Finding out that Canadian government networks were hacked, and that information was stolen is an embarrassment to all Canadians (me included!).
This is a story we hear again and again. Evil hackers from across the ocean gained access to our sensitive information using common social engineering tricks.
Embarrassment, frustration, fear and other f-words aside, this does highlight a couple of things:
1. Training: People, in this case, were the weakest link. The CBC reported that the two key factors leading to this breach were:
“The hackers, then posing as the federal executives, sent emails to departmental technical staffers, conning them into providing key passwords unlocking access to government networks.
At the same time, the hackers sent other staff seemingly innocuous memos as attachments.
The moment an attachment was opened by a recipient, a viral program was unleashed on the network.”
2. Data & network defense systems: Any organization that has to store sensitive information must have a series of safety nets. The goal of defense in depth is to make these attacks impossible or at the very least very very hard to execute. Being infiltrated because of a spoofed email with a malicious payload shouldn’t provide unfettered access!
What should have been done to prevent this sort of incident? Let’s start with the basics and work our way up (people/process/systems/measures).
People: Hire the right people — prefer quality over quantity. I have no doubt that our people are hard working, capable professionals so I will not comment on this one!
Process: There was definitely a process breakdown here. At no point should it be acceptable to send sensitive information over something like email that can be easily spoofed. And even if there is such a process, it should require proper email encryption and identity management systems to ensure that this information is useless in the wrong hands.
Systems: Anti-malware, host intrusion prevention and application control tools would have made executing known malware or code with malware characteristics hard.
Patch management would have alerted administrators to vulnerable older versions of Microsoft Office, Adobe Reader and Flash Player.
Network access control and client firewalls would have prevented unknown applications from accessing the network. Even if rogue software got installed on a device it should not have been able to communicate with its command and control.
Email security filtering would have prevented the spoofing of internal email addresses and blocked viral/suspect attachments. Keeping the threat outside your walls is always the best option.
Web protection systems would have blocked access to sites that were not needed for work purposes, blocked access to compromised websites, and detected web-based exploits before they ever hit the disk. This would have sealed another common attack vector.
Encryption and identity management would have made it very hard or impossible to read sensitive data even if access was possible.
Measures: Proper monitoring and alert systems would have alerted administrators of attempts to access the network or suspicious behavior from compromised devices. Intrusion detection systems and network behavioral monitoring would have identified anomalies in the network traffic like access from networks in China or access to servers outside of normal working hours.
All of this stuff is possible right now using products from Sophos and other vendors; it is inexcusable that millions of our hard-earned tax dollars can be spent making an artificial lake for some visiting dignitary, but not to protect our strategic information assets.
Make no mistake, these rogue entities are waging cyber-warfare on governments and organizations. They are well funded, well equipped and are after our information assets. Let’s build our cyber-security with that in mind!
To learn more about the latest threats seen by SophosLabs, download our Security Threat Report 2011.
Creative Commons image Kanada courtesy of ConvenienceStoreGourmet’s Flickr photostream, Canadian Swiss Army knife courtesy of schmish’s Flickr photostream and NASA command courtesy of nasa hq photo’s Flickr photostream.