
Sunday, February 2, 2020

Inoculate Your Mind

With the spread of the 2019 Novel Coronavirus, hackers have started phishing campaigns geared to capitalise on the mounting fear of this virus. Koddos (a secure hosting provider) has published a story indicating that this fear is being used to spread the Emotet Trojan in Japan. The panic that surrounds crises such as global health threats, the Australian wildfires, or other major environmental events is often used by hackers to distribute computer viruses and trojans. This kind of social engineering takes advantage of heightened anxiety, knowing that people will click on things they would normally avoid. The same kind of thing happens during championship sporting events such as the Super Bowl, the FIFA World Cup, or the Olympics.

So, what can you do? Well, the simple answer is slow down. Most social engineering tries to create a sense of urgency. One is led to believe that time is of the essence, and that speedy action is required. One is also often advised to keep the information secret, that s/he is special and the information is just for him/her. Therefore, slow down, and consider whether the organisation purported to have sent the message would normally communicate in this fashion. In our current situation, is it reasonable to expect that the Centers for Disease Control in the US, or Health Canada, would send a private message to the citizens of that country? How is the spelling and grammar in the message? Phishing campaigns are famously poorly written. Writing is quickly becoming a lost art, so a poorly written email is not an absolute indication of phishing, but it is a partial red flag. Ask a friend. Sometimes just the act of telling someone about the message will help you realise how "off" it sounds. When in doubt, go directly to the source. Do a Google search for the organisation in question, and see if any such information is on their website. If it supposedly came from a contact of yours, call the contact. Did s/he send it? Finally, simply ignore it. If things get bad enough, you'll hear about it from multiple sources.
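The three cues above (manufactured urgency, a request for secrecy, and a message claiming to come from an organisation that would not contact you that way) can be turned into a simple triage score. The following is an added example, not code from the post or from Koddos; the phrase lists, the organisation-to-domain table, and the sample messages are all constructed for illustration, and the domain table in particular is an assumption you should verify before relying on it. It is a reading aid for a sceptical human, not a spam filter.

```python
import re
from dataclasses import dataclass, field

# Cue 1: pressure to act quickly. Cue 2: pressure to keep quiet.
# Both phrase lists are constructed for this example.
URGENCY = re.compile(
    r"\b(immediately|urgent|within 24 hours|act now|right away|expires today)\b", re.I)
SECRECY = re.compile(
    r"\b(do not (share|tell|forward)|keep this (private|secret|confidential)"
    r"|just for you|for your eyes only)\b", re.I)

# Cue 3: the organisation named in the message versus the domain that actually
# sent it. Hypothetical table, constructed here; check the real domains yourself.
KNOWN_SENDERS = {
    "centers for disease control": "cdc.gov",
    "health canada": "canada.ca",
}


@dataclass
class Verdict:
    score: int
    reasons: list = field(default_factory=list)


def sender_domain(from_header):
    """Domain part of a From: header such as 'CDC Alerts <alerts@cdc-notice.info>'."""
    m = re.search(r"@([\w.-]+)", from_header)
    return m.group(1).lower() if m else ""


def claimed_org(text):
    """First organisation from KNOWN_SENDERS mentioned in the text, or None."""
    low = text.lower()
    for name in KNOWN_SENDERS:
        if name in low:
            return name
    return None


def score_message(from_header, subject, body):
    """Score one message; higher means 'slow down and go to the source'."""
    v = Verdict(0)
    text = f"{subject}\n{body}"
    if URGENCY.search(text):
        v.score += 2
        v.reasons.append("urgency: the message pressures you to act quickly")
    if SECRECY.search(text):
        v.score += 2
        v.reasons.append("secrecy: the message asks you to keep it to yourself")
    org = claimed_org(f"{from_header}\n{text}")
    if org:
        real = KNOWN_SENDERS[org]
        dom = sender_domain(from_header)
        if dom != real and not dom.endswith("." + real):
            v.score += 3
            v.reasons.append(
                f"impersonation: names {org} but was sent from {dom!r}, not {real}")
    return v


# Constructed sample messages (not real phishing text).
PHISH = (
    "CDC Alerts <alerts@cdc-notice.info>",
    "URGENT: Coronavirus prevention steps",
    "The Centers for Disease Control has prepared a private notice just for you. "
    "Keep this confidential and act now.",
)
BENIGN = (
    "Public Health Updates <no-reply@cdc.gov>",
    "Weekly situation summary",
    "The Centers for Disease Control publishes its weekly summary on its website.",
)

if __name__ == "__main__":
    for msg in (PHISH, BENIGN):
        verdict = score_message(*msg)
        print(msg[1], "->", verdict.score, verdict.reasons)
```

A score of 0 does not prove a message is genuine; the point of the scorer is to make the cues the post lists explicit, so that the reasons it reports prompt the "go directly to the source" step rather than a click.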

As a parting note, a good source for social engineering inoculation is the Hacking Humans podcast. Each week, the hosts share stories of attempted social engineering and conduct an interview with an industry expert to help make you aware of the various forms of social engineering. It's a lighthearted show that is not too technical for the average person.

Wednesday, October 2, 2019

Risky Business

Business ownership involves risk. We all know that, but how much risk is too much risk? One's risk-tolerance is usually expressed, at least initially, as a qualitative statement about what one's "gut" says; something like "moderate", or "limited". Arguably, such statements are about as useful as a milk-bucket under a bull. So, the CISSP Common Body of Knowledge proposes a few quantitative formulas to help us out. Introducing the "Single Loss Expectancy" (SLE) and the "Annualized Loss Expectancy" (ALE).

Simply put, the SLE is the potential cost of a single event, and the ALE is the cost of such an event spread across all the years between events. Such formulas appeal to the executive members of organizations because they give actual numbers that can be used in making "fact-based" decisions. So, the cost of a particular event is $x, and the event can be reasonably expected to occur every y years. Your ALE becomes $x/y. Nice. Clean. Simple. Now we know what our risk on that given event will cost, and we can factor its management into the budget. Or can we?

Risk Management generally applies one or more of four strategies: Avoidance, Acceptance, Transference, and/or Mitigation. Avoidance means not doing whatever leads to the event in question. If the event is the loss of the entire executive team in a transportation accident, the risk can be avoided by not allowing the c-suite to travel at the same time. But if the risk is a breach of the computer network, deciding not to use networked computers may not be a viable solution. Acceptance means what you would expect; yes, there's a risk to the c-suite all traveling together, we acknowledge that risk but will keep doing it. This is an informed decision, no action required. Transference is making some other arrangement so that the risk is addressed in some other way. Buying what is known as Key-man Insurance on the entire c-suite would transfer the risk of them all being lost at sea to the insurance company (though I doubt this would be practical). Finally, mitigation is the handling of the risk. If the executive team never travel together, the risk of an empty c-suite due to a transportation accident is mitigated, though maybe not eliminated. Calculating the SLE of a particular threat is a natural part of the lead-up to a risk management plan. In order to determine a useful SLE however, one had better make sure the scope of the risk is adequately analysed.

As mentioned earlier, identifying the ALE is the process of determining how much a risk might cost over a given number of years. Common wisdom would say don't spend more than that amount trying to manage the risk. Furthermore, the more efficiently and effectively one can manage a risk, the better. The challenge, however, is in accurately identifying all the composite parts of the risk event. Obviously, some risks have fewer moving parts than others. In the world of cyber-security, the knock-on effects of an event can quickly become bigger than the event itself.

A case in point is the story of Danish hearing aid manufacturer Demant. On September 30th, ZDNet published a story discussing how a ransomware attack on Demant has cost the company $95M in one month. According to the story, Demant announced their trouble on the third of September, and by the publication date had not yet fully recovered. To be fair, I wouldn't begin to suggest that I know all that took place in this story, and admit that I am comfortably playing armchair analyst. However, I will make a few observations here as a thought experiment, with the aim of helping my readers avoid similar situations.

Of the risk management strategies discussed earlier, there is no way that Demant, or any other organization, could "avoid" a ransomware attack. Doing so would require disconnecting their computers from the internet, and maybe even getting rid of them altogether. There is also no reason to suspect that Demant just "accepted" the risk and went about their business with their collective heads in the sand. Quite the opposite, in fact. The story makes a couple of key points that illustrate that Demant included a transference strategy in their risk management: they have a $14.6 million cyber insurance policy. That is double the $7.3M required to recover and rebuild their IT infrastructure.
Demant Stock History (www.demant.com)

So if they had insurance for double the cost of their IT infrastructure, how did this event cost them $95M? According to the report, about half of that represents lost earnings, while the rest includes missed opportunity to implement a planned expansion. Demant seems to be a significant player in their field, and with stock prices still sitting at ~$25 per share, I would suspect they will rebound. But the question remains, how did this get so out of hand? Without inside knowledge, one is left to posit that the initial calculations of SLE did not take into account the amount of time it would take to restore the IT infrastructure and, by extension, the lost revenue during that time. I would also doubt that the individual calculating the SLE could have known that an expansion would be planned at the very time that the event occurred. It would be my guess that an assumption was made that new equipment would be bought, or existing equipment would be restored to factory defaults, and the back-ups would simply be applied. Done. Easy, right?

My grandfather used to say: "You don't get what you expect, you get what you inspect." While Demant can be credited for their implementation of a transference strategy, this story shows that transference is not necessarily enough. We can see that the risk from a ransomware attack could not be transferred to an insurance company because they only deal with the exchange of funds. In our earlier example, if the insurance company pays out the key-man policies, the company would still have to hire the replacements. Here, it would appear that though there were funds for the infrastructure, the restoration took significantly longer to execute than expected. This could be the result of corrupt back-up media, limited scope of back-ups, or any other number of failure points in the exercise. Unless one actually goes through the motions, and actually tries to restore from back-ups, one is rolling the dice. What would risk mitigation have looked like? Demant should have at least tested their ability to restore from back-ups. Or at an extreme, they could have had a complete segregated IT infrastructure sitting in the wings, ready to go at a moment's notice. While the setup of such an environment may have seemed cost prohibitive at the outset, the events that transpired over the past month show that greater mitigation was in fact warranted.
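To make the argument of the two posts above concrete (the SLE/ALE formulas introduced earlier, and the Demant case showing what happens when the SLE leaves out restoration time), here is an added worked example in Python. It is not Demant's data or a formula from the CISSP body of knowledge beyond ALE = SLE / years between events; the only figures taken from the post are the $7.3M rebuild cost and the $95M total. The 28-day outage, the daily revenue loss, the opportunity cost, the five-year event interval and the cost of a restore-testing programme are assumptions chosen so that the composite SLE reproduces the reported total.

```python
from dataclasses import dataclass


@dataclass
class LossScenario:
    """Cost components of one occurrence of the event: the inputs to the SLE."""
    rebuild_cost: float            # restoring or replacing the IT infrastructure
    downtime_days: float           # days until operations are back to normal
    daily_revenue_loss: float      # earnings lost per day of outage
    opportunity_cost: float = 0.0  # e.g. a planned expansion that could not go ahead

    def sle(self):
        """Single Loss Expectancy: everything one event costs, not just the rebuild."""
        return (self.rebuild_cost
                + self.downtime_days * self.daily_revenue_loss
                + self.opportunity_cost)


def ale(sle, years_between_events):
    """Annualized Loss Expectancy, the post's $x / y (1 / y is the annual rate of occurrence)."""
    return sle / years_between_events


def safeguard_value(ale_before, ale_after, annual_safeguard_cost):
    """Net annual benefit of a control; positive means the spend is covered by the ALE it removes."""
    return ale_before - ale_after - annual_safeguard_cost


# "Naive" SLE: rebuild cost only, the assumption the post suspects was made.
NAIVE_SLE = 7.3e6  # $7.3M from the post


def reported_scenario():
    """Composite SLE that reconstructs the $95M total; downtime and loss rates are assumed."""
    return LossScenario(rebuild_cost=7.3e6,       # from the post
                        downtime_days=28,         # assumed: "one month"
                        daily_revenue_loss=1.7e6, # assumed: gives ~half the total as lost earnings
                        opportunity_cost=40.1e6)  # assumed: the delayed expansion


def mitigated_scenario():
    """Same event after a tested, rehearsed restore: assumed 3-day outage, expansion unaffected."""
    return LossScenario(rebuild_cost=7.3e6, downtime_days=3,
                        daily_revenue_loss=1.7e6, opportunity_cost=0.0)


def compare(years_between_events=5, restore_testing_cost=5e5):
    """ALE and safeguard value under the naive and the composite SLE (interval and cost assumed)."""
    naive_ale = ale(NAIVE_SLE, years_between_events)
    composite_ale = ale(reported_scenario().sle(), years_between_events)
    mitigated_ale = ale(mitigated_scenario().sle(), years_between_events)
    return {
        "naive_ale": naive_ale,
        "composite_ale": composite_ale,
        "mitigated_ale": mitigated_ale,
        # A faster restore does not change a rebuild-only SLE, so the naive model
        # sees the testing programme as pure cost.
        "value_under_naive": safeguard_value(naive_ale, naive_ale, restore_testing_cost),
        "value_under_composite": safeguard_value(composite_ale, mitigated_ale, restore_testing_cost),
    }


if __name__ == "__main__":
    for k, v in compare().items():
        print(f"{k:>22}: ${v/1e6:8.2f}M")
```

Under the naive SLE the restore-testing programme looks like money thrown away; under the composite SLE the same programme pays for itself many times over. The numbers are assumed, but the shape of the result is the post's point: the cost of an event is the whole outage, not the invoice for new hardware.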


Photo credit: "Destiny" by Dave Gough (cc-by 2.0)

Monday, August 13, 2018

Rotten Trade

Let American Produce Rot
One would have to be living pretty deeply under a rock to not know that Canada is being bullied by president #45 of the United States of America. President Trump has unilaterally declared economic war on Canada, and entered into bilateral discussions with Mexico in an attempt to subvert the North American Free Trade Agreement (NAFTA). That is, of course, his prerogative. It would seem that Free Trade, as a concept, is completely foreign to Mr. Trump, because he only views a "negotiation" to be a success if he "wins" and the other guy "loses". Free Trade, on the other hand, is all about mutual benefit, not winners and losers. As such, I don't expect that NAFTA will have a life until the orange man is out of the white house. While the government of Canada continues to press for mutual respect in negotiations with Washington, we are restricting our tariff activities to "tit-for-tat" adjustments. This is the civilized approach, and our government is wise to do so. However, when dealing with a bullying ape, guerrilla tactics are in order. It is time for all Canadians to stand on guard for Canada and hit the United States of America where it will hurt most, the pocket book.

I sent a letter today to Prime Minister Trudeau requesting that the product labelling laws in Canada be adjusted to require the provenance of products be displayed, by percentage from each country, on all packaging. For example, if a box of cereal is imported from Mexico but uses wheat from the USA, I may want to consider another brand that uses wheat from Canada. Or in another case, just because a pair of shoes is assembled in Canada doesn't mean that they don't use uppers and soles from the USA. Perhaps the government could certify products that have more than a certain percentage of Canadian content (say 80% or higher).

Such changes, however, if adopted, would take a long time to implement. We Canadians must act now. So I am asking that all Canadians contact the grocery chains at the corporate level, advise them that we will NOT be buying produce from the USA, and request that they identify other sources of produce for their stores.
Grocery Landscape in Canada (image)
Almost all grocery stores in Canada are owned by one of three companies: Empire Company Limited, Loblaw Companies Limited, or Metro. Writing to Loblaw Companies Limited reaches 27 grocery and pharmacy chains. Writing to Empire Company Limited will reach 13 grocery chains. Writing to Metro will reach 5 grocery chains in Ontario and Quebec. To the best of my knowledge, there is nothing that is grown in the United States that cannot be either sourced from another country or replaced with a comparable product from Canada. If the large grocery chains are made to understand that produce from the USA will just rot on their shelves, they will make other purchasing decisions, or they will lose sales to competitors who do.

The time to act is now. Stand up to this bully, and show him what Canadian grit and determination looks like. Call or write today. Don't know what to say? I've drafted some thoughts at the bottom of this page to get you started.

Loblaw Companies Limited

Customer Relations
Hours of Operation
Monday to Friday 8:30 am to 4:30 pm ET
Call toll-free: 1-888-495-5111
Email: customerservice@loblaws.ca

Empire Company Limited

Contact the Board of Directors
You may communicate with the Board of Directors through the Office of the Senior Vice President, General Counsel and Secretary in the following manner:
Doug Nathanson
Senior Vice President, General Counsel and Secretary
Empire Company Limited
115 King Street
Stellarton, Nova Scotia
B0K 1S0
E-mail: board@empireco.ca
Sobeys Customer Care
Atlantic
Call toll-free 1-888-944-0442
Monday to Friday 8:00 am to 5:00 pm (AST)
E-mail: customer.service@sobeys.com
Ontario
Call toll-free 1-888-821-5557
Monday to Friday 8:00 am to 4:30 pm (EST)
E-mail: customer.care.ontario@sobeys.com
West
Call toll-free 1-800-723-3929
Monday to Friday 8:00 am to 5:00 pm (MST)
E-mail: customer.helpline@sobeys.com

Metro

Call toll-free: 7-877-763-7374
or fill out the web form on Metro's website.

Draft Email

Dear Sir or Madam,

I am a loyal customer of [name of chain].

I am very concerned about the situation involving Canada's trade with the United States. As such, I would like to advise you that, until an equitable NAFTA has been renegotiated that is fair to all trading partners, I will not be buying any produce that originates in the USA. I ask that you make sure that you source produce from other countries so that I continue to have the selection to which I am accustomed. If I cannot avoid American produce at your stores, I may have to avoid your stores to find stores that are willing to stand up for Canada.

Thank you in advance.