Canada’s nationwide cybersecurity event, MapleSEC, opened for a second year with a look at the threat landscape, appropriately titled ‘Standing On Guard’. Between the presentations and panels and a very active user chat, it was 90 minutes packed with an interactive as well as educational security experience.
Host Brennen Schmidt, a noted cybersecurity author and consultant, hosted the show, which also featured a keynote from Byron Holland, the president & chief executive officer of the Canadian Internet Registration Authority (CIRA). CIRA and IT World Canada (ITWC) are the founders of MapleSEC, which was created to have a strong Canadian event focused on cybersecurity
It was fast moving and there was a lot to capture, but fortunately, if you registered and missed part or all of it, you can always go back and re-watch the recordings of the event.
But for those who like to read, here are some things from my notebook.
2021 – New and More Sophisticated Threats
The first panel echoed the theme of the day – new and sophisticated threats are everywhere. Cara Wolf from Ammolite Analytics noted that “Anywhere there is a vulnerability, it will be exploited.” Jennifer Fernick, senior vice president and global head of research for the NCC Group, talking about the home and business networks that we all live on day to day, gave equally frank advice when she said, “Assume all networks are hostile.”
Darrin Horner, regional sales manager with OKTA, talked about “Cloudjacking” (cloud account hijacking) as a new threat. Cloudjacking is not dissimilar to regular attacks by credential stuffing, harvesting credentials, or capitalizing on reused passwords, but according to Fernick, it has an ominous twist. “The systems that enterprises are deploying as we become ‘public cloud first’ are now more homogeneous with very similar platforms….and the attack paths are more similar than they might have been for an ‘on prem’ model.”
Horner also pointed out that the IoT market, which would soon be in the trillions of dollars, was still a huge source of concern. All panelists acknowledged that IoT was still a huge risk area. Wolf warned that “the more connected IoT devices are, the more the attack vectors and the more possibilities for hackers to target are available.” Fernick stated that “we use IoT devices as a way to train our interns because we find it so easy to find vulnerabilities on those devices. That tells us something about the state of IoT security and it is worrying.”
Ransomware Remains Popular
Ransomware continues to be a huge and ever more sophisticated threat. Wolf noted there was a “171 per cent increase in the number of ransomware attacks” since the pandemic started. “We’re seeing more sophisticated attacks…either nation state sponsored or criminal gangs or terrorists and some of them are so sophisticated that they are using AI to mimic the voice or the email writing of CEOs.” The trickery we are witnessing is at a level “we’ve never seen before”
When asked if they thought ransomware could evolve further, Fernick said, “I think that ransomware doesn’t need to evolve much further to do tremendous damage. Ransomware attacks happen most commonly on unpatched networks with vulnerabilities that may be exploited to get a foothold on the network and…even when vendors provide patches to those vulnerabilities it often takes a long time for downstream companies that are using those products to actually apply those patches.”
As to what can be done about ransomware, Fernick was quite clear that even with all the effort in training and tools, “until as an industry we can radically improve vulnerability, triage and remediation…ransomware crooks will continue to ‘count their bitcoins’.” As to what will have an impact? “Realistically, policy-based responses like government sanctions to ransomware payment operators are much more likely to have an effect.”
Dr. Hadis Karimpour, associate professor & chair in secure and reliable networked systems at the University of Calgary, outlined how deep fakes utilize sophisticated deep learning models to replace a specific person or voice with another one in digital media. According to Karimpour, this can only get worse. She said, “honestly, right now, anybody who has a computer and access to the internet…can technically produce a deep fake.”
Is there any way to defend against it? Fernick noted that we have a kind of “arms war” going on, where as soon as detection improves, the deep fakes find new ways to beat the detection and on and on it goes.
But Wolf also noted that not all is lost. Humans still have a way of understanding context and behaviour if they are trained and choose to use that training. For example, if you see a video of your executive doing something out of character, you need to ask, “would that person really do that?” According to Wolf, we need training that makes people aware of what can happen and trains them to watch for the signs. When you do that, she says, “common sense prevails”.
Horner asked what one cybersecurity mistake people will still be making five years from now. The panelists seem to indicate that we’d have the same challenges well into the future. According to Hadis, users will “still click on links from unverified sources.” Fernick believed we will “still be treating security as something you add on at the end of the development process.” And Wolf noted that we’ll still see “a lot of gullibility on the human side.”
Even with this dismal view, all the panelists agreed that solutions like training and credential management were critical. But given limited resources and vast differences in user sophistication, they also added something we should all think about: we need to tailor our training and policy solutions. Or as Wolf put it, “we should identify users are most at risk and tailor our approaches to them. How can we train them? How can we protect them?”
