André Cormier is the manager of the incident management and response teams at the Government of Canada’s Communications Security Establishment (CSE).

While the Federal Government is its main client, other organizations that are considered critical infrastructures can also benefit from intervention of the CSE.

Its teams intervene during cyberattacks, but they also note incidents that take place in Canada and document them. They act as an advisor to guide other organizations that might be victims of a cyber incident by directing them to the correct resources.

As such, André Cormier did us the honor of speaking at the 2020 Forensik Conference. He presented the best security practices that business leaders and managers should adopt in order to support their IT teams in the prevention of threats and response to cyberattacks.

We wanted to know more so we invited him to speak on our podcast INTRASEC, In Fidem’s cybersecurity channel.

Can organisations deemed “non-critical” call on the CSE?

Yes, it is even encouraged. This allows us to keep an eye on the attacks facing Canadian firms.

And while we can’t tackle the problem directly, we can offer them “generic” support on how they should respond to such attacks, direct them to documentation or other resources, etc.

Does this mean that the CSE is also an observatory?

One of the missions of the Canadian Centre for Cyber Security is to be the authority on cybersecurity in Canada. And thus, we need to have a good understanding of the incidents that take place in Canada in order to adjust the other services that are offered to the general population.

For example: publications on how to secure your networks, trends in cyber threats, etc.

The publications depend on what we view as threats in Canada.

Your presentation was on “How to support your teams during a crisis”, in other words, how to … prepare? What was the goal behind the conference?

When we were approached to do a talk, I saw that there was a section for managers. So, we thought it might be useful to do a presentation to help managers support their technical teams.

This is because managers must be able to help them prioritize certain changes in their organizations. For example, we often see that technical teams are overwhelmed and unable to justify major changes in the organization.

Simply put, the purpose of this conference was to help build a link between the technical world and the business world.

I have targeted three important topics that are sources of risk. And one of them is multi-factor authentication as we see a lot of incidents that could have been avoided if it was used.

In relation to multi-factor authentication, something that we underestimate or don’t think about is that some people will reuse personal passwords within a professional context. For example, my Yahoo or LinkedIn password in certain systems at the company I work for. And so, a breach of “public” services can pose a threat to private companies.

Essentially. This is especially true when using company emails to sign up for public services like LinkedIn, etc. and where that same password is also used internally. It is a real problem.

Lately, we have seen breaches of online services accompanied by large deposits of credentials in the dark web. [These credentials] will be used to try to compromise corporate access services remotely.

And we have seen intrusions where criminals did not even have to try different credentials. They had the email and password. They got into the systems without having to make too many login attempts…

Phishing is also another potential source of threat. We can see that phishing is still a very big problem. A ton of people can fall into the trap. Social engineering practices are on the rise and are increasingly sophisticated to the point where it is difficult to distinguish the real from the fake.

The adoption of multi-factor authentication is not, in your opinion, sufficient within companies?

No, not enough. Certainly, there is a cost associated with this, but we have seen in recent years that this cost has decreased substantially. So, of course, not all organizations would have budgets for this, but the majority of remote access solutions offer multi-factor authentication.

Something else I wanted to highlight is the security question, it’s not a separate factor because it’s the same thing as a password.

In any case, what we have seen is that a number of incidents could have been avoided if multi-factor authentication had been implemented.

One of the slides was about the types of vulnerabilities. Notably, system vulnerabilities which are threats that we can’t really prepare for. But once a vendor shares a “patch” for a newly identified vulnerability, the installation time for the patch is still very long … 37 days. How do you explain this delay?

The 37-day delay is the average time between the release of a software patch and the release of an exploit.

The message I wanted to send is that patch management is critical, especially for systems connected to the Internet.

When there is a major vulnerability and a patch is available, it is crucial that companies apply the patch as quickly as possible. In less than a week, we start to see exploits of these vulnerabilities …

These figures are from a very recent study, August 2020, by team 42 at Palo Alto Networks. And in that study, the team analyzed 500 major vulnerabilities since 2015. That’s where the 37 days come from.

And organizations are slow to apply these patches because if they apply them, oftentimes it can disrupt certain business processes?

Yes, this is often what discourages businesses from applying patches or delaying them. Oftentimes system administrators are sensitive to this because it is their responsibility to make sure these services are available.

A patch can also introduce a bug, so when we apply the patch, a service that had been working may now stop working. And that can depend on the use of the software. So even if the manufacturer runs tests, they cannot anticipate every use case.

So, that’s what I was trying to make managers aware of. When you have a service that is exposed to the Internet, you have to be ready to accept a loss of service because it is much less damaging than an intrusion.

In fact, we have seen that organized crime has reoriented toward cybercrime and that they will look to exploit easy targets such as sites that have not addressed these security flaws.

Oftentimes these managers are pressured to keep the services functional. But companies need to think about this risk management considering the fact that ransomware spares no one these days.

Before, we told ourselves, I don’t have important information, I’m not a target of interest, etc., but the ransomware doesn’t operate based on the importance of the data to the criminal, but rather on the importance of the data to a business; all data is important to a business.

A business cannot survive without its accounting systems, intellectual property, etc. so when you block access to these data and services, it is much more damaging to the business.

In sum, the point of the presentation was to say that ransomware attacks are on the rise and that it is really a devastating type of attack for organizations.

Why do people not seem to be aware of the risks of ransomware? Is it because when we think of cyber-attacks, we think of a breach like that at Desjardins?

That’s a good question. Of course, when you hear these attacks talked about, the victims are often big companies, municipalities, etc.

So, surely when you are an SME, even a large SME, and you are not the type of company that you would find in the news, you would probably feel less concerned.

And that’s why I wanted to say that it’s not true and that everyone was concerned. Criminals don’t care about that. They just want to get into systems to demand ransom.

In your presentation, you explain that these attacks are not necessarily “personal”. When a vendor releases a patch, they tell the world that there is a vulnerability which criminals could exploit. In other words, I am not getting attacked because I am a particularly interesting target, but rather because I am using a system with a vulnerability. In a way, it’s like the bad guys are going fishing …

Yes, it is true that some attacks are becoming easier to automate, but know that security vulnerabilities are not the only sources of vulnerability. We think, for example, of the credentials [from the dark web] that criminals can use to access systems.

With this, cybercriminals enter the network and seek to elevate their privileges through holes or configuration errors.

In sum, safety is not just one element. It’s a combination of actions in different places such as being sure to apply patches quickly and implementing multi-factor authentication, which will greatly reduce the risk of an intrusion, although there remain other factors of course. Awareness also comes into play …

If we come back to the purpose of the presentation, what should managers remember? What should they pay attention to?

The main things from my presentation to remember:

  • apply the patches as soon as possible in the event of a vulnerability;
  • implement multi-factor authentication;
  • have a monitoring system;
  • have backup files.

Because that’s what will ensure that you are going to be able to get your systems back online without having to pay the ransom.

What do you mean by “monitoring”?

I was talking about the event logs. We had to support some organizations and one of the glaring flaws was the lack of event logging from the remote access systems.

We saw that intrusions took place much earlier, several weeks before, for example. But companies have event logs that collect little information or don’t go back far enough … So, they couldn’t detect intrusions any earlier.

It is therefore necessary to ensure that the event logs contain the right information. So, it’s not just enabling logging, but also making sure you have the right level of information and that you have the right tools to do research and piece together events. What we don’t know is whether the shortcoming is due to a lack of investment, a lack of training or a lack of time …

In addressing this subject, I hope to allow them to reflect with their security team. Because you can’t simply buy and activate a product, especially when you have remote access systems. You must have access control and monitoring of these accesses to detect any anomalies.
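To make the monitoring point concrete, here is an added example (not CSE's or In Fidem's tooling) that runs three checks over constructed remote-access authentication log lines: whether each event carries the fields an investigator needs, which successful logins were made without a second factor, and whether the retained history covers an assumed 90-day lookback. The key=value log format, field names, sample lines and the 90-day window are all assumptions.

```python
"""Quick checks on remote-access (VPN) authentication logs.

Added example, not CSE's tooling. The log format, field names and the
90-day lookback are assumptions; the sample lines below are constructed.
"""
from datetime import datetime, timedelta, timezone

REQUIRED_FIELDS = {"ts", "user", "src", "result", "mfa"}
LOOKBACK = timedelta(days=90)  # assumed minimum history an investigation needs

# Constructed sample log: one key=value event per line.
SAMPLE_LOG = """\
ts=2020-06-01T02:14:09Z user=alice src=203.0.113.7 result=success mfa=yes
ts=2020-06-01T02:15:40Z user=bob src=198.51.100.23 result=success mfa=no
ts=2020-06-20T23:01:12Z user=carol src=203.0.113.9 result=failure
ts=2020-07-15T09:30:00Z user=bob src=198.51.100.23 result=success mfa=no
"""

def parse(line):
    """Turn 'k=v k=v ...' into a dict; values may contain '='."""
    return dict(tok.split("=", 1) for tok in line.split())

def missing_fields(events):
    """Logging is on, but the level of detail is not: events lacking a required field."""
    return [e for e in events if not REQUIRED_FIELDS.issubset(e)]

def no_mfa_logins(events):
    """Successful remote logins where no second factor was presented."""
    return [e for e in events if e.get("result") == "success" and e.get("mfa") == "no"]

def retention_gap(events, now):
    """Whole days by which the oldest retained event falls short of LOOKBACK (0 if covered)."""
    oldest = min(datetime.fromisoformat(e["ts"].replace("Z", "+00:00")) for e in events)
    shortfall = LOOKBACK - (now - oldest)
    return max(shortfall.days, 0)

def audit(log_text, now):
    """Run all three checks and return a summary a manager can act on."""
    events = [parse(l) for l in log_text.splitlines() if l.strip()]
    return {
        "incomplete_events": [e["user"] for e in missing_fields(events)],
        "no_mfa_users": sorted({e["user"] for e in no_mfa_logins(events)}),
        "retention_gap_days": retention_gap(events, now),
    }

if __name__ == "__main__":
    print(audit(SAMPLE_LOG, datetime(2020, 8, 1, tzinfo=timezone.utc)))
```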

Another theme that often came up in your presentation and others is the idea of playbooks and the best practices to put in place.

Yes, that is to make sure that once you have these playbooks, they are reviewed and updated regularly. Often documents will have associated contacts, and these people may have left the company … The risk is trying to contact someone who is no longer there …

“Who should be contacted? When do we involve the legal department? The communications department? Who has the authority to decide to close a service? What should we look into first?”

All of these things need to be documented because when you’re in the heat of the moment you have to act quickly, and long response time to incidents can further aggravate the situation.

It may sound tedious, but it is very useful. And it doesn’t need to be 300 pages. You have to have a list of names and know who to contact, depending on what situation. When it is a firewall, who do you contact? What is the escalation procedure after working hours?

Ransomware is important enough to have a specific section in these plans.

Last question, in two parts. As someone observing the situation in Canada, what do you think the trends are for the coming year and what should businesses do to protect themselves?

I don’t know that I’m very good at making predictions and we haven’t done a trend analysis. Nonetheless, ransomware attacks are expected to continue. Data theft will still be a major problem. It won’t disappear right away because it seems to be too good a revenue source for criminals.

What I would like would be a greater adoption of multi-factor authentication, for services exposed to the Internet, but also within the organization for the privileged access management.

Finally, I hope that within the next year, there will be greater awareness of these issues and better adoption of the best practices to adopt to protect yourself from cyberthreats and be able to respond to them effectively.

The full interview is available (in French) on Ausha, Spotify, Apple Podcasts, Google Podcasts, Podcast Addict.
