#CyberFLASH: How a Canadian university is overhauling its approach to IT security

The day an organization is successfully attacked is memorable for most IT professionals. David Shipley has no trouble remembering the date of the one he faced as a Web site administrator at the University of New Brunswick.

“Mother’s Day 2012,” he promptly says when asked about the incident. The attackers didn’t get very much, but it led to the start of a four-part holistic overhaul of the university’s IT security, an effort which is halfway to completion.

“By the end of this we’ll be much better positioned to deal with the threats we face,” says Shipley, now director of strategic initiatives for UNB’s cybersecurity team.

The four prongs include a persistent security awareness campaign for the roughly 14,000 students and staff on two campuses; a data governance program to classify all documents; an overhaul of the network and security architecture; and a new IT security policy.

The network overhaul is a multi-year project which started last summer. Recently the university put out an RFI to industry vendors for designing what Shipley calls a “next-generation architecture.” He expects the first product acquisitions of what could be up to a $2 million spend will start this spring after the design is approved.

Meanwhile the security policy, which will cover UNB’s approach to protecting information and information systems and how it will respond to cyber security incidents, is in the final draft stage.


#CyberFLASH: Cybersecurity and M&A – Part Three: Cyber Insurance

Cyber Insurance Coverage

An important preliminary note on cyber insurance is that it is often confused with technology errors and omissions insurance (commonly called “Tech E&O” insurance). Tech E&O insurance protects providers of technology services or products, such as software designers and manufacturers, whereas cyber insurance protects consumers of those products and services.

Generally, cyber insurance is divided into first party coverage, which protects the policyholder directly, and third party coverage, which protects the policyholder against claims brought by third parties.

First party policies may cover:

  • the costs associated with investigating the scope of the breach and taking steps to mitigate against the damage caused by the breach;
  • the costs of providing notice to individuals whose identifying information was compromised;
  • public relations services to counteract the negative publicity that can be associated with a data investigation;
  • the costs of responding to government investigations;
  • the costs of replacing damaged hardware or software, or remediating existing systems;
  • legal costs and other related expenses, such as regulatory fines;
  • the costs of responding to parties vandalizing the company’s electronic data; and
  • business interruption costs.

On the other hand, third party policies may cover claims:

  • for permitting access to identifying information of customers;
  • emanating from the impacts which a security breach may have on a third-party system;
  • for transmitting a computer virus or malware to a third-party customer or business partner;
  • for failing to notify a third party of their rights under the relevant regulations in the event of a security breach; and
  • for potential “advertising injury,” i.e., harms through the use of electronic media, such as unauthorized use or infringement of copyrighted material, as well as libel, slander, and defamation claims.


#CyberFLASH: Military hard drive containing personal information found by Halifax man

A hard drive containing information believed to belong to the Canadian military is sitting in the closet of a Halifax man.

“It seemed to me like some of the documents contained information on personnel that I probably, or nobody, should be able to access unless they had the proper clearance,” Pete Stevens told Global News Friday.

Stevens found the hard drive at a recycling depot in Dartmouth almost a year ago. When he finally went to use it, he was surprised by what he found.

“I ran a recovery software and I basically saw some files that, basically, should have been deleted from the previous owner.”

The hard drive contains hundreds, if not thousands, of pages of information. According to Stevens, he was able to locate encrypted emails, training manuals and blueprints within minutes of searching the drive.

Most of the information appears to be from the years 1999-2006 and deals with HMCS Halifax.

David Fraser, a privacy lawyer in Halifax, says no matter how old the information is, it’s not supposed to wind up in the hands of someone without proper clearance.


#CyberFLASH: Security predictions 2016: More ransomware, tougher cyber insurance

Twelve months ago, when I became ITWorldCanada.com’s contributing writer on cybersecurity, the state of things was pretty bleak: 2014 marked another record year of data breaches, there was no miracle technology that would seal the cracks in an enterprise and every expert was predicting attackers would find new ways to get around defences.

As I look ahead to 2016, every expert I talk to says attackers will continue to find new ways of getting around defences, there’s no miracle technology coming that will seal the cracks in an enterprise and it will probably be another record year of data breaches.

In the face of that, what’s a CISO to do?

For one thing, continue sealing the cracks in the enterprise the old-fashioned way: security awareness training, two-factor authentication wherever possible, network segmentation, limiting the number of people with administration privileges and access to sensitive data, patching, increased spending on intrusion detection and prevention (including analytics), sharing threat intelligence (either formally by buying a service, or informally with colleagues) and solid backup and restore. On top of that, have a tested disaster recovery plan.

In addition, be aware of certain trends experts say will mark 2016 as different from the year before. Here are some of them:

–The evolution of technology means IT departments more than ever have to understand what business units want, and then propose secure ways of doing it, says Bob Hansmann, director of security analysis and strategy at Raytheon Websense security labs.


#CyberFLASH: IIROC publishes resources to help dealers increase cybersecurity preparedness

TORONTO – The Investment Industry Regulatory Organization of Canada (IIROC) today published two resources to help IIROC-regulated firms protect themselves and their clients against cyber threats and attacks.

The Cybersecurity Best Practices Guide provides an enterprise-wide risk-based framework of industry standards and best practices that IIROC-regulated firms can apply to heighten awareness and manage cyber risks in an evolving environment. The Cyber Incident Management Planning Guide is a complementary tool for firms to prepare effective response plans for cyber threats and attacks. These resources were produced by a leading security consulting firm, engaged by IIROC, which has worked with other Canadian financial services regulators on cybersecurity matters.

