Summit – Cybersecurity warriors: Frontline of defence

Cybersecurity warriors: frontline of defence

By Peter Glenn     

A styled photo of a computer screen with a bunch of code on it

CC0 Creative Commons | Pixabay

The email came on a Friday. It seemed to refer to a previous message the Mount Royal University employee had sent to an outside vendor, with the subject line “What’s this?”

“A Word document was attached and I opened it, not being concerned. I honestly thought it was a reply to my earlier email sent to multiple parties,” the employee recalls. “When I saw ‘What’s this?’ I was really curious and wanted to figure it out. The vendor signature looked legitimate and I clicked on the attachment, not thinking much of it.”

After he clicked and downloaded, he was notified that the document was an older version of Word, and he needed to enable macros to continue.

“I enabled macros not really thinking too much about it. I trusted the email. It still didn’t dawn on me that this was an issue and that I might be infecting my computer. It wasn’t until I spoke with (the vendor) that evening that I realized something was wrong.”

The vendor told the employee that his email server had been hacked and that various businesses were receiving emails (allegedly from the employee) with malware attached. The next morning, a co-worker at MRU advised him that Information Technology Services (ITS) had come and taken his laptop. Having flagged the issue, ITS was able to stop the attack.

“I was impressed with how quickly they reacted, and I was quite embarrassed given the IT security training I had recently taken,” the employee says.

“I should have seen the signs in the email.”

Versions of the same story occur every day in a world where hackers and cybercriminals, many of whom stem from organized crime and some of whom are state-sponsored, are gaining ground and growing more sophisticated.

High-profile attacks have recently targeted Uber, Equifax, Yahoo and Nissan Canada, including ransomware targeted at the National Health Service in the U.K. In December, Russian-speaking hackers called the MoneyTaker group stole as much as $10 million from Russian and U.S. bank branches. Even such protectors as the U.S. National Security Agency (NSA) were scrambling in 2016 after a group called the Shadow Brokers publicly released the hacking tools the NSA uses to gather foreign intelligence.

IBM’s chairman, president and CEO Ginni Rometty has called cybercrime the greatest threat to every company in the world, while billionaire businessman Warren Buffett deemed it the world’s number-one problem, bigger than nuclear weapons. Even the energy industry has been identified as at high risk for attack.

Closer to home, an email phishing attack hooked staff at Edmonton’s MacEwan University in August 2017, resulting in the theft of nearly $12 million after criminals impersonated a large construction contractor and persuaded employees to change some banking information. In 2016 the University of Calgary paid $20,000 in ransom to hackers who crippled its systems.

The federal government has promised new rules to protect key infrastructure in the wake of increased attacks and a creeping feeling of cyberinsecurity. It’s a world of digital distrust where even Facebook titan Mark Zuckerberg tapes over his computer’s camera at the same time as his company denies it is listening to members without their permission.

While governments, businesses and large organizations, including universities, battle cybercrime at all levels, it is employees and their email practices who have proven to be the weakest link. But they’re also the key to combatting this scourge of the Internet age.

Cybersecurity

warriors:

frontline of

defence

WORDS BY PETER GLENN
ILLUSTRATIONS BY EMILY EOM

The email came on a Friday. It seemed to refer to a previous message the Mount Royal University employee had sent to an outside vendor, with the subject line “What’s this?”

 

“A Word document was attached and I opened it, not being concerned. I honestly thought it was a reply to my earlier email sent to multiple parties,” the employee recalls. “When I saw ‘What’s this?’ I was really curious and wanted to figure it out. The vendor signature looked legitimate and I clicked on the attachment, not thinking much of it.”

After he clicked and downloaded, he was notified that the document was an older version of Word, and he needed to enable macros to continue.

“I enabled macros not really thinking too much about it. I trusted the email. It still didn’t dawn on me that this was an issue and that I might be infecting my computer. It wasn’t until I spoke with (the vendor) that evening that I realized something was wrong.”

The vendor told the employee that his email server had been hacked and that various businesses were receiving emails (allegedly from the employee) with malware attached. The next morning, a co-worker at MRU advised him that Information Technology Services (ITS) had come and taken his laptop. Having flagged the issue, ITS was able to stop the attack.

“I was impressed with how quickly they reacted, and I was quite embarrassed given the IT security training I had recently taken,” the employee says.

“I should have seen the signs in the email.”

Versions of the same story occur every day in a world where hackers and cybercriminals, many of whom stem from organized crime and some of whom are state-sponsored, are gaining ground and growing more sophisticated.

I should

have seen

the signs

in the email.”

