Cybersecurity warriors: frontline of defence
The email came on a Friday. It seemed to refer to a previous message the Mount Royal University employee had sent to an outside vendor, with the subject line “What’s this?”
“A Word document was attached and I opened it, not being concerned. I honestly thought it was a reply to my earlier email sent to multiple parties,” the employee recalls. “When I saw ‘What’s this?’ I was really curious and wanted to figure it out. The vendor signature looked legitimate and I clicked on the attachment, not thinking much of it.”
After he clicked and downloaded, he was notified that the document was an older version of Word, and he needed to enable macros to continue.
“I enabled macros not really thinking too much about it. I trusted the email. It still didn’t dawn on me that this was an issue and that I might be infecting my computer. It wasn’t until I spoke with (the vendor) that evening that I realized something was wrong.”
The vendor told the employee that his email server had been hacked and that various businesses were receiving emails (allegedly from the employee) with malware attached. The next morning, a co-worker at MRU advised him that Information Technology Services (ITS) had come and taken his laptop. Having flagged the issue, ITS was able to stop the attack.
“I was impressed with how quickly they reacted, and I was quite embarrassed given the IT security training I had recently taken,” the employee says.
“I should have seen the signs in the email.”
Versions of the same story occur every day in a world where hackers and cybercriminals, many of whom stem from organized crime and some of whom are state-sponsored, are gaining ground and growing more sophisticated.
High-profile attacks have recently targeted Uber, Equifax, Yahoo and Nissan Canada, and ransomware was aimed at the National Health Service in the U.K. In December, Russian-speaking hackers called the MoneyTaker group stole as much as $10 million from Russian and U.S. bank branches. Even such protectors as the U.S. National Security Agency (NSA) were scrambling in 2016 after a group called the Shadow Brokers publicly released the hacking tools the NSA uses to gather foreign intelligence.
IBM’s chairman, president and CEO Ginni Rometty has called cybercrime the greatest threat to every company in the world, while billionaire businessman Warren Buffett deemed it the world’s number-one problem, bigger than nuclear weapons. Even the energy industry has been identified as at high risk for attack.
Closer to home, an email phishing attack hooked staff at Edmonton’s MacEwan University in August 2017, resulting in the theft of nearly $12 million after criminals impersonated a large construction contractor and persuaded employees to change some banking information. In 2016 the University of Calgary paid $20,000 in ransom to hackers who crippled its systems.
The federal government has promised new rules to protect key infrastructure in the wake of increased attacks and a creeping feeling of cyberinsecurity. It’s a world of digital distrust where even Facebook titan Mark Zuckerberg tapes over his computer’s camera at the same time as his company denies it is listening to members without their permission.
While governments, businesses and large organizations, including universities, battle cybercrime at all levels, it is employees and their email practices who have proven to be the weakest link. But they’re also the key to combatting this scourge of the Internet age.
SOCIAL ENGINEERING — THE CYBERCRIMINAL’S TOP TOOL
> Cybercrime can be high-tech, but the criminals who practise it often rely on base human emotions and frailties for their illicit gains.
When he worked as an agent with Canada Border Services Agency in the 1990s and 2000s, Kelly Sundberg, PhD, a professor in Mount Royal’s Department of Economics, Justice and Policy Studies, was tasked with tracking down people in the country illegally who posed a threat to national security. To find them, he’d identify “gatekeepers” with access to broader sources of information: maybe a clerk at Blockbuster Video, or a pizza joint worker, someone he could trick into giving him an address or a phone number of the person he was looking for.
Many of the same methods used by law enforcement to gain information about people they are searching for are also used for nefarious purposes by cybercriminals to persuade victims to divulge personal information that can be used for fraudulent purposes. Gatekeepers hold the keys, Sundberg found.
Social engineering is the means by which criminals manipulate the public. They do it through the elements of surprise, fear, guilt, complacency, arrogance, curiosity and the desire to please.
“People just want to be helpful,” Sundberg says. “It’s easy for cybercriminals to research targeted individuals who are gatekeepers to data and information and who have network access, and then, once the criminals understand the processes in which they work and gain their trust, they develop a means to target them and send them a link. When (the victim) clicks on that link, all of a sudden their whole network is compromised.”
“Cybercrime is the greatest threat to every company in the world.” — GINNI ROMETTY, IBM’S CHAIRMAN, PRESIDENT AND CEO
A savvy cybercriminal creates a web of deceit to ensnare their victim, maybe choosing a receptionist or an administrative assistant, and tricks them into revealing data, personal information on other employees, clients, students or patients. This is called spear phishing, and it can also involve theft of funds.
“If they find out a large organization has a large contract with someone else, and convince them to change the account or the coordinates for the money going in, all of a sudden you can have a significant loss of revenue through spear phishing, which is all predicated on social engineering.”
