printer friendly version

A conversation about security

Craig Rosewarne

The person who is probably most in touch with the state of information security in South Africa is Craig Rosewarne, MD of Wolfpack Information Risk and founder and chairperson of the Information Security Group of Africa (ISGA). Rosewarne deals with both private and public organisations in his efforts to increase their level of information security awareness and preparedness.

And while he says the awareness is growing, he still comes across situations where organisations are poorly prepared to deal with the current wave of cyber crime, never mind what the future holds. The publication Wolfpack brought out past year, The South African Cyber Threat Barometer estimates that R2.65 billion was lost to cyber crime in the period from January 2011 to August 2012, with just over R660 million that was not recovered. The publication is downloadable at www.securitysa.com/*infosec5.

And that is not considering the other cyber crimes, such as cyber espionage faced on a national level, and the theft of intellectual property and business strategy that has been widely publicised of late in the USA. As the article introducing this section notes, South African companies and the government are naïve if they think the cyber villains are going to pass this country by.

One of the greatest flaws in South Africa is a lack of a response mechanism to cyber attacks. We have a few private companies that can initiate a response to a commercial attack, but no national organisation to deal with the threat and despite previous talk of developing a CERT (Computer Emergency Readiness Team) for the country, it seems this has been put on the back burner.

Rosewarne is also a concerned about the lack of security skills in South Africa, both in the private and public sectors and is looking for ways in which business can work together to overcome this problem. He has already been instrumental in promoting SANS training and certifications on the continent. He admits, however, that much more is needed.

RSA 2013 Conference

Rosewarne attended the recent RSA conference and gave Hi-Tech Security Solutions a few pointers on what was discussed. The conference was attended by over 27 000 people and featured over 250 talks, giving the attendees over 20 tracks per session to choose from.

In facing the information security threats the world is threatened by, the conference highlighted the following key themes, among others:

* Big data analytics has arrived. Arthur Coviello, RSA executive chairman, said, “Caesar recognised the omens, he just did not think they applied to him. Big technology data is here – embrace it.”

* Ensure you implement and test incident response capabilities.

* Develop deep technical information security skills.

* Obtain threat intelligence from as many sources as you can.

* Focus less on ‘tick-box’ assessments and put more effort into implementation.

* Establish multiple internal and external partnerships.

Notable notes

Among the notable presentations, Rosewarne highlighted a few that stood out, although he notes that they were all well worth listening to.

Ari Juels from RSA moderated a cryptographer’s panel with some well-known gurus in the field, including Ron Rivest, Whitfield Diffie, Adi Shamir and Dan Boneh. One of the topics discussed was security and cryptography education. Stanford offers their crypto class online via massive open online courses (MOOC). Its last intake was over 150 000 students with the largest registrations after the USA being China and India.

According to these experts, cryptography as a discipline is under strain and strangely becoming less relevant today. This is because intelligence agencies are often able to bypass encryption and APTs, sometimes buried within networks for years, simply have to wait for a key to be used in the decryption stage and they are in.

A panel discussion on the CSIS 20 Critical Security Controls discussed a new standard of due care for cyber security. “The Twenty Critical Security Controls have already begun to transform security in government agencies and other large enterprises by focusing their spending on the key controls that block known attacks and find the ones that get through.” (Source: http://www.sans.org/critical-security-controls.)

On the panel, Ed Skoudis said, “we ran an exercise of analysing all the large scale breach cases we have investigated. After mapping them to the 20 controls we are confident that had the companies implemented the controls these breaches would have been prevented.”

Of course, most companies do not have the 20 controls in place and are still suffering breaches. When looking at enterprise impact investigations, the consensus is that many companies do not conduct a thorough investigation following a breach. If systems are not reviewed in detail and the threats mitigated, they will return. Regulators have also changed their attitudes regarding investigations and insist that more detailed reviews take place.

Finally, although there was much more to see and hear at the conference, Rosewarne ends with a list of which functions should be part of a crisis management team.

* An experienced public relations firm.

* Legal experts.

* Board involvement needed to support and respond.

* Intelligence gathering analysts.

* Incident response professionals.

* Forensic investigators.

* Malware analysts.

* Network traffic monitoring staff.

* Data analysis service, and

* Breach notification management and business support teams.

These types of services are seldom offered by one company, therefore ensure you have the necessary partnerships in place before an incident happens, advises Rosewarne.

Share this article:

Further reading: