Wednesday, June 12, 2019

Will the CBP have to report to the Canadian Privacy Commissioner?

I haven't written in awhile, not for lack of options or subjects, mostly lack of time.

The last few months have been riddled with new business relations who are being hit with advanced Ransomwares.

Something has changed in the last year, and these attacks have clearly gone from fully automated to hybrid and manual.

So be warned, the bad guys will outsmart you.  They will figure out how your backups work and remove them.  They will take their time to figure you out and find the weakest link.  One attack replaced the backup systems DLL file and continued writing backups... with all zero bits.... which compared correctly at verification so the backups seemed to work fine.  The attackers waited over a month to deploy their ransomeware.

But on another subject, Will the US Customs and Border Protection agency (CBP) be above the law?

Will our privacy commissioner impose our new disclosure law on the CBP?

You see, turns out the CBP has been tracking our vehicles and our faces at border crossings.  Also turns out that security was weak and hackers got into all that information and left with it.

Since November 1st 2018, Canadian law dictates that breaches impacting privacy be reported to the privacy commissioner and that EVERY affected person be notified if there is a risk of harm to the individual.

The key thing, is that they worded the law in a way that gives a lot of room for wiggling out.  They used the term "significant harm".

Now it gets worst (or at least more interesting), it was actually a subcontractor who had the breach, but the CBP doesn't want to name the contractor.   Well not to worry, it looks like the friendly hacker community is taking care of that and it is a company called Perceptics

Turns out:  "Initial information indicates that the subcontractor violated mandatory security and privacy protocols outlined in their contract," CBP said in a statement.

So back to my overwhelming ransomeware events.  When someone calls me in the middle of a panic because of a ransomeware, I already know what the bad news is:

1) Turns out our backups didn't work since last June... 2018
2) Turns out our malware detection system was not configured correctly
3) Turns out we have to pay the ransom and have no idea what a Bitcoin is

But here is the kicker, 9 out of 10 times, it was a subcontractor that had the most contributed to the breach and failure of IT systems.

a) We thought the backups were good

b) We thought the backups were running

c) We thought our systems didn't have 6000 Shekels of exploitable vulnerabilities

d) We didn't know that a Shekel was an ancient measure of mass equally as old as our IT infrastructure and capacity to be resilient to failure

e) We didn't realize that we opened up our network across all protocols to a third party because management pushed the IT guys to open up the firewall because the F'n project must be delivered on time

f) We didn't realize that our really good IT guys are actually really good IT guys based on the perception that they keep the lights on and as far as security goes they do not have the knowledge or luxury to handle security adequately

Anyways, you get the point.   Everyone is always surprised when they get hit by a Ransomeware but the security experts are certainly not surprised and often your own IT staff aren't either because it dawns on them that their technology debt equates to a security debt which therefor results in large security exposures.

So lessons learnt here.....
1) Trust but verify your third parties

2) Do not blindly prioritize projects and ensure you have security oversight and firm checkpoints

3) Have VERIFIED and OFFLINE backups

4) Have storage technologies that are not integrated at the OS level (no AD integration, completely isolated like iSCSI) and ensure that snapshotting features are in place (with adequate storage you cheap bastards)

5) And while we are at it, make sure your security countermeasures have all their features turned on, because that my friends is really really embarrassing.

Now, I'm still curious.... and would certainly love to hear our privacy commissioner on this CBP breach of data.

Silence......  crickets......  and soon forgotten data breach....

It isn't called data breach this month folks !


Eric Parent is a senior security expert, specialized in coaching senior executives.  He teaches CyberSecurity at l'Ecole Polytechnique and HEC Universities in Montreal, and is CEO of Logicnet/EVA-Technologies, one of Canada's oldest privately owned security companies.

Follow Eric on:
Twitter @ericparent
LinkedIn :  EVA-Technologies

No comments:

Post a Comment

Are we even trying over at BRP

This will be a short blog entry.  Essentially, a general observation. If your enterprise was breached and screenshots of user account passwo...