Working in cyber security can be a thankless job. You are often the bearer of bad news to colleagues and clients who may not understand the nature of the problem, the effort involved in mitigation, or in some cases how much worse a compromise could have been. There are so many attack vectors that cyber security has become a game of probabilities rather than absolutes: doing the best one can with the time and resources available.
There are no 100% secure computer systems, and there likely never will be.
On top of the constantly shifting sands of hardware and software vulnerabilities, there are the various avenues of social engineering and exploitation of human nature that complicate the job of white hat security professionals. The recent attacks on SSC/CRA are a good example of how important safe password creation and handling are to overall system security, along with how staff field inbound contacts requesting information, how access to external URL links is controlled, and so on.
The quality of email phishing attacks is very high now, with messages linking to near-perfect copies of financial services websites, a long way from the days of yore when all we had to worry about was a grammatically challenged Nigerian prince with a pressing need for a foreign partner to help unload the millions burning a hole in his pocket. The volume of malicious cyber attacks faced daily by large companies and organizations in Canada (and elsewhere) is astonishing, raising the question 'how do the bad guys find the time?'
Public institutional systems also have high standards around personal privacy to contend with, balancing individual freedoms against the sharing of information needed to protect the group, while keeping in mind the fundamental principles of an inclusive society, which should provide equal access to information and services for all citizens. There are a lot of tradeoffs: streamlining systems by linking them together increases the efficiency of legitimate users and bad actors alike.
It's not an easy job, and it is generally a positive sign that CRA/SSC was able to identify the suspicious activity and take quick action. That said, MFA has become table stakes for publicly accessible systems, and it would be a good step to offer optional 2FA, even a simple TOTP factor, on GCKey accounts in the near future. Hopefully all systems affected in these recent attacks have been identified and restored to full integrity.
Excerpt from IT World Canada article…
“I would argue, no,” Marc Brouillard, acting chief information officer, told reporters during a press briefing this morning. “Quite the opposite. The system worked. We were able to identify these fraudulent actions coming in through some pretty sophisticated analytics that detected [suspicious] behaviours. From a systems perspective, this is a person trying to log into the system and our tools were able to detect those patterns that were suspicious and identify those that were not valid.
“Once those accounts were identified as potentially compromised, that’s when the system jumped into action and disabled accounts.
“It’s important to know when we’re watching those systems we’re not affecting valid users,” he added. “It’s always a complicated matter to analyze that traffic and make sure we’re detecting true malicious intent versus people just forgetting their passwords.”
When it was pointed out that attempts were detected, but thousands of accounts were still compromised, Brouillard replied, “Not to minimize it, but 11,000 of 12 million [accounts]” were compromised. “This was still a pretty sophisticated capacity to identify those accounts. We have thousands of actions every day on these systems, so it is a high-volume system.”
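The distinction Brouillard draws, "true malicious intent versus people just forgetting their passwords", comes down to which dimension the failures cluster on. The following is an added example of that kind of analytic (my own code, not anything from CRA, SSC or the IT World Canada article) run over a constructed authentication log whose format is invented for the example: one source address that fails twice on a single account and then succeeds is left alone, while a source that walks many different accounts with a high failure rate is flagged, and any account it did get into is queued for disabling, mirroring the response described in the excerpt.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log (format invented for this example). 198.51.100.7 is one person
# mistyping a password and then getting in; 203.0.113.5 walks a list of accounts.
SAMPLE_LOG = """\
2020-08-15T03:00:01Z src=198.51.100.7 user=alice result=FAIL
2020-08-15T03:00:09Z src=198.51.100.7 user=alice result=FAIL
2020-08-15T03:00:20Z src=198.51.100.7 user=alice result=OK
2020-08-15T03:10:00Z src=203.0.113.5 user=bob result=FAIL
2020-08-15T03:10:01Z src=203.0.113.5 user=carol result=OK
2020-08-15T03:10:01Z src=203.0.113.5 user=dave result=FAIL
2020-08-15T03:10:02Z src=203.0.113.5 user=erin result=FAIL
2020-08-15T03:10:02Z src=203.0.113.5 user=frank result=FAIL
2020-08-15T03:10:03Z src=203.0.113.5 user=grace result=FAIL
2020-08-15T03:10:03Z src=203.0.113.5 user=heidi result=FAIL
2020-08-15T03:10:04Z src=203.0.113.5 user=ivan result=OK
2020-08-15T03:10:04Z src=203.0.113.5 user=judy result=FAIL
2020-08-15T03:10:05Z src=203.0.113.5 user=mallory result=FAIL
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) src=(?P<src>\S+) user=(?P<user>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_line(line: str):
    """Return (timestamp, source, user, succeeded) or None for an unparseable line."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
    return ts, m["src"], m["user"], m["result"] == "OK"


def analyse(lines, window=timedelta(minutes=5), min_distinct_users=8, min_fail_ratio=0.5):
    """Sliding window per source address (thresholds are illustrative, not tuned values).

    A source is flagged when, within the window, it has tried at least
    `min_distinct_users` different accounts and at least `min_fail_ratio` of its
    attempts failed. Every account that source logged into successfully inside the
    window is returned for disabling and re-verification.
    Returns (flagged_sources, accounts_to_disable).
    """
    recent = defaultdict(deque)
    flagged_sources, accounts_to_disable = set(), set()
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        ts, src, user, ok = event
        q = recent[src]
        q.append(event)
        while q and ts - q[0][0] > window:
            q.popleft()  # drop events that fell out of the window
        distinct_users = {e[2] for e in q}
        fail_ratio = sum(1 for e in q if not e[3]) / len(q)
        if len(distinct_users) >= min_distinct_users and fail_ratio >= min_fail_ratio:
            flagged_sources.add(src)
        if src in flagged_sources:
            # includes successes that happened before the threshold was crossed
            accounts_to_disable.update(e[2] for e in q if e[3])
    return flagged_sources, accounts_to_disable


if __name__ == "__main__":
    flagged, accounts = analyse(SAMPLE_LOG.splitlines())
    print("block these sources:", sorted(flagged))
    print("disable and re-verify these accounts:", sorted(accounts))
```

Keying on the source address is the simplest version of the pattern; an attacker with a proxy pool spreads the same list across many addresses, so a production rule set also watches the fleet-wide failure rate and the number of distinct sources per account, and it rate-limits the login endpoint itself rather than relying on after-the-fact analytics alone.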