Volunteers from all over the world are headed to the front lines to fight shoulder-to-shoulder with Ukrainian soldiers. As we write this, 16,000 people (former soldiers, emergency responders and civilians from countries including the UK, US, Canada and Europe) are preparing to put their lives on the line in the largest ground war in Europe since the Second World War.
Among the brave Canadians headed into battle: a comic who makes satirical videos, a cook from Powell River, B.C., and an elite Canadian sniper who headed to the front lines with three other former Canadian soldiers to fight back against Russian forces.
While the good guys are headed east, the bad guys are headed west. In some cases, directly toward Canada. Only, these bad guys don’t want to attack you physically, they want to hold you hostage… with cyber attacks.
In an article titled “Canadian intelligence agency calls for ramped-up cyber defenses after Russia invades Ukraine,” the CBC wrote, “Canada’s cyber spy agency is warning power companies, banks and other critical elements of Canada’s infrastructure and economy to shore up their defenses against Russia-based cyber threat activity as the Western world responds to Moscow’s invasion of Ukraine.
In a statement on Thursday, the Communications Security Establishment (CSE) said that ‘in light of Russia’s ongoing, unjustified military offensive in Ukraine,’ it ‘strongly encourages all Canadian organizations to take immediate action and bolster their online cyber defenses.’
Dan Rogers, the associate chief at CSE, said the agency is watching for cyber threat activity directed at critical infrastructure networks, including those in the financial and energy sectors.
‘I would say, regardless of the context, we have seen, and called out, Russian cyber activity in the past as being reckless,’ Rogers told a media briefing Thursday afternoon.
‘When we have a situation like we have now with Russia engaged in a conflict, we want to make sure that Canadian institutions have every mechanism possible to help defend them.’
His agency said it has been sharing cyber threat intelligence with key partners in Ukraine and is working with the Canadian Armed Forces through intelligence sharing, cyber security and cyber operations.
CSE has both active powers — allowing it to disrupt foreign online threats to Canada’s systems — and defensive powers allowing it to take action online to protect Canadian systems.
“I can’t speak to the specifics of operations or planning,” said Rogers. “I can say that CSE is ready. We do have cyber capabilities.”
The agency said that while it’s not aware of any specific threats to Canadian organizations related to events in and around Ukraine, it pointed to a historical pattern of cyber attacks on Ukraine and other countries.
In 2017, for example, CSE blamed Russian operatives for the NotPetya malware — which was primarily meant to target Ukraine but also attacked financial, energy, government and infrastructure sectors around the world.
Thursday’s warning is the third from the agency this year. It issued a threat bulletin in January and another earlier this month directed at critical infrastructure operators.
Earlier in the day, Prime Minister Justin Trudeau announced a new suite of sanctions on Russian entities after President Vladimir Putin launched a series of unprovoked attacks on Ukraine.
Christian Leuprecht, a security expert at the Royal Military College and Queen’s University, said Russian operatives will continue to try to find weak points.
The CSE statement is ‘clearly a signal that you need to make sure your people are working this weekend. You can’t just automate this,’ he said.
‘Russians have sort of this habit of going after critical infrastructure at times when nobody’s looking. So you know … on a Friday night.’
‘Mission critical’ systems
Ken Barker, a professor of computer science at the University of Calgary, said the threat posed by Russia ought to compel Canadian authorities to take cyber defenses more seriously.
‘If we feel compelled to do it now, we should have felt compelled to do it two weeks ago,’ he said.
‘Because ultimately, these systems are vulnerable and they’re mission critical to the country, so we really do need to make sure that we make investments in securing and protecting them as we go forward.’
Barker said one of those points of vulnerability is the linkage between operational and information technology systems.
‘It’s endemic throughout all of our critical infrastructures, whether that’s energy, hydro… anything that basically lights up the house or warms it,’ he said.
‘If nobody can get access to that physically, it’s safe in and of itself. The problem is what then happens is information technology is now linked to it to make it run more efficiently … So now you have what’s called the IT/OT vulnerability.’
CSE said operators should be prepared to isolate critical infrastructure components and services from the internet and internal networks if those components ‘could be considered attractive for a hostile threat to disrupt.’
It’s calling on vulnerable organizations to be more vigilant by monitoring networks to quickly spot any unexpected or unusual network behavior, and to have continuity plans for disruptions.
CSE is urging organizations to report any incidents.
