
September 2020 - Protect Your Business, Lessons Learned from the CRA Breach

Published on September 1, 2020

Physical hygiene is on our minds now more than ever due to the COVID-19 pandemic, but the recently disclosed CRA breach highlights the importance of another kind of hygiene: cyber hygiene. Read on to learn how hackers gained access to thousands of Canadians’ accounts and how practising cyber hygiene can help prevent such attacks, both personally and for your business.

Incident

In mid-August, the federal government disclosed that three separate cyber breaches had taken place over the preceding months. This resulted in at least 5,500 individual CRA and GCKey (a secure portal that allows Canadians to access government services online) accounts being hacked. Once they gained access, the cyber criminals were able to apply for COVID-19 benefits as well as alter passwords, email and direct deposit information. In response, CRA online services were shut down for days while the government bolstered their security. The RCMP is investigating. Anyone who has been affected will be contacted by the CRA by email or letter.

“Credential Stuffing” Attack

The CRA described the breaches as “credential stuffing” attacks. This type of attack takes advantage of a common tendency that many people have: using the same password and username on multiple sites. Credential stuffing attacks have three stages:

1. The hacker (commonly called a bad or malicious actor because of their intent to cause damage) acquires previously hacked credentials (personal and confidential information such as usernames and passwords, SINs, credit card information, passport numbers, banking information, etc.), either by launching a cyber attack themselves or by purchasing them on the dark web from a previous breach. If any organization you have given your information to (a financial institution, hotel, store, website or any other place) gets hacked, that personal information (such as a username, an email address and a password) can be accessed and then shared or sold.

2. The attacker uses a botnet (a group of devices that have been infected by malware and have come under the control of a malicious actor) to perform large-scale automated login requests on many websites, trying various combinations of stolen user IDs and passwords until they hit the right combination and get in.

3. The attacker can then take over the account and steal personal information or carry out activities as that user. In the case of this CRA breach, that meant applying for COVID-19 benefits to be deposited in the attacker’s own accounts.

How to Protect Yourself and Your Business

This attack was successful because passwords and usernames were reused on multiple sites. This is common because it is convenient and easy to remember just one password. But when a hacker steals the password from one site, it allows them to use that password to gain access to multiple sites or accounts.

To avoid this trap, use a unique, long and strong password on each site you use. If your credentials from one site are stolen, you have limited the damage a hacker can do to that one site. If you use a password that is easy to guess, you have made the hacker’s job even easier. Each character you add to the length of a password makes it much harder to guess. We recommend passwords of at least 12 characters.

Use a software password manager to safely keep track of all your passwords. Some we recommend are MyGlue, LastPass, Dashlane or 1Password; they keep all of your passwords securely in one place. Experts used to recommend changing passwords frequently, but now recommend simply following the steps outlined above.

Since all a hacker needs is the password of just one of your employees to gain access to your organization’s data, each employee needs to do their part.

Educate your staff about cybersecurity awareness, especially how to create strong and unique passwords and never to reuse personal passwords (such as those for Facebook, LinkedIn or other social media accounts) at work.

Within your organization, only allow each employee access to as much data as they need. This creates barriers that keep hackers or rogue employees from accessing even more data.

Lastly, use multi-factor authentication (MFA) throughout your business. When MFA is used, neither a valid user nor a hacker can gain access to your network with only a password. They also need the time-based code that changes every 30 seconds; this challenges them to prove who they are before they are allowed to log in, adding a strong additional layer of security.

Much like guarding against COVID-19, the strategies you can use to avoid becoming the victim of a “credential stuffing” plot are as simple as putting on a mask or washing your hands. Do not reuse usernames and passwords, and use unique, long and strong passwords. Future newsletters will examine best practices for creating passwords.
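The botnet stage described above leaves a distinctive trace in login logs: one source trying many different usernames in a short burst, rather than one user retrying their own password. As an added example (not code from the original newsletter or from the CRA), the Python below runs that heuristic over constructed sample log lines; the log format, IP addresses and usernames are all assumptions made for illustration.

```python
"""Credential-stuffing detector over constructed auth-log lines.

Heuristic: a source that attempts >= min_users DISTINCT usernames within
`window` is behaving like the botnet stage above; any LOGIN_OK from such
a source is a likely account takeover to investigate first.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample log: "<ISO time> <src-ip> <username> <LOGIN_OK|LOGIN_FAIL>"
SAMPLE_LOG = """\
2020-08-10T02:00:01 203.0.113.7 alice LOGIN_FAIL
2020-08-10T02:00:02 203.0.113.7 bob LOGIN_FAIL
2020-08-10T02:00:03 203.0.113.7 carol LOGIN_FAIL
2020-08-10T02:00:04 203.0.113.7 dave LOGIN_FAIL
2020-08-10T02:00:05 203.0.113.7 erin LOGIN_OK
2020-08-10T02:00:06 203.0.113.7 frank LOGIN_FAIL
2020-08-10T09:15:00 198.51.100.4 alice LOGIN_FAIL
2020-08-10T09:15:20 198.51.100.4 alice LOGIN_OK
"""


def parse(log_text):
    """Turn raw lines into (timestamp, ip, user, result) tuples."""
    events = []
    for line in log_text.strip().splitlines():
        ts, ip, user, result = line.split()
        events.append((datetime.fromisoformat(ts), ip, user, result))
    return events


def detect_stuffing(log_text, window=timedelta(minutes=10), min_users=5):
    """Return {ip: {"distinct_users": n, "takeovers": [user, ...]}} for
    every source that tried >= min_users distinct usernames in `window`."""
    by_ip = defaultdict(list)
    for ev in parse(log_text):
        by_ip[ev[1]].append(ev)
    flagged = {}
    for ip, evs in by_ip.items():
        evs.sort()  # chronological, so a sliding window works
        start, peak_users, takeovers = 0, 0, set()
        for end, (t_end, _, _, _) in enumerate(evs):
            while t_end - evs[start][0] > window:  # drop events older than window
                start += 1
            chunk = evs[start:end + 1]
            users = {e[2] for e in chunk}
            if len(users) >= min_users:
                peak_users = max(peak_users, len(users))
                takeovers |= {e[2] for e in chunk if e[3] == "LOGIN_OK"}
        if peak_users:
            flagged[ip] = {"distinct_users": peak_users, "takeovers": sorted(takeovers)}
    return flagged
```

The second source in the sample (one user failing once, then succeeding) is the ordinary typo case and is deliberately not flagged. Real botnets spread attempts across many addresses, so in production pair this per-source check with a global count of distinct accounts seeing failures per minute.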