By Ted McIntyre
Stopping a determined cyber criminal is virtually impossible, but you can at least bar the door
“My business is paranoia, and I’m more paranoid than most,” says Victor Beitner, founder and CEO of Toronto-based Cyber Security Canada.
Beitner, whose security consulting work has ranged from demonstrating to Royal Canadian Mint officials how easy it is to counterfeit a $20 bill to current cyber audits of major corporations, suggests it would be healthy for us all to be a little worried, because accessing your entire digital network these days is as easy as walking through an open door.
“Not long ago, we went into a renovation company in Toronto that wanted to know whether their network was OK. They had antivirus and their IT guys had installed several of the right tools,” Beitner recalls. “I said, ‘Everything looks fine on the outside—your computers and printers are working properly. But let’s do a little digging.’ It turned out that they had malware on their server—for at least three years.
“The average time between infection and discovery—while someone is in your system, taking their time—is about nine months,” Beitner explains. “And it will usually be an outside party like us, not internally, who discovers that their computer is talking to Brazil when they don’t have any business there.”
Such breaches are reaching epidemic proportions. The big ones, of course, are well publicized. They include Equifax, whose massive cyber attack last September divulged personal information and credit card details that affected as many as 143 million Americans and 100,000 Canadians; the 2013 attack on retail giant Target, which exposed data of 41 million customers and cost the company an estimated $105 million US; and Bell Canada, which was accessed in January—the second such breach in eight months—exposing information of as many as 100,000 customers. Sometimes it’s banking records that are stolen, such as JPMorgan Chase in 2014. Sometimes it’s even more personal than that, such as the divulging of client names of marriage infidelity facilitator AshleyMadison.com.
A recent string of phishing expeditions has regrettably hooked a number of home building and renovator clients in the UK. According to the Telegraph’s Money section, fraudsters have targeted building firms who lack secure systems and who could be using the same password for multiple online accounts.
“Criminals find builders’ email addresses online and run these through freely available software online in order to see if there are any known passwords associated with those accounts. If they obtain the correct passwords, fraudsters can then access the email accounts and send emails purporting to be from the builder or contractor,” the Telegraph reports. “By reading through previous email exchanges they can quickly understand transactions and find ways to trick customers into making payments to designated accounts.”
That’s what happened to London lawyer Arthur Mullinger. While travelling in France, Mullinger, who was expecting an invoice, was emailed by the subcontractor working on his third-floor extension and payment was requested. Mullinger promptly transferred £10,800 into the Lloyds bank account provided, unaware that fraudsters had infiltrated that renovator’s email.
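The invoice-redirection chain described above (a hijacked builder mailbox, a reply that reads like the real contractor, new bank details) leaves signs that can be checked on the receiving end before anyone pays. The script below is an added example, not code from this article, the Telegraph, or Cyber Security Canada; the supplier domains, the phrase list, and the two messages are constructed for illustration.

```python
"""Flag inbound e-mails that carry the hallmarks of an invoice-redirection scam.

Added example; the messages below are constructed. The supplier list and the
phrase list are assumptions a business would replace with its own.
"""
import re
from email import message_from_string
from email.utils import parseaddr

# Domains of suppliers the business legitimately pays (assumed list).
KNOWN_SUPPLIER_DOMAINS = {"acme-renovations.example", "northbuild.example"}

# Wording that usually accompanies a request to change where money goes.
PAYMENT_CHANGE_PHRASES = (
    "new bank", "changed our bank", "updated account", "pay to the account",
    "transfer to", "new account details",
)

# Tokens that indicate bank details are present in the body.
ACCOUNT_RE = re.compile(r"\b(?:sort code|account(?: number)?|iban)\b", re.I)


def edit_distance(a, b):
    """Levenshtein distance, used to spot look-alike sender domains."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def lookalike_of(domain):
    """Return the known supplier domain this one imitates, or None."""
    for known in KNOWN_SUPPLIER_DOMAINS:
        if domain != known and edit_distance(domain, known) <= 2:
            return known
    return None


def body_text(msg):
    """Concatenate the text/plain parts of a parsed message."""
    out = []
    for part in msg.walk():
        if part.get_content_type() == "text/plain":
            payload = part.get_payload(decode=True) or b""
            out.append(payload.decode(part.get_content_charset() or "utf-8", "replace"))
    return "\n".join(out)


def bec_indicators(raw_message):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = message_from_string(raw_message)
    findings = []
    from_domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    reply_domain = parseaddr(msg.get("Reply-To", ""))[1].rpartition("@")[2].lower()
    # Replies silently routed to a different mailbox than the visible sender.
    if reply_domain and reply_domain != from_domain:
        findings.append(f"reply-to domain {reply_domain} differs from sender {from_domain}")
    # Sender domain one or two characters away from a supplier we know.
    imitated = lookalike_of(from_domain)
    if imitated:
        findings.append(f"sender domain {from_domain} looks like {imitated}")
    # Body both asks to change payment destination and supplies bank details.
    text = body_text(msg).lower()
    if any(p in text for p in PAYMENT_CHANGE_PHRASES) and ACCOUNT_RE.search(text):
        findings.append("body asks to redirect payment to new account details")
    return findings


# Constructed sample messages (not real correspondence).
SUSPICIOUS = """From: Dave <dave@acme-renovatlons.example>
Reply-To: dave.accounts@mail-relay.example
To: owner@client.example
Subject: Invoice 4471 - updated account details
Content-Type: text/plain; charset=utf-8

Hi, we have changed our bank. Please transfer to the account below.
Sort code 12-34-56, account number 12345678.
"""

LEGIT = """From: Dave <dave@acme-renovations.example>
To: owner@client.example
Subject: Progress photos
Content-Type: text/plain; charset=utf-8

Photos from the site visit attached. Invoice to follow next week.
"""

if __name__ == "__main__":
    for label, raw in (("suspicious", SUSPICIOUS), ("legit", LEGIT)):
        print(label, bec_indicators(raw) or "no indicators")
```

None of the three checks is proof on its own; the point is that all three firing on one invoice is exactly the pattern in the Mullinger case, and the script gives a person a reason to pick up the phone before transferring the money.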
How pervasive hacking is in Canada has previously been hard to nail down. Prior to 2018, Canadian organizations were not required to disclose to authorities—or their customers—that they’d been compromised. But that loophole is being closed this year with new Ottawa legislation, as part of the Digital Privacy Act, including significant fines for those who fail to disclose.
PROTECTING FROM THE INSIDE OUT
It’s difficult for companies to avoid such breaches in the modern business world, where employees are constantly connected to social media, retail websites and other spurious webpages, either via their work computers or personal devices—particularly when a simple email can bring you to your knees.
“Many folks buy all this fancy hardware and think they’re protected. The problem is, they’re not,” Beitner says. “A $20 router can block most cyber attacks from the outside. An organization can spend $25,000 on a fancy firewall to protect it from external threats. But that’s not how most of the bad guys are doing it today. They’re doing it from the inside. And that’s a challenge, because people like to click on links. Everyone is in a hurry-up, get-the-job-done mode. Let’s say you email a supplier and an email comes back almost instantly that looks like it’s from that contact. You click a link on their email and you’re toast.”
The infiltration process can be frighteningly easy, Beitner cautions. “It doesn’t matter if the hackers are in Romania, the Russian Federation, Brazil, China or next door. There are free online tools available that they can use to test a website to see if they can break in. And this is all automated. Then they run an ‘exploit.’ For example, if it’s a CMS site, they can inject some code into the database, and anytime someone pulls up a page, they get infected with spyware, ransomware, anything. You now have control of their computers. Or you can use it as a jumping point and send phishing emails, such as ‘View your package at FedEx…’ The link usually takes you to a compromised website, which will redirect you where the bad guy wants you to go, which has an exploit kit built onto the site. By the time you’ve touched the link, you’re already doomed.
“If I wanted to (break into a home builder website), I could contact an OHBA custom builder and say I’m interested in a 10,000 square foot home. Then their brain shuts off and they’re thinking, ‘We’ve got a great potential client!’” Beitner explains. “We start a relationship by email, then I send them my list of features—but that Word document or pdf could be weaponized. They open it up and now I’ve got them. A lot of these websites also have a ‘careers’ menu, where you can send your CV as an attachment. Their HR people open it up, and now the hacker has access to all client records, employee information, maybe even direct deposit info—a potential gold mine.”
Some attackers do not linger in your system; they come straight to the point and demand money, essentially holding your network for ransom. Ransomware is a form of malware that restricts access to your computer or your files and displays a message that demands payment in order for the restriction to be lifted. The infection, which traditionally arrives via a phishing email with a malicious attachment or a website pop-up advertisement that just begs to be clicked, can come in the form of a locked screen or encryption that prevents you from opening files on your system’s hard drive and/or shared network drives, USB drives, external hard drives and even some cloud storage drives. Typically, users’ computer screens will display a notification that their computer or data have been locked, with a demand for payment to regain access.
“Sometimes the notification states that authorities have detected illegal activity on your computer, and that the payment is a fine to avoid prosecution,” notes the Government of Canada’s Get Cyber-Safe campaign. In either case, the government suggests that you do not pay the ransom: “These threats are meant to scare and intimidate you, and they do not come from a law enforcement agency,” the Get Cyber-Safe site explains. What they do recommend is contacting the Canadian Anti-Fraud Centre, as well as a reputable computer technician or specialist to find out whether your computer can be repaired and your data retrieved. “The ‘ethical’ criminals have a business,” Beitner notes. “They have a toll-free call-in centre. A guy answers the phone and says, ‘Here’s the process—how to get the bitcoin (the web’s digital, anonymous currency) and how to pay it.’ Fifty percent of people pay the ransom.”
That 50% included the University of Calgary, which paid $20,000 in June 2016 after a ransomware cyber attack crippled its computer system. A similar breach later that year wreaked havoc on Ottawa’s Carleton University network. Trouble is, it’s hard to find an honest criminal these days.
“About 20% of those who pay actually do not get the keys,” Beitner says. “The money is gone and the data on their computer might be unrecoverable. Worse, once the criminals are in your computer, they’ll usually copy and steal your data—banking info, CAD drawings, trade secrets—anything they can use or sell.” One of the first steps in preparing for such hacks is for business owners—or personal computer owners, for that matter—to regularly back up data with a removable external storage drive.
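The ransomware behaviour described above (files on the hard drive and shared network drives rewritten as unreadable ciphertext, often with a new extension) is something a file server can watch for. The script below is an added example, not code from this article or from Cyber Security Canada; the file-change events are constructed in memory, and the thresholds are assumptions a defender would tune to their own environment.

```python
"""Score a burst of file rewrites for ransomware-like behaviour.

Added example; the events are constructed. Thresholds are assumptions.
"""
import hashlib
import math
import os
from collections import Counter

HIGH_ENTROPY = 7.2       # bits per byte; encrypted data sits close to 8.0
WINDOW_SECONDS = 60      # look for bursts inside this window
BURST_FILES = 5          # this many suspicious rewrites in one window raises an alert
EXPECTED_EXTENSIONS = {".docx", ".xlsx", ".pdf", ".dwg", ".txt"}  # assumed for this share


def shannon_entropy(data):
    """Bits of entropy per byte of `data`; ~8.0 for ciphertext, ~4-5 for English text."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def suspicious_write(path, data):
    """A rewrite looks like encryption-in-place when the new content is near-random
    AND the file now carries an extension this share has never used. Compressed
    formats such as .pdf are also high-entropy, so the extension check keeps them
    from triggering."""
    ext = os.path.splitext(path)[1].lower()
    return shannon_entropy(data) >= HIGH_ENTROPY and ext not in EXPECTED_EXTENSIONS


def first_alert_time(events):
    """events: iterable of (timestamp_seconds, path, new_content_bytes), any order.
    Returns the timestamp at which BURST_FILES suspicious rewrites were first seen
    inside WINDOW_SECONDS, or None if the activity never looked like a burst."""
    hits = sorted(ts for ts, path, data in events if suspicious_write(path, data))
    start = 0
    for end, ts in enumerate(hits):
        while ts - hits[start] > WINDOW_SECONDS:
            start += 1
        if end - start + 1 >= BURST_FILES:
            return ts
    return None


def pseudo_random_bytes(n, seed):
    """Deterministic stand-in for ciphertext (constructed, so the example is repeatable)."""
    out = bytearray()
    counter = 0
    while len(out) < n:
        out += hashlib.sha256(f"{seed}:{counter}".encode()).digest()
        counter += 1
    return bytes(out[:n])


# Constructed events: six project files rewritten as ciphertext within 15 seconds,
# versus the same six files saved as ordinary text over several minutes.
PLAIN = b"Quote for kitchen renovation: unit prices, labour and allowances.\n" * 40
ENCRYPTED_BURST = [
    (1000 + 3 * i, f"/shared/projects/job{i}.docx.locked", pseudo_random_bytes(2048, i))
    for i in range(6)
]
NORMAL_SAVES = [(1000 + 30 * i, f"/shared/projects/job{i}.docx", PLAIN) for i in range(6)]

if __name__ == "__main__":
    print("burst alert at:", first_alert_time(ENCRYPTED_BURST))   # 1012
    print("normal saves alert at:", first_alert_time(NORMAL_SAVES))  # None
```

An alert of this kind is only useful if the response is rehearsed: isolating the writing host and restoring from the removable backup the article recommends, which is why that backup needs to be disconnected when it is not in use rather than left mounted as one more drive for the malware to encrypt.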
Protocols for web surfing and social media should also be established within the office. Employees should additionally be mindful that even protected work-owned devices used outside the office can expose a business to the loss of sensitive information to malware and to other threats, cautions Get Cyber-Safe.
“For example, using public networks on a mobile device to send and receive business information can allow your private data to be viewed or used by unauthorized people.” And try using older technology once in a while. Call to verify financial requests. Yes, it takes a few extra minutes, but it can save you massive headaches down the road and will also reassure your clients that your company takes cyber security seriously. Sometimes, however, you can take all the right precautions and still be compromised by a trusted third party.
That’s what happened with Target, whose records were initially accessed on Nov. 15, 2013 due to a hack of Fazio Mechanical Services, a Sharpsburg, Pennsylvania provider of refrigeration and HVAC systems that worked at a number of Target locations. Beitner admits they had a similar case of an Ontario HVAC company that was breached via a contractor with which they worked—and that “was the guy who tested their software and did the patching! (The hackers) got him through his Android tablet,” Beitner relates. “We had another client that develops websites—they were inadvertently compromising their clients’ sites because they used tools that are free and usually not vetted.”
When all else fails, it’s nice to have cyber insurance to fall back on. And while it often requires that you do your due diligence—“Do you have antivirus on all your computers and are they always patched? Do you have a firewall on your computer? Do you have backups?”—Federated Insurance’s basic home builder policy doesn’t actually contain those prerequisites in its wording.
“Across all of my clients, I know of six or seven who have said, ‘Yeah, that’s happened to me,’” notes Federated Insurance Senior Risk Service Coordinator George Hurst, who has an undisclosed number of OHBA clients whose networks have been compromised in the past—predominantly with ransomware attacks.
“Typically, emails come disguised as a wholesaler bill, and once the company opens it, they’re done. Then they get asked for so many bitcoins to release their information or else the (hacker) will trash it all.” Federated introduced cyber coverage last May, adding $100 annually to its home builder policy for those who wish to partake. The policy will pay up to $5,000 for extortion and $50,000 if your computer system is destroyed, and will also cover lost business time and the cost of notifying others that your network has been hacked. “It’s basically getting you back to the safe operational mode you were in before,” Hurst explains.
“The problem is, once they hack in, they might be accumulating confidential information and selling it on the dark web,” Hurst notes. “Then you have identity theft claims that you could get sued over. That’s where cyber liability insurance comes into play.” Depending on the security the builder has and the nature of the files that could be accessed, the liability policy could range anywhere from $1,000 to $3,000. Hurst cites a small store chain in Ontario that was hacked. “It destroyed some of their financial records and shut down four stores for a while,” he relates. “It would have cost them tens of thousands, but fortunately they had the bigger policy in place.”
Even if your website does not store any critical information, you should still play it safe, Beitner stresses. “The website is the face of the company, the first thing people see; and if someone figures out a way to inject a script into your website, they can redirect traffic, capture all the transactions and visits and any contact info and information from clients.”
And it usually takes more than your typical IT department to ward off attacks, says Beitner, who notes that 50% of hacked companies aren’t even aware that their systems have been breached. “We are getting calls every day for security assessments. We’re going into law firms and medical practices and finding live attacks occurring inside the network. They have great IT people, but they’re too busy making things work properly and don’t look for the indicators.”
Indeed, nearly three-quarters of IT professionals in Canada feel strongly that some of their security solutions are outdated and inadequate, according to software giant Citrix Systems’ 2017 security report, “The Need for a New IT Security Architecture: Global Study.” In the report, Canada and South Korea (at 40%) were cited as the least confident that their organizations have the right policies and procedures in place to protect data and their infrastructure. Meanwhile, nine out of 10 Canadian respondents believe that employees’ use of social media in the workplace has a negative impact on security—15% higher than the global average.
So should companies treat cyber health like their own bodies and conduct annual check-ups? “A computer check-up is good, but it only works for a day,” says Beitner. “I think the next evolution in the world of computers is constant monitoring—someone looking at the traffic, the logs, firewall alerts.”
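The constant monitoring Beitner describes comes down to noticing things like the computer “talking to Brazil” mentioned earlier: one workstation contacting the same outside address on a fixed rhythm, which is how implanted malware typically checks in with its operator. The script below is an added example, not code from this article or from Cyber Security Canada; the firewall log lines are constructed in a simple key=value form, so the parser, the internal address ranges, and the thresholds are all assumptions to be adapted to a real firewall’s format.

```python
"""Spot beaconing in firewall logs: a host talking to one outside address on a steady timer.

Added example; log lines are constructed. The line format, internal ranges and
thresholds are assumptions.
"""
import ipaddress
import re
import statistics
from collections import defaultdict
from datetime import datetime, timedelta, timezone

LINE_RE = re.compile(
    r"^(?P<ts>\S+) (?P<action>\w+) src=(?P<src>\S+) dst=(?P<dst>\S+) dport=(?P<dport>\d+)"
)
INTERNAL_NETS = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]
MIN_CONNECTIONS = 6   # fewer than this and the rhythm is not measurable
MAX_JITTER = 0.15     # coefficient of variation of the gaps; human browsing is far noisier


def parse_line(line):
    """Return (unix_seconds, src, dst, dport) or None for lines in another format."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return ts.timestamp(), m["src"], m["dst"], int(m["dport"])


def is_internal(addr):
    ip = ipaddress.ip_address(addr)
    return any(ip in net for net in INTERNAL_NETS)


def find_beacons(lines):
    """Group outbound connections per (src, dst, dport) and flag flows whose
    inter-connection gaps are nearly constant. Returns [(key, mean_gap_s, jitter)]."""
    flows = defaultdict(list)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue                      # unparseable line: skip, never crash the monitor
        ts, src, dst, dport = parsed
        if is_internal(dst):
            continue                      # only outbound traffic is of interest here
        flows[(src, dst, dport)].append(ts)
    beacons = []
    for key, stamps in flows.items():
        if len(stamps) < MIN_CONNECTIONS:
            continue
        stamps.sort()
        gaps = [b - a for a, b in zip(stamps, stamps[1:])]
        mean = statistics.mean(gaps)
        if mean == 0:
            continue
        jitter = statistics.pstdev(gaps) / mean
        if jitter <= MAX_JITTER:
            beacons.append((key, round(mean), round(jitter, 3)))
    return beacons


# Constructed log: one host checking in with 203.0.113.45 roughly every five minutes,
# another host browsing irregularly, plus ordinary internal file-share traffic.
BASE = datetime(2018, 3, 4, 9, 0, tzinfo=timezone.utc)


def _line(offset_s, src, dst, dport):
    ts = BASE + timedelta(seconds=offset_s)
    return f"{ts.strftime('%Y-%m-%dT%H:%M:%SZ')} ALLOW src={src} dst={dst} dport={dport} bytes=512"


LOG_LINES = (
    [_line(o, "10.0.0.12", "203.0.113.45", 443) for o in (0, 304, 597, 902, 1195, 1501, 1803, 2100)]
    + [_line(o, "10.0.0.20", "198.51.100.7", 443) for o in (0, 12, 40, 700, 760, 2000, 2005)]
    + [_line(o, "10.0.0.12", "10.0.0.5", 445) for o in range(0, 2400, 300)]
    + ["malformed line that the parser must skip"]
)

if __name__ == "__main__":
    for key, mean_gap, jitter in find_beacons(LOG_LINES):
        print(f"beacon candidate {key}: every ~{mean_gap}s (jitter {jitter})")
```

A hit like this is a lead rather than a verdict (software updaters also poll on timers), but it is exactly the indicator the article says busy IT staff are not looking for, and it is cheap to run over a day of logs.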
For all his expertise, though, even Beitner says he’s not safe from digital intruders. “I wipe my systems fresh every couple of months—my phones, tablets, laptops. I may or may not have a higher IQ than most, but there are people out there with IQs that are off the charts, and if they want, they have the time and resources to figure out a way to hack me.”
So why should companies bother investing time and money to protect their networks if no one is safe?
“If you do nothing, it’s guaranteed someone will hack you at some point,” Beitner says. “That’s what these guys count on. They go after the lowest hanging fruit. It’s like breaking into a car—if the door is open, they’ll break in. But if they need to break the glass and make a lot of noise, they’ll just move on to the next car. Why would I spend a month trying to hack into the CIBC when I can spend no money, send you an email and own your home-building company a few minutes later?”