{"id":24155,"date":"2022-06-17T15:13:24","date_gmt":"2022-06-17T19:13:24","guid":{"rendered":"https:\/\/www.itworldcanada.com?p=488885"},"modified":"2022-06-20T10:56:06","modified_gmt":"2022-06-20T14:56:06","slug":"cyber-security-today-week-in-review-for-friday-june-17-2022","status":"publish","type":"post","link":"https:\/\/technewsday.com\/staging\/cyber-security-today-week-in-review-for-friday-june-17-2022\/","title":{"rendered":"Cyber Security Today, Week in Review for Friday June 17, 2022"},"content":{"rendered":"<p>Welcome to Cyber Security Today. This is the Week in Review edition for the week ending Friday June 17th, 2022. I\u2019m Howard Solomon, contributing reporter on cybersecurity for ITWorldCanada.com.<\/p>\n<p>In a few minutes I\u2019ll be joined by David Shipley, head of <a href=\"https:\/\/www.beauceronsecurity.com\/\" rel=\"noopener\">Beauceron Security<\/a> in New Brunswick, to discuss some of what\u2019s been going on. But first a look back at significant events in the past seven days:<\/p>\n<p><strong>Proposed federal legislation<\/strong><a href=\"https:\/\/www.itworldcanada.com\/article\/designated-canadian-firms-would-have-to-report-cyber-breaches-under-proposed-law\/488372\" rel=\"noopener\"> announced this week<\/a> would give the Canadian government some oversight over the cybersecurity programs of many companies providing critical services. It would also force them to report breaches of cybersecurity controls. David and I will parse this proposed law.<\/p>\n<p>And just as we were recording this show on Thursday the government announced <a href=\"https:\/\/www.itworldcanada.com\/article\/breaking-news-government-files-latest-attempt-at-privacy-legislation-reform\/488771\" rel=\"noopener\">a proposed overhaul of the privacy legislation<\/a> covering much of the business sector in Canada. The timing will be tight but David and I will have a few minutes to squeeze in some commentary about that.<\/p>\n<p><strong>Linux administrators are being warned<\/strong> of a newly-discovered and hard-to-detect piece of malware. 
<a href=\"https:\/\/blogs.blackberry.com\/en\/2022\/06\/symbiote-a-new-nearly-impossible-to-detect-linux-threat\">Researchers at BlackBerry and Intezer<\/a> said the malware, which they call Symbiote, is a shared library that gets loaded into every running process on an infected server rather than running as a process of its own. That gives the attacker rootkit functionality, including the ability to hide its own files and network connections, steal passwords and install a backdoor that gives remote access. Because it hooks the very tools an administrator would use to look for it, checks run on the host itself can\u2019t be trusted; look for it from outside, for example by comparing traffic seen on the wire with what the server reports.<\/p>\n<p><strong>That\u2019s not all<\/strong> Linux admins have to worry about. <a href=\"https:\/\/www.akamai.com\/blog\/security\/new-p2p-botnet-panchan\" rel=\"noopener\">Researchers at Akamai discovered<\/a> a new peer-to-peer botnet and worm that has been actively breaching Linux servers since March. Dubbed Panchan, the botnet was made up of 209 infected computers at the time of the report, including 82 in Asia, 66 in Europe and 48 in the U.S. and Canada. Targets include telecom companies and universities. The worm spreads by guessing weak SSH passwords and by reusing SSH keys it harvests from machines it has already compromised, so protect your servers with strong, unique credentials (or key-only SSH logins), multifactor authentication and network segmentation.<\/p>\n<p><strong><a href=\"https:\/\/www.securityweek.com\/windows-updates-patch-actively-exploited-follina-vulnerability\">Microsoft issued a security update<\/a><\/strong> for the Windows vulnerability called Follina (CVE-2022-30190), a flaw in the Microsoft Support Diagnostic Tool that can be triggered from a booby-trapped Office document and affects a number of versions of the operating system and Microsoft Office. This vulnerability has been actively exploited since April, so the update should be installed as soon as possible, along with the other critical updates released this week.<\/p>\n<p><strong>IT departments<\/strong> that use Cisco Systems\u2019 Secure Email and Web Manager appliances (and the related Secure Email Gateway) have been warned <a href=\"https:\/\/tools.cisco.com\/security\/center\/content\/CiscoSecurityAdvisory\/cisco-sa-sma-esa-auth-bypass-66kEcxQD\" rel=\"noopener\">to install the latest security updates<\/a>. The patches close a major vulnerability that could allow an unauthenticated remote attacker to bypass login authentication and access the web management interface. The flaw is only reachable when the appliance is configured to use external authentication with LDAP, so if you can\u2019t patch immediately, check that setting.<\/p>\n<p><strong>And<\/strong> email administrators who use the Zimbra email suite should make sure they\u2019re running the latest version. 
