
Forums before death by AOL, social media and spammers... "We can't have nice things"

   can.taxes      All that "free" healthcare has a price      23,408 messages   


   Message 22,981 of 23,408   
   Alan Baggett to All   
   Thousands of CRA employees fell for fake   
   02 Jun 15 03:07:13   
   
   From: AlanBaggett@volcanomail.com   
      
   Thousands of CRA employees fell for fake phishing e-mail test : CRA SOTW   
      
   BILL CURRY - OTTAWA -- The Globe and Mail   
   Last updated Thursday, May. 14 2015, 10:51 AM EDT
      
   A security test by the Canada Revenue Agency found thousands of its employees   
   could not resist the lure of a phony e-mail phishing scam, a discovery that   
   suggests vulnerabilities remain at the agency more than a year after it was   
   rocked by a major online security breach.
      
   The Globe and Mail has learned that over the first three months of this year,   
   the agency's security and internal-affairs division sent 16,000 employees an   
   e-mail designed to replicate the potentially dangerous messages that are   
   common to anyone with an e-mail account.
      
   A phishing scam usually involves an e-mail that encourages a user to click on   
   a link, which could then expose the user's computer to malicious software.   
      
   The result of the CRA's test was that 78 per cent of employees did not click   
   on the link contained in phishing attempts. However, that means roughly 3,500   
   employees did fall for the scam, even though they were informed ahead of time   
   that the test would take place.
      
   Last year, the CRA was forced to delay the tax-filing deadline because its   
   network was exposed to the Heartbleed bug, which essentially allows   
   unauthorized people to access supposedly protected Internet traffic. A   
   computer-science student in London, Ont., is facing several charges for
   exploiting the vulnerability created by the bug to access sensitive
   information.
      
   The CRA did not provide a sample of the phishing e-mail. The agency said it   
   was presented as if it came from an internal source, but included clues such   
   as contradictory information that were meant to raise doubt as to the   
   message's true origin.   
      
   David Skillicorn, a professor at the Queen's University School of Computing,   
   said it is hard to judge the test results without knowing the quality of the   
   phishing exercise. Dr. Skillicorn said that while many phishing attempts are   
   obviously scams, hackers sometimes create far more convincing e-mails that
   appear to be coming from trusted colleagues.
      
   "The real test is the sophistication of the e-mail itself," he said. "Without   
   seeing the e-mail, it's really hard to judge whether that [result] was   
   surprising or really quite confidence-building."   
      
   Dr. Skillicorn said government departments tend to have security firewalls   
   that would protect the system even when employees click on malicious links. He   
   also noted it can be harder to identify phishing e-mails when users are   
   flipping through their account on their phone.
      
   An internal briefing memo obtained by The Globe through Access to Information   
   shows public-sector unions objected to the test when it was raised in a July   
   10, 2014, meeting.   
      
   "The unions' main concern was that employees will not perform well on the   
   simulation exercise, resulting in negative media coverage, which would have an   
   impact on the morale of CRA employees," states the Aug. 5, 2014, briefing note   
   to the CRA commissioner.
      
   The memo states that the agency's Information Technology branch "has noticed a   
   significant increase in phishing attacks through the corporate e-mail system"   
   and that "falling victim to a phishing scam could result in unauthorized   
   disclosure of information, loss of information and/or denial of network
   service."

   Philippe Brideau, a spokesperson for the CRA, said in an e-mail the test will   
   lead to further employee training.   
      
   "As a result of this learning exercise, the CRA will continue to implement   
   improved security awareness and training, which includes e-mail phishing and   
   cybersecurity," he said. "Please note there was never a risk to taxpayer   
   information throughout the exercise. The CRA's systems are safe and secure."
      
   An international survey released Wednesday by the Computing Technology   
   Industry Association found 65 per cent of Canadian executives surveyed said   
   the cybersecurity threat is increasing. Nearly half of the Canadian   
   respondents - representing 125 people out of the total survey of 1,507
   business and IT executives - said human error is a growing factor in
   security incidents, including failing to follow security procedures and
   failure of staff to get up to speed with new threats.
      
      
      
   ----------------------------------------------------------   
   Miss a Tax Tale Miss a lot!   
   Visit the CRA SOTW Library at http://canada.revenue.agency.angelfire.com   
      
   ------------------------------------------------------------   
   Alan Baggett - http://www.taxcollectorsbible.com/ - Tax Collector's Bible   
      
   --- SoupGate-Win32 v1.05   
    * Origin: you cannot sedate... all the things you hate (1:229/2)   



(c) 1994,  bbs@darkrealms.ca