless networks. In September, under pressure from the federal government, 13 telecom companies — including Rogers — signed a mutual assistance, emergency roaming and communications protocol agreement to ensure such a catastrophe doesn’t happen again.
The outage is an example of the need for IT, telecom and cybersecurity resilience by all organizations — and not just in Canada. It can briefly be described as “What’s my plan if things go wrong? What’s Plan B? What’s Plan C?”
The federal government signaled it will formally force the issue for critical infrastructure sectors with arguably the second major event of the year, the introduction in June of the Act Respecting Cyber Security (C-26), which includes the Critical Cyber Systems Protection Act (CCSPA). It provides a framework for the protection of critical cyber systems under federal jurisdiction that are vital to national security or public safety.
The first to be regulated would be the financial, telecom, interprovincial energy, and transportation sectors.
If passed, the law would require designated operators to, among other things, establish and implement cyber security programs if they haven’t already done so, mitigate supply-chain and third-party risks, report cyber security incidents and comply with cyber security directions, and exchange of information with government agencies.
This act would establish a baseline level of cyber security through a cross-sectoral management-based regulatory scheme applicable to designated operators.
Although introduced six months ago, the Liberal government still hasn’t pushed the legislation into a parliamentary committee for detailed discussion. With a minority government, it isn’t known when that will happen.
Already some opposition has emerged. The University of Toronto’s Citizen Lab says the excessive secrecy and confidentiality provisions imposed on telecommunications
providers threaten to establish a class of secret law and regulations. And an analyst at the Montreal Economic Institute argued C-26 lets Ottawa micromanage private companies’ cybersecurity programs. Look at how fast Rogers and the telecom industry responded to the outage, she said …
It was a year that started with cybersecurity analysts fearing the world would explode in cross-country cyberwar after the Russian invasion of Ukraine. That largely didn’t happen (so far, say cynics), although the war started with the StarLink satellite network across Europe being crippled, attacks against some European energy providers and dozens of other countries. Still, much of the cyber conflict has centered between Ukraine and Russia. There are lessons in what the Russian cyber offence and Ukrainian defence are doing, including … resilience.
Otherwise, 2022 was a year of successes and failures. The success included arrests of cyber gang members and the take-downs of criminal websites. The Conti ransomware gang shut their servers in June (after its source code was leaked, and after squeezing Costa Rica) but other ransomware and extortion groups have surfaced, possibly with the help of former Conti operators.
In November, Canadian police arrested a Russian citizen who they say is one of the world’s most prolific ransomware operators behind the LockBit ransomware gang. Regardless, LockBit shows no sign of slowing. In Feburary a Canadian judge sentenced an affiliate of the Netwalker ransomware gang to almost seven years for his role in attacks on Canadian organizations.
Some alleged members of the Lapsus$ extortion gang were arrested in the U.K in the spring, with another arrested in Brazil in October.
A task force in Ontario issued a report on the state of cybersecurity in the broader public sector, which is worthwhile reading for all provinces.
International co-operation through groups such as Interpol and Europol led to almost 1,000 suspects arrested and the seizure of almost US$130 million worth of virtual assets; a crackdown on social engineering scams; the seizure of DDoS attack sites; the seizure of the Raidforums marketplace; the arrest in Greece of the alleged leader of the Zeus cybercrime group; the arrest in Amsterdam of a man allegedly behind the Racoon infostealer malware; the shutting of the infrastructure behind the FluBot Android spyware; the closing of a VPN service favoured by crooks; the dismantling of SSNDOB Marketplace, which sold stolen U.S. Social Security numbers, and more.
Against these, there were failures, defined as cyber attacks that vacuumed up everything. For example, in October a ransomware gang made off with personal information of 9.7 million current and former subscribers of Australian private health insurer Medibank. That pales beside the claim that data on 69 million players of the Neopets game was copied by hackers.