“Active management of cyber risk is critical to the stability of IIROC-regulated firms, the integrity of Canadian capital markets and the protection of investors,” said Andrew Kriegler, IIROC President and CEO. “That is why we consulted with the industry, engaged security experts and developed concrete resources to help firms better manage their cyber risks.”

This initiative follows from previous work IIROC conducted, including a survey of its membership and a table-top exercise, as well as input from industry representatives. IIROC also reviewed approaches used by other domestic and global financial services regulators.

In addition, IIROC is developing a cybersecurity program to work with dealers to increase their cybersecurity preparedness.

IIROC is the national self-regulatory organization which oversees all investment dealers and their trading activity in Canada’s debt and equity markets. IIROC sets high quality regulatory and investment industry standards, protects investors and strengthens market integrity while maintaining efficient and competitive capital markets. IIROC carries out its regulatory responsibilities through setting and enforcing rules regarding the proficiency, business and financial conduct of dealer firms and their registered employees and through setting and enforcing market integrity rules regarding trading activity on Canadian equity marketplaces.


#CyberFLASH: Web Hosting Canada adds expanded cybersecurity protection to its small business web hosting solutions

MONTREAL – Web Hosting Canada has selected the .CA D-Zone Anycast DNS from the Canadian Internet Registration Authority (CIRA) to deliver a Canadian-first DNS service for small businesses.

Key facts

  • This made-in-Canada DNS solution, combined with a newly built cloud server infrastructure and web hosting solutions with datacentres on both the east and west coast of Canada, completes Web Hosting Canada’s portfolio of Canadian-focused hosting services.
  • Web Hosting Canada is delivering its Canadian customers enhanced protection from DDoS attacks against their DNS. With a global network of servers and an expansive Canadian footprint, the .CA solution also helps to reduce latency for websites and improves the performance of web applications for Canadian users.
  • Although the Internet is a global market, according to research from the Strategic Counsel published in the 2015 .CA Factbook, 77% of Canadian Internet users support Canadian business whenever possible. Creating a compelling and Canadian web presence can help give companies an advantage, and with .CA domains, Canadian-based servers and made-in-Canada DNS, Web Hosting Canada can help small businesses ensure that their Internet footprint is firmly rooted in Canada.

Executive quotes

“As Canadian entrepreneurs ourselves, the Web Hosting Canada team is keenly aware of the unique needs that many Canadian businesses have. We have designed hosting, cloud and DNS solutions that are not only based in Canada, but designed to help Canadian businesses succeed online.”

– Emil Falcon, CEO at Web Hosting Canada

“Many global DNS and hosting providers ignore the Canadian market. As part of our role in encouraging a better Canadian Internet, CIRA has been a long-time champion of infrastructure options built for Canada first. We are pleased that Web Hosting Canada sees the value in investing in Canada and is helping small businesses choose technology solutions that are closer to home.”

– Dave Chiswell, vice president of product development at CIRA


#CyberFLASH: Customers at Sheraton, Westin, other hotels hit by data-stealing hack

If you stayed at a Sheraton, Westin or other Starwood hotel in the US or Canada this past year, you’ll want to keep an eye on your credit or debit card account.

Starwood Hotels and Resorts Worldwide said this week that point-of-sale systems at more than 50 of its hotels had been infected with malicious software. The malware, installed at gift shops, restaurants and other locations, let hackers make off with payment card data, including cardholder name, card number, security code and expiration date.

The company said in a statement that it has removed the malware and “implemented additional security measures to help prevent this type of crime from reoccurring.” It also said there’s no indication at this point that its guest reservation or preferred-guest membership systems were affected. The company added that there is no evidence that customer PINs or contact information were captured.

A list of affected hotels includes facilities in major cities, such as the Sheraton New York Times Square hotel, the Westin Michigan Avenue Chicago, the Westin Los Angeles Airport and Le Centre Sheraton Montreal. The Walt Disney World Dolphin hotel was also hit. Timing of the attacks varied from place to place, but the earliest listed happened in November 2014, with the most recent occurring in March of this year.


#CyberFLASH: Ransomware, bogus emails from your ‘boss’ mark growing skill of cyber-criminals

Cyber-criminals are hacking into corporate computer systems and using the public profiles of top executives to fine-tune email scams that are duping Canadians out of hundreds of millions of dollars each year, a CBC News investigation has discovered.

“It came on the scene in a massive way, from virtually nothing to $19 million in 2014” in losses reported, said Daniel Williams of the Canadian Anti-Fraud Centre, a federal government agency.

He also says that research by the CAFC and police suggests that less than three per cent of these email scams ever get reported, meaning the incidents and the losses are probably much higher.

“Most probably in the range of $500 million to $1 billion,” Williams says. “It’s big, big money. It’s very organized, very sophisticated crime groups with a lot of resources putting a lot of effort … really on an industrial scale.”

Police and security officials warn that among the newer, more sophisticated tricks criminals have learned is how to customize forged emails by using insider information and the names of CEOs and accounting staff to pull off increasingly convincing scams.

These criminals are also netting larger and larger payouts by targeting financial industries, law offices and medium-sized businesses with malicious software that can freeze computer hard drives and hold a company’s data for ransom.

‘Ransomware’

“It was just a regular email from a co-worker, and with a voicemail attachment. So I proceeded to click,” one woman told CBC News about her experience at a mid-sized investment firm in downtown Toronto.

Her computer froze immediately after clicking the attachment.


© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.