It said it will keep Canadian organizations up to date on the threat through public alerts and protected channels.
Disinformation campaigns expected
While much of Thursday’s warning concerns IT teams, Leuprecht said Canadians also need to be wary of falling for fake reports online.
‘The average Canadian should be concerned about disinformation, misinformation and information laundering, all of which the Russians are actively propagating,’ he said.
A spokesperson for Canada’s domestic spy agency, the Canadian Security Intelligence Service, wouldn’t comment on operational matters but said the agency is working with its allies, including the Five Eyes partnership — an intelligence sharing partnership with the U.S., U.K., Australia and New Zealand — to investigate any foreign interference threats, such as state-sponsored disinformation campaigns.
‘Foreign interference has always been present in Canada, but its scale, speed, range, and impact have grown as a result of globalization and technology’ said CSIS spokesperson Keira Lawson in an email to CBC News Thursday night.
‘We are increasingly seeing social media being leveraged to spread disinformation or run influence campaigns designed to confuse or divide public opinion, interfere in healthy public debate and political discourse, and ultimately create social tensions.’
Leuprecht also said the average person needs to be on guard against malware and phishing attempts.
‘Many people continue to work from home, so that makes them inadvertent conduits for bad actors to try to infiltrate corporations,’ he said. ‘So every Canadian in a way has a role to play here’.”
Top eight cybersecurity risks Canadians are facing
In excerpts from an article, insurancebusinessmag.com wrote, “Recent studies have shown that Canadian businesses are increasingly being targeted in cyberattacks. The onset of the pandemic and the sudden shift to remote work has given rise to new cybersecurity threats.
A first-quarter survey by US cybersecurity firm Proofpoint revealed that nearly two-thirds of companies globally, including 63% of Canadian-based businesses, have seen a rise in targeted cyberattacks since their employees started working from home.
Of the Canadian firms that participated in the study, more than half, or 51%, admitted that human error was their biggest vulnerability as most attacks involved some sort of interaction with people. Email fraud was also identified as one of the top points of attack.
‘Last year, cybersecurity teams around the world were challenged to enhance their security posture in this new and changing landscape, literally overnight,’ said Lucia Milică, global resident chief information security officer at Proofpoint. ‘This required a balancing act between supporting remote work and avoiding business interruption, while securing those environments. With the future of work becoming increasingly flexible, this challenge now extends into next year and beyond.’
Meanwhile, a separate survey by the Canadian Federation of Independent Business (CFIB) found that out of its 3,040 members, almost a quarter have experienced a cyberattack since March 2020, when the coronavirus outbreak forced many businesses to transition to remote work.
About 5% of the respondents said the attack against them was successful. According to the report, this figure is equivalent to more than 60,000 small and medium-sized businesses, if the most recent data from Statistics Canada was considered.
The study also found that businesses that pivoted to remote working, made changes to their online presence, or those in the construction or manufacturing sectors were twice as likely to fall prey to a successful attack.
Top cybersecurity threats in Canada
To help Canadians prepare against cybersecurity threats, Privacy Canada – an organization of online security experts advocating for data privacy among all Canadians – gathered data from the Department of Public Safety and Emergency Preparedness and leading information security researchers to identify the top cybersecurity risks businesses and individuals are facing.
Here are some of the most common cyber threats many Canadians are exposed to, according to the group.
1. Phishing
‘Of all the known cybersecurity risks, this is one of the easiest for talented hackers to deploy, and it can be one of the most damaging to local businesses and their reputation,’ wrote Ludovic Rembert, head of research at Privacy Canada, in an article published on the group’s website.
He added that phishing attacks have become very effective as they take the form of fake emails, text messages, or dubious websites that ‘look like the real thing,’ making it easier to trick people. Rembert also cited research from the International Association of Privacy Professionals (IAPP) showing that between 84% and 92% of data breaches resulted from negligence or human error, which revealed why phishing has become a popular attack vector for cyber criminals.
2. Ransomware
As its name suggests, ransomware is a form of cyberattack that demands a ransom. Often, malicious software locks and encrypts a device, demanding that a ransom is paid for access to be restored.
A recent example of a ransomware attack was the one that happened to software firm Kaseya in July, which the company said impacted between 800 and 1,500 downstream businesses. The attack, which was perpetrated by Russia-based hacking group REvil, caused widespread downtime to companies in 17 countries, including Canada, the UK, Germany, South Africa, Mexico, Kenya, and Argentina.
