About Me

Hello, my name is Ian Ali, and I am a Lead IT Security Consultant with RRIT Security Consultants Inc. Over the next while I am going to review technical IT security articles and break them down for non-technical and technical readers alike, so everyone can understand what they need to do to stay safe online.

Friday 4 September 2020

CRA Cyber-attack and ITSG-33


In this article we will have a look at the CRA cyber-attack in light of ITSG-33[1], the guidance developed to help government departments ensure that security is considered from the start of a system's life cycle.

According to the CBC news report[2], “Fraudsters exploited a security vulnerability in the Government of Canada website and took advantage of login credentials exposed through previous hacks to conduct a series of cyberattacks that compromised the personal information of thousands of Canadians”.

From this report we can see that two distinct actions occurred:

  1. There was a security vulnerability in the website, which the attackers exploited, and
  2. Login credentials that had been exposed during previous hacks were reused against the site

ITSG-33 groups its security controls into three components:

  • Management
  • Operational, and
  • Technical

In this article we will select one control from each component and discuss how effective each control would be in mitigating the risk of a hack like this one.

The first control we will look at is: Vulnerability scanning (Management)

According to the control:

(A) The organization scans for vulnerabilities in the information system and hosted applications and when new vulnerabilities potentially affecting the system/applications are identified and reported

(B) The organization employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:

  1. Enumerating platforms, software flaws, and improper configurations
  2. Formatting checklists and test procedures; and
  3. Measuring vulnerability impact

(C) The organization analyzes vulnerability scan reports and results from security control assessments

(D) The organization remediates legitimate vulnerabilities in accordance with an organizational assessment of risk

(E) The organization shares information obtained from the vulnerability scanning process and security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies) 

Scanning is recommended to take place at least every 30 days.  Response time for review of the scans is recommended to be within 30 days.  Vulnerability analysis for customized software applications may need to include static, dynamic, or binary analysis.

There are a few questions we need to ask:

  • Was the appropriate scanner used to scan the website for vulnerabilities?
  • If so, were the results reviewed, and by the appropriate personnel?
  • Were recommendations made based on the scans performed?
  • Were these recommendations implemented, and in a timely manner?
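The questions above are only answerable if someone actually measures scan coverage and remediation time against the 30-day windows. The following is an added illustration (not code from ITSG-33, the CRA, or the author of this post) of how a small script can check a set of scan findings for the three things the control asks about: hosts not scanned within 30 days (part A), open findings not dealt with within 30 days (parts C and D), and the same finding appearing across several systems, which is the systemic weakness part E wants shared (part E). The scan records, host names and finding identifiers are constructed placeholders, and the `AS_OF` date is assumed.

```python
"""Check vulnerability scan findings against the 30-day scan and review
windows recommended for the ITSG-33 vulnerability scanning control.

Added illustration only: the records below are constructed sample data and
the finding identifiers are placeholders, not real vulnerability IDs.
"""
from collections import defaultdict
from datetime import date, timedelta

SCAN_INTERVAL_DAYS = 30   # each host should be scanned at least this often
REVIEW_WINDOW_DAYS = 30   # open findings should be reviewed within this window
AS_OF = date(2020, 9, 4)  # assumed "today" so the example is deterministic

# Constructed sample findings (one row per host/finding pair).
SAMPLE_FINDINGS = [
    {"host": "web-01", "finding_id": "EXAMPLE-0001", "severity": "high",
     "first_seen": date(2020, 7, 1), "scanned": date(2020, 8, 28), "status": "open"},
    {"host": "web-02", "finding_id": "EXAMPLE-0001", "severity": "high",
     "first_seen": date(2020, 7, 1), "scanned": date(2020, 8, 28), "status": "open"},
    {"host": "web-01", "finding_id": "EXAMPLE-0002", "severity": "medium",
     "first_seen": date(2020, 8, 20), "scanned": date(2020, 8, 28), "status": "reviewed"},
    {"host": "db-01", "finding_id": "EXAMPLE-0003", "severity": "low",
     "first_seen": date(2020, 5, 10), "scanned": date(2020, 6, 2), "status": "open"},
]


def last_scan_by_host(findings):
    """Most recent scan date seen for each host."""
    latest = {}
    for f in findings:
        latest[f["host"]] = max(latest.get(f["host"], date.min), f["scanned"])
    return latest


def stale_hosts(findings, today):
    """Hosts whose latest scan is older than SCAN_INTERVAL_DAYS (part A)."""
    cutoff = today - timedelta(days=SCAN_INTERVAL_DAYS)
    return sorted(h for h, d in last_scan_by_host(findings).items() if d < cutoff)


def overdue_findings(findings, today):
    """Open findings first seen more than REVIEW_WINDOW_DAYS ago (parts C and D)."""
    cutoff = today - timedelta(days=REVIEW_WINDOW_DAYS)
    return [f for f in findings if f["status"] == "open" and f["first_seen"] < cutoff]


def systemic_findings(findings, min_hosts=2):
    """Finding IDs present on several hosts: the systemic weaknesses that
    part E says should be shared so other systems can be fixed too."""
    hosts = defaultdict(set)
    for f in findings:
        hosts[f["finding_id"]].add(f["host"])
    return {fid: sorted(h) for fid, h in hosts.items() if len(h) >= min_hosts}


def compliance_report(findings, today):
    """Summary a reviewer could hand to the personnel named in part E."""
    return {
        "stale_hosts": stale_hosts(findings, today),
        "overdue": [(f["host"], f["finding_id"]) for f in overdue_findings(findings, today)],
        "systemic": systemic_findings(findings),
    }


if __name__ == "__main__":
    for key, value in compliance_report(SAMPLE_FINDINGS, AS_OF).items():
        print(f"{key}: {value}")
```

On the constructed data, `db-01` shows up as unscanned for over 30 days, three open findings have been sitting past the review window, and `EXAMPLE-0001` is flagged as appearing on both web servers. A real scanner export would replace the sample list; the checks themselves do not change.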

The second control we will look at is: Security awareness and training policy and procedures (Operational) 

According to the control:

(A) The organization develops, documents, and disseminates to organization-defined personnel or roles:

    (a) A security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and

    (b) Procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls

(B) The organization reviews and updates the current:

    (a) Security awareness and training policy and

    (b) Security awareness and training procedures

The review and update in (B) is recommended to take place at least annually. If security program policies and procedures are implemented at the organization level, there may not be a need for system-specific policies and procedures.

There are a few questions we need to ask:

  • Are there policies and procedures in place at the organization level?
  • Are they comprehensive and valid?
  • Are they reviewed at least annually and by the appropriate personnel? 

The third control we will look at is: Adaptive identification and authentication (Technical)

According to the control:

(A) The organization requires that individuals accessing the information system employ organization-defined supplemental authentication techniques or mechanisms under specific organization-defined circumstances or situations

Adversaries may compromise individual authentication mechanisms and subsequently attempt to impersonate legitimate users. This situation can potentially occur with any authentication mechanisms employed by organizations. To address this threat, organizations may employ specific techniques/mechanisms and establish protocols to assess suspicious behavior (e.g., individuals accessing information that they do not typically access as part of their normal duties, roles, or responsibilities, accessing greater quantities of information than the individuals would routinely access, or attempting to access information from suspicious network addresses). In these situations when certain pre-established conditions or triggers occur, organizations can require selected individuals to provide additional authentication information. Another potential use for adaptive identification and authentication is to increase the strength of mechanism based on the number and/or types of records being accessed.

The questions we need to ask are:

  • Was a mechanism employed to assess suspicious behaviour, for example bank account information being changed by individuals in a short period of time?
  • Were these anomalies being reported in a timely manner?
  • Were these anomalies being reviewed, and appropriate action taken, in a timely manner?
  • Was there a mechanism in place to correct these anomalies?

These are just a few of the questions we need to ask, not just as a governmental organization but as large, medium, and small businesses as well.
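To make the adaptive authentication control concrete, here is an added illustration (not code from ITSG-33, the CRA, or the author of this post) of a step-up authentication decision built on the three triggers the control text names: access to resources outside a user's normal duties, access to far more records than usual, and access from an unfamiliar network address. It also includes a check for the example raised in the questions above, many accounts having their details changed within a short window. The user profile, requests, change events, thresholds and assurance-level names are all constructed assumptions, not values from the standard.

```python
"""Step-up (adaptive) authentication decisions based on the triggers named
in the ITSG-33 adaptive identification and authentication control.

Added illustration only: the profile, requests, events and thresholds are
constructed assumptions, not values taken from the standard.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from ipaddress import ip_address, ip_network

VOLUME_MULTIPLIER = 5   # assumed: more than 5x the usual volume is unusual
BULK_THRESHOLD = 1000   # assumed: above this, require the strongest mechanism


@dataclass
class UserProfile:
    typical_resources: set          # resources this role normally touches
    typical_records_per_session: int
    known_networks: list            # ip_network objects the user usually comes from


@dataclass
class AccessRequest:
    user: str
    resource: str
    record_count: int
    source_ip: str


@dataclass
class Decision:
    level: str                      # "password", "mfa" or "mfa_plus_review"
    reasons: list = field(default_factory=list)


def evaluate(request, profile):
    """Return the authentication level required before the request proceeds."""
    reasons = []
    if request.resource not in profile.typical_resources:
        reasons.append("resource outside normal duties")
    if request.record_count > VOLUME_MULTIPLIER * profile.typical_records_per_session:
        reasons.append("record volume above baseline")
    ip = ip_address(request.source_ip)
    if not any(ip in net for net in profile.known_networks):
        reasons.append("unfamiliar source network")
    # Strength of mechanism increases with the number of records at stake.
    if request.record_count > BULK_THRESHOLD:
        return Decision("mfa_plus_review", reasons + ["bulk record access"])
    if reasons:
        return Decision("mfa", reasons)
    return Decision("password", reasons)


def burst_account_changes(events, window=timedelta(minutes=10), max_accounts=3):
    """Flag sessions that change the details of more than max_accounts distinct
    accounts inside one sliding window. events: (session_id, account_id, time)."""
    flagged = set()
    history = {}
    for sid, acct, ts in sorted(events, key=lambda e: e[2]):
        recent = [(a, t) for a, t in history.get(sid, []) if ts - t <= window]
        recent.append((acct, ts))
        history[sid] = recent
        if len({a for a, _ in recent}) > max_accounts:
            flagged.add(sid)
    return sorted(flagged)


# Constructed sample data: a clerk who normally looks up a handful of cases
# from the internal 10.0.0.0/8 network.
CLERK = UserProfile({"case_lookup"}, 20, [ip_network("10.0.0.0/8")])
REQ_NORMAL = AccessRequest("clerk", "case_lookup", 15, "10.1.2.3")
REQ_OFFNET = AccessRequest("clerk", "case_lookup", 15, "203.0.113.7")
REQ_BULK = AccessRequest("clerk", "payroll_export", 5000, "10.1.2.3")

T0 = datetime(2020, 8, 1, 9, 0)
SAMPLE_CHANGES = [
    ("s1", "acct-1", T0),
    ("s1", "acct-2", T0 + timedelta(minutes=1)),
    ("s2", "acct-9", T0 + timedelta(minutes=2)),
    ("s1", "acct-3", T0 + timedelta(minutes=3)),
    ("s1", "acct-4", T0 + timedelta(minutes=4)),
]

if __name__ == "__main__":
    for req in (REQ_NORMAL, REQ_OFFNET, REQ_BULK):
        d = evaluate(req, CLERK)
        print(f"{req.resource:15} {req.record_count:5} {req.source_ip:12} -> {d.level} {d.reasons}")
    print("sessions with burst account changes:", burst_account_changes(SAMPLE_CHANGES))
```

The ordinary request passes on a password alone, the same request from an unfamiliar network requires a second factor, and the bulk export of an unusual resource requires both a second factor and a review before it proceeds. Session `s1`, which touches four different accounts in four minutes, is the kind of anomaly the questions above ask about; a real deployment would feed that flag to whoever is responsible for reviewing and reversing such changes.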

Next, I will be posting a webinar on the CRA Hack, stay tuned!
