Almost all firms today have multiple vulnerabilities: open Internet access for company computers, employees who use their own devices for off-site work, and sloppy workplace cybersecurity practices.
determined and well-financed attacks on specific firms, often executed by foreign government operatives, may also come through other indirect channels. For example, hackers will identify a firm’s senior executives using LinkedIn or disclosure documents, and then use open-source social network sites to identify their children and other family members. The goal is to infect the relatives’ smartphones or computers with “weaponized” software files or applications that can be transmitted to the executive’s email; after all, who hasn’t used a company account to exchange messages with a family member? “Nation-states do that,” says Tobok. “They’ll break you and continue to break you until they have access to everything.” (For example, the Canadian government’s electronic spy agency monitors metadata on millions of individuals under broadened security rules approved by ministerial directives from the minister of defence during both the Paul Martin and the Stephen Harper governments. Ottawa has also allegedly spied on Brazil, where many large Canadian firms have significant interests.)
The stolen — or “ex-filtrated,” in the parlance of the security industry — information may end up with competitors, foreign governments or organized crime groups. Organized crime groups are on the rise and are focusing on blackmail, says Robert Masse, Deloitte Canada’s national cybersecurity leader for resilience. The perpetrators send a so-called “proof of life” message to the target — a copy of one of the stolen documents — plus a demand for cash and a means of delivering the funds, often in the form of bitcoin. The police, he says, tend not to be notified in such cases because companies don’t want to advertise their exposure and the perpetrators are highly unlikely to be operating in the jurisdiction where the crime is reported.
Masse also points out that in such cases, the ransom payment ends up being a business decision. If a pharmaceutical company loses cancer research data worth $100 million and an organized crime group is asking for $50,000, he observes, “I think I’d pay the $50,000.” Increasingly, Masse adds, cyber thieves are targeting more valuable files. “They’re being more patient and looking for bigger payoffs,” he says.
The far more pernicious problem, however, occurs when competing companies or front organizations are after information that can be leveraged to undercut or eliminate a rival. What’s more, firms may only discover evidence of this sort of espionage indirectly. “They say, ‘Something’s going on here,’” observes Tobok. “‘We’ve lost our contacts, we lost people.’” Kevin Lo says he’s had clients who only encounter the results of the spying activity at an international trade show, where rival firms with knock-off products have set up booths and are writing deals. “Then it dawned on them that it did happen,” he says. “I’ve heard this story many times.”
Yet for all the technically dazzling stories about cyberattacks,
40 | CPA MAGAZINE | MARCH 2017
OUSTING A CYBER SPY
When Robert Masse, Deloitte Canada’s national cybersecurity leader for resilience, is dealing with frantic clients whose senior managers have just discovered they’ve been losing key documents to an unseen thief, many respond with what seems like an intuitively obvious move: unplugging the company’s computers from the Internet and then rebooting their systems. “We have to convince them that’s the worst idea,” he says. Sophisticated cyber thieves work patiently, infiltrating and exploring the target company’s computers slowly and inconspicuously so as not to arouse the suspicion of system administrators. Malware viruses sometimes embedded in the company’s network are programmed to send tiny signals back to the hacker; when these are interrupted suddenly, Masse says, the company has tipped its hand. Tactically, he adds, it’s better that the intruder doesn’t know that the company knows. “If we keep everything as is, we can watch them enter and exit the network and identify all the various ways they can get in.”
Remediation consultants draw on military techniques such as Lockheed Martin’s defence against the “intrusion kill chain” — a sequence of tactical moves hackers use to launch an attack. The defence sequence includes fixing the location of cyber weapons such as malware; tracking and observing their progress; targeting them and, finally, engaging, which, in military parlance, means destroying them. Masse points out that when a firm becomes aware of a cyber spy’s presence in its computer system, his team will quietly begin building a parallel network, of which the hacker is unaware or can’t access, with the goal of switching over on a single day as a means of “kicking out the bad guys.” As Masse warns, “You can only do that once.”
— JL