Lisa R. Lifshitz, Torkin Manes LLP, Torkin Manes
Combatting cyber threats: CSE releases new baseline cybersecurity controls
By Lisa R. Lifshitz
On April 5, 2019, the Canadian Centre for Cyber Security released the Baseline Cyber Security Controls for Small and Medium Organizations intended to assist small and medium organizations in Canada that want recommendations to improve their cyber security resiliency.
The centre, part of the Communications Security Establishment (equivalent to the U.S. National Security Agency), was founded last October to work collaboratively with Canada’s critical infrastructure, academia, private industry and all levels of government to combat cyber threats, manage government cybersecurity incidents and provide other cyber-related services, education, Guidelines and training.
The guidelines are intended to fill a critical gap for smaller enterprises that have been slow to adopt adequate cybersecurity protective measures. Reporting on the results of its analysis of the Canadian Survey of Cyber Security and Cybercrime, Statistics Canada found that Canadian businesses spent $14 billion to prevent, detect and recover from cyber security incidents in 2017, which represented less than one per cent of their total revenues.
However, annual average corporate expenditures on cyber security differed greatly based on size of business in 2017. While large businesses (250 employees or more) spent $948,000, medium-sized businesses (50 to 249 employees) spent $113,000 and small businesses (10 to 49 employees) spent $46,000.
Accordingly, the guidelines are based on the so-called 80-20 rule where organizations can supposedly achieve 80 per cent of the benefit from 20 per cent of the effort to cybersecurity practices to achieve concrete gains and enhance cybersecurity efforts.
The guidelines observe that small and medium-sized businesses face their own form of cyber threats from cybercriminals targeting their customer, partner and supplier data in addition to financial information/payment systems more generally and, of course, proprietary information. Small and medium-sized businesses that suffer cybersecurity incidents typically suffer costly reputational damage, productivity losses, intellectual property theft, operational disruptions, not to mention costly recovery expenses.
After determining whether the guidelines should apply to a particular organization based on size, companies should then determine what elements of their information systems and assets should be subject to the controls (ideally, all information systems and assets, whether owned, contracted or otherwise used).
Organizations should also determine and rank the value of their information systems and assets – more sensitive customer information should require additional protection, as would valuable proprietary intellectual property – and assess the potential injury to the confidentiality, integrity and availability to their information systems and assets.
Critically, businesses should also identify an individual in a leadership role that is specifically responsible for their IT security and larger organizations should consider hiring a chief information security officer. It also helps to identify financial spending levels for IT and IT security and identify internal staff levels to determine whether such spending is proportionate.
The baseline controls themselves are straight forward and commonsensical, focusing on how to reduce risk as well as preparing to respond to cyber incidents.
I fully support the recommendation that organizations “adopt the thinking” that they will inevitably suffer a data breach at some point and therefore must be able to quickly detect, respond and recover from the incident.
Key recommendations include:
Developing an incident response plan
Companies should assume the worst and create a written incident plan on how to respond and recover from cyber security incidents. The plan should be part of the entity’s plans for disaster recovery and business continuity and if required, should include who is responsible for handling incidents (including relevant contact information), for communicating to third parties, stakeholders and regulators as well as contract information for third-party external assistance providers (who and for what services). Organizations should also consider acquiring a cyber security insurance policy that includes coverage for incident response and recovery activities in addition to liability coverage.
Automatically patch operating systems and applications
This suggestion is more controversial, but the guidelines suggest that as smaller entities may find keeping track of vulnerabilities for various products across networks onerous and time consuming, small and medium-sized businesses should enable automatic updates for all software and hardware if this option is available (or replacing products with those that provide the option). Moreover, software and hardware than are no longer eligible to receive updates because the vendor has officially ended its support (for being past end of life, etc.) should be replaced (which should help ensure various standalone devices, applications, operating systems, etc. will be up-to-date and free of known vulnerabilities). Not surprisingly, this recommendation is severely caveated and the guidelines take pains to distinguish what would be appropriate for large enterprises with greater IT staff (where there should be full vulnerabilty and patch management practices) rather than “auto-patching” to avoid ‘unexpected side effects’.
Enable security software
Not unexpectedly, the guidelines strongly recommend securely configuring and enabling anti-virus and anti-malware software as feasible on all connected devices so they update and scan automatically for malware.
Securely configure devices
Reiterating a basic principle that default administrative passwords and insecure default settings on devices often pose significant problems in enterprise networks, the guidelines recommend that all enterprises change administrative passwords on devices, review device settings to disable unnecessary functionality and enable security features.
Use strong user authentication
Organizations should have user authentication policies that balance security with usability. Two-factor authentication should be mandatory and used wherever possible, especially for critical accounts (such as financial accounts, system administrators, privileged users and senior executives). Entities should also have clear policies on password length and the use of password managers.
Provide employee awareness training
As a first line of defence, organizations should implement cyber security awareness and training for their employees that covers basic security practices, focusing on practical and easily implementable measure such as use of effective password policies, identification of malicious email/links, appropriate use of the Internet and safe use of social media.
