Africa’s premier cyber security publication
Edition 2 - Mar/Apr 2013
SPECIAL TRAINING AND AWARENESS EDITION • SANS SA Information Security and Forensics Bootcamp • ITWeb Security Summit 2013 • CyberCon Africa 2013 Digital Threat Conference

HOW TO CONDUCT A SOCIAL ENGINEERING EXERCISE
PERSONAL INSIGHTS FROM THE RSA 2013 CONFERENCE
DEFINING A COMPETENT DIGITAL FORENSICS PRACTITIONER
MICROSOFT EARMARKS USD12BN FOR AFRICA
Inside this issue:

INTERNATIONAL NEWS
RSA CONFERENCE HIGHLIGHTS  4
NEW EU CYBERSECURITY PLAN  10
HACKERS HIT BIT9 NETWORKS  11
PUTIN ORDERS FSB TO CREATE CYBER DEFENSE SYSTEM  11

AFRICA NEWS
KENYA LAUNCHES NATIONAL ICT MASTER PLAN  12
ZIMBABWEAN BANK WEBSITES HACKED  12
UGANDA STEPS UP ICT SECURITY  13
MICROSOFT EARMARKS USD12BN FOR AFRICA  13
RED OCTOBER: THE ESPIONAGE PLATFORM EVEN SURFACES IN AFRICA  14

DIY GUIDES
HOW TO CONDUCT A SOCIAL ENGINEERING EXERCISE  15

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE
THE SECURITY OBLIGATED EXECUTIVE - THE 3 R’S  17
KEEPING YOU INFORMED - LEGISLATIVE CHANGES  19
POPI BILL TO PASS FINAL HURDLE SHORTLY  19
BYOD CHANGING THE WAY BUSINESS IS DONE IN AFRICA  20

AUDITS AND ASSESSMENTS
EXPOSING CHINA’S MOST ACTIVE CYBER ESPIONAGE UNITS  21

MANAGED SERVICES
A (GRAPHICAL) WORLD OF BOTNETS AND CYBER ATTACKS  23

CYBER CRIME AND CYBER WARFARE
PROTECTING AGAINST CYBER ATTACKS  25
WHY CYBERCRIME REMAINS BIG BUSINESS  26

CYBER FORENSICS AND INCIDENT MANAGEMENT
WHAT MAKES UP A COMPETENT DIGITAL FORENSICS PRACTITIONER?  28

AWARENESS
SOCIAL NETWORKING SAFELY  32
HOW TO MEASURE DEVELOPER SECURITY KNOWLEDGE  33

LOCAL TRAINING AND EVENTS
SANS SOUTH AFRICA  34
CYBERCON AFRICA 2013 DIGITAL THREATS CONFERENCE
ITWEB SECURITY SUMMIT 2013  35

