Unpatched servers, poor login security procedures and failure to put SCADA devices behind firewalls are some of the major mistakes made here. With a video interview

Canadian organizations have nothing to boast about when it comes to securing their networks and devices, says a researcher security solutions maker Fortinet Technologies Inc.
 
“Canadian businesses are not doing a particularly good job of keeping their infrastructure devices up to date and patched with the latest security patches.” Richard Henderson, a Burnaby, B.C.,-based security strategist at Fortinet’s FortGuard research lab, said in an interview. “This continues to be a song that the security industry in general has sung for a long time.”

Henderson came to the conclusion after doing research that accompanied a report issued today on the increasing number of government-sponsored advanced persistent threats (APTs) around the world.
 
As part of his work Henderson pulled data from thousands of Fortinet firewalls and gateways in Canadian businesses and compared it to data from around the world. He also did some simple sleuthing around the Web to see if Canadian organizations have buttoned up their Internet access.

Fortinet defines APTs as sophisticated attacks, usually coming from government agencies, aimed at damaging or stealing data from other governments, companies or individuals.

APTs that have hit this country include the 2011 attack on the federal Treasury Board, finance department and defence department triggered by phishing emails that appeared to come from other government employees.

Once discovered Ottawa had to shut down some of its networks for some time to cleanse them of the malware and determine what was stolen.

Another attack on the Canadian division of aircraft engine maker Pratt & Whitney was apparently aimed at infiltrating the U.S. headquarters, Henderson said. That leaves the possibility that others also see the advantage of getting secrets from an American company by going through a Canadian subsidiary hoping security is weaker here.

APTs use common hacking techniques – email requests that dupe people into giving up passwords, clicking on supposedly legitimate Web links, scanning the Internet for open ports -- the report says.

(By Howard Solomon)