Towards a More Privacy Enabled Internet
Unfortunately, in Canada we often hear about where we are behind in technology or what we are doing wrong in security and privacy. Yet there are some good things happening as new forces emerge to build a more private and secure internet. Two of those entities were present at MapleSEC.
Mark Gaudet, the general manager of cyber & DNS with CIRA, led a session that showed how Canada and CIRA are once again leading the way, this time partnering with Mozilla Firefox.
CIRA has always been at the forefront of privacy. It has clear policies that protect the privacy of Canadians. It has led the way in keeping internet traffic within Canada to the greatest degree possible (you can’t prevent all ‘hops’). It offers the Canadian Shield, a free DNS service that provides support for DNS over HTTPS. (For Simpson’s fans, this has the wonderful acronym DOH)
Now CIRA has partnered with Mozilla Firefox to further increase Canadians’ privacy protection. Just how this is done was explained by Eric Rescorla, chief technology officer – Mozilla Firefox, who was one of the key guests on day one of MapleSEC 2021.
Rescorla explained that DNS is “an essential part of the internet, turning text into numbers like “the phone book of the internet”.
But DNS is more dangerous than a phone book. DNS data contains a lot of information about what you do on the internet – where you go and what sites you visit. To continue the analogy, DNS not only contains information about your “phone number” but it also knows everyone you are calling. But DNS also knows a lot more than that, from what devices you use to where your kids go to school. All of this information is available and easily found. But, as Gaudet noted, “most people are not aware of how much data leaves their network through DNS and what it tells you.”
The seemingly dated analogy of the phone book is even more appropriate, because as Rescorla also noted, DNS hasn’t really been updated in a way that can seriously protect privacy since the internet was built. Or as Rescorla put it, “DNS…is a dinosaur.”
Canadians are fortunate in that CIRA, who runs our .ca domains and more, has strong policies to protect our data. But there are plenty of devices or “resolvers” that are logging our information. This ranges from household devices to coffee shops to the large DNS providers that are consolidating more and more of our information. World-wide, there are many, many devices logging our data that don’t follow CIRA’s strict policies and where our DNS information can be freely exploited.
DNS over HTTPS is an attempt to solve some of the problems with DNS. Basically, it encrypts the request to the DNS server so that no-one can see it.
CIRA and Firefox are helping to create a world where our information is more private and having an influence on how our data is stored and used. Firefox’s program requires that “resolvers” in their program must support their privacy policies. That has the effect of moving away from the large, consolidated DNS ‘data sponges’ to regional DNS partners that support privacy of their users.
Privacy is becoming a more and more popular idea in Canada; Gaudet noted that Firefox will be at over 1 million users by the end of this month.
These solutions extend beyond individuals and into enterprise computing as well. CIRA’s Canadian Shield also has a corporate version for enterprises. Likewise, Firefox has built in some key elements that make it an enterprise solution as well. It will, by default try to use a trusted provider, like CIRA. But first, Firefox will check an enterprise network and where needed, use trusted devices in that corporate network. This is essential to making some corporate devices function properly.
Although this partnership is a great step forward, more needs to be done to ensure our privacy. Firefox and CIRA both also offer “filtering resolvers” which will filter blacklisted domains. Again, there are both individual and enterprise solutions that filter to ensure that threats and malware sites are blocked out.
Future developments include what Rescorla termed “oblivious HTTPS.” Currently, when you connect to a DNS server with Transport Layer Security (TLS), that connection indicates what domain you are trying to connect to. When that happens, Firefox will answer a service called “encrypted client hello” which suppresses or hides that information.
As much as has been done, there is always more. As Rescorla noted, “this is not one technology. It needs layer after layer of work to improve security. ”
Exploring those layers will be something we hope to do over the rest of MapleSEC. Day one had some great tips on how to improve your security posture in a video with Keith Mokris from Palo Alto Networks. Proofpoint cybersecurity evangelist Brian Reed also had a presentation to wrap up the day. Both of these are available on the site and if you missed them, they are short and to the point.
Before I end this diary, I’d be remiss if I didn’t mention the great chat we had going. There were lots of questions and comments through the day, with many people asking and answering questions, and live questions for some of the presenters. I couldn’t capture all of what happened; sometimes you just have to be there. MC Brennen Schmidt led a quiz, this one sponsored by Citrix, which has been part of the fun in every MapleSEC event.
But I did manage to capture and check out some links that people contributed. I checked them out before sharing them. Bonus points if you know how I did it.
This was a cool article on decentralization of the web:
More info for those who want to know about DNS over HTTPS from CIRA
If you want to know about Canadian Shield
And something that was just fun.
That’s all folks! (for Day 1 anyway)
That’s my user diary for Day 1 of MapleSEC. If you have comments, smash that ratings button below and you’ll be able to send me a direct note with your comments.
Stay safe and see you on Day 2.