This comes after <a href=\"https:\/\/blog.sonarsource.com\/zimbra-mail-stealing-clear-text-credentials-via-memcache-injection\/\" rel=\"noopener\">researchers at SonarSource of Switzerland announced<\/a> they found a vulnerability that allows an unauthenticated attacker to steal users\u2019 login credentials in clear text by injecting commands into the memcached instance Zimbra relies on. The patch was released last month, so there\u2019s no excuse for not having installed it by now.<\/p>\n<p><em>(The following discussion has been edited for clarity. To hear the full conversation play the podcast)<\/em><\/p>\n<p><strong>Howard:<\/strong> We\u2019ll start by looking at the proposed cybersecurity legislation announced on Tuesday. One part is a new law called the Critical Cyber Systems Protection Act [CCSPA]. It will allow the government to name companies as vital services in four critical infrastructure sectors \u2014 financial, energy, telecom and transportation. Those companies will have to show regulators they have cybersecurity programs, can mitigate supply-chain and third-party risks, and have to report cybersecurity incidents to the Communications Security Establishment \u2014 which for our American listeners is the equivalent of the combined National Security Agency and Cybersecurity and Infrastructure Security Agency. Regulators will have the power to give the companies orders if they don\u2019t like what they\u2019re doing in cybersecurity. And the companies will have to exchange information about cyber incidents. What do you think of this proposed act?<\/p>\n<p class=\"western\"><strong>David Shipley:<\/strong> I think it\u2019s a great first step, and I think it brings telecommunications, energy and transportation up to the same level of cyber security oversight and accountability as the Canadian financial system. And given their importance to our economy, I think it\u2019s entirely appropriate. 
It sets up some basic cyber security hygiene standards, creates relationships between experts at the Communications Security Establishment (CSE) and the regulators for each of these important sectors to advance the state of security \u2014 and that\u2019s not a bad thing. And it does provide for mandatory breach reporting by these sectors, which is fantastic. So there\u2019s a lot I like.<\/p>\n<p class=\"western\">But there are also some concerns: It doesn\u2019t require mandatory information sharing from CSE back to stakeholders when they learn about incidents. They do a good job of that today, but it is voluntary. I\u2019d like to see that firmed up a little bit in the legislation so that the insights and lessons learned, which are the most important thing when a cyber incident happens, get shared with somebody: What were the root causes? How can we improve?<\/p>\n<p class=\"western\">When we look at the Europeans\u2019 NIS2 proposal [<a href=\"https:\/\/ec.europa.eu\/commission\/presscorner\/detail\/en\/IP_22_2985\" rel=\"noopener\">an EU cybersecurity standard<\/a>] they\u2019re going beyond just key sectors to any sector that could have a meaningful economic impact. I think about the food supply chain and the JBS Meats ransomware attack. At a minimum, this [Canadian] legislation should have the food supply chain in there because they are just getting hammered with cyber attacks.<\/p>\n<p class=\"western\">But if we step back, the majority of actual attacks are not in these four sectors [telecom, energy, finance and transportation]. It\u2019s far more likely to be subnational entities \u2014 hospitals, school districts, municipalities, small and mid-sized businesses who are not covered by this proposed regulation. 
Senior Canadian government officials indicated in a technical briefing that they have the ability to add more sectors to the law, but the intent for now is to see provinces draft their own mandatory breach reporting for areas of their jurisdiction. That\u2019s problematic for several reasons. Number one: if each province is going to regulate these other sectors, you could have \u2018have-not\u2019 security provinces. Second, imagine if there are 13 different cybersecurity reporting laws and I get hit but have business across the country. Reporting to all jurisdictions seems like a nightmare. And finally, some provinces might have industry write the laws. Well, that hasn\u2019t worked out so well when it comes to things like the right to information.<\/p>\n<p class=\"western\"><strong>Howard:<\/strong> The proposed act has some gaps that are going to be filled in after consultations with industry and the issuance of regulations. One of the things it does do is define what cyber incidents have to be reported: Anything that interferes with the continuity, confidentiality, integrity, security or availability of a vital IT system. Is that too broad?<\/p>\n<p class=\"western\"><strong>David:<\/strong> It is a really interesting question. There may be some pushback from the industry about scale and significance. Under this legislation, theoretically, one device hit with ransomware and encrypted might check all these boxes. But is that really what CSE wants to hear, or do they want to hear about more significant outbreaks that have more meaningful impact?<\/p>\n<p class=\"western\"><strong>Howard:<\/strong> But the problem is, in your example where there\u2019s only one computer in a company that\u2019s been hit by ransomware, it may be a unique strain and that company may have stopped the attack from spreading. Isn\u2019t that justification for very quickly notifying the government of that attack?<\/p>\n<p class=\"western\"><strong>David:<\/strong> I tend to agree with you. 
