CRA Cyber-attack and ITSG33
In this article we will have a look at the CRA cyber-attack and ITSG33[1], which was developed to help government departments ensure that security is considered from the start.
According to the CBC[2] news report, “Fraudsters exploited a security vulnerability in the Government of Canada website and took advantage of login credentials exposed through previous hacks to conduct a series of cyberattacks that compromised the personal information of thousands of Canadians”.
From our analysis we can see that two things happened here:
- there was a security vulnerability in the website, which the attackers exploited; and
- login credentials that had been exposed in previous hacks were reused to log in.
ITSG33 comprises three classes of controls:
- Management
- Operational
- Technical
In this article we will select one control from each component to discuss how effective these controls will be in mitigating risks of a hack.
The first control we will look at is: Vulnerability scanning (Management)

(A) The organization scans for vulnerabilities in the information system and hosted applications, and when new vulnerabilities potentially affecting the system/applications are identified and reported.
(B) The organization employs vulnerability scanning tools and techniques that facilitate interoperability among tools and automate parts of the vulnerability management process by using standards for:
(C) The organization analyzes vulnerability scan reports and results from security control assessments.
(D) The organization remediates legitimate vulnerabilities in accordance with an organizational assessment of risk.
(E) The organization shares information obtained from the vulnerability scanning process and security control assessments with organization-defined personnel or roles to help eliminate similar vulnerabilities in other information systems (i.e., systemic weaknesses or deficiencies).

Scanning is recommended to take place at least every 30 days, and review of the scan results is recommended within 30 days. Vulnerability analysis for customized software applications may need to include static, dynamic, or binary analysis. There are a few questions we need to ask:
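The control above is mostly about cadence and follow-through: scan regularly, review what comes back, fix the legitimate findings on a risk-based schedule, and share what repeats across systems. The following Python script is an added illustration of those checks and is not ITSG-33 text or any CRA tooling. The 30-day scan interval and 30-day review window are taken from the article; the per-severity remediation targets, the asset names and the findings themselves are constructed assumptions.

```python
"""Cadence, review and remediation checks for a vulnerability scanning
programme.  Added illustration, not ITSG-33 text or CRA tooling: the 30-day
scan interval and review window come from the article; the per-severity
remediation targets, asset names and findings are constructed assumptions."""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional

SCAN_INTERVAL_DAYS = 30   # scan at least every 30 days (from the article)
REVIEW_SLA_DAYS = 30      # review scan results within 30 days (from the article)
# Assumed organizational, risk-based remediation targets in days from report.
REMEDIATION_DAYS = {"critical": 7, "high": 30, "medium": 90, "low": 180}


@dataclass
class Finding:
    id: str
    asset: str
    title: str
    severity: str
    reported_on: date
    reviewed_on: Optional[date] = None
    false_positive: bool = False      # set during analysis; not a "legitimate" finding
    remediated_on: Optional[date] = None


def overdue_scans(last_scan_by_asset: Dict[str, Optional[date]], today: date,
                  interval: int = SCAN_INTERVAL_DAYS) -> List[str]:
    """Assets never scanned, or whose last scan is older than the interval."""
    return sorted(asset for asset, last in last_scan_by_asset.items()
                  if last is None or (today - last).days > interval)


def unreviewed_findings(findings: List[Finding], today: date,
                        sla: int = REVIEW_SLA_DAYS) -> List[str]:
    """Findings reported more than `sla` days ago that nobody has analysed."""
    return [f.id for f in findings
            if f.reviewed_on is None and (today - f.reported_on).days > sla]


def overdue_remediations(findings: List[Finding], today: date,
                         targets: Dict[str, int] = REMEDIATION_DAYS) -> List[str]:
    """Legitimate (not false-positive), unremediated findings past the
    due date implied by their severity."""
    late = []
    for f in findings:
        if f.false_positive or f.remediated_on is not None:
            continue
        due = f.reported_on + timedelta(days=targets[f.severity])
        if today > due:
            late.append(f.id)
    return late


def systemic_weaknesses(findings: List[Finding]) -> Dict[str, List[str]]:
    """Vulnerability titles seen on more than one asset: the information
    worth sharing so the same weakness gets fixed everywhere."""
    by_title: Dict[str, set] = {}
    for f in findings:
        if not f.false_positive:
            by_title.setdefault(f.title, set()).add(f.asset)
    return {t: sorted(a) for t, a in by_title.items() if len(a) > 1}


# Constructed sample data.
TODAY = date(2020, 9, 1)
LAST_SCAN = {
    "web-portal": date(2020, 8, 25),    # 7 days ago: within the interval
    "auth-service": date(2020, 7, 15),  # 48 days ago: overdue
    "legacy-db": None,                  # never scanned
}
SAMPLE_FINDINGS = [
    Finding("F-1", "web-portal", "Outdated TLS configuration", "critical",
            date(2020, 8, 20), reviewed_on=date(2020, 8, 22)),
    Finding("F-2", "legacy-db", "Default credentials", "medium", date(2020, 7, 1)),
    Finding("F-3", "auth-service", "Verbose error page", "high",
            date(2020, 8, 1), reviewed_on=date(2020, 8, 5), false_positive=True),
    Finding("F-4", "auth-service", "Outdated TLS configuration", "high",
            date(2020, 7, 20), reviewed_on=date(2020, 7, 25),
            remediated_on=date(2020, 8, 10)),
]

if __name__ == "__main__":
    print("scans overdue:", overdue_scans(LAST_SCAN, TODAY))
    print("unreviewed past SLA:", unreviewed_findings(SAMPLE_FINDINGS, TODAY))
    print("remediation overdue:", overdue_remediations(SAMPLE_FINDINGS, TODAY))
    print("systemic weaknesses:", systemic_weaknesses(SAMPLE_FINDINGS))
```

Run against the sample data, the script reports `auth-service` and `legacy-db` as overdue for scanning, `F-2` as unreviewed past the 30-day window, `F-1` as past its critical remediation target, and the TLS configuration issue as a weakness shared by two assets. The remediation check deliberately skips findings marked as false positives so that only legitimate vulnerabilities count against the risk-based targets, matching part (D) of the control.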
The second control we will look at is: Security awareness and training policy and procedures (Operational)

According to the control:

(A) The organization develops, documents, and disseminates to organization-defined personnel or roles: (a) a security awareness and training policy that addresses purpose, scope, roles, responsibilities, management commitment, coordination among organizational entities, and compliance; and (b) procedures to facilitate the implementation of the security awareness and training policy and associated security awareness and training controls.
(B) The organization reviews and updates the current: (a) security awareness and training policy; and (b) security awareness and training procedures.

This review is recommended to take place at least annually. If security program policies and procedures are implemented at the organization level, there may not be a need for system-specific policies and procedures. There are a few questions we need to ask:
The third control we will look at is: Adaptive identification and authentication (Technical)

According to the control:

(A) The organization requires that individuals accessing the information system employ organization-defined supplemental authentication techniques or mechanisms under specific organization-defined circumstances or situations.
Adversaries
may compromise individual authentication mechanisms and subsequently attempt
to impersonate legitimate users. This situation can potentially occur with
any authentication mechanisms employed by organizations. To address this
threat, organizations may employ specific techniques/mechanisms and establish
protocols to assess suspicious behavior (e.g., individuals accessing
information that they do not typically access as part of their normal duties,
roles, or responsibilities, accessing greater quantities of information than
the individuals would routinely access, or attempting to access information
from suspicious network addresses). In these situations when certain
pre-established conditions or triggers occur, organizations can require
selected individuals to provide additional authentication information.
Another potential use for adaptive identification and authentication is to
increase the strength of mechanism based on the number and/or types of
records being accessed. The questions we need to ask are:
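The guidance above lists concrete triggers (access outside normal duties, unusually large volumes of records, suspicious network addresses) and says the strength of the mechanism can scale with the records being accessed. The following Python script is an added illustration of a step-up decision built on exactly those triggers; it is not ITSG-33 text or any CRA system. The user baseline, the volume thresholds, the mechanism names and the sample requests are constructed assumptions.

```python
"""Step-up ("adaptive") authentication decision built on the triggers the
control's guidance lists.  Added illustration, not ITSG-33 text or a CRA
system; the baseline, thresholds, mechanism names and sample requests are
constructed assumptions."""
from dataclasses import dataclass, field
from typing import List, Set
import ipaddress

VOLUME_MULTIPLIER = 5        # assumed: 5x the usual volume counts as "greater quantities"
HIGH_VOLUME_RECORDS = 1000   # assumed: above this, require the strongest mechanism


@dataclass
class UserBaseline:
    """What normal looks like for one user; in practice derived from access logs."""
    usual_resources: Set[str]
    typical_records_per_session: int
    trusted_networks: List[str]   # CIDR strings


@dataclass
class AccessRequest:
    user: str
    resource: str
    records_requested: int
    source_ip: str


@dataclass
class Decision:
    step_up_required: bool
    mechanism: str                 # assumed tiers: password < password+otp < password+otp+hardware_token
    reasons: List[str] = field(default_factory=list)


def evaluate(request: AccessRequest, baseline: UserBaseline) -> Decision:
    """Compare a request with the user's baseline and decide which
    authentication mechanism to demand before the access proceeds."""
    reasons = []
    if request.resource not in baseline.usual_resources:
        reasons.append(f"resource {request.resource!r} is outside the user's normal duties")
    if request.records_requested > VOLUME_MULTIPLIER * baseline.typical_records_per_session:
        reasons.append(f"{request.records_requested} records exceeds the usual volume")
    try:
        ip = ipaddress.ip_address(request.source_ip)
    except ValueError:
        reasons.append(f"unparseable source address {request.source_ip!r}")
    else:
        if not any(ip in ipaddress.ip_network(net) for net in baseline.trusted_networks):
            reasons.append(f"source address {request.source_ip} is not on a trusted network")

    # Strength of mechanism scales with the triggers and the number of records.
    if request.records_requested > HIGH_VOLUME_RECORDS:
        reasons.append(f"more than {HIGH_VOLUME_RECORDS} records requested")
        mechanism = "password+otp+hardware_token"
    elif reasons:
        mechanism = "password+otp"
    else:
        mechanism = "password"
    return Decision(bool(reasons), mechanism, reasons)


# Constructed sample baseline and requests.
ALICE = UserBaseline({"tax_return_view", "benefit_status"}, 20,
                     ["192.0.2.0/24", "10.0.0.0/8"])
NORMAL_REQUEST = AccessRequest("alice", "tax_return_view", 15, "192.0.2.10")
SUSPICIOUS_REQUEST = AccessRequest("alice", "payroll_export", 500, "198.51.100.7")
BULK_REQUEST = AccessRequest("alice", "tax_return_view", 5000, "10.1.2.3")

if __name__ == "__main__":
    for req in (NORMAL_REQUEST, SUSPICIOUS_REQUEST, BULK_REQUEST):
        d = evaluate(req, ALICE)
        print(req.resource, d.mechanism, d.reasons)
```

In the sample, the routine request from a trusted network passes with a password only; the request for an unfamiliar resource, at 25 times the usual volume, from an untrusted address, trips three triggers and requires a second factor; and the 5,000-record request, although it comes from a trusted network, exceeds the high-volume threshold and demands the strongest mechanism. An unparseable source address is treated as suspicious rather than ignored, so a malformed client header cannot silently bypass the network check.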
These are just a few of the questions we need to ask, not just as a government organization but as large, medium, and small businesses as well. Next, I will be posting a webinar on the CRA hack, so stay tuned!