The cyber security record book has closed on 2018, and what a ghastly year it was.
It began with the acknowledgment of the Spectre/Meltdown vulnerabilities and ended with the revelation of an API vulnerability at Facebook and a huge breach at Marriott Hotels’ Starwood chain.
In between — and this is only a partial list of publicly disclosed international issues — a database with some 340 million records belonging to U.S. marketing and data aggregation firm Exactis was discovered open to anyone; Twitter urged all of its more than 330 million users to change their passwords immediately after a bug wrote them in plain text to an internal log; 150 million users of the food and nutrition application MyFitnessPal were told their usernames, email addresses and hashed passwords had been stolen; LocalBlox, a personal and business data search service, left a database exposed with 48 million records of detailed personal information on tens of millions of individuals; and Ticketfly admitted names, addresses, email addresses and phone numbers connected to approximately 27 million accounts were accessed.
In Canada, more evidence that even stalwarts can be hit: Bell Canada acknowledged hackers accessed personal information of around 100,000 customers, and the Bank of Montreal and CIBC’s Simplii Financial were hacked. Meanwhile, a security researcher found an unprotected messaging server belonging to a fitness company called PumpUp had left personal data exposed, one of several incidents involving MQTT messaging servers reachable from the internet without authentication; another researcher discovered huge amounts of unencrypted personal data on Canadian and U.S. customers on servers and PCs for sale on Craigslist that once belonged to the bankrupt computer electronics chain NCIX; the company that oversees Ontario’s 407 toll highway began investigating an alleged insider theft of data involving 60,000 customers; and ransomware stung the Ontario towns of Wasaga Beach and Midland, as well as the Quebec regional municipality of Mékinac.
There isn’t enough space in this story to list the companies with clumsy staffers who in 2018 left corporate data exposed on Amazon S3 buckets.
There isn’t enough space in this story to discuss how social media was exploited in 2018 by foreign governments. (But here’s a link to a report on how it was done in the U.S. 2016 election.)
For those looking for solid numbers on cyber attacks in this country, Statistics Canada issued the first government-backed study of business victims of cyber crime, which found that just over one-fifth (21 per cent) of the more than 10,000 Canadian firms surveyed reported being impacted by a cyber security incident.
The safest prediction for 2019: More of the same, because companies still haven’t learned how to close vulnerabilities, encrypt and segregate data, oversee adequate staff training and plan for disaster recovery. (For a textbook report on what not to do, see this Congressional report into the Equifax breach.)
Don’t expect Ottawa to pass new cyber security or privacy legislation obliging companies to toughen up, for two reasons. First, legislation either just came into effect — as of November 1 Canadian companies are required to report serious breaches of personal data to affected customers and to the privacy commissioner — or is about to: proposed changes to the Elections Act expected to be approved shortly will require online platforms to compile a registry of the partisan and election advertising messages they publish during election periods. Second, this is an election year. The government will want to pass what’s already on its list before the October vote.
Speaking of the election, expect the entire Canadian intelligence community — including the RCMP, the Canadian Security Intelligence Service (CSIS) and the Communications Security Establishment (CSE) — to be closely watching for any indication social media is being used by foreign governments to manipulate public opinion.
Among the small bright spots in 2018 was the merger of several federal assets to form the Canadian Centre for Cyber Security, a one-stop shop for federal departments, the private sector and the public to find at least basic security information. How far the centre goes in public outreach and how deep its website goes with helpful information are still open questions. On the other hand we shouldn’t let provinces off the hook for their responsibility to be cyber security leaders as well.
In terms of legislation, two new laws highlighted 2018: In May, the European Union’s General Data Protection Regulation (GDPR) came into effect, which Canadian companies doing business there now have to follow; and in November Canadian companies began facing a mandatory breach notification law under amendments to the Personal Information Protection and Electronic Documents Act (PIPEDA). The federal privacy commissioner also now has the power to initiate an investigation based on a reported data breach — and possibly embarrass a company.
It’s too early to say what impact these laws will have on business. Neither the EU nor the federal privacy commissioner has yet lowered the hammer on an offender.
However, expect a lot of attention to be paid to four coming reports from the federal privacy commissioner:
—a commissioner-initiated investigation into the privacy management practices of six of the country’s data and list brokers. The OPC hasn’t named the companies, but a 2014 OPC research report said the Equifax and TransUnion credit bureaus and the Cornerstone Group (now part of Deloitte Canada) were among the biggest at the time;
—a report on Statistics Canada’s proposed use of what it calls administrative data of taxpayers collected from Canada Revenue Agency to get insight into Canadians’ spending patterns;
—a report on the Canadian angle on the Facebook/Cambridge Analytica scandal;
—and a look at whether the Canada Border Services Agency’s searches of digital devices violate privacy rights.
We spoke to five cyber security or privacy experts for their predictions:
David Senf, founder and chief analyst at the Toronto cyber consultancy Cyverity:
The well-known shortages of cyber security personnel needed by business, of infosec pros with above-average skills, and of business investment in security technology will turn gaps into a crisis, he predicts. “Without a federal/provincial push it’s going to be status quo from a labour, skills and investment perspective.”
“The gaps continue to grow. And I think it’s important to label it a crisis because you’re going to increasingly see more private data exposed, more companies’ secrets exposed that limit us competitively in the global marketplace.”
Among the difficulties infosec pros will face this year is the increasing use by threat actors of machine learning and artificial intelligence to automate and hone attacks. For example, he said, spearphishing attacks will get better as criminals use machine learning.
Ann Cavoukian, Expert-in-Residence at Ryerson University’s Privacy by Design Centre of Excellence:
“2019 promises to be an eye-opener for privacy” for several reasons she said. Countries are starting to enact legislation to comply with the GDPR, which “represents a significant raising of the bar for privacy and the return of personal control of one’s data to the data subject.” GDPR urges Data Protection by Design and by Default (known as Privacy by Design) so “the sky’s the limit,” she said.
Meanwhile, after federal privacy commissioner Daniel Therrien called upon the government to upgrade PIPEDA, a parliamentary committee responded with a “promising report” entitled ‘Towards Privacy by Design.’
At a time where privacy concerns are at an all-time high, and trust is at an all-time low, more and more companies are seeking Privacy by Design Certification to restore trust and gain a competitive advantage, Cavoukian said.
“So I predict positive gains for privacy in 2019, with the increasing growth of decentralization and SmartData. But we must always beware of what may be around the corner, keeping our eyes wide open to threats that may be arising. One such threat is governments seeking to create backdoors to encryption, in an effort to crack the code. On the heels of Australia having enacted such a measure, let us not lose sight of this practice spreading.”
Imran Ahmad, a partner at the law firm Blake, Cassels & Graydon LLP, who specializes in cybersecurity, privacy and technology law. He’s also a member of the Canadian Advanced Technology Alliance’s Cyber Council.
Privacy enforcement will increase now that the federal privacy commissioner has more investigation power under PIPEDA, especially with respect to mandatory breach reporting and breach record-keeping requirements.
“Last year we noticed a marked increase in cyber security incidents resulting from the malicious actions of staff. This trend is likely to continue in 2019. Organizations will need to work with their HR departments to properly vet and monitor staff conduct within the organization.”
Data exfiltration attacks will target cloud applications, specifically cloud-native attacks that abuse weak or ungoverned API endpoints to reach the data held in software-as-a-service applications.
Finally, expect to see more ransomware targeting desktops and servers that expose the Remote Desktop Protocol (RDP) to the internet.
Ahmed Etman, managing director for security at Accenture Canada:
“In 2019 I believe we’re going to continue to see more structured programs to control and limit the exposure of [corporate] data to reduce the risk from shadow IT.” These include better network visibility and clearer processes that lines of business have to follow before staff can adopt cloud services.
Firms with industrial control systems are increasingly adopting Internet-connected devices. Expect these companies to focus on improving these operational networks and integrating them with traditional IT security as attackers try to exploit them.
Companies will also see more attacks on their supply chains, so infosec pros have to pay attention to what their partners are doing. Attackers are getting “very creative” in this area, he said.
Finally, infosec pros will take another look at their cloud security strategy, both their current controls for what they already have in the cloud as well as for workloads about to go into the cloud.
Jeff Pollard, enterprise security analyst at Forrester Research:
Botnets will fraudulently generate revenue that rivals a Fortune 1000 business. Botnets now have a core set of capabilities that attackers can easily exploit. As a result “we will see massive botnets generating tons of money.” Defenders have to understand that the threats they face are automating faster than they are, he said, and should incorporate bot management into their risk assessments.
Forrester also expects the U.S.-China trade war to increase economic espionage against Western firms after a period of decline. “You can take [China’s] five-year plan and use it as a bit of a guidebook to the industries that will be hacked.” The latest plan calls for Chinese companies to invest in biotechnology, energy, autonomous vehicles, 5G wireless technology, robotics, aerospace, and agricultural machinery. Western companies in those sectors have been warned.
Finally, expect one high-net-worth individual’s residence — and possibly their business — to be infiltrated through their connected home devices. That’s because hackers know these devices — from voice-commanded assistants to Wi-Fi routers to Internet-connected TVs — can be poorly secured.
Conclusion: Buckle up, it’s going to be a bumpy ride. Or, buckle down and get to work.