Canadian organizations lag in security: Fortinet

Canadian organizations have nothing to boast about when it comes to securing their networks and devices, says a researcher security solutions maker Fortinet Technologies Inc.

“Canadian businesses are not doing a particularly good job of keeping their infrastructure devices up to date and patched with the latest security patches.” Richard Henderson, a Burnaby, B.C.,-based security strategist at Fortinet’s FortGuard research lab, said in an interview. “This continues to be a song that the security industry in general has sung for a long time.”


Henderson came to the conclusion after doing research that accompanied a report issued today on the increasing number of government-sponsored advanced persistent threats (APTs) around the world.

As part of his work Henderson pulled raw data from thousands of Fortinet firewalls and gateways in Canada and compared it to other raw data from around the world. He also did some simple sleuthing around the Web to see if Canadian organizations have buttoned up their Internet access.

Fortinet defines APTs as sophisticated attacks, usually coming from government agencies, aimed at damaging or stealing data from other governments, companies or individuals.

APTs that have hit this country include the 2011 attack on the federal Treasury Board, finance department and defence department triggered by phishing emails that appeared to come from other government employees.

Once discovered Ottawa had to shut down some of its networks for some time to cleanse them of the malware and determine what was stolen.

APTs use common hacking techniques – email requests that dupe people into giving up passwords, clicking on supposedly legitimate Web links, scanning the Internet for open ports — the report says.

In addition to data theft, people behind APTs are also looking for Internet-connected SCADA (supervisory control and data acquisition) systems that run everything from traffic lights to oil field pumps.

Henderson said he found Canadian companies are just as unprepared as other nations in protecting SCADA devices from being used to attack and organization.

 “A lot of these things are wide open and willing to be exploited,” Henderson said. They never were designed for Internet connectivity in mind, but some manufacturers have offered “bolt-on” solutions that are nothing more than serial port converters with Ethernet ports or a cell phone modem that allows them to be remotely managed.

However, a number of organizations fail to put these devices behind firewalls, gateways or routers, Henderson said, let alone connect them with virtual private networks (VPNs).

If the devices use older, unpatched software they’re almost an open door to an organization.

And it isn’t hard to find these holes, Henderson said, by using a tool like the Shodan search engine, which searches for computers based on operating system and IP address.

“If you’re lucky they ask for authentication,” he said of some systems. “I found a couple devices where if you connect to a tenet port through a command line it will send you into a root shell without any authentication whatsoever.”

Other devices showed a login screen, but access could by gained with the username “admin” and no password. Sometimes the password is “password.”

Some organizations have thought about security but aren’t following it through, Henderson said. For example he found a system with a Web user interface that gave access to a group of SCADA devices running an old version of Apache Web server.

Once the attacker knows that, he can search the Internet for known vulnerabilities of that server and tailor a payload for an attack.

“What’s the point of having any security whatsoever?” he asked.

Unfortunately, he said, some companies believe in “security through obscurity” – the notion that there are so many devices on the Internet who would find ours.

There are only a few groups globally that have the capability, skills,

funding and infrastructure to launch an APT: they include the U.S,. Russia, China, Israel and possibly Syria, Iran and North Korea.

Fortinet says the best way to protect against APTs is with a multilayered defence that includes the usual IT strategies such as intrusion prevention and data lead prevention, but also training staff.
(EDITOR’S NOTE — This article was edited after publication to remove an erroneous statement regarding network penetration of a particular company. Fortinet says it is not aware of any such network penetration.)

Would you recommend this article?


Thanks for taking the time to let us know what you think of this article!
We'd love to hear your opinion about this or any other story you read in our publication.

Jim Love, Chief Content Officer, IT World Canada

Featured Download

Howard Solomon
Howard Solomon
Currently a freelance writer, I'm the former editor of and Computing Canada. An IT journalist since 1997, I've written for several of ITWC's sister publications including and Computer Dealer News. Before that I was a staff reporter at the Calgary Herald and the Brampton (Ont.) Daily Times. I can be reached at hsolomon [@]

Featured Articles

ADaPT connects employers with highly skilled young workers

Help wanted. That’s what many tech companies across Canada are saying, and research shows...

Unlocking Transformation: IoT and Generative AI Powered by Cloud

Amidst economic fluctuations and disruptive forces, Canadian businesses are steering through uncharted waters. To...

Related Tech News

Tech Jobs

Our experienced team of journalists and bloggers bring you engaging in-depth interviews, videos and content targeted to IT professionals and line-of-business executives.

Tech Companies Hiring Right Now