­— MRU EMPLOYEE CYBERATTACK VICTIM

High-profile attacks have recently targeted Uber, Equifax, Yahoo and Nissan Canada, including ransomware targeted at the National Health Service in the U.K. In December, Russian-speaking hackers called the MoneyTaker group stole as much as $10 million from Russian and U.S. bank branches. Even such protectors as the U.S. National Security Agency (NSA) were scrambling in 2016 after a group called the Shadow Brokers publicly released the hacking tools the NSA uses to gather foreign intelligence.

IBM’s chairman, president and CEO Ginni Rometty has called cybercrime the greatest threat to every company in the world, while billionaire businessman Warren Buffett deemed it the world’s number-one problem, bigger than nuclear weapons. Even the energy industry has been identified as at high risk for attack.

Closer to home, an email phishing attack hooked staff at Edmonton’s MacEwan University in August 2017, resulting in the theft of nearly $12 million after criminals impersonated a large construction contractor and persuaded employees to change some banking information. In 2016 the University of Calgary paid $20,000 in ransom to hackers who crippled its systems.

The federal government has promised new rules to protect key infrastructure in the wake of increased attacks and a creeping feeling of cyberinsecurity. It’s a world of digital distrust where even Facebook titan Mark Zuckerberg tapes over his computer’s camera at the same time as his company denies it is listening to members without their permission.

While governments, businesses and large organizations, including universities, battle cybercrime at all levels, it is employees and their email practices who have proven to be the weakest link. But they’re also the key to combatting this scourge of the Internet age.

 

SOCIAL ENGINEERING ­—

THE CYBERCRIMINAL’S

TOP TOOL


> Cybercrime can be high-tech, but the criminals who practise it often rely on base human emotions and frailties for their illicit gains.

When he worked as an agent with Canada Border Services Agency in the 1990s and 2000s, Kelly Sundberg, PhD, and a professor in Mount Royal’s Department of Economics, Justice and Policy Studies, was tasked with tracking down people in the country illegally who posed a threat to national security. To find them, he’d identify “gatekeepers” with access to broader sources of information; maybe a clerk at Blockbuster Video, or a pizza joint worker; someone he could trick into giving him an address or a phone number of the person he was looking for.

Many of the same methods used by law enforcement to gain information about people they are searching for are also used for nefarious purposes by cybercriminals to persuade victims to divulge personal information that can be used for fraudulent purposes. Gatekeepers hold the keys, Sundberg found.

Social engineering is the means by which criminals manipulate the public. They do it through the elements of surprise, fear, guilt, complacency, arrogance, curiosity and the desire to please.

“People just want to be helpful,” Sundberg says. “It’s easy for cybercriminals to research targeted individuals who are gatekeepers to data and information and who have network access, and then, once the criminals understand the processes in which they work and gain their trust, they develop a means to target them and send them a link. When (the victim) clicks on that link, all of a sudden their whole network is compromised.”

Cybercrime

is the

greatest

threat

to every

company in

the world."

­— GINNI ROMETTY, IBM’S CHAIRMAN, PRESIDENT AND CEO

A speed bubble with a glitchy graphic background

A savvy cybercriminal creates a web of deceit to ensnare their victim, maybe choosing a receptionist or an administrative assistant, and tricks them into revealing data, personal information on other employees, clients, students or patients. This is called spear phishing, and it can also involve theft of funds.

“If they find out a large organization has a large contract with someone else, and convince them to change the account or the coordinates for the money going in, all of a sudden you can have a significant loss of revenue through spear phishing, which is all predicated on social engineering.”

Human beings adapt and change according to situations, making them formidable adversaries. That’s why it’s essential employees and everyday users are armed with enough basic knowledge that they can be agile in their responses.

Looking at cybersecurity as part of a larger system — including both humans and machines — is vital.

Organizations spend vast sums on sophisticated software, firewalls and secured servers, Sundberg says. “But that’s all for nothing if you have one employee or one person in your organization that clicks on an unsuspected link or gives up information.”

Educating and empowering employees can result in a far greater defence. Instead of one firewall, you have hundreds or thousands of thinking workers engaged in combatting cybercrime as part of their daily routine.

In the end, Sundberg says, common sense can go a long way towards battling the cybercriminals.

“My rule of thumb is if you can’t talk to them on the phone, if you can’t find their number and call them, then there’s something wrong. We have become so ready to provide important data without actually knowing the person. We now feel we know people in a virtual setting. We say, ‘Oh no I know them. I’ve been chatting with them online for a month.’ Have you ever met them (in person)? No. So why would you give them all this information?”

 

EMPLOYEES:

THE PROBLEM AND

THE SOLUTION


> ITS training analyst Bernadette Pasteris is on the front lines of turning MRU management, faculty and staff into cybercrime fighting evangelists.

