printer friendly version

Preparation, expectation and ­authentication is key

You cannot open a paper these days without hearing about information security failures. Whether it is a company that has lost its customers’ credit card information, identity theft, cyber espionage or hacktivism (hacking with a political or social motive), it seems the public and private sectors are spectacularly unprepared to protect the information they gather in daily operations.

To date, the physical security world has not been badly affected by the information wars, or to the best of our knowledge it has not, but that is changing. As more security systems adopt the IP standard and become part of the corporate and global network – whether knowingly or not – security products join the list of vulnerable points within organisations.

The common response from organisation leaders is that they have antivirus installed so all should be well, and if it is not they can blame their vendor. But the reality is that antivirus is simply not enough to protect organisations from determined cyber thieves anymore. An Aberdeen Group insight simply states, 'Anti-virus alone is not enough'.

Hi-Tech Security Solutions spoke to a few people to get their input on the current crisis in the information security field, as well as their advice on what needs to be done.

It could be said that the hacks and information losses we hear about are all happening in America or Europe and do not affect Africa at all since almost all the information loss we read about is on foreign shores. Unfortunately, this is not true because lax local laws do not compel companies to report breaches, South African companies can keep it all concealed and leave their customers vulnerable.

But how exposed are South African companies to cyber attacks? Are they an easy target or simply ignorant? Are they doing enough to protect themselves? How serious is this threat to your average company in South Africa and Africa, or is the threat confined to certain types of companies?

Local not so lekker

Khomotso Kganyago

Dr Khomotso Kganyago, chief security advisor for Microsoft SA, explains that cyber threats exist all over the world – from the far corners of Europe, throughout Africa to a basement in New Jersey. “In the last three months, we (South Africa) have experienced hacktivism that involved defacing of websites and data spillage in both government and corporate sectors. There have also been reports in Africa, particularly North Africa where newspapers and news outlets have been brought down because of attacks.

“While Microsoft cannot speculate on potential exposure of these organisations, we can offer a view into the threat landscape as I did in the earlier blog on Microsoft Security Intelligence Report v13–South Africa’s Perspective” (available at www.securitysa.com/*infosec2).

This report includes regional threat intelligence for South Africa and compares the data against worldwide averages. The regional threat assessment can be downloaded at www.securitysa.com/*infosec3.

Joe Ruthven

Joe Ruthven, security sales leader for IBM Software Group, IBM Middle East and Africa, says South African companies are very exposed, “We are in the top 10 of countries targeted for cyber crime.” Sadly, he confirms that local companies are not doing nearly enough to protect themselves. “The threat is very serious and is not contained to specific industries, although some industries are more targeted than others. Hackers are looking for anything of value, such as credit cards, ID, trade secrets, competitive information, information that can lead to political gain, matters of national security etc.”

Hedley Hurwitz

As to the reasons for these vulnerabilities, Hedley Hurwitz, MD of Magix Security says several factors are contributing to the security vulnerabilities of most companies and individuals in South Africa:

* Environments are inadequately patched, or standards are not enforced or monitored. This exposes companies and individuals to the numerous Trojans, spyware, viruses, etc. that are constantly bombarding our networks. This enables hackers to gather user names and passwords for critical websites, and gather customer and transaction data.

* South Africans love their technology, but the proliferation of tablets and smartphones has run ahead of the enterprise’s and individual’s ability to protect themselves. For example, hackers place wireless networks at strategic points and impersonate wireless networks registered on the mobile device. After a connection is made, the hacker can collect all the user and system interaction with the Internet and virtual private networks.

* The easiest avenue of all is to buy the identities from an insider. Often seen as a victimless crime, the selling of confidential data, or participating in syndicates, makes the insider still the number one threat to our cyber security.

