Equifax. That one word sums up the terrible year 2017 has been in cyber security.
Wannacry ransomware, which spread briefly across a number of countries before being crippled by a stroke of luck, was a contender.
But for sheer numbers nothing I wrote about beat the revelation in September that the U.S.-based international credit rating agency had been badly stung: Personal data on just over 145 million Americans, 8,000 Canadians and over 693,000 people in the U.K. was accessed over two and a half months. The data largely included names, Social Security numbers, birth dates, addresses, email addresses and, in some instances, driver’s license numbers and credit card numbers.
The CIO and CSO quickly retired.
It was tough to watch former CEO Richard Smith squirm as he testified before Congress on the breach. The – unencrypted! – data was stolen from an Equifax customer complaints portal, he explained. It was the only site that used Apache’s Struts web framework. A warning to patch the framework was received March 8. Company policy is that patches are to be installed within 48 hours. But due to “human error” by an unnamed person, the patch wasn’t applied.
On March 15 Equifax ran a scan of its systems which should have discovered the patch hadn’t been applied. It didn’t, which Smith described as a “logical error.”
A much more riveting explanation came from an investigation by Bloomberg News, which said an entry crew was behind the initial breach, and it then handed control over to a more sophisticated team of hackers. “By the time they were done, the attackers had accessed dozens of sensitive databases and created more than 30 separate entry points into Equifax’s computer systems. The hackers were finally discovered on July 29, but were so deeply embedded that the company was forced to take a consumer complaint portal offline for 11 days while the security team found and closed the backdoors the intruders had set up.”
Bloomberg said an internal analysis of the attack shows the hackers had time to customize their tools to more efficiently exploit Equifax’s software and to query and analyze dozens of databases to decide which held the most valuable data. “The trove they collected was so large it had to be broken up into smaller pieces to try to avoid tripping alarms as data slipped from the company’s grasp through the summer.”
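Breaking a large theft into many small transfers, as Bloomberg describes, defeats an alarm that only looks at the size of each transfer. The detection logic below, an added example that is not from the article or from any Equifax investigation, aggregates outbound volume per source/destination pair over a sliding window and runs over a constructed transfer log (hosts, addresses and sizes are invented).

```python
"""Catch chunked exfiltration by summing outbound bytes per (source, destination)
over a sliding window instead of alerting only on single large transfers.
The log format and every value below are constructed for this example."""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed outbound-transfer log: timestamp, source host, destination, bytes.
# Five sub-10 MB chunks to one address within a few hours, plus a single 12 MB
# backup job that a per-transfer threshold would flag instead.
SAMPLE_LOG = """\
2017-06-01T01:00:00 db-app-07 203.0.113.10 9500000
2017-06-01T02:10:00 db-app-07 203.0.113.10 9800000
2017-06-01T03:25:00 db-app-07 203.0.113.10 9700000
2017-06-01T04:40:00 db-app-07 203.0.113.10 9900000
2017-06-01T05:50:00 db-app-07 203.0.113.10 9600000
2017-06-01T09:00:00 web-01 198.51.100.5 1200000
2017-06-01T09:30:00 backup-02 192.0.2.20 12000000
"""

PER_TRANSFER_LIMIT = 10_000_000   # 10 MB: the naive "big transfer" alarm
WINDOW = timedelta(hours=6)       # look-back window per (src, dst) pair
WINDOW_LIMIT = 40_000_000         # 40 MB total within the window triggers an alert

def parse(log):
    for line in log.splitlines():
        ts, src, dst, nbytes = line.split()
        yield datetime.fromisoformat(ts), src, dst, int(nbytes)

def naive_alerts(log):
    """Alert only when one transfer on its own exceeds PER_TRANSFER_LIMIT."""
    return [(src, dst) for _, src, dst, n in parse(log) if n > PER_TRANSFER_LIMIT]

def windowed_alerts(log):
    """Alert when the sliding-window sum for a (src, dst) pair exceeds WINDOW_LIMIT."""
    recent = defaultdict(deque)   # (src, dst) -> (timestamp, bytes) still inside the window
    totals = defaultdict(int)     # (src, dst) -> running byte total inside the window
    alerts = set()
    for ts, src, dst, n in parse(log):
        key = (src, dst)
        recent[key].append((ts, n))
        totals[key] += n
        while recent[key] and ts - recent[key][0][0] > WINDOW:   # expire old events
            _, old = recent[key].popleft()
            totals[key] -= old
        if totals[key] > WINDOW_LIMIT:
            alerts.add(key)
    return sorted(alerts)
```

In production the per-pair baseline would be learned from history rather than fixed, and known backup destinations allow-listed, but the point stands: the chunked stream is only visible once transfers are summed over time.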
Experts are divided on whether a nation-state was behind the attack.
In this country there were at least 33 publicly-reported Canadian data breaches, according to breachlevelindex.com. Top ones included:
– 1.9 million customer email addresses and 1,700 names and phone numbers from Bell Canada;
– information on about 1 million users of Canoe.ca between 1996 and 2008, including names, email addresses, mailing addresses and telephone numbers filled in by people participating in contests, forums, comments pages or the hosting of personal pages;
– information on 1.6 million Canadians and Americans who use Vancouver-based Tio Networks, a subsidiary of PayPal, for online and mobile bill payments;
UPDATE: On Dec 21 Nissan Canada Finance said personal information of car buyers who financed their purchases through the company may have been exposed. It is contacting 1.13 million people. It became aware of unauthorized access 10 days ago.
– names, email addresses and mobile phone numbers of 815,000 Canadian users of Uber were exposed in a 2016 hack of data on 57 million users. The company had been quietly sitting on news of the hack for almost a year;
– information on 95,000 online job applicants to McDonald’s Canada;
– email addresses of 50,000 municipal employees accidentally disclosed by the city of Guelph, Ont., as part of a lawsuit;
– information on 20,000 people connected to Dalhousie University – mainly alumni – was on a computer file accessible to the university’s faculty, staff and students. The university couldn’t confirm anyone actually accessed the file inappropriately;
– attackers don’t always go the direct route. A Canadian cyber security software and services company, Altair Technologies Ltd. of Mississauga, Ont., acknowledged that it was the victim of backdoor malware inserted into one of its products two years ago. It makes a log analyzer sold to telecom providers, military organizations, defence contractors, banks and IT companies.
However, there were dozens of other breaches of Canadian institutions where the organization gave no public estimate of the number of affected records. Until federal data breach reporting legislation kicks in – perhaps in 2018 – that will continue.
These include incidents at Canadian Tire (customers were told “an unknown third party may have obtained your log-in information, including your email address and password information, from a prominent third-party website breach”), several casinos, Loblaws (theft of rewards card points), Shoppers Drug Mart (theft of rewards card points), service provider KWIC Internet of Simcoe, Ont. (misconfigured rsync instances across multiple servers led to a data breach), and WestJet (personal information of rewards card members).
– personal information of approximately 7,500 British Columbians held by the provincial government’s PharmaNet system, according to the Ministry of Health. A doctor’s stolen login credentials were used;
These incidents don’t include a Canada Revenue encrypted DVD that went missing between Ottawa and Whitehorse. Carleton University found USB keyloggers plugged into six classroom PCs, a reminder that physical security also has to be on the mind of CISOs. The university doesn’t think personal information was accessed.
Nor do the breaches include a list of Canadian organizations stung by ransomware, including an unknown firm in the financial sector that, a source told me, paid the equivalent of $85,000 in bitcoin to get access back to its data; another unknown firm that, a source told me, paid $425,000 in bitcoin to recover its locked data; and users of MongoDB databases hit by an attack.
A survey by data protection provider Datto of its Canadian managed security providers estimated that their small and medium customers here paid out $5.7 million to attackers in the 12 months that ended in Q2 2017.
Conferences in 3 countries
At this year’s SecTor conference in Toronto lots of good advice was passed around. Ken Muir of Vaughan, Ont.-based Uzado urged CISOs to get back to basics, two Scotiabank staffers talked of the importance of CISOs creating incident response playbooks, and cyber security guru Bruce Schneier warned government regulation of IoT is inevitable to solve security holes.
At the annual conference of Ontario’s Municipal Information Systems Association, security expert Rafal Rohozinski said Canadian towns and cities aren’t prepared for the coming global clash of restless young, urban mobile users, the rise of the digital economy, online social networks and cyber security. Also at the conference David Boyle, manager of IT infrastructure operations at the city of Guelph, Ont., talked of taking advantage of the Wannacry attack to upgrade the city’s patch management.
More conferences … At RiskSec, TMX Group CISO Bobby Singh said the best awareness program makes cyber security personal. “The intention is to get users to understand how to protect corporate data as they protect their financial data in their personal life.” Meanwhile at the annual International Association of Privacy Professionals experts I interviewed said the biggest mistake Canadian businesses make after a data breach is not facing up to it.
Then there was RSA Conference in San Francisco, where I had an informative interview with Ronald Sugar, former chair and CEO of American defence contractor Northrop Grumman and currently on the boards of Apple Inc. and energy provider Chevron Corp., on the worst presentation he’s seen a CISO make to a board. Also at the conference a SANS Institute trainer said stubborn infosec teams may be the reason users don’t absorb awareness training.
Finally, I was in Israel for a tour of local cyber security companies and the annual Tel Aviv Cybertech conference. This piece sums up what I heard.
Help coming for SMBs
There was good news for Canadian small and medium businesses, which usually don’t have the manpower and dollars to match the infosec teams of larger companies: Cyber NB, a wing of the New Brunswick government aiming to make the province a cyber security hub, has quietly announced it is adopting for use in this country the U.K. government’s Cyber Essentials program, which certifies that small and mid-sized companies have met certain minimum security standards. Firms that pass the certification get to put the Cyber Essentials logo on their websites and marketing material. The program hasn’t officially rolled out yet – will Ottawa incorporate it in the new national cyber strategy to be announced early next year? Also, the Council of Better Business Bureaus has promised that early next year it will release the first in a series of online modules small firms can download with practical guidance for better securing themselves.
One of my personal highlights was being invited to be on the media panel at an international cyber crime police summit in Ottawa. The cops I spoke to there are frustrated at the lack of resources they have – the RCMP alone fielded 11,518 calls in 2016 dealing with cyber crime. “We need to be realistic in espousing expectations to the public – what the government and police can and cannot do,” Scott Doran, director general for federal policing for criminal operations including online crime, told me in an interview.
Canadian police are hoping Ottawa will fund a National Cyber Crime Co-ordination Centre to maximize resources. Will it be part of the new national cyber security strategy to be announced early in 2018?
Remember the huge data breach of Canadian-owned international dating site Ashley Madison in 2015, where hackers released records of some 36 million members, plus application code and corporate email? New CISO Matthew Maglieri told the monthly Toronto Area Security Klatch how the company is trying to build a leading data privacy and information security program to regain user trust. “Our journey is just beginning,” he told me. “We have to continuously improve.”
Canadian experts in industrial control systems (ICS) took some time to explain prior to a Montreal conference their worries about this country’s readiness to face cyber attacks on ICS/SCADA devices.
The threat that future quantum computers could break today’s encrypted data made for two stories, with Michele Mosca, co-founder of the University of Waterloo’s Institute for Quantum Computing, telling me CISOs have to start preparing for the eventuality. NIST is now evaluating algorithms companies may soon be able to use to address the problem.
Book for Canadian cyber pros
Toronto lawyer Imran Ahmed released a book for the C-suite and lawyers called Cybersecurity in Canada, to help answer questions about buying secure IT products, privacy law and breach response. In addition to listing best practices organizations can implement before and after a data breach or cyber attack, contributors also author chapters on cloud computing, supply chain procurement, cyber insurance, obligations of the board and management, dealing with law enforcement and handling customers and the media after an incident.
Among the interesting people I interviewed was Alissa Johnson, vice-president and CISO of Xerox Corp., who once said “no” over a technology issue to President Barack Obama when she was deputy CIO at the White House. “Sometimes,” she said, “we fall into a trap of making decisions based on how our culture will accept cyber security: ‘I can’t implement multifactor authentication or digital rights management. That’s going to be difficult for my company.’
“A lot of times you’ve got to turn that around and make the culture understand what is needed for good security governance. It’s not the other way around. That shift changes how you do your security investment, your risk appetite.”
Another senior infosec woman I interviewed, Rinki Sethi, senior director of information security at Palo Alto Networks, talked about the boys’ club in IT, which led to interviews with other women in the field.
For CISOs who want ammunition for more resources from their boards, a report paid for by IBM figured the average cost of a data breach suffered last year by 27 Canadian companies was $5.78 million, or $255 per lost or stolen record. Among the companies studied, it took on average 173 days to identify a breach and 60 days to contain it.
Don’t know how to measure your organization’s security maturity? Nicholas Johnston, Toronto-based vice president of the global data risk group at Duff & Phelps, an international consultancy, will get you started in this piece.
As always, Verizon Communications’ annual data breach report makes informative reading. In an interview Gabriel Bassett, the senior information data scientist on the report’s team, said one problem is CISOs feel they can’t be as good at defending as hackers are at attacking. “The things that happen commonly,” he emphasized, “are the things you can do things about.”
Feel black and blue after an attack? Read why Haydn Johnson, a Toronto-based consultant and security researcher, told me having a Purple Team could make sense.