Cyberattacks on Govt of Canada Portals: Key Take-aways and Some Tips
I just heard the press conference of Canadian federal government agencies regarding last week's cyber attacks. I thought I'd write a quick post with some key take-aways and tips.
Key Take-Aways:
- The cyber security attack vector primarily comprised credential stuffing – i.e. hackers had fraudulently obtained login credentials from previous data breaches on other websites.
- The attack vector used a front-door approach through regular user logins for gaining access, and potentially exploited a weakness in the authentication process bypassing the additional layer of security questions.
- Thankfully, the back-end security infrastructure had deployed user behavior analytics tools that helped detect anomalies, relatively early, and this hopefully contained further breaches.
- The agencies took action to disable affected accounts across systems, and the government is offering credit monitoring services to people who may have been impacted (notifications to individuals will be sent through regular mail).
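The behaviour-analytics signal mentioned above is easy to reason about once you see it in code. The following Python is an added illustration written for this post, not the agencies' tooling: it scans a handful of constructed authentication log lines (format, thresholds and the 10-minute window are all assumptions) and flags a source address that cycles through many distinct accounts with a high failure rate, which is the shape credential stuffing leaves in logs. It also lists the accounts that did succeed from that address, since those are the credentials a defender would disable and reset first.

```python
"""Flag credential-stuffing activity in authentication logs.

Added illustration, not code from the post or from any government agency.
Assumes a constructed log format:
    '<ISO-8601 timestamp> <source IP> <account> <OK|FAIL>'
The window and thresholds are assumptions chosen for the demo.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample lines: one address cycles through many accounts with
# mostly failures (the stuffing pattern); the others look like ordinary users.
SAMPLE_LOG = """\
2020-08-15T10:00:01Z 203.0.113.7 alice FAIL
2020-08-15T10:00:02Z 203.0.113.7 bob FAIL
2020-08-15T10:00:03Z 203.0.113.7 carol OK
2020-08-15T10:00:04Z 203.0.113.7 dave FAIL
2020-08-15T10:00:05Z 203.0.113.7 erin FAIL
2020-08-15T10:00:06Z 203.0.113.7 frank OK
2020-08-15T10:00:07Z 203.0.113.7 grace FAIL
2020-08-15T10:05:00Z 198.51.100.9 alice FAIL
2020-08-15T10:05:30Z 198.51.100.9 alice OK
2020-08-15T10:06:00Z 192.0.2.44 bob OK
"""


def parse_line(line):
    """Return (timestamp, ip, account, success) for one log line."""
    ts, ip, account, result = line.split()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    return when, ip, account, result == "OK"


def detect_stuffing(lines, window=timedelta(minutes=10),
                    min_accounts=5, min_fail_ratio=0.5):
    """Return {ip: summary} for every source IP that, within some `window`,
    tried at least `min_accounts` distinct accounts with a failure ratio of
    at least `min_fail_ratio`. One summary per IP is kept."""
    by_ip = defaultdict(list)
    for line in lines:
        if line.strip():
            when, ip, account, ok = parse_line(line)
            by_ip[ip].append((when, account, ok))

    alerts = {}
    for ip, events in by_ip.items():
        events.sort()
        for i, (start, _, _) in enumerate(events):
            # All events from this one up to `window` later.
            window_events = [e for e in events[i:] if e[0] - start <= window]
            accounts = {acct for _, acct, _ in window_events}
            failures = sum(1 for _, _, ok in window_events if not ok)
            ratio = failures / len(window_events)
            if len(accounts) >= min_accounts and ratio >= min_fail_ratio:
                # Accounts that logged in successfully from the suspicious
                # address: these credentials are confirmed valid and should be
                # disabled and reset first.
                validated = sorted({acct for _, acct, ok in window_events if ok})
                alerts[ip] = {
                    "distinct_accounts": len(accounts),
                    "attempts": len(window_events),
                    "failure_ratio": round(ratio, 2),
                    "validated_accounts": validated,
                }
                break  # one alert per IP is enough
    return alerts


def analyze_log(text):
    """Convenience wrapper: run detection over a whole log as one string."""
    return detect_stuffing(text.splitlines())


if __name__ == "__main__":
    for ip, summary in analyze_log(SAMPLE_LOG).items():
        print(ip, summary)
```

In practice the same logic runs per source IP, per user agent, or per ASN, because stuffing tools spread attempts across proxies; the distinguishing feature is still many accounts from one vantage point with mostly failures, which no legitimate user produces.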
Tips to Canadians:
- If you have re-used your login credentials from other websites on any govt agency portals, change your passwords as soon as you can. Even if you were not directly impacted this time, it is possible that your credentials were validated and may be used in a future data breach.
- Check other accounts where your financial information is stored for any unusual activity. I would also check social media accounts. Change your passwords here, esp. if you are using the same passwords on government portals.
- Where possible, use multi-factor authentication (MFA), sometimes called two-factor authentication (2FA). Industry research indicates that MFA can potentially prevent between 75% (automated) and 99% (targeted) of cyber security attacks.
- Use a Password Manager: It doesn’t just help you generate strong passwords and keep track of your logins, but also notifies you of potential data breaches across websites that you are using. I personally use DashLane and highly recommend it.
- If you are using manually generated passwords, there is research that shows that people don't effectively use strong passwords (combination of letters, numbers, symbols don't work well, and people tend to re-use them much more). My practical advice on this issue is to use simple but long passphrases. You can mix up words from multiple languages (many of us know multiple languages), or you can create a passphrase with multiple words that may only make sense to you and not other people. Here are some tips for passphrases.
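To make the passphrase advice concrete, here is an added Python example (mine, not the post author's, and not tied to any particular password manager). It draws words with the `secrets` module from two tiny constructed word lists in different languages, in the spirit of the mixed-language tip, and compares the entropy of a five-word passphrase drawn from a realistic 7776-word list against an eight-character "complex" password drawn from all 94 printable ASCII characters. The word lists and sizes are assumptions for the demonstration.

```python
"""Generate long passphrases and compare their entropy with a short
'complex' password.

Added illustration, not code from the post. The two word lists below are
tiny constructed stand-ins; a real generator would use a published list of
several thousand words (an assumption for this demo).
"""
import math
import secrets

# Constructed mini word lists in two languages, following the post's idea of
# mixing languages. Real lists should be far larger than this.
WORDLISTS = {
    "en": ["maple", "harbour", "lantern", "quiet",
           "river", "pebble", "winter", "canoe"],
    "fr": ["erable", "phare", "jardin", "nuage",
           "sentier", "fleuve", "hiver", "cabane"],
}


def combined_words(wordlists=WORDLISTS):
    """Union of all word lists, deduplicated and sorted."""
    return sorted({w for words in wordlists.values() for w in words})


def entropy_bits(choices, symbol_count):
    """Entropy of `choices` independent uniform picks from `symbol_count`
    equally likely symbols: choices * log2(symbol_count)."""
    return choices * math.log2(symbol_count)


def generate_passphrase(n_words, wordlists=WORDLISTS, sep="-"):
    """Pick `n_words` words uniformly at random using a CSPRNG (secrets)."""
    words = combined_words(wordlists)
    return sep.join(secrets.choice(words) for _ in range(n_words))


def compare(n_words, wordlist_size, password_len, alphabet_size=94):
    """Return (passphrase_bits, password_bits) so the two can be compared.

    Both numbers assume every symbol is chosen uniformly at random, which is
    true for the generator above but not for passwords people invent by hand."""
    return (entropy_bits(n_words, wordlist_size),
            entropy_bits(password_len, alphabet_size))


if __name__ == "__main__":
    print(generate_passphrase(5))
    pp, pw = compare(5, 7776, 8)
    print(f"5 words from a 7776-word list: {pp:.1f} bits; "
          f"8 printable characters: {pw:.1f} bits")
```

The point the numbers make: five random words from a 7776-word list give about 64.6 bits, more than the roughly 52.4 bits of a fully random eight-character symbol salad, and the passphrase is the one people can actually remember. Hand-picked "complex" passwords fall well short of even that 52-bit figure because people choose predictable substitutions and reuse them, which is what the research cited above is getting at.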
Hope this helps! Keep yourselves safe and your information secure.
If you have any questions about the above or any feedback, please leave your comments below.