The FBI was embarrassed to acknowledge its contact list of 80,000 people in critical industries was compromised; so was the network of Canada’s head of state, the Governor General. The government has said nothing about what the intruder accomplished. Nor has it said much after the federal Global Affairs department was hit by an attack in January and the House of Commons IT infrastructure was attacked in October. I was told there was no evidence at the time MPs accounts were compromised.
Going by publicly-reported accounts in this country, at least six municipalities, six education institutions and two hospitals were hit by cyber attacks this year.
News emerged in July that account information of 5.4 million Twitter users copied late in 2021 had been put up for sale on the dark web. This week there was a report someone was selling data on 400 million Twitter users, also believed to have been scraped last year.
Among the bigger victims in this country: Amnesty International Canada, which acknowledged a threat actor was in its system for 17 months; meat processor Maple Leaf Foods, which was hit by ransomware; and the Empire supermarket chain.
“We can’t say it was a good year looking at what happened around the world, especially the Ukrainian war,” said Ismael Valenzuela, BlackBerry’s vice-president of threat research and intelligence.
“In general we have seen more attacks, more complexity of threats, and cybercriminals have been collaborating with nation-states, making the threat landscape more complicated to navigate.
“Nobody’s out of scope — not-for-profits, hospitals, educational systems. To me, that’s the worst because it directly affects our lives.”
Often BlackBerry finds many of the incidents it investigates aren’t sophisticated attacks, he added. A big problem is violating what he called critical security control number one: Not knowing where your hardware, software and data assets are. If you don’t know where they are, how can they be protected?
Another problem is attitude. “A lot of people think they can add multifactor authentication and anti virus and this — and the have the basics covered,” he said. But, he added, “there are a lot of knobs that you have to be adjusting continuously [in cyber defence] and unless organizations understand that, they can’t cover the basics”
Every CISO should have a threat model for their organization, he said. “CISOs need to realize they cannot defend against everything, and every organization has something that interests an attacker — intellectual property, steal your data, destroy or hold your operations for ransom, or use you to attack others. Going back to the basics, I don’t see many organizations have this clear — ask, ‘what are the threats that can have an impact on my organization?’. And then ask, ‘what am I going to do?'”
The good news? “Companies are investing more, not just in technology but also in training. I think there is a better understanding that this is not just something we solve with technology, but also that we need more cyber defenders, we need more people in the trenches … We’re talking more about cyber defence, techniques and strategies. The U.S. government is pushing a lot of this through its Zero Trust Architecture [for federal departments]. There is still a big gap between what governments are pushing for and what private industry is picking up, but if you look at what Canada, the United States, and other countries are doing, they’re pushing private industry in the right direction.”
For Johannes Ullrich, director of research, SANS Institute, the worst vulnerabilities in 2022 were
–Follina, CVE-2022-30190, a high-severity vulnerability in Microsoft Office suite of products that is easy to exploit for remote code execution (RCE) attacks;
—ProxyNotShell, CVE-2022-41082, and CVE-2022–41040 a collection of vulnerabilities that can be chained to gain control of Microsoft Exchange email servers [Note: CrowdStrike just discovered an exploit for getting around ProxyNotShell mitigations];
–and vulnerabilities found in security appliances from F5, Citrix, and others that threat actors were quick to exploit. For example, in November, three holes were found in Citrix ADC and Gateway products, and in May, the U.S. warned about one in F5’s BIG IP appliance, followed by a warning in July about another flaw.
The biggest mistake infosec leaders make, he said, is trying to hunt in their IT environments for the latest in the never-ending announcements of vulnerabilities instead of focusing on the fundamentals. “Security is best if it’s boring; you don’t want it to be exciting. Just focus on the basics, focus on operations and ignore a lot of the chatter and noise around you.”
As for 2023, both had interesting predictions. The huge layoffs in the IT sector may benefit CISOs who are desperate for talent, said Ullrich — if they and HR departments widen their criteria for hiring. It may be a challenge to get your HR department to understand some people have valuable IT skills without security certifications, he said.
Valenzuela sees “a continuation of what works” for threat actors, “because attackers are lazy. If something works, why change it?” The best defence, he said, is continuous IT network monitoring.