OF INTEREST
PRIVACY PROTECTION GLASSES  35

Cybershield magazine is a bi-monthly publication owned by Wolfpack Information Risk (Pty) Ltd. No part of this magazine may be reproduced or transmitted in any form without prior permission from Wolfpack. The opinions expressed in Cybershield are not those of the publishers, who accept no liability of any nature arising out of or in connection with the contents of the magazine. While every effort is made in compiling Cybershield, the publishers cannot be held liable for loss, damage or inconvenience that may arise therefrom. All rights reserved. Wolfpack does not take any responsibility for any services rendered or products offered by any of the advertisers or contributors contained in the publication. Copyright 2013. E&OE on all advertisements, services and features in Cybershield magazine.
Editorial address: Building 1, Prism Office Park, Ruby Close, Fourways, Johannesburg, South Africa, 2055
Enquiries: Telephone - +27 11 367 0613
Advertising - sales@wolfpackrisk.com
Content - craig@wolfpackrisk.com
Design - design@wolfpackrisk.com
General queries - admin@wolfpackrisk.com
http://www.wolfpackrisk.com/magazine/
OF INTEREST
MECAM UNVEILED AT CES 2013
Unveiled earlier in the year at CES 2013, the MeCam consists of a miniature video recorder and chip mounted on a platform surrounded by four rotor blades that keep it in the air. The device does not require a remote control and instead relies on voice command technology. Users can tell it to move up or down, or select the ‘Follow Me’ function – which uses 14 sensors and 3 stabilisation algorithms to ensure the camera is always at close proximity. A sound filter strips any recordings of motor noise. Video can then be streamed through iOS and Android smartphones and uploaded onto social networks. The MeCam is still in development and Always Innovating – the team behind the concept – are currently looking for licensors. Once it hits the market the creators believe it will retail at around USD 49. One to get in on early?
[Website: www.alwaysinnovating.com]
Cybershield Magazine • March / April 2013 • Special Training and Awareness Edition • Page 3
INTERNATIONAL NEWS
HIGHLIGHTS FROM THE
2013 RSA CONFERENCE
We were excited when the local RSA Security office invited us to join a small team of clients and partners at the largest information security conference on the planet: the RSA Conference 2013 in San Francisco, USA. The stats speak for themselves: the 5-day event attracted approximately 25,000 infosec professionals from around the world, who were able to feast on hundreds of talks from leading experts in our field and visit the seemingly infinite rows of vendor exhibitors.
The expression “drinking from a firehose” often came to mind when trying to decide which talk to attend from an average of 20 tracks per session. All in all it was a very good conference with great topics, serious discussions and a perspective on what the information security industry is focusing on for 2013. I have summarised the key points from the conference and shared some of the gems I extracted from the talks I personally attended. Slip on your dancing shoes, grab your favourite reading gadget and join me on a virtual tour of the conference.
With lights flashing and bass thumping, the RSA Conference 2013 kicked off with The Queen Extravaganza tribute band rocking the audience to “We are the champions”, which Arthur Coviello (RSA Executive Chairman) used to highlight the progress we’ve made in the face of very significant threats.
The Queen Extravaganza rocking the audience to “We are the champions”
He encouraged the audience to gain the upper hand in the rapidly escalating cyber security struggle: “Don’t despair, this is no time for losers!” he said. He also warned that we must show integrity in our reporting of information security events, as irresponsible statements may generate short-term interest but do nothing for ongoing awareness efforts or the credibility of the industry as a whole. He touched on RSA’s anti-fragile model: an adaptive capacity to become stronger or smarter when attacked, similar to a sponge bouncing back when squashed.
“Don’t despair this is no time for losers!” Arthur Coviello
He said we need to do away with isolated static controls and instead migrate to a focus on big data controls, leveraging as many shared external intelligence sources as possible. We also need to strengthen our security teams’ data science skills as we increase our dependence on data analytics. His closing statement: “Caesar recognised the omens, he just didn’t think they applied to him! Big technology data is here, embrace it!”
Scott Charney from Microsoft focused on what he believed was a real accomplishment: scaling their Security Development Lifecycle (SDL) to over 30,000 developers internally. He commented at an international level on how countries were adopting strategies, policy and legislation to deal with the growing cyber security activity. He stressed, however, that a different focus was required to deal with each category of cyber threat: cybercrime, commercial or military espionage, and cyber warfare. “We recognise this is a shared problem which we need to work together to fix,” he stated. “This is a complex journey and although we will always face difficult security challenges, I remain optimistic because as a community we will always rise to meet them.”
Francis deSouza from Symantec spoke about how they identified Stuxnet 0.5, an earlier version of the officially reported Stuxnet, which was apparently released 5 years before. Another interesting point was that they simulated a critical infrastructure environment and brought in some hardware PLCs from the field. Some were hard-wired with the password 12345 - yikes! He also mentioned that most countries now have access to cyber weapons, and how smaller, more focused nations can often disrupt much larger or wealthier counterparts.
“First we had the Cold war… now we have the Code war”
Next up was a cryptographers’ panel with some well-known gurus in the field. Ari Juels from RSA moderated a panel including Ron Rivest, Whitfield Diffie, Adi Shamir and Dan Boneh. One of the topics discussed at length was security and cryptography education. Stanford offers its crypto class online as a massive open online course (MOOC); the last intake was over 150,000 students, with the largest registrations after the USA coming from China and India. The course can be found here: https://class.coursera.org/crypto-preview/class/index
