MNP is a leading national accounting, tax and business consulting firm in Canada.
Suite 2000, 330 5th Ave. S.W.
There is a new term in the cyber world that post-secondary institutions – and everyone else – should be aware of: cryptojacking.
Cryptojacking is when hackers tap into a private computer, business or institution to steal energy and computer processing power so they can mine bitcoin or other cryptocurrencies without draining their own resources. But cryptojacking represents more than a drain of CPU and resources; it can lead to a potential security threat to all businesses and organizations holding highly sensitive personal and financial data, such as hospitals and municipalities.
For one Canadian college, a cryptojacking incident translated into 100 percent of their CPU capacity being drained over the 2017 Christmas holidays. The dramatic slow-down of the system is what raised red flags to system administrators, who might not have become aware of a cyber breach until well after the holiday break.
Post-secondary institutions across Canada were alerted to the attacks via the academic grapevine. This resulted in at least three other colleges discovering they had also been compromised (a full number isn't available, as organizations and companies are not obligated to report a cyber incident if personal data isn't breached).
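The slow-down described above was noticed by people; the same signal can be checked automatically. The following is an added example, not part of the original article: it flags hosts whose CPU stays pinned for a sustained period, and the host names, sample values, thresholds and the `(host, timestamp, cpu_percent)` record format are all constructed assumptions.

```python
from datetime import datetime, timedelta


def sustained_cpu_runs(samples, threshold=95.0,
                       min_duration=timedelta(hours=1),
                       max_gap=timedelta(minutes=10)):
    """Return (host, start, end) for every run of samples at or above
    `threshold` that lasts at least `min_duration`. A gap longer than
    `max_gap` ends a run, so missing telemetry never counts as load."""
    by_host = {}
    for host, ts, cpu in samples:
        by_host.setdefault(host, []).append((ts, cpu))

    findings = []
    for host in sorted(by_host):
        start = prev = None  # start of the open run, last saturated sample
        # The trailing sentinel closes a run still open at the end of the data.
        for ts, cpu in sorted(by_host[host]) + [(None, None)]:
            hot = ts is not None and cpu >= threshold
            contiguous = hot and prev is not None and ts - prev <= max_gap
            if start is not None and not contiguous:
                if prev - start >= min_duration:
                    findings.append((host, start, prev))
                start = None
            if hot and start is None:
                start = ts
            prev = ts if hot else None
    return findings


def constructed_samples():
    """Constructed 5-minute samples for two hypothetical hosts."""
    t0 = datetime(2017, 12, 24, 22, 0)
    rows = []
    for i in range(24):
        ts = t0 + timedelta(minutes=5 * i)
        # web01: normal load, then pinned at 100% for the rest of the window
        rows.append(("web01", ts, 30.0 if i < 4 else 100.0))
        # lab02: a ten-minute spike that should not be flagged
        rows.append(("lab02", ts, 100.0 if 6 <= i < 9 else 20.0))
    return rows


if __name__ == "__main__":
    for host, start, end in sustained_cpu_runs(constructed_samples()):
        print(f"{host}: CPU saturated from {start} to {end}")
```

Alerting on sustained saturation rather than single spikes keeps routine batch jobs from drowning out the signal, and it works whether or not anyone is at a desk to notice the slow-down.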
Unmasking the Scheme
As risk management advisors to several post-secondary institutions, MNP's Clifford Trollope and Eugene Ng were called in to investigate what happened and see if any other assets were tampered with or if data was stolen. The breaches were seen as low level because only power and CPU capacity were tapped into for bitcoin mining – but it could have been far worse.
Universities and colleges are fountains of opportunity for criminals, as their systems include personal and payroll information, as well as financial transactions and competitive research data. Post-secondary institutions also tend to have many servers connected to the internet with less than stringent monitoring and patching protocols and are notorious for having highly siloed groups between the different faculties. Faculties often have different IT systems for research, students and staff, making it difficult to operate an overarching and comprehensive security program.
In the December 2017 cryptojacking incidents, cyber criminals hacked into the systems by exploiting vulnerabilities on web servers and the software they use. Several of the colleges were running a dated human resource (HR) management system, which had alerted users of a critical vulnerability earlier that year.
Without a risk-based cyber security and resiliency plan in place, the post-secondary institutions failed to follow through on the critical announcement by the vendor and hadn't yet updated their systems.
A risk-based approach towards security uncovers vulnerabilities and allows institutions to channel investment toward important assets rather than diluting resources with a blanket solution. For example, when a critical business system has a significant security update, the update is tagged as priority and completed.
The weakness in the colleges' HR platform was similar to the one exploited in the 2017 Equifax breach that compromised the data of 148 million consumers. It also emphasized how cyber breaches can target things other than information to steal.
Other related attacks see cyber criminals inject malicious code that runs for each website visitor, enabling the hacker to use the visitor's power and CPU capacity to mine cryptocurrencies.
Rising Demand for Computing Power
Mining cryptocurrencies can require huge amounts of power – Icelandic data centres mining cryptocurrencies are expected to consume more electricity than that country's entire population in 2018, according to private utility HS Orka.
Cryptocurrencies use blockchain technology to validate each transaction on virtual ledgers. To add a block, participants must decipher complex cryptographic puzzles, a process which can produce tens of quintillions of guesses, absorbing energy and CPUs all the while.
The first miner to solve the equation adds the next block to the blockchain, claims the transaction fee and earns new coins. As the value of cryptocurrency skyrocketed, so did the number of miners and the horsepower needed to build the blockchain.
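To show why the guessing described above consumes so much processing power, here is a simplified hash puzzle written as an added example; it is not from the original article and is not any real cryptocurrency's block format. The header bytes, the 8-byte nonce encoding and the difficulty values are assumptions chosen for illustration.

```python
import hashlib


def leading_zero_bits(digest):
    """Count the zero bits at the start of a hash digest."""
    bits = 0
    for byte in digest:
        if byte == 0:
            bits += 8
            continue
        bits += 8 - byte.bit_length()
        break
    return bits


def block_hash(header, nonce):
    # Assumed toy layout: header bytes followed by an 8-byte nonce.
    return hashlib.sha256(header + nonce.to_bytes(8, "big")).digest()


def verify(header, nonce, difficulty_bits):
    """Checking a claimed solution costs a single hash."""
    return leading_zero_bits(block_hash(header, nonce)) >= difficulty_bits


def mine(header, difficulty_bits):
    """Try nonces in order until the hash meets the difficulty.
    Returns (nonce, number_of_guesses)."""
    nonce = 0
    while not verify(header, nonce, difficulty_bits):
        nonce += 1
    return nonce, nonce + 1


if __name__ == "__main__":
    header = b"constructed block header"  # constructed sample input
    for bits in (8, 12, 16):
        nonce, guesses = mine(header, bits)
        # Each extra difficulty bit doubles the expected guesses (about 2**bits).
        print(f"{bits} zero bits: nonce={nonce}, guesses={guesses}")
```

Finding a solution takes on the order of 2^bits guesses while checking one takes a single hash, which is why the work is worth offloading onto someone else's hardware and electricity.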
While a power drain might seem an inconvenience, cryptojackers are a millisecond away from tapping into post-secondary institutions' critical personal and financial data. And as long as cryptocurrency mining remains lucrative, mining malware will continue to improve and proliferate.
For information on how MNP can help, contact:
Eugene Ng, Cyber Security Leader, Eastern Canada, at 905.607.9777 or [email protected]
Cliff Trollope, National Leader, Business Resilience Services, at 416.596.1711 ext 3851 or [email protected]