Canada’s security agencies, including the Royal Canadian Mounted Police (RCMP) and the Canadian Security Intelligence Service (CSIS), are warning Canadian companies to be careful when purchasing technology supplied by state-owned companies from countries such as Russia and China.

The RCMP organized two workshops this past March, one in Calgary, and the other in Toronto. The aim of each workshop was to raise awareness about threats to critical systems, including espionage and foreign interference, cyberattacks, terrorism and sabotage.

The RCMP warn that technology supplied by foreign governments can be set up in a manner that allows it to steal corporate secrets, as well as consumer information.

The CSIS materials prepared for these workshops advise that “non-likeminded countries,” state-owned enterprises and affiliated companies are engaged in the global pursuit of technology and knowledge driven by economic and military ambitions. The disclosed documentation was released to The Canadian Press in response to an access-to-information request.

The markedly censored records do not go into great detail about specific countries; however, the presentation does include a section from a 2017 U.S. government report indicating that competitors such as China and Russia steal American intellectual property valued in excess of hundreds of billions of dollars annually.

CSIS has openly warned that Russia and China are also targeting Canada’s classified information and advanced technology, as well as government officials and systems. Law enforcement concerns emerge as Canada considers allowing Chinese firm Huawei Technologies to take part in developing a 5G telecommunications network in the country.

Security officials in the U.S. and Canada have warned against the move, suggesting the company’s ties to Beijing could compromise the security of Canada and its closest allies. Huawei denies engaging in intelligence work on behalf of any government agency.

CSIS spokesman John Townsend notes that the concerns aren’t without warrant and arise from cases where equipment and related computerized control systems and services are manufactured and installed by companies controlled by or affiliated with a foreign government, such as China.

The security presentation also warned Canadian businesses of “spear-phishing.” Spear-phishing is the fraudulent practice of sending emails from a known or trusted sender’s account in order to induce targeted individuals to reveal sensitive data, including passwords and user logins. Such tactics could be used to gain influence and leverage over a host country via espionage, technology theft and malicious cyber activity.

“95% of all attacks on enterprise networks are the result of successful spear-phishing.”

Alan Paller, Director of Research, SANS Institute

The agencies encouraged organizations to take protective measures and develop a corporate cybersecurity plan to manage such risks. For starters, organizations would be well advised to take precautions when any outside commissioned workers visit. Additionally, it would be wise to implement penetration testing to further identify and mitigate existing vulnerabilities in infrastructure and applications that may leave Canadian organizations unprotected from cyber threats.

For readers new to penetration testing, the purpose of a penetration test is to discover vulnerabilities in new and existing applications, networks and systems so that they can be remediated and patched, better securing those systems and reducing risk.

What is a High-value Penetration Test?

A high-value penetration test encompasses several aspects. When properly executed, a “pen test” should model the activities of real-world attackers to find vulnerabilities in target systems and exploit them under controlled circumstances. Applying such measures helps to determine and document company risk. A pen test will also indicate the potential business impacts of such risks, with the goal of aiding an organization in prioritizing its resources and improving its security posture, which will ultimately deliver real savings and reassurance to the business.

Please contact us for in-depth information on any of the items discussed here.

Packetlabs Ltd.

Our mission to continually stay on top of current threats and vulnerabilities has helped distinguish our testing from that of our competitors. Oftentimes, firms will try to commoditize security testing by performing automated testing (VA scans) with little benefit to the client. Our methodology only begins with automated testing. Thereafter, our extensive experience allows us to manually uncover high-risk vulnerabilities which are often missed by conventional testing methodologies.

We mandate training and continually learn and adopt new attack techniques for our clients. We are always digging deeper to uncover vulnerabilities that may have been overlooked. Our mission is to maintain the fact that not one of our clients has been breached by a vulnerability we’ve missed; we take this very seriously.