Canada Ranks Third Among Countries Most Vulnerable to Cyber Attacks

According to The National Exposure Index, a report released by cyber security vendor Rapid7 Labs, Canada ranks third on a list of countries most vulnerable to cyber attacks. The goal of the report was to determine which countries are most at risk for deliberate, wide-scale breaches.

Countries were ranked based on their unencrypted services on the public internet, services on the internet that are unsuitable for public access and services that are subject to abuse. Notably, researchers found that countries with the most risk have a significant investment in, and reliance on, a safe and stable internet.

Other interesting findings include the following:

  • The top five countries in the 2018 exposure ranking were the United States, China, Canada, South Korea and the United Kingdom. Together, these countries control over 61 million servers on at least one of the ports surveyed.
  • There are 13 million exposed endpoints associated with direct database access.
  • There are about 40,000 unpatched, out-of-date servers. These servers are at risk of being targeted in future, large-scale distributed denial-of-service attacks.
  • Mature and traditionally profitable countries are not the only ones that rely on a healthy internet. As of 2018, more than half of the entire world maintains an active internet presence.

Rapid7 Labs hopes internet service providers can use these findings, with the help of policy-makers, to create a more secure global internet. To read the full report, click here.

© Zywave, Inc. All rights reserved

Basic Cyber Loss Control Techniques

Protecting your business from cyber risks can be an overwhelming venture. With each passing month, new and more sophisticated viruses are being discovered, more spam is reaching your inbox and yet another well-known company becomes the victim of a data breach.

The world will never be free of cyber risks, but there are many loss control techniques you can implement to help protect your business from exposures.

Install a firewall for your network.

Operating systems often come with pre-installed firewalls, but they are generally designed to protect just one computer. Examine the firewall’s options and select the best configuration to keep the computer safe.

If your business has a network of five or more computers, consider buying a network firewall. They can be pricey but network firewalls provide a fine level of coverage for an entire network.

Install anti-virus, anti-malware and anti-spyware software.

This loss control technique is the easiest and most effective way to increase security at your business. Make sure to install the software on each computer in your network—computers that don’t include these types of software are much more likely to be exposed and can possibly spread malware to other computers in the network. There are a host of viable options for each type of software, ranging in price from free to an annual subscription. Be sure to keep the software as up-to-date as possible.

Encrypt data.

No firewall is perfect. If a hacker manages to get through your firewall and into your network, your data could be a sitting duck. Encryption will make the data unreadable to a hacker. Consider using an encryption program to keep computer drives, files and even email messages safe from hackers.

Use a Virtual Private Network (VPN).

A VPN allows employees to connect to your company’s network remotely. VPNs eliminate the need for a remote-access server, saving companies lots of money in remote server costs. In addition to these savings, VPNs also provide a high level of security by using advanced encryption and authentication protocols that protect sensitive data from unauthorized access. If your company has salespeople in the field or employs workers who work from home or away from the office, a VPN is an effective way to minimize cyber risks.

Implement an employee password policy.

One of the most overlooked ways to keep your business safe is instituting a password policy. Essentially, a password policy should force employees to change work-related passwords every 90 days. The policy should encourage the creation of easy-to-remember, hard-to-guess passwords that include letters, numbers and special characters. For example, an easy-to-remember, hard-to-guess password could be “M1dwbo1025.” (My first daughter was born on Oct. 25th.)

Passwords that contain words from the dictionary or contain sensible combinations (abc123, qwerty, etc.) should never be allowed. Let employees know that they should not write passwords down and leave them in a desk or out in the open. If they are having trouble remembering passwords, there are password-keeping programs available for download.
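The rules in the two paragraphs above (letters, numbers and special characters; no dictionary words; no predictable sequences such as abc123 or qwerty; rotation every 90 days) can be enforced mechanically. The following checker is an added example written for this page, not code from the newsletter or its publisher. The minimum length of 10, the short word list and the keyboard rows are assumptions constructed for the demo; a real deployment would use a full dictionary and a breached-password list.

```python
"""Password-policy checker for the rules described in the article.

Added example; the word list, keyboard rows and minimum length are constructed
assumptions, not values from the newsletter.
"""
from datetime import date
from typing import List

MIN_LENGTH = 10          # assumption: the article sets no minimum length
MAX_AGE_DAYS = 90        # rotation interval stated in the article
SPECIAL = set("!@#$%^&*()-_=+[]{};:'\",.<>/?\\|`~")

# Constructed stand-in for a real dictionary (the article bans dictionary words).
DICTIONARY_WORDS = {"password", "welcome", "summer", "winter", "company",
                    "dragon", "monkey", "letmein", "football"}

# Keyboard rows, used to catch "sensible combinations" such as qwerty or asdf.
KEYBOARD_ROWS = ("qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890")


def has_sequential_run(pw: str, run: int = 3) -> bool:
    """True if any `run` consecutive characters step by +1 or -1 (abc, 123, cba)."""
    codes = [ord(c) for c in pw.lower()]
    for i in range(len(codes) - run + 1):
        window = codes[i:i + run]
        steps = {b - a for a, b in zip(window, window[1:])}
        if steps == {1} or steps == {-1}:
            return True
    return False


def has_keyboard_walk(pw: str, run: int = 4) -> bool:
    """True if the password contains a keyboard-row fragment, forwards or reversed."""
    low = pw.lower()
    for row in KEYBOARD_ROWS:
        for i in range(len(row) - run + 1):
            frag = row[i:i + run]
            if frag in low or frag[::-1] in low:
                return True
    return False


def contains_dictionary_word(pw: str, min_len: int = 4) -> bool:
    """True if any listed word of at least `min_len` letters appears in the password."""
    low = pw.lower()
    return any(w in low for w in DICTIONARY_WORDS if len(w) >= min_len)


def check_password(pw: str) -> List[str]:
    """Return the list of policy violations; an empty list means the password is acceptable."""
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isalpha() for c in pw):
        problems.append("no letters")
    if not any(c.isdigit() for c in pw):
        problems.append("no digits")
    if not any(c in SPECIAL for c in pw):
        problems.append("no special characters")
    if contains_dictionary_word(pw):
        problems.append("contains a dictionary word")
    if has_sequential_run(pw) or has_keyboard_walk(pw):
        problems.append("contains a predictable sequence (e.g. abc123, qwerty)")
    return problems


def rotation_due(last_changed: str, today: str, max_age_days: int = MAX_AGE_DAYS) -> bool:
    """True once a password (ISO dates) is older than the policy's rotation interval."""
    age = date.fromisoformat(today) - date.fromisoformat(last_changed)
    return age.days > max_age_days


if __name__ == "__main__":
    # "M1dwbo1025." is the article's own example; the trailing period is its special character.
    for candidate in ["M1dwbo1025.", "abc123", "Summer2018!", "qwerty!2345"]:
        print(candidate, "->", check_password(candidate) or "OK")
    print("rotation due:", rotation_due("2018-01-01", "2018-04-02"))
```

Run as a script it prints the verdict for each candidate; in practice the same `check_password` function would sit behind the password-change form so that a rejected password never reaches the directory.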

Back up data regularly.

Important data should be backed up daily and in multiple locations, one being off-site. In addition to being safe from cyber risks, off-site data would also be protected from physical events such as a fire or tornado.

Restrict access to backed up data. The public should never have access to it. If the data is tangible, keep it in locked filing cabinets in a locked room, and only issue keys to those who absolutely need them.

Develop a business continuity plan.

If the worst should happen and your company suffers a data breach or similar attack, you should have a business continuity plan in place. A business continuity plan helps:

  • Facilitate timely recovery of core business functions
  • Protect the well-being of employees, their families and your customers
  • Minimize loss of revenue/customers
  • Maintain public image and reputation
  • Minimize loss of data
  • Minimize the critical decisions to be made in a time of crisis

The plan should identify potential cyber risks, along with the recovery team at your company assigned to protect personnel and property in the event of an attack. The recovery team should conduct a damage assessment of the attack and guide the company toward resuming operations.

Contact Your Loss Control Expert

Keeping your data safe from cyber risks requires constant attention to ensure an attack never happens. Your insurance broker can help you identify potential risks and keep your business running smoothly in the event of an attack.


Federal Budget Details $600 Million Investment in Cyber Security

The federal government recently released its 2018-19 budget. Among other important allocations, the government announced an investment of more than $600 million in data privacy. Specifically, the budget calls for $507.7 million over the next five years and $108.8 million each year thereafter for a new national cyber security strategy to help protect Canadians and their sensitive personal information.

A portion of the funds—$155.2 million during the next five years and $44.5 million per year thereafter—will go toward establishing a new Canadian Centre for Cybersecurity. This centre will allow the government to consolidate its cyber expertise under one roof as well as establish a single source of advice, guidance, services and support on cyber security-related matters.

In addition to funding the creation of the Canadian Centre for Cybersecurity, the government will provide $236.5 million over the next five years and $41.2 million per year thereafter to support the national cyber security strategy. This strategy is designed to do the following:

  • Enhance the government’s ability to investigate, prepare for and respond to cyber crime.
  • Create a voluntary cyber-certification program to help students and businesses improve their cyber security.
  • Improve cyber security on a national level by working alongside provincial, territorial, private-sector and international partners.

To learn more about these and other investments, review the government’s website on the 2018-19 federal budget.


Avoid Costly Phishing Scams

Phishing, a type of cyber attack in which hackers disguise themselves as a trusted source online in order to acquire sensitive information, is a common scam that can put your employees and business at risk. The Canadian Internet Registry Authority recently published a survey of businesses that use the .ca domain and found that 32 per cent of firms had unwittingly divulged sensitive information after falling for phishing tactics.

Falling for a spear phishing attack can give a hacker access to personal and financial information across an entire network. What’s more, successful spear phishing attacks oftentimes go unnoticed, which increases the risk of large and continued losses.

Though it is difficult to completely avoid the risks of spear phishing attacks, there are ways to prevent further damage to your business. Make sure that your employees are aware of these simple techniques:

  • Never send financial or personal information electronically, even if you know the recipient well.
  • Be cautious when you are asked to divulge personal or sensitive business information in an email. Even if it appears to be from a trusted source, it could be a hacker impersonating another person or group.
  • Only share personal information on secure websites or over the phone.
  • Never click on links or open attachments from unknown sources. In addition, encourage employees to think twice about what they post online.
  • Ensure that your company’s security software is up to date. Firewalls and antivirus software can help protect against spear phishing attacks.

It’s important to encourage employees to be overly cautious when it comes to preventing phishing scams. Together, these strategies can go a long way toward keeping your business safe.


5 Steps to Website Security

Website security is more important than ever. Cyber criminals are constantly looking for improperly secured websites to attack; therefore, it is essential to secure servers and the network infrastructure that supports them. The consequences of a security breach may include loss of revenue, damage to credibility, legal liability and loss of customer trust.

Web servers, which host the data and other content available to your customers on the Internet, are often the most targeted and attacked components of a company’s network. By securing your Web server, you protect customers and prospects that use your company website. The following are examples of specific security threats to Web servers:

  • Cyber criminals may exploit software bugs in the Web server, underlying operating system or active content to gain unauthorized access to the Web server.
  • Denial-of-service attacks may be directed at the Web server or its supporting network infrastructure to prevent or hinder your website users from making use of its services. This can include preventing the user from accessing email, websites, online accounts or other services. The most common attack is flooding a network with information, so that it can’t process the user’s request.
  • Sensitive information on the Web server may be read or modified without authorization.
  • Information on the Web server may be changed for malicious purposes.
  • Cyber criminals may gain unauthorized access to resources elsewhere in the organization’s network with a successful attack on the Web server.
  • The server may be used as a distribution point for attack tools, pornography or illegally copied software.

Take the following five steps to protect your company from the threats listed above.

Step 1: Form a plan and utilize the right people.

Because it is much more difficult to address security once deployment and implementation have occurred, security should be considered from the initial planning stage. Businesses are more likely to make decisions about configuring computers appropriately and consistently when they develop and use a detailed, well-designed deployment plan. Developing such a plan will support Web server administrators in making the inevitable trade-off decisions between usability, performance and risk.

Make sure to define appropriate management security practices, such as identification of your company’s information system assets and the development, documentation and implementation of policies, as well as guidelines to help ensure the confidentiality, integrity and availability of information system resources.

Businesses also need to consider the human resources requirements for the deployment and continued operation of the Web server and supporting infrastructure. Consider the personnel you will need on your team—for example, system and Web server administrators, webmasters, network administrators and information systems security personnel. Additionally, consider the level of training (initial and ongoing) that will be required to maintain this team.

Step 2: Ensure that Web server operating systems and applications meet your organization’s security requirements.

When securing a Web server, you must first secure the underlying operating system. Most Web servers operate on a general-purpose operating system. Many security issues can be avoided if the operating systems underlying Web servers are configured appropriately. Default hardware and software configurations are typically set by manufacturers to emphasize features, functions and ease of use at the expense of security. Because manufacturers are not aware of each organization’s security needs, Web server administrators must configure new servers to reflect their business’ security requirements and reconfigure them as those requirements change. Make sure to take the following steps as appropriate to your business:

  • Patch and upgrade the operating system.
  • Change all default passwords.
  • Remove or disable unnecessary services and applications.
  • Configure operating system user authentication.
  • Configure resource controls.
  • Install and configure additional security controls.
  • Perform security testing of the operating system.

Step 3: Publish only appropriate information.

Company websites are often one of the first places cyber criminals search for valuable information. Still, many businesses lack a Web publishing process or policy that determines what type of information to publish openly, what information to publish with restricted access and what information should not be published to any publicly accessible repository. Some generally accepted examples of what should not be published, or what should at least be carefully examined and reviewed before being published on a public website, include the following:

  • Classified or proprietary business information
  • Sensitive information relating to your business’ security
  • A business’ detailed physical and information security safeguards
  • Details about a business’ network and information system infrastructure—for example, address ranges, naming conventions and access numbers
  • Information that specifies or implies physical security vulnerabilities
  • Detailed plans, maps, diagrams, aerial photographs and architectural drawings of business buildings, properties or installations
  • Any sensitive information about individuals that might be subject to privacy laws

Step 4: Prevent unauthorized access or modification on your site.

It is important to ensure that the information on your website cannot be modified without authorization. Users of such information rely on its integrity. Content on publicly accessible Web servers is inherently more vulnerable than information that is inaccessible from the Internet, and this vulnerability means businesses need to protect public Web content through the appropriate configuration of Web server resource controls. Examples of resource control practices include the following:

  • Install or enable only necessary services.
  • Install Web content on a dedicated hard drive or logical partition.
  • Limit uploads to directories that are not readable by the Web server.
  • Define a single directory for all external scripts or programs executed as part of Web content.
  • Disable the use of hard or symbolic links.
  • Define a complete Web content access matrix identifying which folders and files in the Web server document directory are restricted and which are accessible, and by whom.
  • Disable directory listings.
  • Deploy user authentication to identify approved users, digital signatures and other cryptographic mechanisms as appropriate.
  • Use intrusion detection systems, intrusion prevention systems and file integrity checkers to spot intrusions and verify Web content.
  • Protect each backend server (i.e., database server or directory server) from command injection attacks.

Step 5: Continuously protect and monitor Web security.

Maintaining a secure Web server requires constant effort, resources and vigilance. Securely administering a Web server on a daily basis is essential. Maintaining the security of a Web server will usually involve the following steps:

  • Configuring, protecting and analyzing log files
  • Backing up critical information frequently
  • Maintaining a protected authoritative copy of your organization’s Web content
  • Establishing and following procedures for recovering from compromise
  • Testing and applying patches in a timely manner
  • Testing security periodically
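Two of the controls above, the file integrity checkers of Step 4 and the protected authoritative copy of Web content in Step 5, fit together naturally: keep a hash manifest of the master copy and compare the live document root against it. The script below is an added example written for this page, not code from the newsletter or its publisher. The directory layout, the sample files and the HMAC key are constructed for the demo; in use, the key and the manifest would live off the Web server so a compromise of the server cannot silently rewrite them.

```python
"""Integrity check of published Web content against a signed manifest.

Added example; the sample site, the tampering and the signing key are all
constructed for the demo.
"""
import hashlib
import hmac
import json
import os
import tempfile
from typing import Dict


def sha256_file(path: str) -> str:
    """SHA-256 of a file, read in chunks so large assets don't need to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(root: str) -> Dict[str, str]:
    """Map every file under root (relative, '/'-separated path) to its SHA-256."""
    manifest = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            manifest[rel] = sha256_file(full)
    return manifest


def sign_manifest(manifest: Dict[str, str], key: bytes) -> str:
    """HMAC over the canonical JSON form, so the manifest itself cannot be rewritten unnoticed."""
    canonical = json.dumps(manifest, sort_keys=True).encode()
    return hmac.new(key, canonical, hashlib.sha256).hexdigest()


def verify_manifest(manifest: Dict[str, str], key: bytes, tag: str) -> bool:
    """Constant-time comparison of the stored tag against a freshly computed one."""
    return hmac.compare_digest(sign_manifest(manifest, key), tag)


def compare(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, list]:
    """Report files that differ from, are missing from, or were added beyond the authoritative copy."""
    return {
        "modified": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def _write(root: str, rel: str, text: str) -> None:
    path = os.path.join(root, rel)
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as f:
        f.write(text)


def demo() -> Dict[str, list]:
    """Constructed scenario: an authoritative copy and a document root that has been tampered with."""
    key = b"constructed-demo-key-store-off-the-web-server"
    with tempfile.TemporaryDirectory() as master, tempfile.TemporaryDirectory() as docroot:
        for root in (master, docroot):
            _write(root, "index.html", "<h1>Welcome</h1>")
            _write(root, "css/site.css", "body { color: #222; }")
            _write(root, "about.html", "<p>About us</p>")
        baseline = build_manifest(master)
        tag = sign_manifest(baseline, key)

        # Simulated unauthorized changes on the live server (constructed for the demo).
        _write(docroot, "index.html", "<h1>Welcome</h1><!-- unexpected edit -->")
        _write(docroot, "uploads/unexpected.txt", "should not be here")
        os.remove(os.path.join(docroot, "about.html"))

        if not verify_manifest(baseline, key, tag):
            raise RuntimeError("manifest failed signature check; do not trust it")
        return compare(baseline, build_manifest(docroot))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

A scheduled run of `compare` against the live document root, with the result written to the protected log described in Step 5, turns the "verify Web content" bullet into something an administrator is alerted on rather than something discovered after customers report a defaced page.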

Taking proactive measures to secure your website by carefully setting up and maintaining your Web server can save your business from experiencing crushing losses of revenue, customer loyalty and proprietary information. For more information about how to mitigate your cyber risk, contact your broker today.


Uber says over 800k Canadians affected by data breach

Source: Insurance Business Canada

In a statement issued this week, Uber Canada disclosed that the information of 815,000 Canadian riders and drivers may have been affected by a major data breach.

The ridesharing company first announced news of the breach last November. Uber revealed that the breach occurred sometime in October 2016, and resulted in the theft of information from some 57 million Uber accounts globally.

Uber Canada said the information taken by the cyber attackers includes names, email addresses, and mobile phone numbers. The company’s investigation has not identified, however, if the hackers managed to also steal users’ location histories, credit card numbers, bank account numbers, or dates of birth.

The company’s disclosure earlier this week came the same day that the federal privacy commissioner said it had opened a formal investigation into the breach, The Canadian Press reported.

Uber Canada spokesperson Jean-Christophe de le Rue said that the company will cooperate with the commissioner’s investigation.

“The privacy of riders and drivers is of paramount importance at Uber and we will continue to work with the privacy commissioner on this matter.”

In late November, a law firm representing Albertans whose information was compromised by the data breach filed a class-action lawsuit against Uber. On top of general damages, the lawsuit is seeking special damages for costs related to credit counselling, compensation for the plaintiffs’ lost time and income, as well as costs for credit monitoring and other similar services.

KRACK Cyber Vulnerability Puts Wi-Fi Networks at Risk to Hackers

Recently, Mathy Vanhoef, a researcher from a Belgian university, discovered a security flaw in Wi-Fi Protected Access II (WPA2)—a protocol that secures almost all modern, protected Wi-Fi networks. Through this newfound vulnerability, hackers can potentially gain access to encrypted information using what is called a key reinstallation attack (KRACK).

Any organization or individual that utilizes Wi-Fi is at risk for an attack, and hackers can use the KRACK method to steal sensitive information like credit card numbers, passwords, chat messages, emails, photos and most data that is stored or transmitted online.

What’s particularly troubling about this cyber threat is that it’s not tied to a specific machine or software; it is instead a flaw in how WPA2 was originally designed. Essentially, all a hacker needs to do to access your protected information is to be near your Wi-Fi access point and execute a script that tricks a system into bypassing the security. Not only does this allow cyber criminals to eavesdrop on network traffic, but they can also infect connected machines with malware.

While Vanhoef demoed the vulnerability using an Android operating system, it’s likely that KRACK can be used against a number of others, including Linux, Windows and macOS.

Thankfully, KRACK can be controlled with patches, and Vanhoef warned many companies of the security flaw long before publishing his findings, giving them time to develop a solution. It’s possible your network may already be fixed.

However, there are still a number of precautions businesses and individuals should take, including the following:

  • Update all laptops, smartphones, smartwatches and other devices that can be connected to Wi-Fi.
  • Be cautious about using any hardware that has not yet been patched, as any information stored or transmitted on that device could be compromised.
  • Contact your internet service provider to determine if you need to update your network.
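The article says KRACK is a design flaw that patches can control without saying what the patch changes. The model below is an added example written for this page, not code from the newsletter or from Vanhoef's research. It keeps only the state that matters: a station that installs its pairwise key resets the per-packet nonce, a retransmitted handshake message 3 causes the original design to re-install the key, and the fix is to refuse re-installation of a key that is already in place. The keystream function (SHA-256 over key, nonce and counter) and the key value are constructed stand-ins for the real WPA2 cipher.

```python
"""Toy model of the WPA2 key-installation step that KRACK abuses.

Added example; the keystream and key are constructed stand-ins, not WPA2's
real CCMP cipher, and the Station class models only nonce handling.
"""
import hashlib


def keystream(key: bytes, nonce: int, length: int) -> bytes:
    """Constructed stream cipher: the same key and nonce always yield the same bytes."""
    out = b""
    counter = 0
    while len(out) < length:
        block = key + nonce.to_bytes(8, "big") + counter.to_bytes(4, "big")
        out += hashlib.sha256(block).digest()
        counter += 1
    return out[:length]


class Station:
    """Wi-Fi client side of the handshake, in original (vulnerable) or patched form."""

    def __init__(self, patched: bool):
        self.patched = patched
        self.ptk = None      # installed pairwise transient key
        self.nonce = 0       # per-packet number that must never repeat under one key

    def on_message3(self, ptk: bytes) -> str:
        """Handle handshake message 3, which the protocol allows to be retransmitted."""
        if self.patched and self.ptk == ptk:
            # Patched behaviour: a key that is already installed is never re-installed,
            # so the nonce keeps counting upward.
            return "retransmission ignored"
        self.ptk = ptk
        self.nonce = 0       # original design: installing a key resets the nonce
        return "key installed"

    def send(self, plaintext: bytes):
        """Encrypt one frame; returns (nonce used, ciphertext)."""
        self.nonce += 1
        ks = keystream(self.ptk, self.nonce, len(plaintext))
        return self.nonce, bytes(p ^ k for p, k in zip(plaintext, ks))


def run(patched: bool) -> dict:
    """Install a key, send a frame, receive message 3 again, send another frame."""
    ptk = b"constructed-pairwise-key"
    sta = Station(patched)
    sta.on_message3(ptk)
    n1, _ = sta.send(b"first data frame")
    second = sta.on_message3(ptk)        # the retransmitted message 3 KRACK relies on
    n2, _ = sta.send(b"second data frm")
    return {
        "second_message3": second,
        "nonces": (n1, n2),
        "nonce_reused": n1 == n2,
        "keystream_repeated": keystream(ptk, n1, 16) == keystream(ptk, n2, 16),
    }


if __name__ == "__main__":
    print("original design:", run(patched=False))
    print("patched:        ", run(patched=True))
```

The unpatched run shows the same nonce, and therefore the same keystream, used for two different frames, which is the condition the article's "gain access to encrypted information" refers to; the patched run shows why updating every Wi-Fi device in the list above is the remedy, since the fix lives in each device's handshake code rather than in the network.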

To read the original findings on KRACK, click here.


4 Takeaways from a Cyber Study

The Scalar Security Study is an annual report that examines how prepared Canadian businesses are for cyber threats. Specifically, the study surveyed 654 IT and IT security practitioners to determine the average cost of a cyber attack, whether organizations feel prepared for cyber threats and what tactics they find most effective when it comes to protecting themselves. The following are some of the major findings from the study:

  1. The number of cyber attacks is increasing. Survey respondents reported experiencing an average of 40 cyber attacks per year. This number represents a 17 per cent increase compared to last year’s report. It’s important to note that many of these cyber attacks related to the loss of sensitive information.
  2. Organizations are less confident in their ability to protect themselves. Cyber attacks are increasing in frequency and sophistication. What’s more, insufficient personnel or lack of in-house expertise were found to be the major reasons why organizations felt unprepared for the increasing threat. In fact, only about 37 per cent of organizations felt they are winning the war against cyber criminals.
  3. Organizations are concerned about security threats from mobile devices. Mobile devices and applications were two of the major security concerns for organizations. These risks require both technological and internal governance to help mitigate the risk.
  4. Intellectual property is a major and expensive target of cyber criminals. The loss of intellectual property and other proprietary information due to cyber attacks impacted 33 per cent of the businesses surveyed, with the average cost of the loss coming in just under $6 million.

In addition to the above, the report found that cyber security threats will increase in severity. Businesses will need to adapt to the changing landscape if they are to protect themselves from the devastating losses associated with cyber crime.


Estate Planning for Your Digital Assets

Technology has become more pervasive, and it’s become increasingly difficult to avoid having at least some kind of valuable data that has to be managed. Whether it’s important photographs, documents hosted in the Cloud, online banking accounts, or Web-based assets like social media accounts or websites, virtually everyone has some digital assets to track.

That can be a daunting task in its own right, but what happens to those assets if something should happen to you? If you haven’t taken the time to plan for your digital assets, your loved ones could find themselves unable to access your accounts. And, if one of those accounts is compromised by a data breach, hackers could use your online accounts as a “back door” into your bank accounts or other assets.

Estate planning for your digital assets is a crucial part of your overall estate-planning strategy. While it’s always best to consult with a financial planner or legal counsel when considering estate planning, there are some general guidelines everyone should follow when making plans for their digital assets.

Create an Inventory

“Digital assets” can refer to a broad range of things, but in general, it refers to any part of your digital identity that would require your successors’ attention. The first step in planning is making sure that you have an exhaustive, centralized inventory of your assets so that your executor, attorney or trustee knows where to find everything.

  1. Hardware

Begin by making an inventory of your hardware. It may seem obvious, but don’t take this step for granted. Many people use a number of different devices in their day-to-day lives, with important data stored in each of those devices. Remember to create an inventory and make a note of hardware that may be company-owned, and also remember that pieces of old hardware—computers, cellphones, cameras, etc.—may have important data on them.

Tailor your inventory to your needs, but consider some of the following:

  • Computers, laptops and tablets (including username and login information)
  • Cellphones
  • Digital cameras
  • CDs, DVDs, flash drives, SIM cards, external hard drives and other devices that store data

In addition to making a list of the names and locations of all of your hardware, it could be helpful to your successors to map out the file structures of your data. Write out step-by-step instructions so your successors know how to navigate the file system on your hardware in order to access your important information.

  2. Online Assets

Next, consider your online presence in its various forms. Though it may be daunting, consider every site for which you’ve created a user profile and determine whether or not your successors will need to gain access. In doing so, be sure to log website names, URLs, usernames and passwords.

The list will vary, but be especially mindful of websites that store your personal information or banking information. Consider the following:

  • Online banking accounts
  • Shopping sites (e.g., Amazon, the Apple Store, eBay)
  • Social media accounts (e.g., Facebook, Twitter, LinkedIn)
  • Cloud-hosted email accounts (e.g. Gmail, Yahoo, Outlook)
  • Cloud Storage (e.g., Dropbox, Google Drive)
  • Organizational sites and apps (e.g., OmniFocus, Evernote, Pinterest)
  • Subscriptions (e.g., Netflix, Audible, Hulu Plus, HBO Go)

  3. Work

Depending on your job, it might make sense to create a separate inventory for any work-related information that might be among your digital assets. This will vary widely from profession to profession, but as telecommuting becomes more commonplace, it’s an increasingly important consideration. In some cases, it’s a matter of keeping sensitive information secure. In other cases, it’s simply a matter of making sure your successors have access to the work you’ve been doing on projects that they might need to take over. Consider the following:

  • Client files
  • Spreadsheets
  • Online databases or software
  • Project tasks, notes or drafts

Everyone’s digital assets are bound to be different, which is why making an exhaustive inventory is so important.

Provide Access to Your Assets

Once you have an inventory of your digital assets, it’s important to make sure you provide your successors with access. You’ll want to choose someone you can trust to handle sensitive personal and financial information, as well as the task of carrying out your wishes. It could be a trusted advisor, an attorney, or a family member or friend.

Whomever you choose, make sure you keep records naming that person and his or her responsibilities along with the rest of your estate planning information. Just because someone has your hardware or knows your passwords doesn’t mean that he or she is authorized to use them. Certain laws may prohibit others from accessing or using your digital assets, so having proper documentation is essential.

Write Out Instructions

Once you’ve created an inventory of your assets and assigned the appropriate executor or trustee, you’ll want to document your wishes. It may seem tedious, but it’s important to take the time to be detailed. After all, you wouldn’t want someone mistakenly selling or deleting important documents or photographs.

Planning for the Future

Estate planning may conjure unpleasant thoughts about death, but it’s important to plan now so that your wishes can be carried out and your loved ones and colleagues can continue on without undue stress.

It’s also important to make sure you have the people and the resources that you need in order to make sure your wishes are carried out as you’d like.



CRSP Part 9: Quantum Computing and Why Quantum Encryption Research is Important to Our Future

This is one in a series of related short essays about the unrelenting cyber stresses every person and every organization now faces. The first essay, titled Cyber Risk, Security & Privacy (CRSP) – Waterloo Region’s Vibrant New Business Cluster, appeared in the December 2014 issue of The Triangle.

Today’s modern living is now completely dependent on reliable, available, and secure global communications. One critical component supporting the security aspect of secure communications is encryption. Without effective mathematical algorithms that ensure the transmission of messages that can only be understood by the receiver, the world would be in deep trouble.

A Looming Problem

The global body of knowledge continues to grow at an astounding rate. One relatively recent development is the emergence of a new approach for computing and cryptography. This approach is far different than traditional digital computing which uses electronic transistors to store and retrieve zeroes and ones. It is called quantum computing and is leading to a looming problem that could hit us before the world is ready to handle it.

As Tim Moses, a security expert at Entrust Inc., explained in a 2009 report:

Recent years have seen significant advances in both quantum computing and quantum cryptography. Reports have hinted at radical implications for the practice of computing in general and information security in particular.

Certain well-known problems in the fields of modeling, optimization and cryptography have proven intractable using the classical model of computation. But, using a model of computation that exploits quantum mechanical phenomena, solutions to these problems become possible. If and when quantum computers of sufficient size become a reality, secure information systems based on [conventional] cryptography will require an overhaul.[i]

As quantum computing matures, traditional approaches for encrypting the world’s sensitive communications may be at risk. Where would we be if an organization or state developed the ability to render current secure communication methods obsolete and we didn’t have an available solution with which to replace them?

How the CRSP Sector in Waterloo Region is Helping to Address this Problem

The University of Waterloo’s Institute for Quantum Computing, led by Dr. Michele Mosca, is addressing this issue by performing quantum cryptography research and developing quantum computing tools.[ii] One of the Institute’s goals is to develop novel approaches and tools for securing communications before traditional solutions become obsolete. In other words, by being at the forefront of new technologies like quantum cryptography, we will be able to develop new means and algorithms, using quantum phenomena, to counter the looming obsolescence of traditional digital encryption algorithms.

For more information about this leading-edge research, refer to endnote [iii] below.

[i] Piet Hein, wikiquotes, Piet Hein Quote.
[ii] Quantum Computing and Cryptography, Entrust, January 2009, Quantum Computing and Cryptography.
[iii] Internet security: Creating cryptographic tools for the quantum age, Waterloo Stories, August 4, 2015, Internet security: Creating cryptographic tools for the quantum age.