The institutional cybersecurity education push began with the need for organizations to be compliant with credit card industry security standards, but has grown along with the rate of cybercrime. That effort has included enrolling all employees in an online training program and using the Mount Royal website as a portal to information on creating strong passwords, safely working remotely, identifying phishing emails and providing general security tips.

There are also workshops catering to those who learn in an interactive environment, a regular ITS newsletter that warns of and details the latest cybercrimes and scams, and, more recently, a “phishing program” that seeks to hook unsuspecting employees so they can learn first-hand about this technique and how to prevent it. The program gives IT good information on how to improve its education offerings, as well as a chance to provide training on the spot.

If an MRU employee clicks on a link in one of these fake phishing missives, they receive a message telling them what they’ve done and red flags what they should look for next time. Pasteris also focuses on “inbox hygiene” — making sure inboxes are being cleaned out.

With the

internet we

are inviting

more and

more

strangers

into our

homes."

­­— BERNADETTE PASTERIS, MRU ITS TRAINING ANALYST

A hand grips the edge of a old CRT TV that has been cut in half.

“The idea of the program is to give people skills,” Pasteris says. ”It’s to say, ‘Hey, we’ve noticed you’ve been struggling and we want to support you.’ And then these are skills they can take home and share with family and friends and just make part of their everyday life.”

Crossover from work to home is important as the influence of the Internet on our lives increases. The Internet of Things, with its growing list of home devices that include the Nest Learning Thermostat, Ring doorbells, Amazon Echo, Google Home and the Apple HomePod promise to make our lives easier, but come at a cost.

“We’re getting more and more electronics in our homes,” Pasteris says, “and it’s just going to get worse. So we really have to start thinking differently about how we interact with our technology and we have to be cognizant of the fact that with the Internet we are inviting more and more strangers into our homes.

“What I really want is for people to trust less, be a little more paranoid and a whole lot more aware.”

 

 

Keep your

data safe

SECURE MOBILE DEVICES

Lock your screens when you’re not using them, password protect any portable drives and treat your mobile like it is cash.

CONSIDER FOUND PORTABLE DATA STORAGE TO BE DANGEROUS

Don’t just pop a data stick into your computer to see what’s there. It could have malware loaded on it.

BE SUSPICIOUS OF ANYONE ASKING FOR INFORMATION THEY SHOULD NOT HAVE OR SHOULD ALREADY KNOW

This is the first step for cybercriminals using social engineering. Verify a caller or emailer is using contact info you know is legit.

SECURE YOUR LOGIN CREDENTIALS

Make your passwords long, strong and unique, don’t share them; instead memorize them or store them in a password management program or in a locked cabinet or drawer. Don’t use your work passwords or username for other sites.

STORE DATA ON A BACKED-UP DRIVE

Don’t store valuable data on your desktop.

CONSIDER ANY UNEXPECTED EMAIL SUSPICIOUS

Don’t feel compelled to click on every link or attachment if you are not expecting them. Call the sender directly using a number you know is bona fide, or head to their website using a URL you know is OK.

GIVE EMAILS WITH LINKS OR ATTACHMENTS UNDIVIDED ATTENTION

If you are distracted, you are more likely to miss phishing red flags.

CYBERSECURITY

CHAMPIONS


> A squad of “Cybersecurity Champions” has been enlisted to model good online behaviour and advocate for cybersecurity at Mount Royal.

“They take the training, subscribe to the newsletter and then they exhibit the right behaviours: locking their screen, having their phone password protected, all of those behaviours we want people doing,” Pasteris says.

Cybersecurity Champions have focused on a series of themes, starting this academic year with creating passwords that are long, strong and unique.

Now the focus has shifted to enabling two-step verification for Mount Royal University emails for an added layer of security. There is also a push to make people comfortable with ignoring emails that seem troublesome.

The program also helps ITS’ budget, as more Mount Royal staff do things right, the less the University needs to spend on big safety technologies. When it comes to students, the challenge is greater.

“With students, it’s a bit different,” Pasteris says. “I engage them on Main Street with my little kiosk and try to get them to register for the newsletter, I’ll also try to engage them in different aspects of cybersecurity. But everyone’s schedules are so packed, it’s hard.”

While Mount Royal’s cybersecurity training is considered a success, as registered by a reduction in the number of calls to the ITS Service Desk for resets, the battle is far from won.

“The evolution you’re seeing now is the two-step attack,” Pasteris says. “They’ll nail you first with something like ransomware and while you’re distracted dealing with the ransomware they’ll come in on another vector where they’ll hit you with a data breach where they actually take your data. They’re not just encrypting it. Our guys do an amazing job, but if you’re hit from seven different sides at once, something’s going to give.”

 

 

FLUFFY CLOUDS

OR BIG IRON?


> One reason we seem so susceptible to social engineering and cybercrime may lie in the way we view computers, devices in general and the growing cloud in particular.

