Over the last decade, cybersecurity has played a steadily growing role in all our lives. The global COVID-19 pandemic has accelerated this trend as most of us scramble to replace real-world services and activities with online, remote alternatives. This also holds true for pandemic response services such as vaccination appointment booking and vaccination passport infrastructure. It is critical that these services implement rigorous security, and all the more damaging when those measures publicly fail.
Such appears to be the case with the Ontario COVID-19 vaccination portal. Two people, one of whom is a Government of Ontario employee, have been accused of illegally using the Ontario vaccination portal to collect the personal information of Ontarians for the purpose of perpetrating phishing scams. According to the Ontario Provincial Police, the information, which was taken from the Ontario vaccination scheduling and vaccination passport databases, was used by the pair to target specific individuals with fraudulent text messages.
During an interview on the radio show “Dans la mosaïque” on Radio-Canada, Alexandre LaRocque, a cybersecurity expert and CEO of Ardent Security, provided some insight into this security breach:
“[…] Employees are an organization’s greatest defense against cyber threats, but ironically, they can also be the weakest link. This particular incident is a typical case of what we call an insider threat. This type of cyberattack is expected to become increasingly frequent for organizations over time. Insider threats can be classified into two general categories. The first is a negligent insider attack, where an employee unknowingly plays a role in compromising organizational infrastructure. Examples of this are clicking on a phishing e-mail or divulging confidential information to an outside party on a fraudulent, social engineering call. Ultimately this type of attack occurs involuntarily or unknowingly. [The second category] is a malicious internal attack, which is when an employee commits a malicious or criminal act deliberately. This can be motivated by retribution, financial gain or corruption by a third party.”
It would appear that the breach in question is being treated as a malicious insider attack by police, given that they have proceeded to make arrests. During a press conference, the Solicitor General of Ontario, Sylvia Jones, declared that the province was thoroughly investigating all potential violations and that, to the best of her knowledge, no one had fallen victim to a scam [related to the breach]. Mr. LaRocque, seemingly skeptical of this assertion, declined to comment, stating: “I am unable to provide commentary on such a declaration without knowing the extent of the stolen data. It is best to allow the police to continue their investigation at this time. How can we be sure the stolen data of Ontarians is not being sold to cybercriminals on the Dark Web?”
Despite the lack of details surrounding the amount of data stolen or the specific contents, Alexandre provides his analysis of the incident based on the publicly available details:
“Looking specifically at this breach with the Ontario vaccination portal, there are some positive and some negative conclusions that can be drawn given the currently available information. First of all, on the good side, the discovery of this attack indicates the Government of Ontario has the ability to record and audit actions taken on their computer networks [and databases]. This is a very good thing and, in fact, a capability that I would recommend to all organizations. However, [this incident] also brings to light several [security] failures. [When analyzing such a scenario] we must always ask ourselves the question “Why?”. For example, when the accused employee accessed the [vaccination] portal database, why did this not raise a red flag? Clearly this shows a lack of proper anomaly and threat detection and alerting. In my opinion, the response time of the cybersecurity defense team seems to have been inadequate. By response time, I am referring to the time that elapses between the detection of a potentially malicious act on the internal network and the investigation into this alert by an analyst from the cybersecurity team. [The second potential failure relates to the] common IT principle of least privilege. That is to say, we must restrict the access of [system] users to the strict minimum that is necessary for them to complete their tasks. [This begs the question] why? In this case, why did the employee in question have access to this database? I think this is a question that should be addressed. Thirdly, I think more can be done from a hiring perspective with regards to background checks performed on new employees. Many government positions require a background check as a part of the hiring process, but often no further verifications are performed.
Personally, what I would suggest is that [the Ontario Government] clearly state that a security clearance of Confidential (Type 1) or Secret (Type 2) is an absolute requirement for employees who can manipulate or have access to such important personal information. To me, it is nonsensical to hire someone that has not been vetted by an organization such as the RCMP [for such a position].”
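The two technical failures Mr. LaRocque identifies, the absence of an alert when a single account reads far more records than its job requires, and an account holding access to a table its role does not need, are both things a database audit log can surface. The script below is an added example written for this article; it is not code from the Ontario portal or from Ardent Security, and the log format, role names, tables, baselines and sample records are all hypothetical and constructed for illustration. It replays audit lines through a per-user sliding window and raises an alert when a user touches more distinct records than their role's baseline, and a second alert when a role reads a table outside its least-privilege allow list.

```python
"""Audit-log replay for insider access anomalies.

Added example for this article (not code from any government system).
Assumed log line format, one event per line, whitespace separated:
    <ISO timestamp> <user> <role> <action> <table> <record id>
"""
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Hypothetical least-privilege policy: the tables each role may read.
ROLE_TABLE_ALLOW = {
    "booking_agent": {"appointments"},
    "passport_clerk": {"appointments", "passports"},
}

# Hypothetical baseline: the most distinct records a role is expected to
# touch inside one window during normal work.
ROLE_WINDOW_BASELINE = {"booking_agent": 20, "passport_clerk": 50}
WINDOW = timedelta(minutes=10)


def parse_line(line):
    """Split one audit line into a dict with a parsed timestamp."""
    ts, user, role, action, table, rec = line.split()
    return {"ts": datetime.fromisoformat(ts), "user": user, "role": role,
            "action": action, "table": table, "rec": rec}


def detect(lines, allow=ROLE_TABLE_ALLOW, baselines=ROLE_WINDOW_BASELINE,
           window=WINDOW):
    """Return a list of (alert_type, user, detail, timestamp) tuples.

    bulk_access: distinct records read by a user within `window` exceeded
                 the baseline for their role (raised once per user).
    unauthorized_table: the user's role is not allowed to read that table.
    """
    alerts = []
    events = sorted((parse_line(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    windows = defaultdict(deque)   # user -> deque of (ts, record id)
    flagged_volume = set()
    for e in events:
        # Least-privilege check: role must be allowed to touch this table.
        if e["table"] not in allow.get(e["role"], set()):
            alerts.append(("unauthorized_table", e["user"], e["table"], e["ts"]))
        # Sliding-window volume check: drop events older than the window,
        # then count distinct records still inside it.
        w = windows[e["user"]]
        w.append((e["ts"], e["rec"]))
        cutoff = e["ts"] - window
        while w and w[0][0] < cutoff:
            w.popleft()
        distinct = len({rec for _, rec in w})
        if distinct > baselines.get(e["role"], 0) and e["user"] not in flagged_volume:
            flagged_volume.add(e["user"])
            alerts.append(("bulk_access", e["user"], distinct, e["ts"]))
    return alerts


def build_sample_log():
    """Constructed sample audit records (not real data)."""
    base = datetime(2021, 11, 20, 9, 0, 0)
    lines = []
    # A normal booking agent: a few lookups spread over the morning.
    for i in range(3):
        t = base + timedelta(minutes=15 * i)
        lines.append(f"{t.isoformat()} jdoe booking_agent SELECT appointments rec-{1000 + i}")
    # A suspicious booking agent: 25 distinct records in five minutes, then
    # a read from the passport table that the role has no business reaching.
    for i in range(25):
        t = base + timedelta(seconds=12 * i)
        lines.append(f"{t.isoformat()} mallory booking_agent SELECT appointments rec-{2000 + i}")
    t = base + timedelta(minutes=6)
    lines.append(f"{t.isoformat()} mallory booking_agent SELECT passports rec-3000")
    return lines


if __name__ == "__main__":
    for alert in detect(build_sample_log()):
        print(alert)
```

Running it prints one bulk_access alert for mallory at the 21st distinct record and one unauthorized_table alert for the passport read, while jdoe's normal activity never trips either rule. The bulk rule fires at the moment the baseline is crossed rather than at end of day, which is the response-time point in the interview: an analyst can be paged while the access is still in progress.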
Mr. LaRocque then offers his fourth and final insight, which relates to the broad topic of organizational security culture: “What I suggest would be to change the internal culture within the organization and to put in place a program specifically designed to combat the threat of insider attacks. Employees can be solicited by third parties, such as organized crime, who will attempt to corrupt them in various ways, whether it be blackmail, existing debts, physical threats or other means.”
Interestingly, he describes this enhancement to security culture as a reciprocal and symbiotic relationship between an organization and its employees.
“As much as an organization is relying on its employees to enact the principles of security culture, these same employees must be able to count on their employer and know that they will be protected [in the process of performing these duties]. Employees must feel empowered to seek help if they are the target of pressure from criminals or other third parties seeking to attack the organization. In order to foster this culture of transparency, it is necessary that these employees, who are essentially whistleblowers, be rewarded, recognized and celebrated for their disclosure.”
Ardent Security’s CEO drives this point home by citing a recent and high-profile example of a cyberattack stopped in its tracks by an exemplary employee. In July 2020, a Tesla employee was offered a bribe of $1 million USD for his collaboration in a plot to install ransomware on the Tesla Gigafactory’s internal network. Despite the substantial bribe and assurances that the attack could be pinned on another employee, the employee felt safe to report the situation and reached out to his manager, who escalated the issue to higher echelons. All it took to stop the threat was Tesla’s management disclosing the approach to the FBI. With the cooperation of the targeted employee, the attack was thwarted and Egor Igorevich Kriuchkov, the man attempting to bribe his way into Tesla’s internal network, was arrested while attempting to flee the country.
When asked what we as consumers and users of online services can do to protect our private data, Mr. LaRocque had some tried and true advice to help limit our exposure to cyber threats.
“[…] It is important to try and disseminate our personal information as little as possible. However, we can’t deny that many companies and online services legitimately require our personal information [to do business with us], so the compromise here is that we must remain conscious of our digital footprint. This means being aware of where our data can be found and the sensitivity of the information in question. In addition, many companies, insurance providers among them, offer credit monitoring services and some will go as far as monitoring the dark web and other illegal marketplaces to detect if your personal information becomes available [through these forums].”
Ardent Security is a consulting firm based in Toronto providing cybersecurity services such as penetration testing, vulnerability assessment, advisory and cybersecurity training to businesses.
- A link to the interview on Radio-Canada between Serge Olivier and CEO of Ardent Security Alexandre Larocque can be found at https://ici.radio-canada.ca/ohdio/premiere/emissions/dans-la-mosaique/episodes/586348/rattrapage-du-mardi-23-novembre-2021/9
- A link to a story covering the potential Tesla ransomware attack can be found at https://resources.infosecinstitute.com/topic/insider-threat-report-tesla-employee-thwarts-1-million-dollar-bribery-attempt/
- A link to CTV News’ article reporting on the Ontario vaccine portal breach: https://toronto.ctvnews.ca/ontario-investigating-potential-security-breach-associated-with-covid-19-vaccine-portal-1.5676122
This article was authored by Adrian Christie, blog contributor and consultant to Ardent Security in the fields of technology and cybersecurity.