Weekly CyberTip: Ask for the vendors’ certifications
Are you sure your service providers and suppliers are as concerned about security as you are? Make sure you always vet the cyber posture of third parties, and apply the same security rigour to your extended network as you do to your own systems.
Ask for the vendors’ certifications regarding their IT practices, monitor cyber news stories about the vendor and their sector, and check references before partnering with them. Play it safe by restricting their access to a need-to-know basis. And be sure to monitor and audit third-party network and data access regularly.
Ontario releases “Modernizing Privacy in Ontario” white paper
The Province of Ontario has released a white paper calling for key changes to the proposed Bill C-11 in Canada. The white paper, based on the province’s Building Digital Ontario framework released in April 2021, focuses on three major issues the provincial government has identified with the proposed bill: “its consent framework could allow organizations to collect and use citizens’ data for commercial interests without their knowledge; it does not provide special protections for children and youth; and its digital rights do not go far enough to protect individuals from new risks such as surveillance.”
Bill C-11 was introduced in November 2020 as a replacement for the existing privacy law in Canada, called the Personal Information Protection and Electronic Documents Act (PIPEDA), which has been in force since January 1, 2004.
While the provincial government agrees the new bill contains some improvements to privacy law, it sees significant room for further improvement. In the white paper, the government also signaled that Ontario is prepared to proceed with its own privacy law if national consensus on further changes to C-11 cannot be reached.
The proposed bill has also come under fire from the Office of the Privacy Commissioner of Canada in recent weeks, with federal Privacy Commissioner Daniel Therrien describing Bill C-11 as “a step back overall” and “frequently misaligned and less protective than the laws of other jurisdictions,” in his May letter to the Standing Committee on Access to Information, Privacy and Ethics reviewing the bill.
Toronto’s Humber River Hospital still recovering from suspected ransomware attack
A week after an early morning cyber attack on its systems, IT staff at Humber River Hospital in Toronto continue to patch, repair, and restart their computer systems.
The incident started at around 2:00 a.m. on Monday, June 14 when the hospital network suffered “a zero-day ransomware of a new malware variant,” according to their website. The hospital declared a “code grey” (a loss of essential services) and began to shut down all of their systems in order to prevent widespread infection.
The early forecasts of recovery were optimistic. On June 15, the website announced: “Since our systems are constantly updated (most recent patching June 13) and monitored this was discovered almost immediately and all IT systems were shut down, including our patient health records system.”
“We have over 5,000 computers, 800 of which are servers, (and) each will be restarted manually. [A malware patch] will be added to each computer and then each system recovered as required. We will bring systems back online in a staggered approach over the next 48 hours,” continued the statement.
The bulletin assured patients that there were no breaches of confidential information and – though a variety of clinics were cancelled and some ambulances re-directed – emergency services were unaffected.
Through the course of the week, however, concerns were raised about the progress of the recovery. On June 17, a group of as many as 30 physicians wrote a letter to hospital administrators urging them to close the emergency department until full services have been restored, citing concerns about patient care, according to a report in the Toronto Star. And the hospital’s update on Friday, June 18 was more guarded about the recovery timelines. The number of computers affected was revised to 3,000, but the bulletin suggested that, at the current pace, several systems would still not be available until early this week.
IT teams continue to work around the clock to complete the recovery as quickly as possible, reportedly assisted by IT personnel from other Toronto area hospitals. The hospital is also conducting a retrospective during the recovery process: “We are working as a team to revise existing processes, rethink what work is critical to continue in this moment versus what can be reprioritized for a later point. We are also beginning to think about what recovery might look like and what resources and work might need to be completed as we get back to a point of being completely online.”
Humber River Hospital was North America’s first all-digital hospital when it opened in 2015. An industry trade publication at the time described a facility that “has moved well beyond electronic health records or telemedicine to create a seamless, paperless, connected experience for patients, staff and clinicians.”
Google releases supply chain software security framework
Google has released a blueprint to help organizations strengthen their software security posture and reduce the risk of supply chain cyber attacks. Called SLSA (pronounced “salsa”), the framework is a proposal that Google hopes will ensure the integrity of software systems and components end to end throughout the supply chain.
Google’s June 16 blog post outlines eight “typical” supply chain vulnerabilities and explains how the new framework could help reduce the risks inherent in relying on third parties and open source software code.
The proposal calls for SLSA to be implemented in four levels, running from SLSA 1, which “offers a basic level of code source identification and may aid in vulnerability management,” through to SLSA 4, seen as the ideal end state, which addresses all aspects of software code review.
Google’s framework is inspired by its own internal processes: their “Binary Authorization for Borg” process for code management and review has been in use for over eight years, and is “mandatory for all of Google’s production workloads”. The timing of the announcement is no coincidence, driven by the recent high-profile cyber attacks involving weaknesses in supply chain software (most notably the SolarWinds breach in late 2020).
Summary of U.S. President’s executive order on cybersecurity
Security news outlet The Hacker News has presented a helpful digest of the U.S. government’s May 12 executive order, which sets out requirements for government agencies (and, tacitly, guidelines for other organizations) to help improve their cybersecurity posture and protect critical national infrastructure.
The executive order presents three broad recommendations, most featuring aggressive implementation timelines:
– Encourage and streamline the sharing of threat intelligence across agencies to help mitigate risk when vulnerabilities are found and exploited.
– Adopt a cloud-first mentality for technology; implement a zero-trust security architecture; and mandate multi-factor authentication.
– Secure the supply chain by focusing on the security of third-party software from procurement to inventory to audit.