Are Canada’s networks ready to combat cyber threats?
What role do solutions such as protected DNS have in protecting critical organizations like hospitals, schools and governments?
What the heck is “DNS” anyways?
These were some of the questions that a panel of experts from CIRA, the Canadian Centre for Cyber Security, The Ottawa Hospital and CanSSOC tackled at a virtual event on May 10, 2022.
The event—which can be viewed in its entirety on CIRA’s YouTube channel—featured the following panelists:
- Jon Ferguson - General Manager, Cybersecurity and DNS Services at CIRA
- Donald MacLeod - Director Autonomous Defence and Sensors at CSE/Canadian Centre for Cyber Security
- Jean-Claude Lemonde - Executive Director, Information Services & CISO, The Ottawa Hospital
- Elena Carroll - Associate Director, Security Operations at CanSSOC
The event was moderated by Tanya O'Callaghan, Vice-president, Community Investment, Policy and Advocacy at CIRA.
“Right now, everybody is at risk when you connect to a network…. You don’t need to be special or a high-value individual to potentially be subject to ransomware or botnet attacks.” -Jon Ferguson
“There’s a perfect storm in that as technology evolves we also have more people that use technology in a more sophisticated way from more places and from more devices. So, that makes for a very large attack surface and a very complex set of controls we need to implement to mitigate all these increasing threats.” -Jean-Claude Lemonde
“Cyber crime continues to be the number one threat that we see facing critical infrastructure, government clients or your typical Canadian…but we’re also seeing espionage-type interactions.” -Donald MacLeod
“Cybersecurity teams have to drive changes, or security control adoption, by bringing the community together and doing this exercise in convincing others that certain controls are necessary instead of driving something top-down—which we unfortunately can’t really do.” -Elena Carroll on the challenges of driving cybersecurity protections in the higher-education sector
The event generated lots of questions, many of which there wasn’t time to answer:
|Submitted questions|CIRA’s answer|
|---|---|
|Do you offer any free cyber security training? Or are you planning to anytime?|CIRA offers Cybersecurity Awareness Training, a paid training solution for organizations of all sizes. We also offer lots of free cybersecurity advice on our blog.|
|Is CIRA filtering misinformation?|No. CIRA’s DNS Firewall and Canadian Shield solutions are focused on blocking malicious URLs. Although we offer parental filtering in Canadian Shield and other content in DNS Firewall (the commercial version of Shield), those settings are configurable by the customer.|
|How would you deploy this in a work from home environment when the organization utilizes split VPN tunneling, meaning internet-based traffic is routed locally in the home? Cisco Umbrella for example has an agent that is centrally managed. Asking employees to change their router's DNS to something else is not a solution due to varying skill levels.|CIRA DNS Firewall is currently trialing “off-network” protection functionality that enables users who are logging in remotely to receive the same protection that they receive when connected to corporate networks.|
|What vendors are partnering with these protections?|CIRA partners with several organizations to provide threat intelligence for CIRA DNS Firewall, including Akamai, Cybertip and others.|
|If we have employees in Australia and India, would there be a lot of lag in using CIRA's DNS Firewall?|There will be some lag introduced when using our service in other countries although we have many customers with remote users.|
|As we join forces to collaborate, are we not also providing a pathway for capable hackers to penetrate further into our associated groups? What safeguards are put in place to prevent this intrusion? I am skeptical that these safeguards are sufficient.|We believe that this isn’t expanding the attack surface with these capabilities as all customers use a recursive service of some kind, often unknowingly, to forward their public-facing queries.|
|How do you push the settings to remote machines on non-corporate networks (house) and modify those 'routers'?|For off-network devices, a client is needed. This client regularly syncs with the pDNS policy server managed by the provider. The client typically acts as a virtual network adapter or VPN to route traffic according to policy.|
|What would be the safest suggested Cloud for Immigration File Management?|pDNS is a powerful tool for combatting cyber threats but unfortunately this is not something that it can help with. In general though: When storing any digital data, users should consider the sensitivity of the information and treat it accordingly. For highly-sensitive information, avoiding cloud storage might be advisable. At a minimum, organizations should ensure that content is encrypted before uploading to the cloud.|
|Is a browser extension or add-on from CIRA available for modern browsers? … If not, do you think that would be a good idea?|CIRA is preparing to launch a browser extension for Canadian Shield that will provide a simple alternative to configuring your modem for those who want to protect a device without too much technical expertise. Stay tuned for more info!|
|How do you protect your devices (smartphones) when you are not inside your network?|CIRA DNS Firewall’s Off-Network Protection feature (see above) is designed to assist with this. Users will download an app that will enable protected DNS resolution on their smartphone and provide the same level of protection as if they were working in the office. Canadian Shield is currently available as an app on Android and Apple devices.|
Looking to learn more about CIRA Cybersecurity Services solutions? Visit the CIRA Cybersecurity Services site or reach out to firstname.lastname@example.org.