Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday December 10th. I’m Howard Solomon, contributing writer on cybersecurity for ITWorldCanada.com.
In a few minutes I’ll be joined by Dinah Davis, the Canadian-based vice-president of research and development of managed service provider Arctic Wolf, to discuss some of the news from the past seven days. But first a look at the headlines:
The Canadian government urged organizations to take fighting ransomware more seriously. The government knows there were at least 235 ransomware incidents against Canadian firms or individuals up to the middle of November.
In related news, Palo Alto Networks said a survey found that Canadian organizations willing to pay after being hit by ransomware were forking over an average of $458,000.
And Canadian police arrested an Ottawa man who they believe was behind a large number of ransomware and other cyber attacks.
Separately, a news service reported the Cerber ransomware strain is back circulating after having been quiet for two years. New attacks are being seen against organizations using Atlassian’s Confluence collaboration servers and those using GitLab servers for application development.
Not surprisingly, ransomware will feature high in the discussion Dinah and I will have.
We’ll also talk about some recommendations from Canada’s privacy commissioner on what shoppers should look for when buying internet-connected toys for youngsters.
Also this week the government acknowledged that the IT network of Canada’s head of state, the Governor General, was hacked. It isn’t saying how the intruder got past security controls.
Microsoft said it had disrupted the activities of a China-based hacking group by seizing websites it used to spread malware. Most of the targets were government agencies, think tanks and human rights organizations.
Google said it had disrupted a botnet of 1 million compromised Windows computers and servers. This botnet’s malware stole passwords, data and secretly installed cryptomining applications on victims’ devices.
As part of October Security Awareness Month a Canadian company that offers a phishing simulation service runs a global test to see how employees are doing. The results of this year’s test, released this week, aren’t encouraging: Almost 20 per cent of participants fell for a test phishing lure sent to their inboxes. Of those who clicked on a link and went to a fake website, just over 14 per cent went on to download a payload that could have been malicious. It’s another sign that awareness training has a long way to go.
Speaking of phishing, researchers at Proofpoint have detected another email campaign aimed largely at universities in Canada and the U.S. Many of the messages have COVID-19 related themes with links to fake university websites. These sites are supposed to have information about the Omicron variant or about COVID tests. However, the websites are imitations of real university sites. The goal is to steal student and faculty usernames and passwords. A warning: Some of the messages come from compromised university email accounts so to victims they look authentic.
(The following is an edited transcript of my discussion with Dinah. To hear the full conversation play the podcast)
Howard: The big theme of today’s podcast is ransomware. First let’s get into the Canadian government’s letter to businesses. It’s one way to grab headlines and the attention of the public and the private sector. But the real actionable part was the release of a Ransomware Playbook that companies can use as a guide for defending against and recovering from ransomware. I think that could help a lot of firms. What did you find most useful?
Dinah: I thought it was really well done. The language was clear. I’m a little biased because I’ve read a lot of that kind of stuff, but I found the language accessible. I really liked that they described what ransomware is, and not only that but put in a whole section on whether you should pay the ransom. They basically say it’s entirely up to you, but you should always report it to your local police, paying doesn’t guarantee that you’re going to get access, and payment could be used to fund other illicit activities. And even if you do pay, the threat actors might still demand more money, continue to infect your devices, retarget your organization with a new attack, or leak or sell your data. I did like that they touched on that and gave people a little bit more information about how to make that decision.
Howard: I found it really interesting that the first recommendation for defence is having a good data backup plan. What are the important elements of safe backup?
Dinah: There are three different ways. Do a full backup each time you need one, do a differential backup that only copies data that has changed since the last backup, or you can do an incremental backup, which stores only data changed since the last full or differential backup. If you do differentials, you have to remember that when you need them you will have to start with the first backup and run them all the way through. The benefit is you back up quickly. The disadvantage is it could take you a while to get [all the data] back up.
Howard: The Playbook also says that having a secondary backup to the cloud can be helpful, but it also warns that the cloud provider can be hacked.
Dinah: Yes. You have a few options. You can store it online in your own physical space, but you have to manage it yourself. If you are using a cloud provider you do open your risk up, because any time you’re adding in more vendors you’re adding openings for supply chain attacks. But you can also store them [backups] offline, where you put a backup in the cloud and then disconnect entirely, which can be very good because then attackers can’t get to those backups.
Howard: We’ve talked about this before, but backups have to be tested regularly. Not only for their integrity but so staff are familiar with the process, so if you’re in a crisis and hit by ransomware, or any kind of attack, you have confidence that you can go for the backups.
Dinah: Absolutely. You want to be practicing. You don’t want the first time you’re trying to recover from backup to be when you have to recover from backup.