Human beings adapt and change according to situations, making them formidable adversaries. That’s why it’s essential employees and everyday users are armed with enough basic knowledge that they can be agile in their responses.
Looking at cybersecurity as part of a larger system — including both humans and machines — is vital.
Organizations spend vast sums on sophisticated software, firewalls and secured servers, Sundberg says. “But that’s all for nothing if you have one employee or one person in your organization that clicks on an unsuspected link or gives up information.”
Educating and empowering employees can result in a far greater defence. Instead of one firewall, you have hundreds or thousands of thinking workers engaged in combatting cybercrime as part of their daily routine.
In the end, Sundberg says, common sense can go a long way towards battling the cybercriminals.
“My rule of thumb is if you can’t talk to them on the phone, if you can’t find their number and call them, then there’s something wrong. We have become so ready to provide important data without actually knowing the person. We now feel we know people in a virtual setting. We say, ‘Oh no I know them. I’ve been chatting with them online for a month.’ Have you ever met them (in person)? No. So why would you give them all this information?”
EMPLOYEES: THE PROBLEM AND THE SOLUTION
> ITS training analyst Bernadette Pasteris is on the front lines of turning MRU management, faculty and staff into cybercrime fighting evangelists.
The institutional cybersecurity education push began with the need for organizations to be compliant with credit card industry security standards, but has grown along with the rate of cybercrime. That effort has included enrolling all employees in an online training program and using the Mount Royal website as a portal to information on creating strong passwords, safely working remotely, identifying phishing emails and providing general security tips.
There are also workshops catering to those who learn in an interactive environment, a regular ITS newsletter that warns of and details the latest cybercrimes and scams, and, more recently, a “phishing program” that seeks to hook unsuspecting employees so they can learn first-hand about this technique and how to prevent it. The program gives IT good information on how to improve its education offerings, as well as a chance to provide training on the spot.
If an MRU employee clicks on a link in one of these fake phishing missives, they receive a message telling them what they’ve done and which red flags they should look for next time. Pasteris also focuses on “inbox hygiene” — making sure inboxes are being cleaned out.
“With the internet we are inviting more and more strangers into our homes.” — BERNADETTE PASTERIS, MRU ITS TRAINING ANALYST
“The idea of the program is to give people skills,” Pasteris says. “It’s to say, ‘Hey, we’ve noticed you’ve been struggling and we want to support you.’ And then these are skills they can take home and share with family and friends and just make part of their everyday life.”
Crossover from work to home is important as the influence of the Internet on our lives increases. The Internet of Things, with its growing list of home devices that includes the Nest Learning Thermostat, Ring doorbells, Amazon Echo, Google Home and the Apple HomePod, promises to make our lives easier, but comes at a cost.
“We’re getting more and more electronics in our homes,” Pasteris says, “and it’s just going to get worse. So we really have to start thinking differently about how we interact with our technology and we have to be cognizant of the fact that with the Internet we are inviting more and more strangers into our homes.
“What I really want is for people to trust less, be a little more paranoid and a whole lot more aware.”
CYBERSECURITY CHAMPIONS
> A squad of “Cybersecurity Champions” has been enlisted to model good online behaviour and advocate for cybersecurity at Mount Royal.
“They take the training, subscribe to the newsletter and then they exhibit the right behaviours: locking their screen, having their phone password protected, all of those behaviours we want people doing,” Pasteris says.
Cybersecurity Champions have focused on a series of themes, starting this academic year with creating passwords that are long, strong and unique.
Now the focus has shifted to enabling two-step verification for Mount Royal University emails for an added layer of security. There is also a push to make people comfortable with ignoring emails that seem troublesome.
The program also helps ITS’ budget: the more Mount Royal staff do things right, the less the University needs to spend on big safety technologies. When it comes to students, the challenge is greater.
“With students, it’s a bit different,” Pasteris says. “I engage them on Main Street with my little kiosk and try to get them to register for the newsletter, I’ll also try to engage them in different aspects of cybersecurity. But everyone’s schedules are so packed, it’s hard.”
While Mount Royal’s cybersecurity training is considered a success, as registered by a reduction in the number of calls to the ITS Service Desk for resets, the battle is far from won.
“The evolution you’re seeing now is the two-step attack,” Pasteris says. “They’ll nail you first with something like ransomware and while you’re distracted dealing with the ransomware they’ll come in on another vector where they’ll hit you with a data breach where they actually take your data. They’re not just encrypting it. Our guys do an amazing job, but if you’re hit from seven different sides at once, something’s going to give.”
FLUFFY CLOUDS OR BIG IRON?
> One reason we seem so susceptible to social engineering and cybercrime may lie in the way we view computers, devices in general and the growing cloud in particular.
At its simplest, cloud computing refers to on-demand network access to a shared pool of servers. But the term “cloud” is troubling to Randy Connolly, a professor in the Department of Mathematics and Computing at Mount Royal University.
