While a cyber attack similar to the one that compromised three key federal departments will almost certainly happen again, the damage can be limited if the government acts to break down technology silos and implement selective two-factor authentication measures, according to Canadian security experts.
The attack, which reportedly originated from computers in China, targeted economic data in the federal Finance department, Treasury Board, and Defence Research and Development Canada, CBC News said Thursday. The hackers used an “executive spear-phishing” attack, sending bogus e-mails that impersonated senior executives to lower-ranking government bureaucrats.
The social engineering was aimed at coaxing passwords out of those staff, ultimately to gain access to government systems.
Following news of the security breach on Thursday, Prime Minister Stephen Harper told reporters that Canada has “a strategy in place to try and evolve our systems” to deal with cyber attacks.
For Terry Cutler, a co-founder and chief security evangelist at Montreal-based Digital Locksmiths Inc., that strategy should start with tearing down the silos between federal government departments by appointing a cyber security chief or advisory board that can oversee security readiness and carry out risk assessment tests.
“If nobody is working together, you’re always going to have this problem,” he said. Cutler added the government could either put together an internal team to handle this or outsource the role.
Auditing and testing functions also need to be consistent across these silos, Cutler said, as this is the only way to truly find out where potential weak links and security holes are throughout the various departments.
James McCloskey, a senior analyst with London, Ont.-based Info-Tech Research Group Ltd., agreed that a centralized cyber security lead is a good idea, but he felt multi-factor authentication technologies could be the most effective solution.
While a foundation of strong end-user awareness can help stop most attacks, an organization is only as strong as its weakest link, he said.
“There would be systems that could greatly benefit from multi-authentication systems,” McCloskey said, adding that while a single-password approach would work for lower-risk systems, government users accessing sensitive personal and taxpayer data should be better protected.
Two-factor, or multi-factor, authentication requires staff to present something beyond their password, typically a hardware or software token, before they can access their e-mail or other business apps. In the case of a software token, an enterprise user generates a one-time code on their smartphone and enters it together with their regular password. A password harvested by a phishing e-mail is then useless on its own, because the attacker also needs the code that is valid at that moment.
McCloskey also stressed the need for better training programs across all government departments. “There should be a frequent and targeted set of messages to keep it at the top of mind for employees,” he said.
“For example, ‘we don’t ask for passwords and we never will,’” he added.
This, Cutler said, could be the most important issue for the government going forward to actually combat social engineering attacks. “Humans are so trusting and try to be helpful as much as possible,” he said. “Especially if you call them at 4:59 as they’re ready to leave the office.”
You need to continually drive home the risks of social engineering attacks and keep staff alert, Cutler added.