Back up and encrypt data
The guidelines recommend that organizations should back up all essential business information regularly to an external secure location to ensure recovery from ransomware as well as equipment failures and natural disasters. The systems to be backed up and the frequency of the backups should be decided on a case-by-case basis (since different systems will have different back-up and recovery requirements).
Companies should also securely store backups in encrypted states and be only assessable to those employees who require access on a need-to-know basis for testing and/or use of restoration activities.
While acknowledging the importance of cell phones to most organizations, many entities now allow employees to bring their own devices to work and this complicates how companies can secure sensitive company information and corporate IT infrastructure access across employee devices.
Even on devices owned by employees, word data and personal data should be separated and all mobile devices should store sensitive information in a secure, encrypted state. Employees should be required to download apps from trusted sources and authorized stores. Organizations should also educate (or enforce) users to disable automatic connections to open networks; avoid connecting to unknown Wi-Fi networks; limit the use of Bluetooth or other near-field communications for the exchange of sensitive information, and use the most secure connectivity option available, namely corporate WI-FI or cellular data networks rather than public, insecure coffee shop WIFI. Lastly, companies should be able to remotely wipe employee devices to delete corporate data.
Establish basic perimeter defences
Plainly put, the use of a dedicated firewall as a buffer between the organization’s own network and the wider Internet is a must and organizations should implement a Domain Name System firewall to prevent connections to known malicious web domains (and for outbound DNS requests to the Internet more generally).
The guidelines recommend using the WPA2 wireless security protocol or better for internal Wi-Fi networks and where possible, the strongest variant (e.g. WPA2-Enterprise) should be used. Public Wi-Fi networks should never be connected to corporate networks and if applicable, organizations should follow the Payment Card Industry Data Standard for all point-of-sale terminals and financial systems, isolating these systems from the Internet. Lastly, organizational email should be scanned and filtered for malicious attachments and links using domain-based message authentication, reporting and conformance.
Secure cloud and outsourced IT services
The guidelines have some pretty strong advice regarding the use of outsourced IT service providers. Cloud service providers should be obligated to make available an SSAE 16 SOC 3 report that states that they achieved Trust Services Principles Compliance (and if a provider cannot provide this certification, the guidelines suggest that the entity should look to other providers).
All sensitive information of the organization stored at a third-party service provider should be encrypted and access to data stored in the cloud should be made using secure web browser configurations. Companies should also conduct adequate due diligence to ensure that their cloud providers handle and access sensitive information (including personal information) and evaluate their comfort level with the legal jurisdictions where the service providers store or use their sensitive information. The following should be considered when evaluating cloud and outsourced IT providers: privacy and data-handling policies; notification processes when data is accessed without prior authorization; destructive processes for data at the end of the agreement; the physical location and security of the outsourced data centres and the physical location of the outsourced administrators. Lastly, entities should ensure that administrative accounts for cloud services should use two-factor authentication and be different from internal administrator accounts.
Companies can overlook the importance of hardening their own websites from security threats. All corporate websites should meet the Open Web Application Security Project Application Security Verification Standard (and this requirement should be included in contracts with website developers).
Implement access control and authorization
Many organizations over-share access to sensitive information internally and the guidelines recommend that organizations should follow the principle of “least privilege” where users only have the minimal functionality required to perform their jobs. Administrator privileges should be restricted to an “as-required” basis. Users should be given unique individual accounts rather than using shared or shared-use accounts to ensure clear accountability and organizations should have all the necessary processes in place to revoke accounts when employees leave the organization or they are no longer required. The guidelines recommend that larger organizations deploy a centralized authorization control system (such as Lightweight Directory Access Protocol or Active Directory).
Secure portable media
While it is arguably convenient to transfer data files between devices, portable media (including secure digital cards, USB flash drives and portable hard drives) can be a security headache since they are so easily lost or stolen (hello data breach!). The Guidelines recommend limiting the use of portable media to commercial encrypted drives provided by the organization and maintaining strong asset control for all storage devices (including proper disposal). Organizations should also ensure that they can comprehensively wipe/sanitize such devises prior to their disposal, or retain a service provider to securely destroy them.
The guidelines explicitly state that the foregoing base controls are intentionally aimed at small and medium-sized businesses to maximize the effectiveness of their limited cyber security spend and organizations looking to go beyond these controls should consider more comprehensive/robust cyber security measures such as the NIST Cyber Security Framework, the Center for Internet Security Controls, ISO/IEC 27001: 2013 or the CCCS IT Security Risk Management: A Lifecycle Approach.
However there is little doubt that many small and medium-sized businesses will find the Guidelines to be a useful, if somewhat limited, starting point for good cybersecurity practices. Even if a small number of organizations adopt these recommendations then the net impact on Canadian cyber resiliency will likely be positive.
This article originally appeared as Lisa's IT Girl column in Canadian Lawyer Online.