According to these experts, cryptography as a discipline is under strain and, strangely, becoming less relevant today. This is because intelligence agencies are often able to bypass encryption altogether, and APTs buried within networks, sometimes for years, simply have to wait for a key to be used in the decryption stage and they are in.
The panel covered a few controversial topics, such as the dangers of online voting, mechanisms for making data exfiltration harder and cryptography in a post-quantum-computing world. The sheer amount of brainpower on the stage at one time during the panel is always inspiring to behold.
SECURITY HELPS KEEP DEMOCRACY ALIVE!
KEYNOTE SPEAKER: JIMMY WALES - FOUNDER OF WIKIPEDIA
Wikipedia fast facts:
• Established 12 years ago
• 285 languages
• 490 million unique visitors, with 71 million monthly visitors
• Of their knowledge contributors, 87% are male and on average 26 years old
• The Wikipedia Foundation has 100 employees and 100,000 volunteers
• Their driving vision: “Imagine a world in which every single person on the planet has free access to the sum of all human knowledge”
• They take a hard stance against censorship
• They follow a Non Point of View (NPV) and cannot take sides in a debate
Jimmy Wales - Founder of Wikipedia
IMPLEMENTING A NATIONAL AUTHENTICATION PROGRAMME IN INDIA
KEYNOTE SPEAKER: SRIKANTH NADHAMUNI
Srikanth Nadhamuni, advisor to the UID Authority of India, presented a fascinating case study on how they tackled extreme government authentication and payment system challenges under circumstances quite similar to those found in Africa. Consider India’s population of 1.2 billion:
• 70% live in villages and contribute only 30% of GDP
• 74% literacy rate
• 300 million are migrant workers
• Over 800 million mobile phones
They have to pay over $40 billion to the poor through various schemes, and each service requires validating both identification and address details. Their flagship project is called AADHAAR, and India has a vision to create a common national identity solution.
They have already rolled AADHAAR out to over 300 million citizens, with hundreds of thousands enrolling each week. The system relies on biometric identification (10 fingerprints / 2 irises / 1 face picture) to eliminate duplicates and fake IDs and to support online authentication options. Off the back of data privacy concerns and public debates, AADHAAR also provides a unique number to authenticate a person whilst protecting their personal information. One case study of how the technology can be used to reduce costs and improve the wellbeing of citizens is the national rural employment scheme, which guarantees 100 days of work per year to all working citizens.
An example was cited of a worker who, in order to collect his weekly wages of Rs792 (Rupees), had to walk 6km to the bus station, make a 14km bus trip and wait at least 2 hours at the bank, which closed at 2:30pm, resulting in some workers having to repeat the exercise the next day. It was not uncommon for workers to forfeit two thirds of their wages in cost and lost productivity.
Thanks to the new public-private partnership model, the worker now goes to a local AADHAAR-authorised enrolment station in his village, is authenticated via the mobile network and, for a small commission, receives his cash payment on the spot. There are currently around 40,000 enrolment stations operated by over 100,000 trained, self-employed operators. They are adding close to one million new registrations daily, the equivalent of a Finland each week. This is a prime example of a complex project implemented with the proper technical and information security controls in place, which now delivers a tremendous service to make the lives of the average impoverished Indian citizen a whole lot easier.
Srikanth Nadhamuni, advisor to the UID Authority [Image courtesy of http://forbesindia.com]
MAYANS, MAYHEM & MALWARE
WILL GRAGIDO - RSA FIRSTWATCH / CHRIS VALASEK - THREAT RESEARCH AT IOACTIVE / JOSH CORMAN - AKAMAI / GREG HOGLUND AND BRIAN HONAN
Everyone is focusing on preventing a breach, but the focus should rather be on detecting and responding to one, since it is close to impossible to stop a zero day. We need to defend aggressively through continuous monitoring. Hacktivism movements are sometimes used as scapegoats by state actors to hide their attacks; a good early indicator of a state attack is an intrusion for which no Pastebin entry claiming responsibility ever appears. With defenders increasing their capabilities, attackers now often know they are being tagged and need to adopt more advanced opsec measures themselves. On the point of fighting fire with fire, the “hackback” term is now often a topic of conversation. The law has unfortunately not caught up on this point, and there are still unanswered questions of legality, as it is hard to be certain that you are attacking the correct perpetrators. Furthermore, many companies are hardly able to defend effectively - how will they be able to attack an advanced foe, which requires even deeper security skills?
CYBER THREAT LANDSCAPE
NEW THEMES IN PREVENTION, DETECTION AND RESPONSE
KEYNOTE SPEAKER: KIMBERLY PERETTI - ALSTON & BIRD, LLP
With cyber breaches personal identifiable information (PII) is often compromised even though it may not have been the asset the intruders were after. As a result companies are still required to notify the relevant authorities and enact the procedures as laid out by applicable privacy notification laws.
ENTERPRISE IMPACT INVESTIGATIONS
Many companies do not conduct a thorough investigation following a breach; if systems are not reviewed in detail and the threats mitigated, the intruders will return!
Regulators have also changed their attitudes regarding investigations and insist that more detailed reviews take place. As part of an investigation, picture a criminal walking down a street full of shops. He stops along the way, turning doorknobs to try to get into certain shops. Some he enters and leaves; others he enters and actually steals goods. Cyber investigators need to document an intrusion in the same fashion: which systems were probed, which were entered and left, and from which data was actually taken.
