CyberScape Africa_Issue 2


CYBERSCAPE AFRICA

perspectives from those leading the way

www.cyberinafrica.com

Issue 2 | 2019 | Q2

PROTECTION AND PRIVACY OF DATA IN FINTECH

EAST AFRICA AS AN EXPORT CENTER OF CYBER TALENT Yelbridges Limited

THE MARA FRAMEWORK An African Cybersecurity Innovation

CYBER RISK MANAGEMENT An African Perspective

IN THE C-SEAT WITH JESSICA GOMEZ

Cyber Scape Africa

bringing Africa's cybersecurity to the fore

Cyber In Africa, P. O. BOX 62371 - 00200 Uganda House, Kenyatta Avenue M: +254 710 573 580 E: editor@cyberinafrica.com @CyberInAfrica

www.yelbridges.com


Contents

Editorial Note
Virtual Combat
Cyber Risk Management
East Africa as an Export Center of Cyber Talent
Security Meets Business Objectives
We’re Not Just Humans. We Are Assets!
Cyber Security Data Analytics
Simple Opsec
Securing the Nation’s Infrastructure
In the C-Seat
Protection and Privacy of Data in Fintech
Quick Q&A
The Mara Framework
Cyber Security in the Involving Space of Startups in Africa.
Blacks In Cyber
Often Overlooked Soft Skills




SXSW-style Cybersecurity Festival
22nd - 26th October, 2019
Africa-wide festival: multiple venues, multiple African countries, diverse activities, cross-cutting topics, varied speakers


Themes

Cyber talent & workforce development: technical & professional growth trainings, workshops, hacker villages, career villages etc.

Cybersecurity policy, governance and assurance: a look at law, regulations, governance, risk, compliance & more.

Cybersecurity research, innovation and market: considers local security research and innovation, the cyber market, business and investments.

Get in touch: info@cyberspeaklc.com | +254 710 573580 | www.cyberspeaklc.com


Editorial Note

A coming phenomenon yet to go mainstream in Africa is cybersecurity marketing, and here we mean marketing as a service. Most service and product providers have made strides in investing in the traditional, old-is-gold marketing methods that the industry currently runs on. These have worked, maybe even worked well, for these actors thus far, and the methods are here to stay. No doubt. Now, here is the next decade’s prediction, a natural path for the industry really; be sure to catch it as you read.

There is an increasing demand for cybersecurity services and products in Africa, for obvious reasons: growing awareness of the importance of cyber and information security in organizations; new regulations and laws that demand specific standards of security in enterprises; organizations being hit by more cyber attacks and data breaches, causing many of them to set up security controls and processes; and security becoming quite a competitive advantage, with customers and users considering it and caring more about the privacy of their data. The demand curve will only go upwards.

The current push for an Africa Single Digital Market is a timely affair. A growing realization of the need to fight as a continent in the global battlefield is bringing industries together in diverse ways across borders. Actors within the African ecosystem are looking to expand their portfolios and form more partnerships to deliver on this. With expanded offerings, the next move is to take on the continent: going Pan-African. Both of these things are increasingly happening right now, fostering an intra-African trading scheme among the private players. One thing: being a truly African brand takes work, to create one's own identity and promote oneself.

Uptake is rising, and so is supply. There are many service and product providers in the ecosystem, only some solutions providers :) Again, it is obviously anticipated that the number of providers will increase across the board. Expect good competition and a drive to stand out. Wait, a drive to be at the forefront. New services and nascent areas like cyber insurance will start running in this next decade. Then comes backing, in the form of capital investments: it will be a venture capitalist's world in cybersecurity in Africa. If you have lots of cash, start considering. Open checks will flow too. Africa is a new frontier of cybersecurity; it is poised to be a powerhouse. Wait for the continent to seriously export cyber talent and build local cyber capital in a whole new paradigm.

With all of these things and more unsaid, one thing remains: the part that lets us interact with and engage actors, which is marketing. There will be a huge investment in marketing efforts, as said earlier, to stand out and be at the forefront. Marketing is everything, as is said; it will make the biggest difference in market presence. This time it will need to be done differently, thus Marketing as a Service (MaaS) in the sector will come to life, backed by a vital demand for dedicated, strategic, systemic and sustained marketing initiatives.

Cyber In Africa (.Com), a cybersecurity media business, the viewpoint of Africa’s cybersecurity, with a mission to bring Africa’s cybersecurity to the forefront of national, regional and continental conversations and actions, is positioned to be a leading Marketing as a Service (MaaS) provider for the cybersecurity ecosystem in Africa, through our creative, custom and end-to-end dedicated, strategic, systemic and sustained media, communications and marketing portfolio and initiatives. We have observed two factors of interest: there will be a jumpstart in investments in in-industry activities and social engagements and responsibilities by organizations, companies and other players in the industry.

This issue brings forth considerations of cybersecurity in the public space, covering terrorism in the digital space and taking a look at security in the critical systems that support our daily lives. It captures the essence of data and its analysis, and explores the privacy of the same in the financial tech sector, while giving a rundown of managing cybersecurity risks in the African cyberscape. Be sure to take a close read and give some good feedback in our feedback cycle featured inside.


VIRTUAL COMBAT


CYBER SCAPE AFRICA | Q2

2019

Virtual Combat: Fighting Terrorists in the Cyberspace

The Christchurch terrorist attack in New Zealand, as broadcast on Facebook, echoed what counter terrorism experts have been saying all along: both Islamic movements and white power movements rely strongly on the internet to spread their ideology. Tech and internet companies must work with law enforcement agencies to mitigate a threat that has gone global. Raising awareness of cyber terrorism is an effective tool for countering both groups (white power and Islamist), who share a lot of similarities, and for ensuring everyone’s cooperation in the fight. Mayssa Zerzri, in The Threat of Cyber Terrorism and Recommendations for Countermeasures, defines cyber terrorism as the convergence of terrorism and the cyberspace, whereby activities carried out through cyberspace are directly influenced by terrorist movements or leaders with the aim of achieving political or ideological changes using physical or psychological violence that has far reaching effects. There are two main types of cyber terrorism, hybrid and pure cyber terrorism, neither of which is a new phenomenon in Kenya. Freedom of expression, freedom of information, political stability, modern telecommunication infrastructure, vast mobile phone penetration, fast internet connections and capitalist ideals make Kenyan internet users vulnerable to cyber terrorism from al Shabaab, the Islamic State and other radical groups that are active on the internet.

Why We Need to Counter Cyber Terrorism

As the number of internet users increases, more government services move online, the Internet of Things expands, and we become more interconnected, cyber terrorism will become a graver concern, as criminals will find ways of attacking our infrastructure for financial gain, to spread their ideology, to spread fear and to attempt to influence political change. As such, cyber security must be a priority for both the private and the public sector, given the financial, military, health and political challenges that might arise from cyber attacks and cyber terrorism.

Obstacles in Countering Cyber Terrorism

The democratic dilemma, whereby citizens have the freedom to express themselves and get access to information without censorship, which can be easily misused.

Terrorists' shift to the use of encrypted channels due to increased surveillance by law enforcement on social media platforms and the dark net.

Vague understanding of the cybercrime law, its politicization in the public domain, and little implementation as it is new.

Double standards: Kenyans were at the forefront of criticizing the New York Times after it shared photos of victims of the 14 Riverside Drive attack. However, some Kenyans shared the footage from New Zealand’s terrorist attack in Christchurch!

Internet and tech companies’ main business is not counter terrorism, thus those doing terrorist-related surveillance work are often undertrained and underpaid.



Establishment of a Cyber Intelligence Unit

As internet penetration in Kenya continues to grow and al Shabaab loses more territory in Somalia, the threat of cyber terrorism will only increase. Consequently, Kenya needs to invest heavily in cyber security personnel and the latest artificial intelligence surveillance software. No African country has a branch of its military solely dedicated to cyber security, yet as a leader in internet penetration and an innovation hub, Kenya should consider this a priority.

The cyberspace has removed whatever barriers between nations and individuals globalization might have missed, making international cooperation in countering cyber terrorism paramount. In the past Kenya has worked closely with other countries to prevent cyber terrorist operations and exchange information on persons of interest that pose security threats. This is a laudable step in the right direction whose importance cannot be stated enough, as it provides opportunities for sharing best practices with more developed national security partners and allies.

Public-Private Partnerships

Unlike in traditional warfare, where warring parties can easily distinguish between combatants and non-combatants, in cyberwarfare anyone can be an attacker. Therefore, to win, we need all hands on deck, as each player in the fight brings new ideas and expertise. Internet and tech companies need to work closely with law enforcement agencies to circumvent the challenge posed by encryption, which can only happen through goodwill on the part of the corporations. Doing so gives them a good standing with their clients, who need a safe environment to enjoy their goods and services. Tough legislation can circumvent encryption, as corporations will be forced to cooperate with law enforcement agencies for intelligence and prosecution evidence collection.

Propaganda War

Counter messaging is an effective tool for delegitimizing terrorist organizations by exposing loopholes in their propaganda. This must be done carefully so as not to legitimize wannabe leaders who crave the attention and fame that come with being considered a threat against the government. The National Counter Terrorism Center and Epuka Ugaidi have been at the forefront of counter messaging the hateful ideology that al Shabaab ascribes to. Individuals engaged in counter messaging must be careful with the narrative they want to propagate and must be versed in the enemy’s ideology and changing tactics, lest they make the same mistakes countries such as the United States made with counter messaging.

Artificial Intelligence and Human Surveillance

Artificial intelligence can be employed to identify and map terrorist-related content on social media platforms, alongside human beings who decipher the context of content that might be missed by automation. Sharing of new methods like “hash sharing”, which enables a corporation that discovers terrorist content on its platform to create a digital fingerprint of that content and share it with other companies, is an effective way of removing terrorist-related content fast across multiple platforms. Social media giants such as Twitter and Facebook need to create a database of key terms, phrases and images that are affiliated with al Shabaab and other extremist movements. This database will then be fed into their artificial intelligence mechanisms and shared with people fluent in Swahili, English, Arabic and popularly used vernaculars, to prevent the use of these platforms for hate speech and harmful speech online, which can have devastating consequences both online and offline.

The internet presents great opportunities for terrorist organizations and white power groups: it amplifies their message, is cost effective, allows tailoring of messages to suit different audiences, and offers encrypted communication channels, among others, so they will not stop using it any time soon. Law enforcement officials must keep themselves abreast of the different trends in internet and social media use by terrorist organizations. Victory in the cyberspace against terrorist organizations and white supremacy groups will greatly impact the physical fight against these groups.

Given how fast terrorist organizations evolve in their operations, Kenya is doing well in combating cyber terrorism. Just as with more powerful countries, there will be tough challenges ahead and mistakes from which we will learn, but as a country we are headed in the right direction.

Tabitha Mwangi, Head of Security Program, Center for International & Security Affairs (CISA).


OUR CHANNELS

THE GOTO PLACES FOR CYBERSECURITY INFORMATION IN AND FROM AFRICA

On Web: The Viewpoint of Africa's Cybersecurity. We explore & bring you what's up in cybersecurity in Africa. www.cyberinafrica.com

In Print: Every quarter we'll deliver insightful cybersecurity content from the industry & folks shaping the way. www.cyberinafrica.com/cyberscapeafricamag

Community: Working with the Africa Cybersecurity Forum on LinkedIn, we are fostering a truly African cybersecurity community. www.linkedin.com/groups/10333268/

In Audio: Launching soon is our podcast featuring infosec professionals in Africa talking about all cybersecurity things from across the continent. www.cyberinafrica.com/cyber54radio

Twitter: @CyberInAfrica | LinkedIn: Cyber In Africa
+254 735 670170 / 710 573580 | editor@cyberinafrica.com | www.cyberinafrica.com

CYBERSECURITY SUMMIT

CYBER CEREBRAL SOUTH AFRICA
9TH – 10TH OCTOBER 2019, THE EMPERORS PALACE, JOHANNESBURG
Registration Link: www.easycode.com/ccsasdelegate
Cyber Cerebral Team Contact: +27 74 836 4105 | Email: info@7eventsafrica.co.za | Website: www.7eventsafrica.co.za/ccsas


CyberSpeak LC has partnered with Cyber Cerebral South Africa. The aim is for East Africa to attend this summit to gain valuable knowledge about cyber security and the latest threats, learn best practice from the thought leaders in the industry, and establish the way forward for Africa’s cyber security landscape. Our countries need to join forces to combat cyber-crime.

About Cyber Cerebral South Africa: Cyber Cerebral South Africa, endorsed by the African Society for Cyber Security Awareness (ASCSA), is a 2-day programme that has a platform to educate over 16 different industries, such as education, government, mining, retail, manufacturing, banking, academics, media and insurance, just to mention a few, to understand a cyber-attack and how to be a digital citizen, and to help them understand their digital identity and being digitally resilient.

About the endorser: The African Society for Cyber Security Awareness (ASCSA) was founded to help South Africa and the rest of Africa to understand cyber security and cyber safety online. ASCSA encourages people to be more vigilant about practising safe online habits and to view internet safety as a shared cyber hygiene responsibility at home, in the workplace, and in our communities. The aim is to re-introduce the cyber security awareness programme to enhance online safety and security for our communities.

The programme will begin with an opening keynote, leading into 7 keynote topics and panel discussions around getting smarter with cyber security, email protection, digital identity, malware and advanced persistent threats, digital citizenship, computer forensics and digital resilience. The speakers include Adv. Jacqueline Fick, Maria Pienaar, Jamaaludeen Khan, Nithen Naidoo, Michael Felix, Abdul Kader Baba, Thabo Johnson and Obedience Kuguyo, just to mention a few.

WHAT TO EXPECT AT #CCSAS Vol.2
7 Keynote Presentations
9 Networking Sessions
7 Panel Discussions
18 Workshops
10 Round Table Discussions
1 Cyber Cerebral Short Film
Lunch and refreshments
Full access to the Sponsor Lounge

INTERNATIONAL DELEGATE RATES: $ 329.00
LOCAL DELEGATE RATES: $ 470.00
DISCOUNT: International discounted registrations for East Africans.

AFRICA BOUND?
Keen on cybersecurity opportunities in Africa? Talk to us.
Africa, the frontier of now.
Access our networks. Explore prospects. Establish your presence. Make a mark.
+254 710 573580 | editor@cyberinafrica.com | www.cyberinafrica.com



CYBER RISK MANAGEMENT An African Perspective

Africa has witnessed steady growth in access to Internet-enabled devices, and internet penetration has grown steadily from 2.1% in 2005 to over 24% in 2018. This represents millions of its 1.2 billion population. The increase, and the projections for the years to come, show that there is progressive growth in internet use on the continent.

Due to the steady increase in Internet penetration and the proliferation of Internet-enabled devices across Africa, companies and governments are becoming digitalised and, as a result, they are vulnerable to cyber threats. Cyber-attacks are on the increase, their scale is getting bigger and they are becoming more expensive. There is a great need for organisations to manage cyber risk because cyber-attacks are imminent, increasing and becoming more excruciating.

In fact, some organisations in Africa have suffered severe consequences of cybersecurity breaches, such as data exposure, sophisticated malware on a network, defacement of websites, identity theft and Distributed Denial of Service (DDoS).

These attacks do not discriminate between companies: companies of all sizes and in all industries globally are victims of cyberattacks. Therefore, African businesses and companies should strengthen their cyber-risk protection schemes in order to prevent financial loss and distrust from their customers, and harm to the African economy in general.

Furthermore, the importance of cyber risk management in an organisation can never be overemphasised, as risk management is a continuous process of identifying, assessing and responding to risk. In managing risk, organisations must analyse the possibility and potential impact of an event and determine the most effective approach to dealing with the risk: acceptance, transference, avoidance or mitigation.


1. Commitment from top management

Resisting an evolving threat landscape requires board-level approval to ensure that there is a high level of commitment to supporting cyber risk management. Therefore, it is pertinent for investors, customers and other business stakeholders to ensure that Board and Executive leadership are involved in a strategic and comprehensive approach to cybersecurity that will protect valuable data and advance the dexterity and growth of the organisation.

2. Crisis Response and Incident Management

Organisations in Africa can take a holistic business strategy by focusing on business continuity planning and crisis response in the event of a cyber attack. How?

a. Gather security experts who influence cybersecurity, information security, product security, and data privacy.
b. Create risk scenarios based on emerging threats, so that informed decisions can be made to address the vulnerabilities recognised.
c. Present the board and management with ‘cybermetrics’ that measure risk and performance.
d. Organise and implement trainings on cyber risk management for employees.
e. Create a communication plan to provide transparency in the event of a cyber attack.
f. Enact a framework for assessing and analysing cyber risk.

3. Regulatory Frameworks

Governments on the African continent have taken steps to enact laws and regulations bordering on cybersecurity risk management, such as the Risk-Based Cybersecurity Framework and Guidelines for Deposit Money Banks and Payment Service Providers by the Central Bank of Nigeria, and the Computer Misuse and Cybercrimes Act and the Information and Communications Act of Kenya, to name a few.

These regulations, though useful, should also encourage organisations to enact their own bespoke, industry-aligned cyber risk management framework. Also, there should be a clause in any framework that requires a report to be submitted to the appointed authority, within or outside the organisation, showing proof of implementation of cyber risk management in order to obtain a Certificate of Compliance. African countries should also accede to the African Union Convention on Cybersecurity and Protection of Personal Data.

4. Cyber Risk Insurance

To mitigate risk, organisations can engage insurance companies that offer products modelled to shield businesses from risks affecting the confidentiality, integrity and availability of information assets. Cyber insurance products can include first party business income loss, cyber risk assessment, data loss and restoration, crisis communications and reputational mitigation expenses, and business interruption loss due to a network security failure or attack, human error or programming, and so on.

5. Managing Insider Threat

It is only natural to infer that cyber-attacks are usually external in nature. However, organisations also have to bear in mind that attacks could be caused by an insider (an employee, a business partner or a 3rd party vendor), be it negligently or maliciously, who has or had authorised and approved access to the organisation’s network systems and data, thereby obtaining trade secrets or conducting fraud and unauthorised trading. According to the Ponemon Institute Research Report 2018, about 64% of insider threats are caused by employee or contractor negligence. This is evidence that insider threat is steadily increasing and must be properly managed. Accordingly, in managing insider threat, organisations can implement the following tools: Data Loss Prevention (DLP), Privileged Access Management (PAM), User Activity Monitoring (UAM), Security Information and Event Management Systems (SIEMS), User Behaviour Analytics (UBA) software, and Digital Forensic Tools.


The Next

Cyber risk management is not just a technical issue but a business issue because, where a cyber-attack occurs in an organisation that is least prepared, the consequences could include financial, reputational and intellectual property loss, and lost value of customer relationships. Consequently, businesses in the African ecosystem should strengthen their cyber resiliency by building systems and operations designed to prevent and detect threats. Furthermore, organisations should maintain good cyber hygiene by implementing the following principles, recently released by the Software Engineering Institute (SEI), which reiterate the above:

1. Identify and prioritise key organisational services, products and their supporting assets.
2. Identify, prioritise, and respond to risks to the organisation’s key services and products.
3. Create an incident response plan.
4. Conduct cybersecurity education and awareness exercises.
5. Establish network security and monitoring.
6. Control access based on least privilege and maintain user access accounts.
7. Manage technology changes and use standardised and approved secure configurations.
8. Utilise controls to protect and recover data.
9. Forestall and monitor malware exposures.
10. Manage cyber risks associated with suppliers and external dependencies.
11. Conduct cyber threat and vulnerability monitoring and remediation.

It is imperative to note that the above cyber hygiene principles are mere foundational footsteps that can be taken in managing cyber risk. Organisations in Africa must be open to changes and improvements in their cyber risk management routine.

Motunrayo Akinyemi, LLB (Law with Criminology), B.L. Lagos, Nigeria




East Africa as an Export Center of Cyber Talent

A survey carried out in 2017 indicated that 95% of African organizations operated below globally acceptable cyber security standards. The cost of cyber crime had skyrocketed from $2 billion in 2016 to $3.5 billion in 2017. The East African nations Kenya, Uganda and Tanzania were on the top 5 list, with a total loss of $376 billion. During the same period UNCTAD (United Nations Conference on Trade & Development) reported that Foreign Direct Investment (FDI) flow into Africa slumped to $42 billion in 2017, a 21% decline from 2016. The cost of cybercrime in Africa has a direct correlation with FDI inflow as well as the economic growth of the continent.


The Cyber4Growth project was launched to promote economic growth in East Africa by improving cyber resilience among organizations in the region. The project was funded by the German government through KFW DEG and by other German corporates: SEC Consult, Tuv Rheinland and CYRISO, just to name a few. The project offered private and public organizations in East Africa hands-on training, which is absolutely essential to raise the level of security awareness on the one hand, and to promote economic competitiveness on the other.

The overarching goal was to promote fair trade between East Africa and Europe, where data privacy and cyber security are paramount for business. On January 10th 2019 the project kicked off by training selected partners from four of the East African countries (Kenya, Rwanda, Uganda & Tanzania). The training was spearheaded by Martin Eiszner (CTO, SEC Consult Group, and co-founder of OWASP) and Emmanuel Hebe (Product Manager, SEC Consult Singapore), with Torsten Toellner (MD, SEC Consult Deutschland GmbH) as the godfather of the project, overseeing its implementation and success.

The initial step was to change the mindset of the participants on developing effective cyber defense methodologies. The trainers took the participants through the Cyber Attack Kill Chain, and at every step they were challenged to think like a hacker so as to develop effective countermeasures. The simulated training environment further provided a playing field for participants to exercise and to be creative as they kept the attacker at bay. In addition, interactions and engagements within the 10 days of training provided a platform to discuss cyber security challenges in the region. All participants were in agreement that an alliance was required for the team to make an impact in addressing cyber security challenges. The partners were required to offer the cyber defense simulation training to their clients back home.

Cyber Security Safari: Nairobi, Kigali, Kampala, Dar

East Africa is a rich region with young people who are passionate about cyber security. The millennials are eager to learn so that they can contribute positively to their economies as well as secure the cyberspace. In addition, both the public and private sectors are in agreement that there is a need for capacity building for the region to address the cybercrime epidemic. A 2017 report by the Palo Alto Research Center found that 65% of organizations have a shortage of IT staff dedicated to cyber security. In East Africa the picture is grim: the representatives of the organizations present concurred with the report, and even indicated that those who were responsible for cyber security had other responsibilities due to lean IT teams. Hands-on training with simulated environments gives a real picture of a cyber incident; participants use not only their technical skills, but also the considerable analytic skills required to manage a cyber incident.

The only way to grow is to let yourself make mistakes – Nikki Giovanni



There is a need for more ‘real’ sessions for the IT teams in the region, so that they are prepared to handle any type of attack. The simulated environment mimics a typical organization, with servers, networking devices, security solutions (firewalls, endpoints, SIEMs), and clients running both Windows and Linux. The simulated environment provides a space to make mistakes at no cost to an organization but, more importantly, the IT teams learn and are able to implement proactive cyber defense measures within their organizations. In the near future Virtual Reality (VR) will be implemented to make the training more realistic, with the IT teams even interacting with physical devices and people in the virtual rooms. The VR platform will provide an opportunity for film study just as is done in sports: there is no better way to learn than to watch yourself make mistakes.

East Africa as an export center for cyber security talent & skills

The key is continued investment in building our people’s capacity – H.E Paul Kagame, President of Rwanda.

Business is the best way to create a lasting prosperity

Cyber attacks are inevitable, just like death; however, we cannot just sit and wait. Our next step is to grow Africa's cyber security talent at an annual rate of 10%. This will be achieved through the alliance formed and through partnerships with universities and other learning institutions. If our public and private organizations can get access to skilled cyber security professionals, then we can bring down the cost of cyber crime in Africa. Our people will gain more trust in digital business, which in turn creates more opportunities for our businesses and also attracts investment.

East Africa, and greater Africa, has the potential to become a global cybersecurity powerhouse. The diversity and magnitude of the market are key to economic growth; however, cyber crime will drag the continent behind. GDPR (the de facto data privacy regulation) will be a major catalyst for Foreign Direct Investment in the continent; however, with low cyber security standards, investors will shy away from the continent. Young Africans are excited and motivated to learn about cyber security, and they want to make a mark in their respective countries. Feedback received from the project is that people want more of such simulated trainings, providing more challenging situations to invoke new thought processes in cyber defense methods. This is an exciting challenge for us as the project promoters: to take Cyber4Growth to other regions in Africa, namely West, Central, South and North.

Special thanks to Yelbridges (Kenya), USIU-Africa (Kenya), MagilaTech(Tanzania), MilimaTech(Uganda), Bizoneer Consulting Africa LTD(Rwanda).



Security Meets Business Objectives CYBER SCAPE AFRICA | Q2

With the advent of globalisation and ever changing technologies, both public and private organisations are facing unprecedented information threats. Protecting their information assets has become a key function within the information systems management regime. It is absolutely necessary to develop and deploy a functional information security culture in order to achieve an effective information systems management.

2019

Control Objectives for Information and related Technology (COBIT) main focus is on development of clear policies and good practices for security and control in information technology. Information Technology Infrastructure library (ITIL) focuses on critical business processes and disciplines needed for delivering high quality services. ISO/IEC is a standard for information security industry that includes a comprehensive set of controls and best practices.

The protection and security of information to all individuals, institutions and governments requires three forefronts which are confidentiality, integrity and availability. Security of information goes beyond antivirus software, firewall, etc. The general approach to the protection and security should be strategic as well as operational.

Information Security Incidents

Most organisations in African countries are experiencing serious problems in applying a successful, comprehensive information security management system. Security incidents cost organisations in Ghana, Uganda, Tanzania, Kenya and Nigeria more than $50 million, $60 million, $90 million, $210 million and $500 respectively each year. These figures are likely to place insufficient emphasis on the problem, as most organisations in Africa do not report any potential or accurate losses to authorities.

The objective of information security is to safeguard business continuity and reduce the impact of security incidents. Organisational information, and the IT systems and infrastructure that support it, are vital business assets. The confidentiality, integrity and availability of business assets are critical to maintaining competitive edge, legal compliance and profitability.

The WannaCry ransomware attack of May 2017 caused security breaches in over 100 countries, including more than ten (10) African countries. The attack hit over 200,000 users and more than 400,000 computer systems. The involvement of Cambridge Analytica in the Kenyan and Nigerian electioneering processes, the Collection #1 data breach of email addresses and passwords totaling more than 700 million and more than 1.1 billion unique login passwords, and the Equifax data breach in September 2017 that hit over 145 million consumers, amongst others, revealed the need for organisations to take a comprehensive approach to protecting their information assets.

Information Security Management (ISM) encapsulates the confidentiality, integrity and availability of information as well as the delivery of business benefits by protecting and controlling information sharing and managing the associated. The growing adoption of information security management practices has been driven by the requirement for the information technology industry to better manage the quality and reliability of information technology in business and to respond to a growing number of regulatory and contractual requirements. ISM practices include COBIT, ITIL, and ISO/IEC 27000.


ISM Plan

Information Security Management (ISM) emphasises controls that organisations should implement to ensure risk management relating to the protection and security of information and information infrastructure. Organisations in African countries must set the right information security culture and resilience in introducing and maintaining a comprehensive information security management plan. This can be achieved through the following:

1. Information security is a corporate governance responsibility and not just the IT department's responsibility.

2. Information security is not just a technical issue. It is more of a business issue that requires a comprehensive solution.

3. Information security must be based on a certain type of risk analysis, through a high-level oriented approach in accordance with international good practices.

4. An information security policy containing a comprehensive set of supporting sub-policies, procedures and standards is extremely important.

5. Corporate information security policy must be adhered to strictly. Technical and non-technical measurement tools should be deployed in enforcing and maintaining compliance.

6. Information security awareness should be implemented at all levels of the organisation.

How prepared are organisations in African countries for any form of information security incident? This is a vital question for the protection and security of their information assets. Organisations on the continent must continually strengthen their risk management protection systems, in accordance with international good practices, in order to sustain their activities in an increasingly connected world.

John Olayemi Odumesi, Cybersecurity Analyst, Office of The National Security Adviser, Nigeria


We’re not just humans. We are assets!

Source: https://towardsdatascience.com/ai-the-future-of-technology-and-the-world-86f59d0cf720

The Human Factor in Cybersecurity

Recently at BSides Cairo, during the Q&A after my talk on social engineering and the human factor in security, a gentleman asked me why his company would need a social engineering and physical security test if it already had the newest, well-configured tools and a hardened network.

What a great question! It tells me a lot about the state of this gentleman’s mind, and his company’s security. It also lets me open the discussion on why the human factor is important in security.

I’ve heard people calling humans the 8th layer of the OSI model. And, while I think it’s important to start bringing the human element into the realm of our security models, I would say that the human element lies in every layer of the OSI model – humans are the ones putting all the cables, hubs and repeaters into our networks. They are also installing and configuring switches and bridges. Humans are the ones architecting services, configuring them, deploying them, maintaining them, and finally, humans are the ones ceasing those services. They are also the ones coding, testing, maintaining, and engaging with the web applications.

If on every layer we find a human element, then we need to start treating security holistically, where our users are our assets and are treated as part of our threat landscape, with their own vulnerabilities that we need to count and know how to remediate, as with any other asset in our network.

Insider threats such as inadvertent insiders, the people in your company who unwittingly compromise the environment, were reported by the IBM X-Force Threat Intelligence Report 2019 as the most relentless threat, one that will continue to rise in 2019.

And this should simply be part of your threat landscape. As Ira Winkler says in his talk, The Human Exploitation Kill Chain, there are 10 opportunities to stop a phishing attack and only 2 of them are user related. Before an email with malicious content reaches a user, for instance, our perimeter devices should be configured to their full potential in order to filter those emails out – our email servers and email clients should detect, filter, and quarantine phishing emails.


Once the email reaches our users and they decide to click, they should be warned not to open malicious attachments or follow links to a malicious site. Our tools should stop malicious programs from loading and from sending data to outside parties, using DLP, detection of keystroke loggers, etc. And even if all of the above fails, our network tools should detect both successful and unsuccessful attacks, and if they are unsuccessful, they should start cleaning up and reporting it immediately.

So can we really blame the user who is in the middle of their busy day and clicks on a link in an email that looked like a genuine email from their manager? We should stop blaming users, we should stop saying that humans are the weakest link or that there is no patch for human stupidity. Because it is our responsibility, as the security teams driving security policies and procedures within our companies, to account for the human element of our security programs, of our security landscape. We should take ownership of this so as to build a security environment where secure behaviours are enacted by default, as these will become behaviours rooted in your company’s culture. From the mailroom to the boardroom, we should engage with everyone in our company to follow security processes and procedures.

Hard coding security in the human part of your network is only one layer of your in-depth security model. Along with a secure culture, we should be using zero-trust frameworks or even go towards a digital trust model network where each user has a specific “digital fingerprint”, so that any unusual connection to unusual shares or ports, or a bigger volume of downloaded data, would be flagged and investigated.

Part of the strategy to patch vulnerabilities caused by human assets in your network should be an awareness program. And we’ve seen a shift towards more awareness programs, so why are our employees’ habits, in regards to information security, getting worse as SailPoint research shows?

Maybe we should look at how humans learn. We know from research that our experiences become long-term memories through biochemical synthesis between existing neurons in our brain. Strong and long-term memories are largely the result of a continued flow of information from one cell to the next.


Is it really constructive to scare our users every couple of months with new ways of how to exploit them? What if we focused on just cultivating the flow of information about what our users should do, rather than just trying to create new neurons, new ways of how they can be exploited, and made sure they are comfortable knowing what they should do, with anything out of the ordinary reported to the security team in their organisation?

Just as I try to give my social engineering targets a positive experience of engaging with me, we should be celebrating the successes of our users. We should put results of our social engineering tests, and while I was able to manipulate someone into divulging sensitive data over the phone, what about all the others that refused to give me any information over the phone? It’s easy to see the failings and focus on them, and it is rare to see a focus on the successes.

All this said, I would like to open a discussion about the human element of security in Africa. We should have a look at what the status of our human threat landscape is. What can we do to improve the security posture of the users in our organisations, as well as our loved ones at home?

Sarka Pekarova, Security Consultant, Dreamlab Technologies



CYBERSECURITY DATA ANALYTICS

For the brave few:

Introduction - the dawn, of the age, of the planet, of intelligence

We no longer live in the information age, rather we struggle with information overload. We crawl furiously through our Google search results, finding nirvana somewhere between page 10 and 15. However, for the indefinite optimist like myself, it is the dawn of a new era – the age of intelligence. At a high level, data is consumed to form information, which gleans knowledge, ultimately giving birth to the holy grail of intelligence. This seems obvious, but still we choose to call an array of malicious IP addresses, DNS names and file hashes “threat intelligence” (low blow, I know). Not that I’m complaining about the semantics, I’m simply highlighting the fact that we could, and should, add a few steps.

Data source selection - carefully selecting absolutely everything

This is, or could be, a good point to introduce the concept of cyber intelligence. Simply put, cyber refers to computing networks and intelligence refers to the collection, analysis and interpretation of information. For example, I describe Snode Guardian by 3 core features – data fusion, machine analytics and interactive visualization. The natural question to surface will be – of what data? Now, this is where I disagree with most people. I don’t think logs are sufficient. Furthermore, I don’t think full packet capture is sufficient. Snode consumes everything inside your business – including open and closed sources outside your business.

Cyber analytics – how to hunt something in absolutely everything

Similarly, cyber analytics would refer to computing networks and the discovery, analysis and interpretation of patterns in data. So, let’s say we discover, analyze and interpret a real-world example of anomalous activity and patterns. The visualization (a.k.a. the graph) below shows a baseline of normal behavior with anomalous activity highlighted (by the red dots). Now, before you pull your face – this is not a sales pitch – you can do this with FOSS (Free Open Source Software), like Elastic, Prelert or Timelion (www.elastic.co).

Discovery is done, let’s do the analysis. Now, we isolate the specific protocol that caused the anomalous pattern of behavior. The visual analytics (graph) shows the activity is web traffic, specifically HTTP (Hypertext Transfer Protocol), with an evident anomalous spike of activity.


Next, we interrogate this activity (with a mouse click) and find a high number of proxy authentication failures. Additionally, the threat intelligence (a.k.a. data) correlates the attempted HTTP communication with the known malicious domain chickenkiller[.]com.

Agreed, that was not only a really simple example, it was mildly boring. Hence a logical flow into the final section, which is no more exciting, but alludes to the fact that the end is near.
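The discover, analyze, interpret walkthrough above, as an added example that is not from the article or from Snode: Python run over constructed proxy records. The record layout, the client addresses, the `update.` subdomain and the median/MAD modified z-score are assumptions made here; the article does not say which statistic its graphs use.

```python
from collections import Counter
from statistics import median

# Constructed indicator feed, defanged the way the article prints the domain.
INDICATORS = ["chickenkiller[.]com"]


def refang(indicator):
    """Turn a defanged indicator (example[.]com) back into a comparable host."""
    return indicator.replace("[.]", ".").lower()


def ioc_match(host, indicators=INDICATORS):
    """True if host is an indicator domain or a subdomain of one."""
    host = host.lower().rstrip(".")
    return any(host == d or host.endswith("." + d) for d in map(refang, indicators))


def build_logs():
    """Constructed sample records: (hour, protocol, client, status, host)."""
    logs = []
    for hour in range(24):
        for i in range(20 + hour % 3):  # ordinary web browsing
            logs.append((hour, "HTTP", f"10.0.0.{i % 5 + 1}", 200, "intranet.example"))
        for i in range(5):  # steady DNS background
            logs.append((hour, "DNS", f"10.0.0.{i + 1}", 0, "intranet.example"))
    for _ in range(90):  # the anomaly: one client failing proxy auth repeatedly
        logs.append((14, "HTTP", "10.0.0.23", 407, "update.chickenkiller.com"))
    return logs


def hourly_counts(logs, protocol=None):
    """Events per hour of day, optionally restricted to one protocol."""
    counts = [0] * 24
    for hour, proto, _client, _status, _host in logs:
        if protocol is None or proto == protocol:
            counts[hour] += 1
    return counts


def robust_z(counts):
    """Modified z-score per hour. Median and MAD are used so that the spike
    itself does not inflate the baseline the way a mean/stddev would."""
    med = median(counts)
    mad = median([abs(c - med) for c in counts])
    scale = mad or 1.0  # perfectly flat baseline: fall back to one event
    return [0.6745 * (c - med) / scale for c in counts]


def anomalous_hours(counts, threshold=3.5):
    """Discovery: hours whose volume sits far above the baseline."""
    return [h for h, z in enumerate(robust_z(counts)) if z > threshold]


def dominant_protocol(logs, hour):
    """Analysis: the protocol deviating most from its own baseline that hour."""
    protocols = sorted({rec[1] for rec in logs})
    return max(protocols, key=lambda p: robust_z(hourly_counts(logs, p))[hour])


def interrogate(logs, hour, protocol):
    """Interpretation: proxy auth failures (HTTP 407) and indicator matches."""
    window = [r for r in logs if r[0] == hour and r[1] == protocol]
    hits = Counter((r[2], r[4]) for r in window if ioc_match(r[4]))
    return {
        "events": len(window),
        "proxy_auth_failures": sum(1 for r in window if r[3] == 407),
        "ioc_hits": dict(hits),  # (client, host) -> number of attempts
    }


if __name__ == "__main__":
    sample = build_logs()
    for hour in anomalous_hours(hourly_counts(sample)):
        proto = dominant_protocol(sample, hour)
        print(hour, proto, interrogate(sample, hour, proto))
```

The `ioc_hits` keys name the internal client behind the attempts, which is the asset to triage first.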

Machine assisted analytics – army of one (lots of ones, and some zeros too)

Intelligence Amplification is a core design principle in Snode technology. It refers to the perfect harmony of machines assisting humans to solve difficult problems (that’s not very accurate, maybe buy a book). However, for the simple (boring) stuff, we use the machines. So, our final step involves automating the (playbook) incident response. A FOSS alternative here (please note, I’ve not used this software personally) would be the Puppet Framework. So, why automation? Below are thousands of reasons and the number of attacks detected in one client, in one month, represented in a nice flat earth (not the theory, an illustration).


Big finish, final curtain, the end and last paragraph (which ironically, is a numeric list)

In conclusion, my suggested cyber analytics method (or, if you prefer, madness):

• Integrate all data sources;
• Know your critical assets;
• Use statistical analysis; and
• Machine learning; and also
• Expert, rule-based engines;
• Automate response systems;
• Report, trend, measure; and
• Improve,… like a boss!!!

Nithen Naidoo is the CEO and Founder of Snode Technologies, a cybersecurity business based in Pretoria, South Africa.


Simple-OpSec

Account Recovery
• AppleCare
• Facebook
• Google
• Microsoft - Outlook, Xbox, Hotmail, and so on
• Twitter
• Yahoo!

Communication Security
Google Info:
• Google Custom Alerts
• Google Reverse Image search instructions

Backup Services and Products
• Amazon Cloud Services
• Box
• CrashPlan
• iCloud
• DropBox

Antitheft Apps:
• Cerberus
• Lookout
• Prey

Create an Account with a New Email Provider
• Gmail
• Tutanota
• Mail.com (https://www.mail.com/int/)
• Hushmail
• iCloud
• Microsoft Outlook
• Yahoo! Mail
• Zoho Mail

Antitracking Plug-ins and Extensions
• AdBlock Plus
• Blur
• Disconnect
• Ghostery

Password Managers
• 1Password
• KeePass
• LastPass

Encryption Programs
• BitLocker for Windows
• FileVault for Mac

Encryption Products
• VeraCrypt
• CipherShed
• AxCrypt

Breaches
• FTC data breach complaint report
• Hack checker
• Hard drive recovery Drive Savers

Searching Your Name
• Pipl
• Spokeo
• USSearch
• Intelius

DMCA Takedown Request Services
• DMCA Defender



Outsourcing
• Kuhustle
• Amazon’s Mechanical Turk
• Elance
• Remote Staff
• Your Man In India

Social Media Privacy Settings
• Facebook
• Google
• Google+
• Google Safety
• Twitter

Photo Sharing Site Privacy Settings
• Flickr
• Imgur
• Instagram

Reputation Services and Image Removal
• Abine
• DMCA Defender
• Reputation

Revenge Porn Support Organizations
• Army of She
• Ban Revenge Porn
• Crash Override Network Combating Online Hate
• End Revenge Porn
• IWF
• Women Against Revenge Porn

Opt Out of Data Mining
There isn’t one single clearinghouse where you can put yourself on a “do not track” list, but you can opt out of data mining by all members of industry associations:
• Self-Regulatory Program for Online Behavioral Advertising
• Do Not Track
• Mobile App Tracking
• Network Advertising Initiative

Antitheft Tracking Apps
• Cerberus
• AVG
• Kaspersky
• Lookout
• McAfee
• Prey
• Where’s My Droid

People-Finder Sites
• BeenVerified
• DOBSearch
• Intelius
• LexisNexis
• Spokeo
• WhitePages

Place a Security Freeze on Your Credit
• Equifax
• Experian
• TransUnion

Dating and Sexy time
• Sample in-person safety guidelines for online dating



Browser Plug-ins and Extensions
• Adblock Plus - Blocks ads and tracking for most advertisers
• AppLock
• AVG PrivacyFix - Manages all social media privacy settings
• Blur - Blocks tracking, password management, disposable email addresses, and much more
• BugMeNot - Bypasses the sign-in on websites that require your info to simply read a page
• Cocoon - Blocks tracking, offers disposable email addresses
• Disconnect - Blocks Facebook tracking
• Do Not Track
• DuckDuckGo - A nontracking search engine
• Ghostery - Alerts you to bugs, tracking, and ad networks on sites you
• HTTPS Everywhere - Enables encryption automatically on sites that support it
• PrivacySuite

OTR
• How OTR works 1
• How OTR works 2

Chat/IM software clients that come with OTR
• Adium
• Xabber
• TextSecure
• ChatSecure
• Pidgin

VoIP
• Burner App
• Google Voice
• Skype

Password Generators
• LastPass
• Norton

Password Managers
• 1Password
• KeePass
• LastPass
• oneSafe
• Password Safe
• Splash ID Safe

OpenPGP Encryption
• How it works
• Cryptology links
• PGP Installation and Use For Dummies
• Browser Extension - Mailvelope
• Open source alternative

Prepaid Credit Cards/Gift Cards
• Amex
• Discover
• MasterCard
• Visa
• Masked cards unique, disposable credit cards - MaskMe

Credit Freezes and Fraud Alerts
• Experian
• TransUnion
• Equifax

Recommended Privacy Apps
• Blur
• ChatSecure
• Cocoon
• RedPhone and Text Secure
• Silent Circle

Paranoid
• Find your current IP address
• PO Box Application
• VPN, reliable reviews

Project site How it works Apps that use Tor Orbot for Android

Authors: Dr. Bright Mawudor and John (Troon) Ombagi


Securing The Nation’s Infrastructure

Critical Infrastructure: Of ICS & Cybersecurity

Industrial Control Systems (ICS) generally encompass several types of control systems, including supervisory control and data acquisition (SCADA) systems, distributed control systems (DCS), and other control system configurations such as Programmable Logic Controllers (PLC) often found in the industrial sectors and critical infrastructures. ICS are typically used in industries such as electrical distribution, water treatment plants, oil and natural gas pipelines, chemical, transportation, pharmaceutical, food and beverage processing, and discrete manufacturing such as automotive, aerospace, and durable goods. These control systems are critical to the operation of any country's critical infrastructures, which are often highly interconnected and mutually dependent systems.

Supervisory Control And Data Acquisition

SCADA systems are highly distributed systems used to control geographically dispersed assets, often scattered over thousands of square kilometers, where centralized data acquisition and control are critical to system operation. They are used in distribution systems such as water distribution and wastewater collection systems, oil and natural gas pipelines, electrical power grids, and railway transportation systems. A SCADA control center performs centralized monitoring and control for field sites over long-distance communications networks, including monitoring alarms and processing status data. Based on information received from remote stations, automated or operator-driven supervisory commands can be pushed to remote station control devices, which are often referred to as field devices. Field devices control local operations such as opening and closing valves and breakers, collecting data from sensor systems, and monitoring the local environment for alarm conditions.


Distributed Control Systems

DCS are used to control industrial processes such as electric power generation, oil refineries, water and wastewater treatment, and chemical, food, and automotive production. DCS are integrated as a control architecture containing a supervisory level of control overseeing multiple, integrated sub-systems that are responsible for controlling the details of a localized process. Product and process control are usually achieved by deploying feedback or feedforward control loops whereby key product and/or process conditions are automatically maintained around a desired set point. To accomplish the desired product and/or process tolerance around a specified set point, specific PLCs are employed in the field, and proportional, integral, and/or derivative settings on the PLC are tuned to provide the desired tolerance as well as the rate of self-correction during process upsets. DCS are used extensively in process-based industries.

Programmable Logic Controllers

PLCs are computer-based solid-state devices that control industrial equipment and processes. While PLCs are control system components used throughout SCADA and DCS systems, they are often the primary components in smaller control system configurations used to provide operational control of discrete processes such as automobile assembly lines and power plant soot blower controls. PLCs are used extensively in almost all industrial processes.

Cyber Security Assessments of ICS

Industrial Control Systems were originally built as isolated stand-alone systems bearing little resemblance to traditional information technology (IT) systems and running proprietary control protocols with specialized hardware and software. Many ICS components were in physically secured areas and were not connected to IT systems or networks threats and incidents. As ICS are adopting IT solutions to promote corporate business systems connectivity and remote access capabilities, and are being designed and implemented using industry standard computers, operating systems (OS) and network protocols, they are becoming less isolated from the outside world and are potentially reachable from the internet by malicious and skilled adversaries.

Threats to control systems can come from numerous sources, including adversarial sources such as hostile governments, terrorist groups, industrial spies, malicious intruders and even disgruntled employees. While security solutions have been designed to deal with these security issues in a typical IT environment, special precautions must be taken when introducing these same solutions to ICS environments. In some cases, new security solutions are needed that are tailored to the ICS environment.

In July 2010, the first ever computer virus was discovered that targeted industrial control systems. Referred to as Stuxnet, this virus has proven to be one of the most advanced viruses of its kind, exploiting particular weaknesses in the Windows operating system that had not been previously documented, and possessing the ability to exploit a specific industrial control systems platform. The ultimate goal of Stuxnet was to sabotage that facility by reprogramming programmable logic controllers (PLCs) to operate as the attackers intended them to, most likely out of their specified boundaries. It took nearly five months from the time Stuxnet was discovered until the time at which Microsoft had issued patches which closed the four zero-days that were exploited by Stuxnet.

The Stuxnet virus proved that ICS cyber security risk is not theoretical. Executives need to understand and balance the cyber security risk related to the use of ICS with other business risk factors. An efficient and sustainable ICS security program requires a long-term strategy, human resources plans, business processes, procurement and many other domains.

There is a need for a governance and incident response structure in which accountability and responsibilities for ICS security are clearly stated and accepted by all responsible parties.

Lawrence Dinga, Founder & CEO, Managecom Systems Ltd


IN THE C-SEAT WITH JESSICA GOMEZ

Tell us about Jessica and her space in the cybersecurity field.

I am Jessica from Benin Republic. I am an expert and consultant in information security in Switzerland. Since I was a little girl, I have loved to help people, to come to their rescue. In this age of information technologies, I asked myself, where and how can I be of help to people? Then I found information security, cybersecurity and data privacy.

How long have you been in the tech industry and how did you get into cybersecurity?

I have been in the tech industry for more than 10 years now. After my high school certificate, I was designated to be an engineer or a doctor (it’s every African parent's dream). I was good in mathematics and physics, so obviously, I decided to be an electrical engineer because I wanted to create electricity for my country. I chose renewable energy systems as an option, so as to know how to get electricity from the sun, wind and water.

After my engineering degree, I couldn’t find a good opportunity - job or investment capital to launch a solar panels project. I pursued my studies with a plan to be an atypical and polyvalent professional, by adding management and economical skills to my technical ones. So I got a master’s degree in information systems, from a business school, and searched for a job, to no avail. I got tired of having nothing to do, so I tried my luck to enroll in an Executive MBA Program, without any work experience.

The head of the EMBA program got me enrolled, because he was impressed with my master’s degree thesis and wanted to encourage women to get into information security. That’s how I landed in the information security and cybersecurity field, in that high level formation, with 20 other people and only 2 women, me included. They were all working in big companies, with at least 5 years' experience, while I was not able to even get my first job.

Looking back, what are some of the highs and lows you have experienced being in the industry? Anything hilariously interesting or scary?

The only big high I ever have and always focus on, is to get people to acknowledge and recognize my worth and my skills, only. When I read on their faces satisfaction and respect for my work, project or ideas - it’s my victory.

The hilarious part was and will always be the reaction I get when I say to people, especially the male professionals in the field, that I am one of them. I don’t think they expect to meet or to work with a young, black, African woman in cybersecurity. In general, it’s a good surprise for them (I guess).


At the beginning, the scary part was actually to go into information and cybersecurity, because I was seeing myself only behind a computer, doing some coding or hacking. But, hopefully, I discovered that there are so many specifications and areas of skills to explore. That was a great relief and a motivation to learn.

The fact that I am a woman, a black woman for that matter, was neither an issue for me (maybe for others too). I was raised with the mind of hard work and faith in God in everything, regardless of our gender, color or race. So I can say, I was well prepared for this battle.

You are originally from Benin but based out in Switzerland. Tell us more about this.

My parents lived and studied in Switzerland. They went there on scholarships, and fell in love with the country. Then they all returned to Benin. When my friends were destined to go to France, Canada, USA, my parents were focused on Switzerland. It is a big love story between my family and Switzerland. It became my love story!

Right off the bat, it’s easy to say in your case that there is a brain drain of cybersecurity talent in Africa. Any thoughts on this issue?

I am not considering myself as talent "brain drained" from Africa, simply because, whenever and wherever I get the opportunity to offer my skills to my country and to any other country in Africa, I am available to assist.

From my experience and point of view, there is not a lack of talent, but a lack of opportunities to express and to apply skills. Thing is, I am more valued and sought after in Switzerland than in Benin.

I think that the mindset in Africa, and particularly with our authorities, is that they do not yet understand the gravity of cybersecurity, cybercrime and cyberterrorism. Therefore, there aren’t any relevant requirements or obligations for companies and organizations, whether private or public, to adopt a cybersecurity strategy.

If a data breach or leak occurs, an African company will not have the same consequences and damages (legal and financial sanctions) as a European company, for instance. Simply because there are rules, regulations, and sanctions in EUROPE.

Same thing, when a secret document of the government is leaked - every other day, we can read on social media some secret information from public administrations. If an African company is under a cyber attack, I can imagine that, due to lack of cybersecurity prevention, detection and response plans, the company could just be a victim without any help.

I think sooner or later, African authorities and companies will be obliged to be compliant with the cybersecurity laws and regulations of Europe or USA, to maintain their collaborations. But it will be, obviously, to the detriment of our interests, because we weren’t able to design and implement our cybersecurity strategy and bolster its maturity.

How is the eco-system in Benin? Are you actively involved in it?

I am trying to be actively involved in the digital ecosystem in Benin, without sacrificing my integrity, my sincerity and my passion for information security.

The ecosystem in Benin is majorly dominated by the government. It is very difficult to do something without the approval or, at least, the support of the government. The digital ecosystem in my country is run by and for several people; some of them have great skills and projects, some are just in for political reasons.

The government launched so many projects, like Sèmè City (the digital city); they are working with the Tony Elumelu Foundation entrepreneurial program, sponsoring some forums, some competitions, etc.

I think cybersecurity in Benin is focused more on cyber fraudsters (gay mens, yahoo boys, 419, etc.) and the police department of cyber criminality is evolving.


The most important fact that am really proud of, is that Benin has established and applied « le code du numérique » (The Digital Code), with all legal requirements, rules, clauses and sanctions on April, 2018. Data privacy, e-commerce, services providers, cybercriminality and cybersecurity, e-signature, network and services, are severals parts of The Digital Code.

2019

Can Africa achieve a “GDPR for Africa” framework with global effects? What would be the upsides of such a framework/ Yes, Africa can definitively have its own data privacy law. We have so much frameworks and examples to work with.

This legal base is very important for the evolution of the digital ecosystem in Benin. Though I think they made an amazing job with that, but it can surely be improved. I sincerely hope they will implement all the processes and make available all the resources needed to assure that the law is applied. A law is useless, if sanctions are not given.

The upsides will be the same as the one for GDPR, but focus on African residents and citizens. It‘s important for us, and for our humans rights as Africans, to have our personal life and our private information protected, secured like for the others citizens of the world. I don’t think it’s fair for a company to dispose of Africans & Africa residents private information without being sanctioned, the same way it is for Europeans citizens.

Unfortunately, there is no national information security and cybersecurity strategy and plan. But I must admit that the government is shaking up the digital ecosystem in Benin. I know that in Benin we are committed to building the best and most innovative digital ecosystem in West Africa; that is actually one of the promises of our president, His Excellency Mr Patrice Talon.

The only challenge I can think of, is the same problem we have in most things in Africa, coming together and making something happen for Africa. Unfortunately, to design and apply a general data privacy regulation for Africa, every nation across Africa must be committed and involved.

You are an avid advocate for and a seasoned pro in data privacy and protection. What are your thoughts on the GDPR implications on Africa?

GDPR is impacting European companies in Africa. But, from my point of view, African companies dealing with European citizens’ private data are still not bothered. For instance, how many African websites have a data privacy policy published? How many of them give visitors the right to give their consent to cookies or other information they collect? GDPR sanctions will be applied to African companies for sure, and it will obviously be a disaster for our economies. I urge every African company doing business with European residents to be compliant with GDPR. Even if you are a start-up, and you’re selling products or services on a web platform, and you’re collecting information like name, address and obviously credit cards from European residents, you need to be GDPR compliant. Being compliant with GDPR is not a big deal if you’re not collecting sensitive private data, like religion, marital status, sexual orientation, medical information, etc.

A quick one - do you think CISOs should be part of the “big boys” – the board?

I need not think about this. It’s obvious. We won’t ask ourselves if a marketing manager or a financial risk manager should be part of the board, right? We are in a new era totally based on digitalisation. We are already talking about the 4th industrial revolution, cyberwar, cyberactivism, cyberterrorism, etc. The economy is based on the abilities of companies to protect and secure information. If the top management of the company doesn’t take the importance of information and cybersecurity seriously, they are surely not going to make it in this digital era.

What are the fears of top level management regarding cybersecurity and how can they be allayed?

It really depends on the risk appetite of the top level management - what they consider as high risk or residual risk.



Speaking to those joining the field, especially ladies - share with them your career starter & growth checklist.

Most of the time, the top level management's first question is - how much will this cost? For how long? The only way to make them understand the return on that investment is to show them what they will lose if a sensitive data leak or data breach occurs, in terms of legal sanctions, bad reputation and image, loss of clients, etc.

First of all, having and keeping faith. During the journey of my career, I've always kept my faith in God, to do amazing things in my life and give me the strength and the confidence I needed and still need. Secondly, three words: passion – skills – worth. Be passionate and curious. Get more and more skills. Be polyvalent. Establish your worth and they will come for it. Thirdly, I never joined this field with the mind that being a woman is a weakness. I used that as an advantage instead, to prove that what a man can do, a woman can do even better. It is as simple as that. And last, but not least, being in cybersecurity isn’t only about hacking, coding, being a geek. Cybersecurity is not only about tech skills, but also legal, management, risk analysis, finance, HR, change management, and all other human skills. You can be in cybersecurity and totally embrace your femininity, your faith, your dreams and most importantly your personality. I like to see myself as a SHERO in a digital world, and you can be one, too.

When the top level management becomes fully aware that information is a crucial asset for the company, they should be very willing to protect and secure it at all costs.

The movement of women in cybersecurity is growing by the day with new groups coming around. How are you involved in this? Are you supporting the same in Africa?

I am really proud of what I am doing in Africa about women in cybersecurity. I really try to involve myself through mentorship, by sharing my story and my experiences as a black woman in cybersecurity from Africa and in Europe. I do some online conference meetings to sensitize everyone on information security and I commit myself to different projects. I think I can do a lot more, I hope to do more actually. I’m working on it. Stay tuned.

Tell us about your experiences as a woman in cybersecurity.

Jessica GOMEZ Information Security

I can summarise my experiences as a woman in cybersecurity in 3 words: Passion – skills – worth. Without my passion for information security, cybersecurity and data privacy, I think I would not be there to fight for my place in the field.

CISO, Senior Advisor/Consultant in information security, information system, data privacy and cybersecurity. Specialist in risk analysis and information security compliance.

Without developing and showing my skills, I wouldn’t have a career in cybersecurity. I must improve myself, must be constantly innovative and understand the needs and fears of my company and my clients. I have to be polyvalent in every area of cybersecurity. I am also building my worth in information and cybersecurity. All that matters for me is to establish and prove my worth, and to make it available to the world. I cannot deny the fact that it is a man’s world, and as a woman, sometimes, I get some surprising reflections from men, but not only negative ones. For now, no major issues, but so much fun and good challenges.


PROTECTION AND PRIVACY OF DATA IN FINTECH

“The Unbanked Continent”

The advent of mobile communications, reflected in smartphone market penetration, has reduced the costs of telecommunication. This cost reduction has translated into increased access to mobile payment systems, banking services and, recently, blockchain technology through cryptocurrencies. But this financial inclusion through FinTech comes at a risk, because new technology users have little to no knowledge of the associated cybersecurity risks, especially the vulnerability of their personal information and privacy.

From Algeria to Kenya to Nigeria to Zimbabwe, various African nations have had to grapple with different kinds of problems in their banking and financial sectors. Corruption, corporate malfeasance, economic mismanagement, fraud, cyber threats, armed conflict and instability all contribute to making Africa one of the most unbanked continents in the world. This has given Africa the moniker “The Unbanked Continent”. On the bright side, some headway is being made, particularly in the realm of FinTech. According to the World Bank, the number of unbanked adults in the world decreased by 20%, from the 2011 estimate of 2.5 billion persons to 2 billion in 2014.

The FinTech industry is rapidly growing. It grew astronomically from roughly $15 billion in late 2016 to roughly $40 billion in 2018. In Africa, there are hundreds of FinTech companies. The pioneer FinTech startup in Africa is the Kenyan M-Pesa, which grew its customer base to 17 million in 6 years. It currently provides services across Africa, Europe, and Asia. Other prominent startups include MCash, which is a replica of the Kenyan M-Pesa and was introduced in Nigeria by the Nigeria Inter-Bank Settlement System (NIBSS); Piggyvest, which is an online saving platform; RenMoney, which is an online lending platform; and Remita and Remitly, for efficient online transfers and payments.

FinTech and Financial Inclusion

FinTech may be a disruption of the financial services industry, but it is also akin to financial inclusion. Financial inclusion is “the access to institutional financial instruments and services that can help individuals and businesses develop economically.” The World Bank considers increasing financial inclusion as one of its main advocacies, so much so that it has established a goal for 2020 called Universal Financial Access. This proposal aims to increase access to formal financial institutions and services all over the world in order to reduce poverty and encourage economic growth.

There is still room for more startups to emerge especially in the sphere of payment providers and solutions. For instance, making payments or providing account information via mobile devices through the use of Dual-Tone Multi-Frequency (DTMF) marking technology has not been introduced by an African-based FinTech company.

Without access to formal financial services, an individual or a business would not be able to develop substantially and sustainably. They would not have access to a savings account, credit facility, insurance, and other financial instruments.


Privacy & Protection of data: Too important for Africa

In the financial services industry, the foundation of the banking sector and of FinTech companies is trust. Customers trust that their personal information, which is of great commercial value in today’s world, will be treated with the utmost care, although they may not have a clue what companies may do with it. So it behooves FinTech companies to obtain the required consent for the use or storage of customers’ personal data. But such consent should not be irrevocable.

Privacy is an inherent fundamental and constitutional right which is also enshrined in the Universal Declaration of Human Rights. It is from this fundamental right that regulations on data protection and data privacy derive. The privacy of every individual on earth should be protected at all costs and should not be compromised. Data Protection and Privacy is a cliché. It came into the limelight after the data breaches by Facebook and Cambridge Analytica.

No company, either in the banking industry or the FinTech sector, is immune from security gaps. It does not matter if the companies communicate with customers on how their data is accessed, used, or stored, or if the companies utilize Application Programming Interfaces (APIs). Also, it does not matter if there are regulations put in place to protect customers. No measure is 100% safe.

In May 2018, the General Data Protection Regulation (Regulation (EU) 2016/679) (GDPR) came into effect and became applicable to corporations processing personal data of European Union (EU) citizens, irrespective of whether they are located in Europe or not. In Africa, laws similar to the EU GDPR are the Protection of Personal Information (POPI) Act of South Africa and, in Nigeria, the Nigerian Data Protection Regulation (NDPR) 2019.

The debate remains that, to avoid the vulnerabilities associated with cyber-attacks and cyber thefts, organizations must stick to a primary policy of “Little is Better”. That is, to hold as little sensitive personal data of their customers as possible, for the shortest time possible. Compliance with regulations and laws does not protect data, nor does it protect privacy.

In Africa, there is no unified GDPR for African nations. Most nations rely on old, antiquated laws for data protection and privacy. Now, each African nation is faced with its duty to enact data protection and privacy law(s). But for multi-national organizations in Africa, the battle over whether or not to transfer the personal data of their users across national boundaries is an issue of data sovereignty.

Nnubia Ogbuefi Tech Lawyer

Data sovereignty is the regulation of data, particularly in electronic form, in its country of residence. Thus, in each data protection law in Africa, there is a principle of data sovereignty, and it prevents the transfer of personal data from one country to another. The exception to this rule is compliance with the conditions stipulated in each individual law. These laws are premised on four crucial measures with which all FinTech companies are obligated to comply: Consent, Data breaches, Right to access, and Transparency.



QUICK Q&A WITH SIMBIAT OZIOMA

Up close and personal with Simbiat, on her life inside and outside cybersecurity

Your job? My job entails threat intelligence, malware analysis, vulnerability and risk assessment and cybersecurity awareness training to customers.

Feel good activities? Hmmmm!!! Talking to people. I love when I am able to talk to people. It eases stress for me. Basically, I feel good when I am able to express myself.

Your life mantra? There will be bad days. Make sure your bad days do not take over the better part of you. Never stop believing in your dreams!

Your inspiration? The urge to make a difference. I love to stand out and I want to be able to look back and tell myself “I am proud of you.”

Best part of your job? Interacting! I don’t have to sit all day on my screen talking to myself. I am able to interact with my colleagues and share ideas and thoughts.

If not in cybersecurity, where would you be? I honestly haven’t thought about where I would have been if not in cybersecurity but well, I’ll probably be in engineering (maybe) because I really can’t picture myself in a different field.

Biggest dream in life? My biggest dream is to impact lives. I want to be able to inspire a lot of women. I mean! There is nothing as refreshing as people looking up to you.

by SIMBIAT OZIOMA


THE MARA FRAMEWORK

An African Cybersecurity Innovation


MARA is a Mobile Application Reverse engineering and Analysis Framework. It is basically a tool that puts together commonly used mobile application reverse engineering and analysis tools, so as to assist in testing mobile applications against the OWASP mobile security threats. Its objective is to make the task easier and friendlier for mobile application developers and security professionals. MARA is developed and maintained by Christian and Chrispus. Mobile application reverse engineering can seem like quite a daunting task. This is mostly due to the fact that a number of tools are required to get the job done, where you convert a mobile application from one form to another. For example, disassembling an Android APK into a Java class file (JAR) or even to smali, which is more or less a human-readable version of assembly.

MARA was developed out of necessity. Chrispus and I were reverse engineering and analyzing tons of mobile applications, and the process was quite repetitive and soon became tiresome and boring, mostly because of running the same decompilation tools, with the same commands, over and over again across different apps.

That’s when we figured it was about time to sit down and automate the whole process. So we started writing a couple of bash scripts and, after a few months, we came up with the MARA framework. The tool worked quite well, and we decided to open source it to the cyber security community, so that other pentesters and researchers could have a much easier time reverse engineering and analyzing mobile applications. At the heart of MARA is simply a number of bash scripts that tie together really awesome, reliable and well-known mobile application reverse engineering tools, scanners and an excellent deobfuscator. This is so that they can all be used in a systematic way. The tools themselves can also be used independently, in the event a specific use for the tools is required and the capability is not included in the bash scripts.


Up until this date, MARA has gone through a few script updates, bug fixes and tool updates. In all honesty, MARA is still in its very early stages of development and there is a lot more to come, in line with our roadmap. The tool by far is neither the best in the market, nor contains the cleanest code. However, what we are happy about is that it works, and sometimes that’s just what someone needs to get the job done.

If you would like to try out MARA Framework, you can download it here and try it out for yourself. Any contributions and suggestions for the tool will be highly appreciated.

Written by: Christian Kisutsa Information Security Analyst


MARA Framework co-creators Christian Kisutsa Information Security Analyst

Chrispus Kamau Information Security Engineer



CYBER SECURITY in the evolving space of startups in Africa.

"A startup is a human institution designed to deliver a new product or service under conditions of extreme uncertainty" - June 21, 2019, Startup Lessons Learned, "What is a startup?" - Eric Ries.

Natalie Robehmed wrote an article on Forbes, "What Is A Startup?", in which she quotes Neil Blumenthal, cofounder and co-CEO of Warby Parker, who says that "A startup is a company working to solve a problem where the solution is not obvious and success is not guaranteed." I lean more towards the second definition, which aligns with what the IFC (International Finance Corporation) stated in "Creating Markets for Start-Ups in Africa", on the challenge for the "Next African Start-Ups", with an opening note that says "From Cairo to Cape Town, Africa is full of promising entrepreneurs who are building innovative companies and helping solve some of the continent’s most pressing development challenges." So startups are here to respond to those challenges. Bill Gates said in his speech at the African Union: "And it’s not just health. It’s also education and agriculture. It’s programs that let farmers sell their harvest to wider markets – and technologies that let people transact and store their money digitally. Anything that gives people a chance to pick themselves up. Economists call this 'human capital.'"

African countries are facing a lot of challenges, aggravated by a very fast-growing population. Gabriella Mulligan wrote an article on Disrupt Africa, "12 African startups to watch in 2019", and in this article we can see solutions for a variety of challenges that we face in Africa .... Startups tend to be the answer to all those, and all other unmentioned, challenges, designing solutions in fast ways that large enterprises may not. The majority of the listed startups are reached from a digital or mobile device. Those mobile devices are a common element between corporates and startups, making the threats to startups much the same as, or even worse than, those to large corporates, and this highlights the need for better cyber risk controls within startups.



The Ponemon Institute, in its 2017 report "2017 State of Cybersecurity in Small and Medium-Sized Businesses (SMB)", states that 61% of surveyed SMBs experienced a cyber attack and 54% experienced a data breach in which information about employees and customers was exposed, with an average of $1.02B in financial loss. The report continues by saying that half of critical data is accessible from a mobile device, which increases the attack surface. Another report, from SANS, "Cyber Defense Challenges from the Small and Medium-Sized Business Perspective", revealed that surveyed companies faced challenges around the finance available to pay for talent, regulation and compliance, as well as the availability of professional talent. Although all the documents referred to concern SMBs, their assumptions and results can be applied to startups.

The African Union (AU) convention of 27th June 2014 encourages all members to create local data privacy laws, and startups are not exempt from the existing or upcoming regulations. Despite the slow adoption or ratification of the convention among AU members, it's important to start incorporating cybersecurity principles into their DNA.

The numbers expressed above are a wake-up call for startups, because they deal with personal information in some situations and with financial information in others, making proper controls a must. The 2019 Cybersecurity Forecast in Issue #1 highlighted an important subject in the chapter "Data Protection Legislation Gaining Ground in Africa". With that chapter in mind, the Angolan Data Protection Act of 2011 (Law No 22/11, of 17 June 2011) states that personal data is "any information, regardless of its nature or the media on which it is stored, processed by automated or manual means relating to an identifiable natural person", so startups operating in Angola must comply with this Law when dealing with personal information. The other situation is that many of them store that information with well-known cloud providers, which also brings Law 22/11 into play: "... the Agency of Data Protection must be informed of international data transfer to countries that ensure a suitable level of data protection".

Because of the nature of startups, some of them don't have enough funds when starting, which makes some investments difficult, and most of the time cybersecurity is left behind in those situations. But doing so can jeopardize the business or bring some risks.

The Lean Startup lifecycle encompasses a process with three phases, also known as the feedback loop, on which most startups rely, and which suggests building "fast". The questions that come to mind are: how can secure development principles be inserted into this fast building process? How could well-known security standards (e.g. ISO 27000, NIST 800-53) fit into this process? And how can a company starting with 2 or 5 employees integrate those controls into the company's genesis?

A startup competition (Seedstars) in Angola listed 28 startups from 2016 to 2018, with offers ranging from transportation, food delivery and public internet access to health and so on. What all these startups have in common is that they deal with personal data and they are prone to the same risks (data theft, unavailability, ...). In the report "The 2017 State of SMB Cybersecurity" they list four measures to protect against cyber threats: Training, Password Management, Mobile Device Protection and Early Investment in Cybersecurity. While those measures can in some cases be challenging, what I recommend is the adoption of OWASP ASVS (Application Security Verification Standard), following "Case Study 2: As a secure SDLC" in the document "Application Security Verification Standard 3.0.1". The second recommendation is to introduce some principles of data classification, implementing some controls for data at rest as well as for data in motion, and to be in alignment with regulation, because startups may not have enough funds to pay for penalties.

In the case of Angola, the Agency of Data Protection hasn't been created yet, which hypothetically makes the storage of personal data outside the country a violation of the aforementioned Law.

Author Alcides Miguel Cybersecurity Analyst Onzo Cybersecurity


The Blacks in Cybersecurity, LLC Conference series known more commonly as “B.I.C.” has recently made its way into the Cybersecurity and Information Security conference scene in the Washington, D.C. Metro Area, U.S.A.

By addressing the lack of resources available to communities through regular events, providing insight via knowledge shares and online spaces for interaction, and using our platform to regularly cite African American Cybersecurity professionals from executive level through entry level, as well as hobbyists and interested individuals, B.I.C. seeks to address the issue of lack of proper inclusion in the Cybersecurity field.

In the United States, African Americans make up only approximately 12.3% of those working as Information Security Analysts in the field. In analyzing this statistic, it can be inferred that there is a dramatic lack of representation in this field compared to the general population of African Americans in the country. This lack represents not only the opportunities that are potentially missed by qualified members but also the neurodiversity that the African American community could offer and that is missing from the Cybersecurity community as a whole.

B.I.C. was founded early in the spring of 2018 and later officially organized in January of 2019. The official mission of Blacks In Cybersecurity, LLC is to encourage the participation of people of color in Cybersecurity. In taking on this powerful mission, B.I.C. strives to be a conference series and meetup group that helps highlight and elevate minorities in the Cybersecurity field. Since conception, this conference series has hosted several happy hours, networking events, scheduled meetups at common conferences, and its own unique brand of micro conferences called “Minicons”. For many in the Delaware-D.C.-Maryland-Virginia (D.M.V.) area, B.I.C. is not simply a series of events but a small reunion from which meaningful camaraderie is formed and familiar faces can be matched with their Twitter profiles and engaged in rigorous conversation.

This lack of representation from the African American community as well as the lack of access to adequate resources has caused much discussion in the African American community working in Cybersecurity and Technology related fields. This constant discussion in forums, panels, conferences and social media over the issue has always circled around to the same question, “How can we get more African Americans in Cyber?”.



The laid-back and friendly atmosphere of B.I.C. events has allowed for it to have its own personal brand of inclusivity. This unique aspect allows for all who come to attend their events to feel welcome to give their talks on industry subjects, experiment with new skills, ask questions and feel comfortable when trying to gauge what the experience of maneuvering their entry into this field as an underrepresented minority can be.

The B.I.C. committee currently consists of Alexandria Barnett, Finance and Marketing chairman, Joyous Huggins, Operations chairman, and Michaela Barnett, C.E.O.

Details about this organization can be found on both Instagram and Twitter.

The BIC Team.



Often Overlooked Soft Skills of Information Security

What soft skills are needed to work in the cybersecurity industry as a newcomer? One of the most important is analytical skills coupled with writing and presenting, as you will need to write a compromise report from an analysis of an incident, e.g. a ransomware attack. A very vital task is delivering analysis results to different levels of technical and management teams. A newbie needs to have strong analytical skills and communication acumen to make their case and encourage teams to apply their recommendations.

Another skill is adaptability; working in cybersecurity requires having a passion for learning. You will need to be a lifelong student. In addition, you should be comfortable working with people of diverse backgrounds and cultures. Everyday challenges will let you get better at diagnosing problems, and at modeling and analyzing data. This requires attention to detail with innovative approaches. You will think smartly, not hard, which means you will be a problem solver.

Last but not least, the team-playing skill may be challenging for newcomers. It is needed to work closely with colleagues throughout the organization in achieving set goals. From my perspective, it helps you to develop other skills, including adaptability, problem-solving and leadership. That’s why I title it “Pirate Queen Skill”. My question now: what soft skills do you have and how do you develop them?

It's been years since I decided to develop my skills manifesto, published on page 16 of the 1st issue of Cyberscape Africa Magazine. I use it to develop the skills of a successful security professional, with good soft skills as well as strong technical skills. The World Economic Forum Future of Jobs report indicates that by 2020, complex problem-solving, analytical thinking, initiative, leadership, and social influence would be among the most important “soft” skills required in the workplace. Soft skills are personality traits and behaviors in different situations. The security industry brings a new challenge on a daily basis, such as ransomware-encrypted patient data, and it needs you to handle the case in minimum time and save patients from any inconvenience. The real challenge is to use both sets of skills: technical and soft.

Amgad Magdy. Founder, BSides Cairo Twitter: @Bluzron