“Do people understand what it is? Probably not,” Connolly says. “The problem with the term ‘cloud computing’ or ‘the cloud’ in general is that from the very beginning it was a marketing metaphor. If there was going to be a Lifetime Academy Award for the most inappropriate and misleading metaphor, cloud computing would definitely be in the running.
“The Internet in general and cloud computing in particular are not composed of magic water vapour, but a whole lot of stuff.”
Physical stuff, including millions of kilometres of wires and millions of devices including servers, routers, switches and hubs, much of it contained in specialized environments using massive amounts of power, Connolly says.
One of the great myths of the Internet age, he argues, is that it is in any way green. “I want to scream every time I see such nonsense,” he says.
A better term, he says, one used to describe the typical enterprise computing environment in the 1970s (think large mainframe computers and “dumb” terminals in offices), is “big iron.”
The spread of cloud computing and communications technology could use as much as 50 per cent of global electricity in 2030. Yet we seem to regard the cloud as a force solely for good, and perhaps that benign image of computing leads to us letting our guard down, Connolly says.
In terms of data safety, Connolly sees the cloud as a mixed bag.
“State-sponsored security threats are now the norm, thus the quantity and quality of threat sophistication has been amplified incredibly,” he says. “This change has coincided with the widespread move to cloud computing. Within the field of computing security, the key question has moved from, ‘How can we keep intruders out?’ to ‘Once they’re in, how do we minimize the damage?’
“Clearly, moving one’s computing from in-house to globally available-to-everyone cloud infrastructure potentially makes your data significantly less safe. On the flipside, outsourcing your security to the large cloud providers, who can presumably hire the best security minds, might actually be the sanest choice in today’s threat-rich environment.”
Connolly also says privacy concerns around the cloud need to be looked at in a broader historical perspective, and points to a fascinating Jonathan Franzen essay, “Imperial Bedroom,” that argues this generation lives in a world with more physical privacy than ever before.
“This doesn’t mean we should ignore the privacy issues around the cloud; rather we do need to have a broader historical perspective on how privacy has or is changing due to the cloud.”
Types of cyber attacks
PHISHING: When a fraudulent email disguised as a legitimate one is sent to a person with the hope that they will click on a link that installs malware, or otherwise causes them to share personal or confidential information.
SPEAR PHISHING: The same as phishing, but the email recipients are specifically targeted by the offender.
PRETEXTING: When an attacker directly contacts a victim, lies to them about the reason for their call with the aim of establishing trust and then presents them with typical questions before leading them into compromising questions.
SCAREWARE: When a person is tricked into thinking their computer has a virus, then an attacker offers them a “solution” to download or run, which is actually malware.
Signals in the noise
> The last line of defence remains an organization’s firewall, and the people who run the back end of Mount Royal’s computer networks are especially attuned to cybersecurity, with sophisticated check-in and check-out procedures.
“We just assume that every transaction will be compromised, so we make sure everybody goes through certain hurdles and we build in fail-safes,” says Mount Royal’s chief information officer, Michael Barr. “We have good hygiene and good behaviour, but we have to take it up a notch, because if you own the system and you get compromised, it’s obviously way more serious. So we’re very focused on that.”
Barr is also looking to the future with powerful analytic tools.
“The question becomes, ‘How do we invest in the next generation of tools of predictive analytics to constantly be looking at our environment and detect signals in the noise?’ Is there an anomaly out there that would make us kind of suspicious that something weird has just happened?”
Cybercriminals are getting better and better at blending in, but Barr says now and then a little blip announces their presence. ITS staff try to force would-be hackers to do awkward things to reveal themselves.
“You don’t just break into our system. You do some unnatural things and in doing so raise the probability that we’re going to find you, that you’re going to reveal yourself. This is the latest generation of what’s going on in the world trying to figure out cybersecurity. It’s fascinating stuff, big-time math, machine learning, big data, artificial intelligence, all to keep us safe.”
Barr says the number of brute-force attacks coming through the firewall is close to zero, but that Mount Royal’s defences get probed upwards of 1,000 times a second. “There are millions and millions and millions of events a day. There’s no way a human could process all that information. It’s just not possible. It would take you a lifetime to do it.”
Meanwhile, although large businesses are loath to co-operate, even on security, post-secondary institutions in Canada have banded together to improve their chances by sharing information.
“It’s probably one of the most valuable sources of information in the country outside of CSIS (Canadian Security Intelligence Service) or law enforcement,” Barr says. “We may see something happen at the University of Regina and usually within a few minutes the community is notified and you get a heads-up.”
Better education in the end means less time, effort and money spent on more expensive solutions.
“I know a lot of other organizations have just given up on humans, so all the money goes into the most expensive software and hardware that is out there to basically make up for the fact that you’re going to screw up,” Pasteris says. “We don’t have those financial resources available, but we know that we can hit that human element. It’s the best bang for our buck.”