#CyberFLASH: University of Ottawa missing hard drive with data on 900 students

The University of Ottawa has launched an investigation after an external hard drive containing the personal information of approximately 900 students disappeared earlier this month.

Current and former students have been notified of the possible privacy breach and an information line has been set up, the university said in a news release Wednesday.

Ottawa police and the Information and Privacy Commissioner of Ontario have also been notified.

The hard drive was used to back up personal information on individuals who accessed a university resource for students with disabilities or mental health issues applying for special academic accommodations.

Figuring out exactly what personal information was stored on the drive is one of the objectives of the investigation, the university said.

“The University takes its role in safeguarding personal information and using it in an appropriate manner very seriously. Measures have been put in place at SASS to reduce the risk of the situation recurring. The University is deeply sorry about this situation,” the university said.

Read more here

#CyberFLASH: Security framework released for industrial Internet of Things

Security experts have warned for some time that the so-called Internet of Things opens many vulnerabilities when interconnecting industrial devices across a public distributed network.

Now C-level executives who aren’t sure what to do about it can consult a security framework published by the Industrial Internet Consortium, a group of over 240 vendors and associations including Schneider Electric, General Electric, Fujitsu, Intel, Kaspersky, Cisco Systems, Symantec, Microsoft and SAP. The framework emphasizes the importance of five industrial IoT characteristics – safety, reliability, resilience, security and privacy – and defines risk, assessments, threats, metrics and performance indicators to help business managers protect their organizations.

“Today, many industrial systems simply do not have adequate security in place,” said Richard Soley, the consortium’s executive director. “The level of security found in the consumer Internet just won’t do for the Industrial Internet. In order to add security to an industrial system, you must make sure it won’t interfere with safety and reliability requirements. The (framework) explores solutions to industrial problems that have plagued the industry for years.”

Because Internet-connected industrial control systems (ICS) — everything from sensors on electrical grids and pipelines to medical devices — often link with enterprise systems, they are just as much a target for attackers as the servers, switches and routers on the corporate side. And if compromised the effect can be tremendous — possibly shutting down power stations, for example. Industrial Internet systems may also connect with intermediary organizations, so link encryption may not be a solution. Another complication is the devices have long lifetimes.

Read more here

#CyberFLASH: Cyberattack on biometric data poses security risks at border, documents warn

OTTAWA—Border officials warn a cyberattack on their facial recognition or fingerprints databases could result in barring innocent travellers from Canada — or letting the wrong people in.

In documents prepared for Public Safety Minister Ralph Goodale in November, Canada Border Services Agency officials said they need to “keep pace with emerging security vulnerabilities” to systems governing who can enter the country.

The agency’s growing use of “biometric” data — such as fingerprints, facial recognition, and retinal scans — was cited as an example.

“A malicious cyberattack, for example, could infiltrate the back-end of a biometric identification system and produce false acceptances and/or rejections,” reads the document, obtained by the Star under access to information law.

“Such attacks could disrupt border traffic flows and compromise the integrity of border controls. CBSA must protect Canadians from increasingly complex safety and security threats and continue to advance security monitoring in all technologies.”

Read more here

#CyberFLASH: New CGI insider threat advisory services help government and private enterprise address critical cybersecurity issue

MONTRÉAL – Today, CGI announced an important new offering – delivering strategic advisory and implementation services to help global government and commercial clients address cybersecurity threats that come from trusted insiders, such as current employees, contractors or business partners.

In CGI’s annual Voice of Our Clients program, 965 in-person interviews with commercial and government organizations around the world identified cybersecurity as a top 5 issue. They stated that this threat is becoming increasingly important as they transform to customer-centric digital organizations.

CGI’s program enables global organizations to become more proactive in their approach to mitigating insider risks by focusing first on cultural and behavioral change so organizations and employees alike view seemingly normal, everyday actions of employees through an insider threat “lens.” The program helps organizations analyze and correlate disparate data sources to uncover potential risks and threats.

“An active insider threat risk management program should be an integral part of security for every organization,” said Michael E. Roach, President and Chief Executive Officer, CGI. “Emanating from our extensive work in the United States this critical capability is now available to companies and governments world-wide.”

CGI helps clients integrate an improved security posture into their culture in light of today’s ongoing security challenges. Insider threat program advisory services aid clients in defining a taxonomy for insider threat that reflects the organization’s culture and operations, mapping their risk profile, and creating a playbook for response and mitigation. The program uses sophisticated methodologies and creates a governance model for ongoing program management. CGI provides a wide range of program implementation services, from Insider Threat Program Office setup to ongoing monitoring services. Monitoring services can be provided as a managed service or on client premises.

Read more here

#CyberFLASH: Give management the right security metrics

There’s no doubt the C-suite and boards are paying increased attention to cyber security, hearing more frequently from infosec pros. But are CISOs communicating in a language the business side needs to hear?

There’s no shortage of security metrics, Torsten George points out in a Security Week column today, but what the business side needs to hear is not necessarily what security pros use when talking to each other.

“Upper management and boards want to understand what the organization is doing to prevent security breaches and the effectiveness of these measures, its exposure to future risks and threats, and what areas can be improved.” That means telling them things like the number of vulnerabilities discovered, the number of incidents and the average time a vulnerability remains unpatched isn’t helpful.

Better, he writes, is to focus on metrics that relate risk to the organization’s business goals — for example, on sensitive data that could be exfiltrated due to existing vulnerabilities, or the financial impact associated with critical assets being rendered unusable by an attack.

Being a CISO these days can sometimes feel like a roller-coaster of never-ending crises. To some degree many problems can be solved by doing the basics, including keeping on top of patching and educating users. These aren’t big ticket items. But board-level support is vital for solutions that may call for investment, ranging from penetration tests to multi-factor authentication and so on.

Read more here

#CyberFLASH: Cybersecurity strategy hinges on fed-prov collaboration

Public Safety Minister Ralph Goodale will need to continue working closely with the provinces and territories if he wants to close the gaps in Canada’s cybersecurity preparedness and develop a plan for countering radicalization, security experts say.

Goodale and Justice Minister Jody Wilson-Raybould held their first meeting with provincial and territorial ministers in Quebec City Thursday to hash out concerns about public safety and justice issues. Among the topics they discussed were cybersecurity and counter-radicalization — or specifically, the need to get better at sharing best practices for protecting critical infrastructure and developing a policy framework to organize counter-radicalization efforts.

While there was little detail provided in the accompanying press release, researchers focusing on national security and terrorism say the fact that the new government is making a commitment to work more closely with the provinces and territories is a good sign.

“A lot of the critical infrastructure that might need protection is in the hands of the provinces and private sector,” said Wesley Wark, a professor focusing on national security at the University of Ottawa. “That’s really the root of this — vulnerability and, in their mind, inadequate measures by the previous government.”

Prime Minister Justin Trudeau tasked Goodale with leading a review of Canada’s state of critical infrastructure protection when appointing him to the portfolio in November.

The Canadian government had been the target of multiple high-profile cyber attacks during the former Conservative government’s decade in office — in 2011, attacks traced to Chinese IP addresses targeted the Treasury Board, the Department of Finance and Defence Research and Development Canada (DRDC).

Read more here

#CyberFLASH: Nuclear Threat Initiative gives Canada high score on cyber security

Much of the world’s enriched uranium and plutonium is “too vulnerable to theft” and a cyber attack on a nuclear facility could “facilitate” either theft of nuclear material or sabotage, the Nuclear Threat Initiative warned in a recent report.

“Nearly 2,000 metric tons of weapons-usable nuclear materials remain stored around the world, much of it still too vulnerable to theft,” wrote Sam Nunn, Co-chairman and CEO of Washington, D.C.-based NTI, in a foreword to the 2016 NTI Nuclear Security Index: Theft and Sabotage. “The risk is compounded by the fact that a terrorist group wouldn’t need much nuclear material to make a nuclear bomb.”

Nunn represented the state of Georgia, as a Republican, in the United States Senate from 1972 through 1996, serving as chairman of the Senate Armed Services Committee.

This year’s NTI index – Building a Framework for Assurance, Accountability and Action, Third Edition – was developed with The Economist Intelligence Unit.

Released Jan. 14, the index assesses the security of highly enriched uranium and plutonium, rating 24 countries – including Canada – with one kilogram or more of “weapons-usable nuclear materials.” It also rates 45 countries “with respect to the protection of nuclear facilities against sabotage.”

Of the 24 nations with weapons-usable nuclear material, nine, including Canada, received the maximum score for cyber security. Seven scored zero.

A cyberattack “could facilitate the theft of nuclear materials or an act of sabotage,” NTI warned. “For example, access control systems could be compromised.”

Countries were rated on a scale of 0 to 100, where 100 is the most favourable nuclear security conditions.

For risk environment, Canada scored 79.

Read more here

#CyberFLASH: A spear phishing attack that nearly worked

These days determined cyber attackers don’t fire broadsides at organizations they want to infiltrate — they take the time to find out who holds certain sensitive positions and target them.

If the staff in your enterprise hasn’t got that message yet, there’s a news story from the U.S. about a spear phishing attack that nearly tricked a firm’s comptroller, which CISOs could pass on to all employees so they understand.

The email seemed to come from the CEO about an upcoming acquisition, and asked the comptroller to work closely — in fact, “exclusively” — with a lawyer on the deal. The message was detailed, professional, right down to suggesting the company had already notified the U.S. Securities and Exchange Commission (SEC) on the deal.

There was no hyperlink or attachment for the comptroller to click on, which is usually the way malware is delivered. No, this attack was more crafty: The CEO authorized the comptroller to “proceed with any payments that (the lawyer) may request on my behalf. You need to keep this matter extremely confidential as you are the only one currently aware of the situation.”

Had the comptroller fallen for the scheme she likely would have forwarded a sizeable amount of money to who knows where.

Fortunately, the attacker made a mistake: the CEO signed the email with his full name, which he doesn’t do. The comptroller was justifiably suspicious and checked.
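The lure above carried no link or attachment, so link- and attachment-based filters would have stayed silent; what gave it away was context. The following Python is an added example (not from the article or the firm involved) that flags the contextual signals the story describes: an executive’s display name arriving from outside the organisation, a payment authorisation paired with secrecy pressure, and a sign-off that does not match how that executive normally signs. The organisation, executive, domains and message text are constructed for the demonstration.

```python
import re
from email.message import EmailMessage
from email.utils import parseaddr

# Constructed reference data for a hypothetical organisation (not from the article).
ORG_DOMAINS = {"example-corp.com"}
EXECUTIVES = {"alex morgan": "Alex"}  # display name -> how this person usually signs off

PAYMENT_RE = re.compile(r"\b(payments?|wire|transfer|invoice)\b", re.I)
AUTHORITY_RE = re.compile(r"\bon my behalf\b", re.I)
SECRECY_RE = re.compile(r"\b(confidential|exclusively|only one (?:currently )?aware)\b", re.I)

def build_message(sender: str, body: str, reply_to: str = "") -> EmailMessage:
    """Assemble a plain-text message so the checks can run offline."""
    msg = EmailMessage()
    msg["From"] = sender
    if reply_to:
        msg["Reply-To"] = reply_to
    msg.set_content(body)
    return msg

def bec_indicators(msg: EmailMessage) -> list[str]:
    """Return the BEC indicators present; none of them rely on a link or attachment."""
    hits = []
    display, addr = parseaddr(msg.get("From", ""))
    name, domain = display.strip().lower(), addr.rsplit("@", 1)[-1].lower()
    body = msg.get_content() if not msg.is_multipart() else ""
    if name in EXECUTIVES and domain not in ORG_DOMAINS:      # lookalike / external sender
        hits.append("executive name from external domain")
    _, reply = parseaddr(msg.get("Reply-To", ""))
    if reply and reply.lower() != addr.lower():               # replies diverted elsewhere
        hits.append("reply-to differs from sender")
    if PAYMENT_RE.search(body) and AUTHORITY_RE.search(body):  # "proceed with any payments ... on my behalf"
        hits.append("payment authorisation request")
    if SECRECY_RE.search(body):                               # "extremely confidential", "exclusively"
        hits.append("secrecy / sole-contact pressure")
    lines = body.strip().splitlines()                         # compare sign-off with the known habit
    if name in EXECUTIVES and lines and lines[-1].strip().lower() != EXECUTIVES[name].lower():
        hits.append("unusual sign-off")
    return hits

def sample_attack() -> EmailMessage:
    """Constructed lookalike-domain message mirroring the article's lure."""
    return build_message(
        "Alex Morgan <alex.morgan@example-corp.co>",
        "We are closing an acquisition; work exclusively with our outside counsel.\n"
        "Proceed with any payments they may request on my behalf. Keep this matter\n"
        "extremely confidential as you are the only one currently aware of it.\n\nAlex Morgan\n")

def sample_benign() -> EmailMessage:
    """Constructed routine internal note from the real executive, for comparison."""
    return build_message("Alex Morgan <alex.morgan@example-corp.com>",
                         "Can you send me the Q3 numbers?\n\nAlex\n")
```

Any two or more indicators on one message is a reasonable threshold for routing it to a human check before money moves.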

Read more here

© 2013 CyberTRAX Canada - All Rights Reserved.
Sponsored by C3SA Corp.