While the federal government combats hostile foreign intelligence services seeking the country’s biggest secrets, hackers and fraudsters are keen on cashing in on the fear the novel coronavirus has created, targeting both individuals and businesses across Canada. The air duct folks are offering “special” air filters to protect from COVID-19, and “financial advisors” are offering financial aid or loans to help struggling businesses survive local shutdown orders. Meanwhile, work-from-home policies are in effect across thousands of companies, and the resulting IT sprawl is giving security leaders headaches and cyber criminals fresh new attack surfaces to chew on.
This week, leaders in the cybersecurity space had an opportunity to explain to the federal government that the cyber threats facing Canada haven’t evolved much since the pandemic began, and in fact, COVID-19 is yet another reminder that Canadians remain as susceptible as ever to cyber attacks.
“Canadians need to develop street smarts around cybersecurity,” said Byron Holland, president and chief executive officer of the Canadian Internet Registration Authority (CIRA), one of the witnesses appearing in front of Canada’s Standing Committee on Industry, Science and Technology (INDU) to discuss Canada’s response to COVID-19 earlier this week. He used the opportunity to reiterate a point that security pros have been hollering from mountain tops for years. “As Canada and the rest of the world enter an era where the internet has proven to be a lifeboat for the global economy, we believe Canada must do more to be a global leader in cybersecurity. We would encourage the government of Canada to dedicate more funding to cybersecurity research, solutions and platforms, to protect Canadians and ensure the security of our digital economy.”
CIRA recently launched a free domain name system (DNS) firewall service called SHIELD to improve privacy and security for individuals using computers, smartphones and tablets. The company says SHIELD is the first deployment of a national, public DNS over HTTPS (DoH) service in the world, and that the threat intelligence feed of the service will be provided by the Canadian Centre for Cyber Security. The official launch last month was preceded by an early access launch for highly vulnerable sectors, including healthcare, education, and small businesses.
When asked if CIRA moderates the content on .ca domains that CIRA greenlights, Holland explained that content moderation falls outside of the organization’s mandate. The number of phishing websites skyrocketed by 350 per cent between January and March, according to Google. In Canada, these phishing attempts have taken the form of, among many others, fraudsters posing as members of the Red Cross asking for money, or the Public Health Agency of Canada providing “helpful” links about COVID-19.
“I’m in no way trying to skate out from the responsibility, but we’re a technical moderator, not a content administrator,” he explained, indicating stronger content moderation would have to come from elsewhere, such as a law enforcement agency or the Canadian Radio-television and Telecommunications Commission.
Scott Jones, director of the Canadian Cyber Security Centre, confirmed to the INDU that cyber criminals are largely sticking to traditional cyber attacks such as ransomware campaigns, distributed denial of service (DDoS) attacks and business email compromise (BEC) scams, to take advantage of people’s fear around COVID-19.
Larry Zelvin, head of financial crimes and cyber fraud for BMO Financial Group, confirmed Jones’ assessment.
“You’re not seeing a lot of changes in tradecraft because what is old still works. As a matter of fact, it’s working really, really well, maybe better than before because people are fearful and they’re taking advantage of that fear,” he told IT World Canada. “And bad guys only need to be lucky once.”
Finance sector experiences 240% increase in cyber attacks during pandemic
The financial sector has always been a high-value target for cyber criminals, but between February and April 2020, amid the COVID-19 surge, cyberattacks against the financial sector in the U.S. and Canada went up by 238 per cent, according to VMware Carbon Black data.
Well-known trojans like Kryptik and malware such as Emotet have left their imprint across multiple sectors in recent months, including finance. VMware Carbon Black says these malware types are often used in longer, more complex campaigns where the end goal is to use operating system tools to remain invisible on one system (sometimes a supply-chain partner) while island-hopping to a larger, more lucrative target.
These attacks have, once again, brought to light the importance of strong identity and access management (IAM) protocols, Ray Boisvert, an IBM Canada security partner and former assistant director of CSIS, told IT World Canada.
“In this increasingly connected world where we have billions of devices and billions more to come in the next several years, we’ve been connecting to work through our smartphones after hours, but we’ve been stuck with a problem around identity access and privileged access management,” Boisvert said. “A lot of organizations aren’t focusing on this enough yet and don’t understand that getting identity access management right provides layers upon layers of security protection all across the network.”
IAM ensures that only authorized employees get access to the right resources across a highly heterogeneous technological environment. The IAM market size exceeded US$10 billion in 2018 and is estimated to grow at over 10 per cent CAGR between 2019 and 2025.
The pandemic has also exacerbated the issues around cloud computing. Boisvert pointed to a recent statistic from IBM’s X-Force Threat Intelligence Index showing that simple scans for exploits – such as cloud misconfigurations – were still in the top three ranked initial infection vectors, right next to phishing and stolen credentials. During the pandemic, he said he’s encountered multiple clients who have suffered by buying into the misconception that cloud providers are tasked with securing their data.
“It just shows that a lot of organizations have moved to the cloud based on erroneous conceptions that the cloud provider is going to take care of their security, but that’s not necessarily true,” he said.
Canada has to speak up
Since mandatory breach reporting requirements came into effect under PIPEDA last November, the volume of reports has increased more than five-fold, according to the Privacy Commissioner of Canada. However, that’s still likely just a fraction of all the cyber attacks Canadians experience daily, witnesses told the INDU.
“Cyber crime is massively under-reported,” Jones said.
In addition to a final call to action, urging businesses to get their security plans in check to accommodate the new remote workforce, witnesses before the INDU were adamant that Canadians can do something right now to improve their cybersecurity posture. Jones said a service like CIRA Shield can quickly discourage cyber criminals from launching an attack.
“One thing with many criminals is that they go after the lowest bar.”