3. Distributed-denial-of-service (DDoS) attacks
According to security software giant McAfee, a DDoS attack is a “method where cybercriminals flood a network with so much malicious traffic that it cannot operate or communicate as it normally would.”
In April 2018, IT World Canada reported that the Royal Canadian Mounted Police (RCMP) had successfully shut down what investigators said was the world’s biggest DDoS-for-hire website. The Toronto-based data centre was said to have more than 136,000 registered users who often targeted banks, government institutions, law enforcement units, and victims in the gaming industry. The police said that the website’s popularity stemmed from its ability to offer DDoS-as-a-service, with fees as low as €15, or about $23.44, a month at that time.
4. Zero-day attacks
A zero-day attack happens when attackers exploit a software vulnerability before the vendor becomes aware of it. Rembert noted how cybercrime groups take pride in discovering new exploits that defeat security measures.
One example he provided is the unidentified computer virus that infected Ontario’s Health Sciences North (HSN) network in January 2019. According to CBC News, the cyberattack forced 21 hospitals to shut down their IT platforms to prevent the malware from spreading.
5. Botnet attacks
Cybersecurity services provider Security Intelligence defines a botnet attack as a large-scale cyber attack carried out by malware-infected devices, which are controlled remotely. The firm adds that such attacks turn compromised devices into ‘zombie bots,’ for a botnet controller.
‘Unlike other malware that replicates itself within a single machine or system, botnets pose a greater threat because they let a threat actor perform a large number of actions at the same time,’ the company wrote on its website. ‘Botnet attacks are akin to having a threat actor working within the network, as opposed to a piece of self-replicating malware.’
Last January, CBC News reported that cybercops from Europe, the US, and Canada derailed a botnet that had been used by cyber criminals to install ransomware, steal data, and engage in financial theft across the globe for years. This led to the arrest of a Canadian member of the group, which had targeted the healthcare sector, municipalities, law enforcement units, and school districts mostly in the US. Half a million dollars in cryptocurrency was also seized.
6. Man-in-the-middle attacks
A man-in-the-middle (MITM) attack is a type of eavesdropping attack, where hackers interrupt an existing conversation or data transfer, according to software company Veracode. The firm said this type of attack happens when hackers insert themselves in the ‘middle’ of the transfer, pretending to be legitimate participants. This enables them to intercept information and data from the legitimate participants while also sending malicious links or other information in a way that might not be detected until it is too late.
7. Cryptojacking
According to Rembert, cryptojacking is a relatively new cyber risk that uses a ‘specialized kind of malware coded for the purpose of infecting a system and surreptitiously using its bandwidth, as well as its computing resources, to mine cryptocurrency.’ He added that attacks involving cryptojacking are expected to increase in the future, along with the popularity of cryptocurrencies.
8. Spam
Rembert describes spam as a ‘global issue that continues to worsen,’ adding that ‘spam emails and messages are not just nuisances [but can also] be weaponized for the purpose of distributing malware that steals personal information or recruits personal computing devices into botnets.’
In Canada, Rembert says the spam problem continues despite legislation that prohibits the distribution of commercial messages without previous solicitation.”
Key Considerations for Canada’s Forthcoming National Cyber Security Strategy
In an article, Tripwire wrote, “On December 16, 2021, Prime Minister Justin Trudeau released mandate letters tasking his ministers of national defense, foreign affairs, public safety, and industry to develop a new ‘National Cyber Security Strategy.’ He specifically highlighted the need for the strategy to ‘articulate Canada’s long-term strategy to protect our national security and economy, deter cyber threat actors, and promote norms-based international behavior in cyberspace,’ as quoted by Global News.
The directive did not appear out of nowhere. Canada’s intelligence community has issued several key warnings of cyberattacks in the past few years. Back on March 19, 2020, for example, the Communications Security Establishment (CSE) released an alert revealing that cyber criminals and nation-state actors were actively attempting to exploit fears surrounding the COVID-19 pandemic to target Canadian healthcare organizations with attack attempts and data theft. Most recently, CSE released a report in which it revealed that more than half of Canada’s known ransomware victims for 2021 were critical infrastructure providers. The agency also confirmed that it had used its ‘legal authority to conduct cyber operations to disrupt foreign-based threats to Canada, including cybercriminals,’ per CBC News.