It\u2019s like catching patient zero with a novel coronavirus: imagine how important it is to identify [the new virus] and notify others. Little attacks might fit into a bigger-picture pattern that CSE may have. So I\u2019m not against this. But as a CISO friend said to me when I shared the legislation, this is going to have budget leverage, a financial impact on companies.<\/p>\n<p class=\"western\"><strong>Howard:<\/strong> I mentioned that there are some gaps. There are things that the government still wants to negotiate with companies and will set certain standards in regulations. One of them is how fast an incident will have to be reported. Another is how much detail will have to be reported. Those are pretty crucial details missing for a CIO or CISO.<\/p>\n<p class=\"western\"><strong>David:<\/strong> Timeline\u2019s going to be important. I think we should <a href=\"https:\/\/www.pwc.com\/us\/en\/services\/consulting\/cybersecurity-risk-regulatory\/library\/cyber-breach-reporting-legislation.html\" rel=\"noopener\">match the American required timeline of 72 hours<\/a> for firms in critical infrastructure. We\u2019ve seen some legislation proposed in other countries that requires disclosure within hours of becoming aware. That\u2019s completely ludicrous \u2026 But also, if it\u2019s a multi-sector attack, the start of a real big nation-state push, you don\u2019t want to have a huge window of weeks here. I hope it\u2019s as closely aligned in process and look and feel as the Americans have done, because we are a tightly integrated economy. Many of our companies will probably have to report to the United States as well as Canada, so having different sets of processes is probably unreasonable. That is one of the concerns that\u2019s been raised by some industry stakeholders: \u2018We already have to report to our regulator. Why couldn\u2019t the regulator just decide if CSE gets to hear this? 
Why do we have to create duplicate processes?\u2019<\/p>\n<p class=\"western\"><strong>Howard:<\/strong> The regulator they might have to report to is the privacy commissioner of Canada. But then there\u2019s a different standard. You report to the privacy commissioner if there\u2019s been a breach of security controls on data that would pose a real risk of serious harm to a customer or an employee. [As opposed to the CCSPA\u2019s standard described earlier].<\/p>\n<p class=\"western\"><strong>David:<\/strong> Canadian banks have to report to the Office of the Superintendent of Financial Institutions (OSFI), which sets their cybersecurity standards for them. Why not just keep that single process flow and make the regulator responsible for feeding information to CSE, is one argument.<\/p>\n<p class=\"western\"><strong>Howard:<\/strong> One provision in the proposed Canadian cybersecurity legislation says that as soon as any cybersecurity risk to a company\u2019s supply chain or its use of third-party products and services has been identified, the company has to take reasonable steps to mitigate those risks. Is that going to cause a problem for IT departments?<\/p>\n<p class=\"western\"><strong>David:<\/strong> It gets interesting. When we go back to the <a href=\"https:\/\/www.itworldcanada.com\/article\/how-the-solarwinds-hackers-hid-their-work\/441201\" rel=\"noopener\">SolarWinds attack<\/a> [where the update mechanism for its Orion network management suite was compromised], think about all these Canadian companies having to report to CSE that they got hit. The government has order-making capability. What if it says to companies, \u2018Pull it all out\u2019? But IT can\u2019t monitor the network without Orion. The government replies, \u2018We don\u2019t care.\u2019 Theoretically, that might happen. 
Or they might say, \u2018Tell us what your plan is to replace it,\u2019 which puts more onus on companies to say, \u2018We\u2019ve worked with the vendor, they\u2019ve improved their processes. We\u2019ve tightened up our contracts.\u2019 It\u2019ll be interesting to see how it gets applied \u2014 if we even ever know how it gets applied. The legislation gives the government the ability to issue completely private security orders.<\/p>\n<p class=\"western\"><strong>Howard:<\/strong> But it\u2019s an emergency clause. There\u2019s some logic to saying a company isn\u2019t moving fast enough to plug a hole in its system for whatever reason and so we\u2019re going to issue an order to them to protect the public\u2019s safety.<\/p>\n<p class=\"western\"><strong>David:<\/strong> I agree the order-making power is sort of a weapon of last resort. I think the hope is that these companies see it\u2019s in their own self-interest to deal with cyber threats as soon as possible. The part that I am concerned about is the secrecy component. The government can make secret orders to companies to pull equipment, force patches or force changes, et cetera. And it\u2019s not to say that there can\u2019t be a secrecy window. But think about Google Project Zero, for example. Google gives a window of time for organizations to get their stuff cleaned up and then they\u2019ll publicly report a vulnerability. This is something for a parliamentary committee to look at when it reviews the proposed law. 
It needs revisiting because I don\u2019t like the idea of the government being able to make secret orders without ever having to be publicly accountable.<\/p>\n<p class=\"western\"><strong>Howard:<\/strong> This goes back to an old debate: If companies have to notify the government there\u2019s been a data breach or a serious cyber incident, why shouldn\u2019t they notify the general public as well?<\/p>\n<p class=\"western\"><strong>David:<\/strong> There has to be an appropriate notification regime, and I think we can deal with that. But when, say, an energy utility gets punched and punched hard it doesn\u2019t necessarily want to give all the gory details out to the public and reduce confidence and trust in the work that it\u2019s doing. There are all kinds of reputational implications and harms that could come into play. So I\u2019m okay with them getting a shield on this one \u2014 particularly if we\u2019re talking about one computer. But what\u2019s important on the other side of that equation is what they [regulators] do with the breach reporting. We should get the de-identified, anonymized key root causes and lessons learned disseminated \u2014 at least to other energy companies so that they don\u2019t make the same mistakes. Ideally that gets posted publicly, again without names, so that other industries where it might also be germane can see. Right now in Canada we rely on vendors in the security industry to issue reports, which is okay in some respects, but they always do it from their own lens of, \u2018You need to buy my thing.\u2019 And I say this as the CEO of a cyber security company. I like the idea of an independent government agency publishing the facts of an incident and the lessons learned and the best practices so you don\u2019t have that vendor lens on it.<\/p>\n<p class=\"western\"><strong>Howard:<\/strong> As I said, the cyber security legislation package had two parts. 
The other part amends the federal Telecommunications Act and gives the government the power to ban telcos and internet providers from doing anything that harms their networks. This is the legal basis for the government of Canada to forbid cellular carriers from having network equipment from China\u2019s Huawei and ZTE in their systems. What do you see in this package that would worry telecoms and internet providers?<\/p>\n<p class=\"western\"><strong>David:<\/strong> There could be some legitimate concerns. We could be told to pull a piece of equipment for whatever reason and we\u2019re not given any compensation. We made that investment. We made it in good faith, et cetera, and if we don\u2019t do that there\u2019s a big stick of a $10 million to $50 million fine. It\u2019s an awfully big stick. I\u2019m not sure what the checks and balances are. [Editor\u2019s note: Telcos can appeal to a judge.] Given the critical role they play, having the telecommunications industry under additional regulatory oversight relative to cyber security makes sense. But there should be a little give and take here, particularly if you\u2019ve got a government that maybe didn\u2019t give clear direction, or the geopolitical situation may have changed in radical ways that no one could have foreseen. I wonder if that will get some sober second thought as [Parliamentary] committees get to dig into things.<\/p>\n<p class=\"western\"><strong>Howard:<\/strong> We had a quick look at the proposed privacy legislation that was introduced only hours before we started this recording, but to me it looks awfully similar to the original version, which didn\u2019t pass Parliament before the election was called last year. What do you think of it?<\/p>\n<p class=\"western\"><strong>David:<\/strong> We desperately need modernized privacy legislation in Canada with real accountability for firms that are abusing people\u2019s personal information. This is a good step. 