All are vulnerable

Vasily Dyagilev

“All companies, no matter location or size, are at risk of being exposed to hackers and cybercrime today,” says Vasily Dyagilev, MD of Kaspersky Lab Emerging Markets. “This is due to the fact that both the business and threat landscapes have evolved so much over the past few years. Malware is becoming more sophisticated while at the same time, a business’s IT department is having to deal with the reality of new IT devices including:

* Smartphones and tablets which are being used to access the company network from anywhere in the world – the concept of Bring Your Own Device (BYOD).

* Employees who wish to use their mobile devices and PCs to get their work done.

* Confidential data moving freely within the company network, or outside the network via laptops or USB drives.

* Finding and patching holes in user applications and operating systems.

“Furthermore, the threat from hackers and malware both in South Africa and Africa is a very serious problem. As we know, there has been a huge increase in broadband in the continent and African organisations are embracing the digital world. While this is certainly great for the broader African continent, it also leaves them very vulnerable to cybercriminals.

“Often our experience, as it is with Kenya, is that growing economies are often tracked by cybercriminals for potential targeting as a result of these countries being new on the Internet scene and therefore the hope of these criminals is that businesses do not understand the realities of Internet security. Compared to more established economies, Africa is not on par with online security; and, this certainly needs to change, as more broadband is being made available throughout the continent.”

Ruthven adds that, in general, African companies’ IT infrastructures are less secure, often as a result of rapid growth and in many cases due to business demand of getting features and functions out quickly without paying enough, if any attention to security.

“Having said that, there are many large (especially in South Africa) companies that have world class infrastructure. But mostly, security is still seen as a grudge purchase, a kind of insurance, and not as a business enabler.”

The five security areas organisations need to look at, according to Ruthven, are:

* Infrastructure security.

* Application security, especially Web applications.

* Data security.

* People security, especially privilege users.

* Security intelligence.

Dries Morris

Dries Morris, operations director at Securicom says the analogy of a 'Digital Pearl Harbour' with the emphasis on 'knowing something is coming and doing nothing' rather than the assessment of potential harm/ risk, is something that many people have warned about with the general response that it is overestimated that such an event could turn a country into a 'stone age economy'.

“If trade secrets are what these syndicates are after then we in South Africa are at as much risk as any other country in the world; it is general knowledge that we are lacking the budgets and convictions to compete at this level. The USA will spend US$30bn per year to combat the cyber war and still will not be able to stop these hacks from happening. The threat is not confined to certain types of companies, but rather driven by commercial and political gains with acknowledgement from the US Government in as early as 2008 that at least one major black out will be caused by hackers outside the USA.”

So what are they looking for?

If security is so lax, what is of interest to your technically inclined criminal in the cyber shopping mall?

Hurwitz says it depends on the modus operandi of the hacker or syndicate. “If their aim is to impersonate your customers or suppliers, then these are the details they will seek out. If their intention is to hack directly into your underlying systems, or misuse your application frameworks, then they will seek user names, passwords, PIN codes, and other security tokens.”

Dyagilev adds that hackers are looking for anything and everything. Often cybercriminals pose as directors of big organisations, having hacked into their e-mails and ask for their clients most important details. There is not one specific item that hackers are looking for – whatever is available to them, they will take. Therefore, it is essential for organisations to ensure that they are properly protected and prepared.

Kganyago adds that due to the variety of 'malicious actors' out there, including individuals, hacktivists, organised crime groups, terrorist groups as well as nation-states, there are also many motives. These include economic espionage, military espionage, hacktivism, cyber warfare or more traditional areas of criminal activity such as fraud and identity theft.

Cause and effect

Hurwitz explains that there is a fundamental weakness in all our computer-based systems. We do not truly authenticate identities, we only approximate. No one really knows who is using a system at a given time. We can only ever record the activities of a user, eg, User01, who interacted with the system. We can never determine, without the use of true authentication, who occupied the identity of User01 during that period. In other words, anyone in possession of the user ID, password and a mobile phone (if necessary for one-time PINS), can pretend to be User01.

“This is such an absurd scenario it is a wonder that we have been prepared to live with it for so long. Look at the equivalent example in the physical world: a conman walks into your bank and, by presenting falsified documentation, withdraws all the money out of your account. When you complain to the bank that your account is empty, the answer you get is ‘sorry sir, I thought that was you. After all, the man did present the same credentials as you’.