Streamlining Cyber Security Strategy
It is great to see the initiative here to build a National Cyber Security Strategy in Canada. However, the key here will be how swiftly Trudeau’s ministers can develop and implement that strategy. Cybersecurity threats are evolving quickly, and as we have seen most recently with Log4J, sometimes they need to be addressed very quickly. It will be important for this National Cyber Security Strategy to include things that ensure a well-built foundation of best practices.
The good thing is that Canada does not need to reinvent the wheel. Why would they when they can look to best practices such as the Center for Internet Security’s Critical Security Controls (CIS Controls) as a basis for their work? Version 8 of the CIS Controls even breaks down those security measures into three Implementation Groups that organizations can use to achieve increasingly mature levels of cyber security hygiene.
***The critical information from Version 8 can be found in the links below…
The CIS Controls (formerly known as Critical Security Controls) are a recommended set of actions for cyber defense that provide specific and actionable ways to stop today’s most pervasive and dangerous attacks.
CIS Control 1: Inventory and Control of Enterprise Assets
CIS Control 2: Inventory and Control of Software Assets
CIS Control 3: Data Protection
CIS Control 4: Secure Configuration of Enterprise Assets and Software
CIS Control 5: Account Management
CIS Control 6: Access Control Management
CIS Control 7: Continuous Vulnerability Management
CIS Control 8: Audit Log Management
CIS Control 9: Email and Web Browser Protections
CIS Control 10: Malware Defenses
CIS Control 11: Data Recovery
CIS Control 12: Network Infrastructure Management
CIS Control 13: Network Monitoring and Defense
CIS Control 14: Security Awareness and Skill Training
CIS Control 15: Service Provider Management
CIS Control 16: Application Software Security
CIS Control 17: Incident Response Management
CIS Control 18: Penetration Testing
How Can the CIS Controls Drive Cyber Security in Canada?
If we take a quick look at the CIS Controls, we see that a key building block is understanding which devices and resources need protection. That’s why the first two CIS Controls emphasize the importance of building an inventory of enterprise assets and of software assets. These resources include standard IT assets that most organizations have deployed on the production side of things. But they can also include Operational Technology (OT) and other specialized equipment used by critical infrastructure. With more remotely connected users than ever, it also involves a barrage of Internet of Things (IoT) devices that could be anywhere in the country. Those devices could be anywhere in the world accessing services within Canada.
So, in addition to the technical considerations I’ve already touched upon, policy makers must ensure that this National Cyber Security Strategy considers foreign and domestic policy as the evolution of the Internet continues to shrink our borders.
Some Important Questions to Consider
Once that high-level strategy is created, the Canadian government must answer several questions. How does this National Cyber Security Strategy translate into technical controls that can be widely implemented? And how can it help to secure funding that critical infrastructure providers and other organizations can use to protect identified critical assets?
If we look at sectors such as healthcare, manufacturing, and energy, we see that many of those responsible for securing their devices are underfunded and understaffed. So, will this strategy include measures to train more cybersecurity professionals? Implement mandates for compliance to security requirements? Provide funding to organizations in these critical sectors to boost their cyber security posture? Those questions remain to be answered. We’ll need to wait until the National Cyber Security Strategy is released.
Another aspect to consider is that if there is a new compliance requirement, the strategy will need to include provisions to ensure that the compliance does not merely consist of checking off a box. The controls that are implemented need to provide actual value to improving the risk posture of individuals, organizations, and the country overall.
Finally, Canada should not limit its training to cybersecurity professionals only. On the contrary, it can also focus on bringing better cybersecurity awareness to the greater population of Canada. This can be enacted through universal cybersecurity awareness training that begins in primary education and reinforces basic cyber hygiene throughout the primary and secondary school curriculum. Empowering individual citizens to know what to look for and how to better use their connected services is another way of providing greater cybersecurity for the entire country.
Looking Forward
Global News noted that there is no deadline for the delivery of Canada’s new National Cyber Security Strategy. Trudeau did tell his ministers that he expects to receive regular and public updates on their progress, however. We at the State of Security will keep you informed about those updates and what they mean for cybersecurity in Canada going forward.”
At Adaptive Office Solutions, cyber security is our specialty. When you know your technology is being looked after, you can forget about struggling with IT issues and concentrate on running your business. By making an upfront investment in your cybersecurity, you can lower your costs through systems that are running at their prime, creating greater efficiency and preventing data loss and costly downtime.