Working in cybersecurity can be a thankless job: being the bearer of bad news for colleagues and clients who may not understand all the risks and challenges, and in some cases how much worse a system compromise could have been. There is such a wide multitude of attack vectors that cybersecurity has evolved into more a game of probabilities than absolutes, doing the best one can with the time and resources available.
There are no 100% secure computer systems (and there likely never will be).
On top of contending with the daily shifting sands of hardware and software vulnerabilities, there are various avenues of social engineering and exploitation of the human condition which complicate the job of white hat cybersecurity professionals. The recent attacks on SSC/CRA are a good example of how important safe password creation and handling are to overall system security, along with fielding inbound contacts requesting information, controlling access to external URL links, etc.
The quality of phishing attacks is very high now, with email messages linking to convincing copies of financial services, government and other websites meant to pilfer credentials. The current state of the art is a long way from the days of yore when we got emails from grammatically challenged diplomats with a pressing need for foreign partners to unload the millions burning a hole in their pockets. The volume of malicious cyber attacks faced daily by large companies and organizations in Canada (and around the world) is astonishing, begging the question ‘how do the bad guys find the time?’
In public institutional computer systems there are high standards around personal privacy to contend with, trying to balance individual freedoms against the use of shared information to better protect the group, while also keeping in mind the fundamental principles of an inclusive open society, which in principle should try to provide equal access to information and services for all citizens. There are a lot of tradeoffs: streamlining systems by linking them together increases the efficiency of legitimate users and bad actors alike.
It's not an easy job, and it seems a positive sign that the suspicious activity was noticed and quick action taken. Multi-factor authentication (MFA) has become table stakes for publicly accessible systems, and it may be worth considering turning on an optional 2FA feature, even a simple TOTP factor, on GCKey accounts. There is good value in maintaining authentication independence from third parties for Canada’s online government (an essential service), and in evolving those capabilities with the times. Hopefully all systems affected in the recent cyberattacks have been identified and restored to full integrity, and props to the CRA/SSC team.
Excerpt from IT World Canada article…
“I would argue, no,” Marc Brouillard, acting chief information officer, told reporters during a press briefing this morning. “Quite the opposite. The system worked. We were able to identify these fraudulent actions coming in through some pretty sophisticated analytics that detected [suspicious] behaviours. From a systems perspective, this is a person trying to log into the system and our tools were able to detect those patterns that were suspicious and identify those that were not valid.
“Once those accounts were identified as potentially compromised, that’s when the system jumped into action and disabled accounts.
“It’s important to know when we’re watching those systems we’re not affecting valid users,” he added. “It’s always a complicated matter to analyze that traffic and make sure we’re detecting true malicious intent versus people just forgetting their passwords.”
When it was pointed out that attempts were detected, but thousands of accounts were still compromised, Brouillard replied, “Not to minimize it, but 11,000 of 12 million [accounts]” were compromised. “This was still a pretty sophisticated capacity to identify those accounts. We have thousands of actions every day on these systems, so it is a high-volume system.”
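The distinction Brouillard draws, between a person who has forgotten their password and a source that is working through many accounts, is the core of what login analytics has to separate. The following is an added example, not code from this post nor anything SSC/CRA has published: a small heuristic over constructed authentication records (the record layout, IP addresses, account names and thresholds are all assumptions) that flags a source as credential stuffing when it touches many distinct accounts with a low success rate, and lists the accounts that were successfully entered from such a source so they can be disabled and re-verified.

```python
from collections import defaultdict

# Constructed sample records: (timestamp, source address, account, outcome).
# 198.51.100.7 looks like one user retrying their own password; 203.0.113.5
# cycles through many accounts and lands one of them. Not real data.
SAMPLE_EVENTS = [
    ("2020-08-15T08:00:01", "198.51.100.7", "alice", "fail"),
    ("2020-08-15T08:00:09", "198.51.100.7", "alice", "fail"),
    ("2020-08-15T08:00:20", "198.51.100.7", "alice", "success"),
    ("2020-08-15T08:01:00", "203.0.113.5", "bob", "fail"),
    ("2020-08-15T08:01:01", "203.0.113.5", "carol", "fail"),
    ("2020-08-15T08:01:02", "203.0.113.5", "dave", "success"),
    ("2020-08-15T08:01:03", "203.0.113.5", "erin", "fail"),
    ("2020-08-15T08:01:04", "203.0.113.5", "frank", "fail"),
    ("2020-08-15T08:01:05", "203.0.113.5", "grace", "fail"),
]


def classify_sources(events, min_accounts=5, max_success_rate=0.25):
    """Return {source: verdict}. Thresholds are assumed values for the
    example; a real deployment would tune them against its own traffic."""
    by_source = defaultdict(list)
    for _ts, src, acct, outcome in events:
        by_source[src].append((acct, outcome))
    verdicts = {}
    for src, attempts in by_source.items():
        accounts = {acct for acct, _ in attempts}
        successes = sum(1 for _, outcome in attempts if outcome == "success")
        success_rate = successes / len(attempts)
        # Many different accounts and mostly failures: a list being tried.
        if len(accounts) >= min_accounts and success_rate <= max_success_rate:
            verdicts[src] = "credential_stuffing"
        # One account, a few misses, then success: a forgotten password.
        elif len(accounts) == 1 and attempts[-1][1] == "success":
            verdicts[src] = "forgotten_password"
        else:
            verdicts[src] = "review"
    return verdicts


def accounts_to_disable(events, verdicts):
    """Accounts that were successfully logged into from a source judged to be
    credential stuffing; these are the ones to lock and re-verify."""
    return sorted({acct for _ts, src, acct, outcome in events
                   if outcome == "success"
                   and verdicts.get(src) == "credential_stuffing"})
```

On the constructed sample this flags 203.0.113.5 and leaves alice alone, which is the "not affecting valid users" property the quote describes; in practice the same logic should also be run per account, since stuffing campaigns spread attempts across many sources.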