Howard: The Playbook also says having an incident response plan is vital and we’ve talked about this before. Incident response plans have a lot of parts to them. Can you go through what’s needed?
Dinah: The Playbook provides a really nice checklist for you. It starts with doing a risk assessment, which is looking at all the different pieces of your infrastructure and your apps and what risks you actually have. Then they encourage you to go through your security policies and procedures — how are they working, where are there potential holes? A key element is also the response team. You want to make sure you have worked out who’s going to be on it. You also have to train all the people on what they’re going to need to do. Another key piece is to identify all the stakeholders that need to be contacted [after the incident is discovered]. Do you need to put out press statements about what’s happening? How? Finally, you actually want to develop a recovery plan: if we are breached, this is what we would do [to recover IT].
Defensively, you want to manage the user and administrator accounts, always applying the principle of least privilege to ensure that users only have the access and privileges they need to carry out their job functions and no more. Have a separate system for administrative work from regular user activity.
Howard: One thing that experts have told me on incident response is that you should consider having a second internet provider to help restore your IT systems. If you use Rogers, have an extra Bell account, for example, and that way if your main internet connection crashes you’ve got the backup internet account. That way your IT department can start to restore things. In addition, the IT department should have at least one laptop with network and data recovery tools for the IT team tucked away, because the ransomware attack may take out the entire organization’s PC systems. You’re going to need at least one computer and perhaps a backup cell phone for restoration and communications.
Dinah: You definitely want to have a communication mechanism set up that’s not through your regular corporate email channel because it may be compromised. Maybe you have a Slack channel or something like that.
Howard: The government’s ransomware advice also talks about the importance of following basic cyber hygiene and basic cyber controls in order to reduce the risk of being attacked.
Dinah: They gave a really good list of cyber security controls that you need to consider for your company. The first thing they mention is that you want to establish a perimeter of defence: consolidate your internet gateways and checkpoints, because the fewer places hackers can get in, the less likely it is to happen. Monitor everything that’s coming in and going out. That’s all fairly complicated if you’re not a very big company, but you can also hire someone to do this.
You also want to know what your baselines are: What does your traffic normally look like, and what does it look like if it’s being attacked? Another control is to implement logging of who’s signing into your systems. You also want to make sure you’re conducting penetration testing. Segmenting your network can be a really great way to reduce the blast radius of an attack. Don’t allow the people in your company to use macros, especially not in Excel or Word. And patch, patch, patch, patch, patch. You always want to get the latest possible software on your systems.
Lock down your system and only allow specific applications to be used by members of your company. Apply password management, including using MFA (multifactor authentication). Here’s a new one that I did not know about: using a password vault for administrative accounts. These passwords are cycled and synced with your systems, letting you only use a password once. Implement technology to protect your email domains from email spoofing. That can be as simple as putting the word “External” on any email that comes from outside of your organization.
Howard: The ransomware advice that the government distributed this week also mentioned the cost of paying ransoms. The government report said the average ransom that has been recently paid by Canadian victim organizations is $200,000. Coincidentally, this week Palo Alto Networks released a survey that it had done earlier this year and said that the average ransomware payment in this country is more like $458,000 — and remember that’s the average. Eight per cent of those surveyed said that they had paid between $1 million and $5 million. And that doesn’t include the recovery costs of buying new computers or the cost of reimaging your existing computers and the cost of lost business.
Dinah: Not only that but 41 per cent of businesses hit with a ransomware attack take at least a month to recover. Fifty-eight per cent said it took more than a month to recover, 29 per cent said more than three months. So the impact is big.
Howard: We’re going to leave ransomware and turn to something perhaps a little more cheerful, and that’s holiday shopping, specifically shopping for internet-connected toys for youngsters. The privacy commissioner of Canada put out a guide this week with some recommendations.
If you do decide to buy some kind of smart toy you want to make sure you’re securing that device, so one of the best practices for any IoT kind of technology is to put it on a guest wireless network, not the same network that your computers or your phone are on. That way an attacker can’t easily jump from one thing to another. Make sure to change the default passwords, PINs or usernames on the device. One of the most common things that happens is hackers will try and take over a device with the default username and password. And don’t let children use their real names online. My daughter is 13 and she’s on a few different websites, but never under her own name. I’ve really drilled into her that it’s very important to keep your privacy and watch what you share online.
It is important to have a conversation with your kids about privacy on the internet. I remember when my daughter was about 5 or 6 and she was messaging back and forth with her best friend and she accidentally posted something she shouldn’t have. Her friend’s mom then messaged me. So I explained to my daughter that anything you post on the internet, anything you send in a private message, any picture you send can come back to you. Imagine that picture blown up as a giant poster in the middle of your classroom. If you are not okay with that then don’t put it on the internet.