[Right now] we\u2019ve essentially got paper tigers with our federal privacy commissioner. We look back at things that have happened with social media companies like Facebook or the Cambridge Analytica case, or we think about the stuff that was going on with Clearview AI, and we\u2019ve had the essential consequence of a stern finger-wagging for serious violations of privacy. This [new legislation] does move the bar. I particularly like the improvements they\u2019ve made recognizing that data involving children is particularly sensitive, and the additional rigor around [protecting] that. What\u2019s disappointing about this legislation, both its original version and its re-introduction, is we were the pioneers in Canada in privacy by design \u2026 and that framework isn\u2019t apparent in this legislation.<\/p>\n<p class=\"western\"><strong>Howard:<\/strong> One of the things that both the first attempt by the government to reform the privacy law and this new attempt include is the creation of a data privacy tribunal that will review recommendations by the federal privacy commissioner to issue fines for companies that don\u2019t comply with the privacy legislation. In England, for example, the privacy commissioner has the power to issue a fine. The Canadian legislation creates a tribunal. The privacy commissioner would only have the power to recommend fines \u2014 and admittedly they\u2019re multimillion-dollar fines. But it would be up to the privacy tribunal to actually approve fines. The previous privacy commissioner complained this is an extra step and it just drags out the whole process.<\/p>\n<p class=\"western\"><strong>David:<\/strong> This comes down to whether you trust your privacy commissioner to do their job, which is to investigate and then to impose consequences. I think that\u2019s a clearer signal. 
I\u2019d rather have you hire a privacy commissioner, empower them with a team, make sure they\u2019re applying the law as you\u2019ve written it and let them take their action \u2014 and companies can appeal to the courts. A tribunal is unnecessary.<\/p>\n<p class=\"western\"><strong>Howard:<\/strong> I\u2019ll play the part of business: \u2018I don\u2019t want a bureaucrat, an appointed person, to act as judge and jury \u2014 he judges me on whether I\u2019ve complied with the privacy law, and then he fines me.\u2019<\/p>\n<p class=\"western\"><strong>David:<\/strong> \u2018But I would like three more bureaucrats [in the tribunal] to be on top of that bureaucrat.\u2019 You\u2019ve got the privacy commissioner and then you\u2019ve got the courts [to appeal to], who are professional legal experts and arguably would probably be better for you overall in applying law than a tribunal appointed by the government who aren\u2019t judges. If you really want accountability and oversight over this office, do it through the federal court.<\/p>\n<p class=\"western\"><strong>Howard:<\/strong> One thing to remember is that the Liberal government is in a minority. These pieces of legislation need the support of a big enough opposition party to pass. So there\u2019s no guarantee they\u2019re going to become law [without changes].<\/p>\n<p class=\"western\"><strong>David:<\/strong> I don\u2019t see philosophical opposition to the privacy legislation or even the cybersecurity legislation from the key party that\u2019s propping them up, the NDP. I think the Conservative Party will want to dig into the business impacts on the privacy law and how that\u2019s going to affect the Canadian economy. 
I think one of the most important questions that probably needs to be asked is whether this law is up to snuff for European equivalency [under the<a href=\"https:\/\/www.itworldcanada.com\/article\/gdpr-advice-to-canadian-firms-chill-out-but-get-working-on-it\/405631\" rel=\"noopener\"> General Data Protection Regulation<\/a>].<\/p>\n<p class=\"western\"><strong>Howard:<\/strong> I would expect that the government has had informal conversations on the wording of the proposed privacy legislation.<\/p>\n<p class=\"western\"><strong>David:<\/strong> I certainly hope so.<\/p>\n<p>The post <a href=\"https:\/\/www.itworldcanada.com\/article\/cyber-security-today-week-in-review-for-friday-june-17-2022\/488885\">Cyber Security Today, Week in Review for Friday June 17, 2022<\/a> first appeared on <a href=\"https:\/\/www.itworldcanada.com\/\">IT World Canada<\/a>.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>This episode features a discussion about the newly-proposed Canadian cybersecurity incident reporting and data privacy 
l<\/p>\n","protected":false},"author":17,"featured_media":20701,"comment_status":"closed","ping_status":"closed","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[58,360,16],"tags":[389],"class_list":["post-24155","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-government-public-sector","category-podcasts","category-security","tag-cyber-security-today"],"acf":[],"_links":{"self":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/24155","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/users\/17"}],"replies":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/comments?post=24155"}],"version-history":[{"count":3,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/24155\/revisions"}],"predecessor-version":[{"id":24244,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/posts\/24155\/revisions\/24244"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media\/20701"}],"wp:attachment":[{"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/media?parent=24155"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/categories?post=24155"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/technewsday.com\/staging\/wp-json\/wp\/v2\/tags?post=24155"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}