At its simplest, cloud computing refers to on-demand network access to a shared pool of servers. But the term “cloud” is troubling to Randy Connolly, a professor in the Department of Mathematics and Computing at Mount Royal University.

“Do people understand what it is? Probably not,” Connolly says. “The problem with the term ‘cloud computing’ or ‘the cloud’ in general is that from the very beginning it was a marketing metaphor. If there was going to be a Lifetime Academy Award for the most inappropriate and misleading metaphor, cloud computing would definitely be in the running.

”The Internet in general and cloud computing in particular are not composed of magic water vapour, but a whole lot of stuff.”

Physical stuff, including millions of kilometres of wires and millions of devices including servers, routers, switches and hubs, such as it contained in specialized environments using massive amounts of power, Connolly says.

One of the great myths of the Internet age, he argues, is that it is in any way green. “I want to scream every time I see such nonsense,” he says.

A better term, he says, one used to describe the typical enterprise computing environment in the 1970s (think large mainframe computers and “dumb” terminals in offices), is “big iron.”

The spread of cloud computing and communications technology could use as much as 50 per cent of global electricity in 2030. Yet we seem to regard the cloud as a force solely for good, and perhaps that benign image of computing leads to us letting our guard down, Connolly says.

In terms of data safety, Connolly sees the cloud as a mixed bag.

“State-sponsored security threats are now the norm, thus the quantity and quality of threat sophistication has been amplified incredibly,” he says. “This change has coincided with the widespread move to cloud computing. Within the field of computing security, the key question has moved from, ‘How can we keep intruders out?’ to ‘Once they’re in, how do we minimize the damage?’

“Clearly, moving one’s computing from in-house to globally available-to-everyone cloud infrastructure potentially makes your data significantly less safe. On the flipside, outsourcing your security to the large cloud providers, who can presumably hire the best security minds, might actually be the sanest choice in today’s threat-rich environment.”

Connolly also says privacy concerns around the cloud need to be looked at in a broader historical perspective, and points to a fascinating Jonathan Franzen essay, “Imperial Bedroom,” that argues this generation lives in a world with more physical privacy than ever before.

“This doesn’t mean we should ignore the privacy issues around the cloud; rather we do need to have a broader historical perspective on how privacy has or is changing due to the cloud.”

Signals in

the noise

> The last line of defence remains an organization’s firewall, and the people who run the back end of Mount Royal’s computer networks are especially attuned to cybersecurity, with sophisticated check-in and check-out procedures.

“We just assume that every transaction will be compromised, so we make sure everybody goes through certain hurdles and we build in fail-safes,” says Mount Royal’s chief information officer, Michael Barr. “We have good hygiene and good behaviour, but we have to take it up a notch, because if you own the system and you get compromised, it’s obviously way more serious. So we’re very focused on that.”

Barr is also looking to the future with powerful analytic tools.

“The question becomes, ‘How do we invest in the next generation of tools of predictive analytics to constantly be looking at our environment and detect signals in the noise?’” Is there an anomaly out there that would make us kind of suspicious that something weird has just happened?”

Cybercriminals are getting better and better at blending in, but Barr says now and then a little blip announces their presence. ITS staff try to force would-be hackers to do awkward things to reveal themselves.

A cut-out of an electrical static skull being inserted into an envelope.

“You don’t just break into our system. You do some unnatural things and in doing so raise the probability that we’re going to find you, that you’re going to reveal yourself. This is the latest generation of what’s going on in the world trying to figure out cybersecurity. It’s fascinating stuff, big-time math, machine learning, big data, artificial intelligence, all to keep us safe.”

Barr says the number of brute-force attacks coming through the firewall is close to zero, but that Mount Royal’s defences get probed upwards of 1,000 times a second. “There are millions and millions and millions of events a day. There’s no way a human could process all that information. It’s just not possible. It would take you a lifetime to do it.”

Meanwhile, while large businesses are loathe to co-operate, even on security, post-secondary institutions in Canada have banded together to improve their chances by sharing information.

“It’s probably one of the most valuable sources of information in the country outside of CSIS (Canadian Security Intelligence Service) or law enforcement,” Barr says. “We may see something happen at the University of Regina and usually within a few minutes the community is notified and you get a heads-up.”

Better education in the end means less time, effort and money spent on more expensive solutions.

“I know a lot of other organizations have just given up on humans, so all the money goes into the most expensive software and hardware that is out there to basically make up for the fact that you’re going to screw up,” Pasteris says. “We don’t have those financial resources available, but we know that we can hit that human element. It’s the best bang for our buck.”

 

Read more Summit


Modus operandi

The how and why of Mount Royal. This story peels back the layers of Mount Royal, exposing its intimate inner-workings.

READ MORE