“This is the risk we face daily when using our virtual identities to interact with online systems. The only solution to the authentication challenge is to enforce the use of biometrics. This will prevent the majority of cybercrime incidents. Unfortunately, most of us continue to put our effort into fixing the aftermath rather than correcting the problem upfront.

Many of today’s threats are highly sophisticated. But often the starting-point for a targeted attack is to trick individuals in the company into doing something that puts the company’s security at risk. Dyagilev says cyber criminals also gather information from social networks and other public resources that allow them to tailor their attack to bypass the company’s security. People are susceptible to social engineering tricks for various reasons. Sometimes they simply do not realise the danger. Sometimes they are taken in by the lure of ‘something for nothing’. Sometimes they cut corners to make their lives easier – for example, using the same password for all online accounts.

“Unfortunately, businesses often ignore the human dimension of security. Even if the need for staff awareness is acknowledged, the methods used do not achieve positive results. Yet we ignore the human factor in corporate security at our peril, since it is all too clear that technology alone cannot guarantee security. So it is important for organisations to make security awareness part of their security strategy.”

Kganyago says there are some basic, but effective steps you can take to protect yourself from the types of threats found in South Africa. These include:

* Use strong passwords.

* Keep your system up to date by regularly applying available updates for all the software you have installed.

* Use antivirus software from a trusted source.

* Invest in newer products that have a higher quality of software protection.

What are the biggest threats we face?

While there are many threats out there, Morris says the greatest threat is thinking it 'will not happen to us'. Another common weakness is underestimating the threats out there and considering the measures one has in place as being adequate.

“Have external professionals probe your defences and point you to where you are falling short; understand the risks associated with mobile devices and do not allow your security team to treat them as an extension of your network,” he explains. “We have risk managers buying into the understanding of what the threats are and engaging us to assist in assessing the environment, consulting on best practices and scheduled discussions on what is happening, to who and why.”

According to Microsoft’s SIRv13, worms were the most prevalent threat category detected in South Africa in the 2nd quarter of 2012, says Kganyago. Phone scams, amongst others like 'lottery' and '419' scams have being very persistent as noted at www.securitysa.com/*infosec4. “Hopefully, our risk managers are working very closely with the security officers to understand the impact these threats are having on business and customers,” he says.

Hurwitz says the greatest threat is identity theft. ID books, passports and drivers’ licences are freely available and access to systems is controlled through virtual identities. “This combination of vulnerabilities is what has made South Africa into the third biggest victim of cybercrime after Russia and China. Risk managers are not doing enough to motivate for the appropriate remedy. Only through the use of biometrics can we be sure that we have authenticated a user. Only with biometrics can we have a chain of evidence that leads to conviction.”

Ruthven says ignorance is the biggest threat in many cases, combined with a lack of understanding of the real threats and the many solutions available to resolve them. “For example, 53% of breaches in 2012 were via Web applications using techniques that have been known for up to seven years ... and with known counter measures. Yet organisations are still producing applications that are not secure. He suggests:

* Become aware.

* Appoint a CISO and make IT security a boardroom discussion.

* Drive extensive internal awareness campaigns.

* Expect the worst.

* Prepare for every eventuality.

* Take it seriously.

Information security is an industry all to itself. In this article we have only covered some of the basics, leaving out some issues like the mobility, which is becoming more important to companies and consumers alike. As with any security process, information security requires an understanding of the risks as well as the potential solutions; and it requires awareness from all stakeholders of what could be lost and why data theft is not a victimless crime. One thing we can count on is that the traditional protection we have come to rely on is no longer enough. To date in South Africa companies have a free run when it comes to losing sensitive data, but the PoPI Act will change this and hold companies and directors liable for the protection of the information entrusted to them. As the cyber criminals get smarter, organisations need to adapt if they plan to survive.

Share this article:

Further reading: