Mathieu Leblanc
Senior Manager | Ing., M. Ing., MBB | Tax

We hear about nations spying on each other, of geeks hacking large corporations just for fun; how can I know if my company is at risk?

We are all at risk. The questions really are: “How much are we at risk?” and “To what kind of risk are we exposed?” As you have enumerated already, there are many potential attackers, and understanding what our highest value information is will help us answer who could be after us. To keep it simple, let us use the categories of attackers defined by Marc Théberge, Chief Cyber Security Operations at Arc4dia: the Gangster and the Traitor.

The Gangster will contemplate exploiting you for a quick win, quick profit, while the Traitor looks at exploiting you for long-term profit.

Ransomware, the superstar for the Gangster, has recently been affecting all of us. Whether in direct fiscal losses of $1B in 2016 or in the loss of mission-critical information, such as a police loss of nine years of evidence, the range of impact on business has led to some business closures. Thankfully, you can protect yourself from it by making sure you have at least two (2) backups at all times. And remember, only verified working backups are valid backups.

The Botnet is still around in the Gangster category, making damage by exploiting more and more Internet of Things (IoT) and home routers. This one is a bit trickier as many of the IoT devices simply cannot be updated or patched to protect them against known exploitation vectors.

The best mitigation strategy at the moment is to keep them isolated from direct external Internet access. There are a few technologies worth looking into lately such as the Google Wi-Fi router as well as the F-Secure Sense, both offering some level of protection for our very vulnerable home IoT devices.

As if the Gangster were not problem enough, here comes the most dangerous threat against your company: the Traitor.

The Traitor will go to great lengths to either cause high-profile reputational damage or stay hidden to steal as much as possible from you for profit in the long run.

We have seen all sorts of very creative hacking to reach such goals by criminals or state-sponsored actors acting in the best interest of their local industry. Defending against such actors is the subject of long studies and professional work, but let us try to isolate some ideas for a better understanding of the problem.

The Traitor will seek to breach your privacy by breaching your security in order to target your most valuable information. To preserve your privacy, the first step is to take time to identify what your high-value information and high-value reputation are.

For example, we know of attackers targeting the core systems to gain access to:

  • Intellectual property,
  • Critical infrastructure,
  • International strategies,
  • Acquisition plans,
  • Quotes,
  • Know-how,
  • Etc.

Some of our clients need to bid internationally to acquire some resources. Hackers have targeted the executives in charge of performing such a bidding process with the intent of outbidding them at the lowest overhead cost possible. Such mission-critical information losses have been the cause of large companies foreclosing in the last 10 years and even more.

Others are suffering from privacy information leaks. It is very common for companies with very sensitive information in hand to have to pay a ransom in exchange for privacy; otherwise they would lose the trust of their clients. These ransom payments are happening behind closed doors and do not make it to the public knowledge, but they are good examples of where to look to identify where we are at risk. The information on ransom paid is very limited, but we can go as far back as the year 2000 when the FBI released information that more than 40 companies had paid ransoms over $100,000 to avoid information release within the last year.

To summarize, if you run a successful business, you are at important risk, especially nowadays with such a rise in criminal hacking.

We see nothing, but we hear about the “hacking battle”; how have threats evolved in the last few years?

True enough, hacking battles are happening; in fact, some security vendors like to outline that some of their clients have had almost all the strains of possible advanced malware out there and that they look there when they suspect something is going on.

The threats certainly have evolved. The advanced malware has lowered the number of targeted hosts in exchange for value to optimize the return on investment in their technology against the infosec community after suffering more and more exposure in the recent years.

The rise of ransomware, now possible because of cryptocurrencies such as Bitcoin, has brought a new type of malware in the sense that it is not trying to hide. It is simply acting in a brute force and fast manner.

At the opposite end of the spectrum, where stealth is critical for the malware's success, we are seeing a rise in fileless malware. This malware avoids touching the system disks in favour of living in memory only, making it much harder to detect.

We heard of the “hunting malware” type of defence, what is it?

Traditionally, the anti-virus was attempting to keep your computers clean of any viruses. This method was very effective at finding the known malware or the already seen before malware. This was an effective way of stopping the viruses because spreading methods were much slower, especially before the Internet days.

Fast forwarding to 2017, these techniques are applying a machine defence mechanism to fight against a very dynamic threat controlled by humans. The “old” approach is effectively a machine vs human fight and the machines, in this case, are losing radically.

Malware hunting is bringing the fight to the human vs human level by being dynamic and continuously connected to the protected hosts. Malware hunters are performing live forensic analysis on computers with suspicious alerts without interrupting them.

So what is the best protection strategy, considering the costs involved?

One of my favourite guides is that from the Australian Signals Directorate:

Start with their top 4 recommendations and add an Endpoint Detection and Response platform supported by a quality malware hunting managed service. Dedicated malware hunting services are part of defensive strategies to free up time in favour of hardening the environment instead of running around trying to stop potential hackers inefficiently.

Let the old techniques cycle out. We have many high-profile clients letting go of expensive SIEM and IDS/IPS services in favour of cheaper ones or even simpler and more effective techniques as mentioned before.

For small businesses, I would add to this to make sure you have a very simple VPN service on all devices that are going out of your premises. Services such as Freedome by F-Secure are simply too cheap, easy and efficient to pass on. They will protect users from several local attack types while at the local café or the airport.

Pierre Roberge: An 11-year veteran of the Communications Security Establishment (CSE), Pierre led advanced technical teams tasked with protecting Canada’s national interests in cyberspace. While the majority of Pierre’s projects remain classified, Pierre established a strong reputation among ‘5-Eyes’ nations as a leading expert and innovator in cyber intelligence operations.

His declassified awards include the CSE Excellency Award and the Chief of the Defence Staff Commendation. While working alongside British and American counterparts, Pierre led teams of 100+ members to combat the most advanced cyber threats originating from both state and non-state actors.

Pierre is experienced in working within a complex, enterprise-level networking environment using the most advanced technologies. His technical experience ranges from securing low-level infrastructure and endpoint systems to interfacing with dynamic and cross-functional networks.

27 Mar 2017  |  Written by :

Mr. Leblanc is a senior director at Raymond Chabot Grant Thornton. He is your expert in taxation for...

Next article

Federal Minister of Finance, Bill Morneau, presented his budget on March 22, 2017. The government is continuing with its planned focus on building a strong middle class through innovation, skills, partnership and fairness. Budget 2017 focuses on giving talented people the skills they need to drive our most successful industries and high-growth companies forward, while investing in Canadians’ well-being through a focus on mental health, home care and indigenous health care.

Forecasted deficits

As widely anticipated, the budget projects significant deficits over the next several years. The government forecasts a deficit of $23 billion for 2016–17 and $28.5 million in 2017–18. Over the next four years, deficits are expected to decline gradually from $27.4 billion in 2018–19 to $18.8 billion in 2021–22.

Canada continues to have the lowest total government net debt-to-GDP ratio of all G7 countries. The federal debt-to-GDP ratio is projected to decline gradually after 2018–19 reaching 30.9 percent in 2021–22.

Investing in priorities

The government is committed to making smart, necessary investments in the economy to ensure a thriving middle class, and remains committed to a responsible approach to fiscal management.

The government will initiate three new expenditure management initiatives:

  • A comprehensive review of at least three federal departments (to be determined), with the aim to eliminate poorly targeted and inefficient programs, wasteful spending and inefficient programs, and ineffective and obsolete government initiatives.
  • Initiate a three-year review of federal fixed assets to identify ways to enhance or generate greater value from government assets.
  • Initiate a review of all federal innovation and clean technology programs across all departments, as federal programs are dispersed to simplify programming and better align resources to improve the effectiveness of innovation programs.

The government will report on the progress of these reviews in Budget 2018.

The government will also introduce legislative changes to improve the organization and efficiency of government operations, as needed.

Next article

Benoit Turcotte
Partner | M. Fisc. | Tax

January 30, 2017 Executive Order

U.S. President Donald Trump’s January 30, 2017 Executive Order restricts the issuance of new U.S. federal agency regulations.

As a result, the Internal Revenue Service (hereafter the “IRS”) will not propose any new technical tax interpretations, other than the usual notices such as interest rate changes.

Under this new executive order, every time an executive department or agency would like to comment on or enact a new regulation, they must identify at least two prior regulations to be eliminated.

Regulations

These interpretations represent the opinion of the U.S. Department of the Treasury relating to the Internal Revenue Code (hereafter the “IRC”) and constitute a reference for interpreting the federal income tax legislation. The Treasury’s technical interpretations summarize application of the IRC by providing an official interpretation of the U.S. tax code by the Department of the Treasury. Often these interpretations are presented following requests for private letter rulings or at the Treasury’s initiative to clarify certain aspects of the law (revenue rulings).

Order objectives

According to the White House, the idea of compensating for new regulations by eliminating prior ones has the potential to provide a “regulatory balance” to the flow of new administrative formalities issued by the U.S. Government and help simplify or eliminate obsolete regulations.

Furthermore, according to the White House, the additional costs associated with the new regulations will be offset, to the extent permitted by law, by the elimination of existing costs associated with at least two prior regulations.

The impact of the order

According to President Donald Trump, businesses will find it easier to create and operate a business in the U.S., as they won’t be hampered by tax regulations.

However, opponents of the President, many of whom are from the world of business and tax, would argue that this order could be detrimental to the sound administration of the tax system of the world’s leading economy, by creating or maintaining a vague regulatory framework around complex tax rules. Many also consider that these interpretations are needed for the government to function properly and for the sound management of the tax environment that U.S. businesses or companies doing business in the United States rely on.

17 Mar 2017  |  Written by :

Mr. Turcotte is a partner at RCGT. He is your expert in taxation for the Montréal office. Contact...

Next article

On-line Tax Strategies

Did you know that intragroup transactions are often incorrect and a common source of significant assessments by the tax authorities? Many of these frequent errors can easily be avoided. The following paragraphs provide information on areas to watch out for and potential solutions to limit the impact of commodity taxes on your cash resources in intragroup transactions.

Basic rules

Enterprises are required to collect and remit taxes on taxable supplies, even in the case of transactions between companies within the same group. The consideration paid or payable to an entity in exchange for a taxable supply triggers taxes, regardless of whether an invoice has been produced. Transactions may be evidenced by a contract, invoice or even a journal entry.