Canada Revenue Agency is beefing up its IT security just weeks after a phishing scheme tried to fool users about their refunds and as tax season gets under way.
The measures include a security awareness program for all of the Canada Revenue Agency’s (CRA) 50,000 employees and the implementation of an identity and access management program. CRA is also enforcing a policy that 15,000 laptops under its control be encrypted, and is rolling out a vulnerability assessment program to see where software patches may need to be applied.
Ken Canam, CRA’s director of IT security, said the agency has been exploring ways to improve the protection of data and applications following its compliance with the federal Management of Information Technology Security (MITS) standard, which was made mandatory by Treasury Board Secretariat two years ago. The CRA isn’t stopping there, though.
“You can be MITS-compliant, but you have to recognize that MITS is only a baseline,” Canam said. “You have to look at your organization and determine where you meet MITS and where it needs to be exceeded.”
Canam made his comments at GovSym, a public sector security event held in Ottawa last week by IT World Canada and founding sponsor Symantec.
The CRA is a mix of Windows servers, Unix and even Linux machines. A critical priority for the agency is scanning and ensuring the integrity of its NetFile online tax filing system. This is especially important, Canam noted, in light of a recent phishing scheme where Canadians were asked to click a link that promised a lucrative refund.
Mark Fossi, who leads the research effort around Symantec’s Internet Threat Security Report, said the CRA phishing scheme demonstrates the increasing sophistication of online threats.
“It’s not like it’s an e-mail about millions of dollars coming from Africa,” he said, referring to phoney e-mail messages purportedly from Nigeria. “It’s reasonable amounts. Who couldn’t use an extra hundred bucks right now?”
Canam noted that the only thing that looked different from the real CRA site was a minor discrepancy in a French character.
The CRA is as focused internally as it is on citizen-facing applications like NetFile. Part of the CRA’s plan involves an enterprise security monitoring console, which Canam said looks for simultaneous access on the same account. “So if you were in Halifax and logged on, and then at the same time someone else logged on with the same ID in Toronto, that would send an alert and we could block that access,” he said.
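The concurrent-logon rule Canam describes, written out as an added example (not CRA's or any vendor's code) over a constructed set of logon records: two sessions on the same account count as an alert only if their time intervals actually overlap and they originate from different locations.

```python
from dataclasses import dataclass
from datetime import datetime

# Constructed sample of logon records (user, location, logon time, logoff time).
# "jdoe" mirrors the Halifax/Toronto case from the article; the others are controls.
SAMPLE_EVENTS = [
    ("jdoe", "Halifax", "2024-03-01T09:00:00", "2024-03-01T11:30:00"),
    ("jdoe", "Toronto", "2024-03-01T09:45:00", "2024-03-01T10:15:00"),
    ("asmith", "Ottawa", "2024-03-01T08:00:00", "2024-03-01T09:00:00"),
    ("asmith", "Ottawa", "2024-03-01T09:30:00", "2024-03-01T12:00:00"),
    ("bli", "Montreal", "2024-03-01T10:00:00", "2024-03-01T10:30:00"),
    ("bli", "Calgary", "2024-03-01T10:30:00", "2024-03-01T11:00:00"),
]

@dataclass(frozen=True)
class Session:
    user: str
    location: str
    start: datetime
    end: datetime

def parse_events(rows):
    """Turn raw (user, location, start, end) tuples into Session objects."""
    return [Session(u, loc, datetime.fromisoformat(s), datetime.fromisoformat(e))
            for u, loc, s, e in rows]

def concurrent_sessions(sessions):
    """Return (user, location_a, location_b) for every pair of sessions on the
    same account whose intervals overlap and that come from different locations.
    Back-to-back sessions (one ends exactly when the next starts) do not overlap."""
    by_user = {}
    for s in sessions:
        by_user.setdefault(s.user, []).append(s)
    alerts = []
    for user, items in by_user.items():
        items.sort(key=lambda s: s.start)
        for i, a in enumerate(items):
            for b in items[i + 1:]:
                if b.start >= a.end:
                    break  # later sessions start even later, so none overlap a
                if a.location != b.location:
                    alerts.append((user, a.location, b.location))
    return alerts
```

A real monitoring console would feed this from authentication logs and typically add a travel-time check between locations rather than only a strict overlap.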
Besides phishing schemes and online pranksters, Canam said the CRA was most concerned about bot nets and SQL injections. The agency is paying special attention to commercial off-the-shelf software, scanning it a minimum of three times for any issues, he said.
The CRA is also using Entrust PKI security technology to allow employees to sign in remotely and to secure the more than 100 e-mails and federal documents that get sent to courts every day.