Which functions should be part of a Crisis Management team?
• An experienced public relations firm
• Legal experts
• Board involvement, needed to support and respond
• Intelligence gathering analysts
• Incident response professionals
• Forensic investigators
• Malware analysts
• Network traffic monitoring staff
• Data analysis service
• Breach notification management and business support teams
These types of services are seldom offered by one company. Ensure you have the necessary partnerships in place before an incident happens.
BIG DATA ANALYTICS
DEFINITION
Big data analytics is the process of examining large amounts of data of a variety of types to uncover hidden patterns, unknown correlations and other useful information. Such information can provide competitive advantages over rival organisations. These other data sources may include web server logs and internet clickstream data, social media activity reports, mobile-phone call detail records and information captured by sensors. The primary goal of big data analytics is to help companies make better business decisions by enabling data scientists and other users to analyse huge volumes of transaction data as well as other data sources that may be left untapped by conventional business intelligence programs. [Source: http://searchbusinessanalytics.techtarget.com]
INTRIGUING INSIDER THREAT CASES
KEYNOTE SPEAKER: DAWN CAPPELLI
3 types of insider threats:
1. Insider IT sabotage: normally very disgruntled technical employees who end up on HR’s radar.
2. Insider theft of IP: often committed by insiders joining a competitor or starting their own business.
3. Insider fraud: most internal fraud is committed by tellers or financial employees who steal money once and then get stuck in the cycle.
Case studies
1. Trusted business partner: an employee of a company’s trusted partner stole information before accepting a job with a competitor.
2. Secure file sharing: three employees at a law firm installed Dropbox and resigned a few months later. They stole 78,000 client files, and because the share was configured to synchronise in both directions, the original records were updated as well, damaging the integrity of the database.
3. Virtual machines evade detection of data exfiltration: an employee had plans to start his own hedge fund and joined the company solely to steal their algorithms. He used virtual machines to bypass security controls and saved the files to an external hard drive.
4. Think twice before logging into a shared computer: malware installed by an insider emailed credentials to himself so he could spy on staff or steal information. One employee walked around a hospital spreading malware to the Mission Impossible soundtrack. A fellow hacker reported him after his actions jeopardised the safety of patients.
5. National security risk by insiders: the terror watch list was tampered with by an employee of a government agency, who added his wife’s name to it while she was on holiday in Pakistan. As a result she was unable to return to the USA for 3 years. His actions backfired on him when he later got a promotion and the background checks conducted by his new employer uncovered his wife’s terror watch listing.
6. Embedded malware: a contract programmer added a line of code that shut down his clients’ various systems. He got lots of business as a result, charging a premium fee to troubleshoot his clients’ systems.
7. CEO presents pornography to his board of directors: a fired IT manager compromised his CEO’s laptop to inject pornographic images into his presentation to the board.
Dawn Cappelli, CERT Insider Threat Centre, Carnegie Mellon University
ABOUT CERT:
• CERT was established in 1988 by the US Department of Defence
• Their Insider Threat Centre started in 2001 and works closely with the US Secret Service
• They have a database of over 800 insider threat cases covered since 2001
PANEL DISCUSSION ON THE CSIS 20 CRITICAL SECURITY CONTROLS
A new standard of due care for cybersecurity
Panel Chair - Tony Sager
Ed Skoudis (Counter Hack): We ran an exercise of analysing all the large-scale breach cases we have investigated. After mapping them to the 20 controls, we are confident that had the companies implemented the controls, these breaches would have been prevented.
Wolfgang Kandek (Qualys CTO): Commented that they have seen customers who use the 20 controls integrated with automated security solutions run far more successful security programmes.
Alan Paller (SANS Research Director): There are opportunities to develop your career across all industries, as the 20 controls have fundamentally changed the game. He suggested vendors adopt a more hands-on approach with their clients to assist them to integrate their solutions alongside the guidance from the 20 controls. Both consultants and end-user security staff have a limited window to use the controls to implement a robust cyber security programme and impress their management team.
The discussion also centred on how to implement the controls, and SANS mentioned that a new roadmap, to be published shortly, will give security teams guidance on where to start. Their guidance is to focus on the first 5 controls and optimise them - this will give you the most benefit in the short term. It was also mentioned that security teams should spend more time actually implementing security solutions instead of generating reams of frameworks and compliance files. Sager stressed the value of building trusted networks.
“Let my detection become your prevention!”
THE FIRST 48 HOURS OF INCIDENT RESPONSE
KEYNOTE SPEAKER: NICK SELBY - N4STRUCT
RULES OF A BREACH:
• DON’T panic
• Establish whether there has actually been an incident - determine the business impact to decide whether it is merely an event or an actual incident
• Once you are sure, DECLARE an incident (this should release the necessary resources and authority to empower you)
• Appoint an incident commander and treat the response as a series of discrete projects managed as a programme, with goals and start / end points. Ensure the commander is sufficiently senior and empowered so that people listen to them
• Contact resource lists (internal and external) need to be kept up to date, and the people on them must be reachable 24/7
• Assess internal capability and locate those people early. They understand what the current state is and will help spot anomalies if a breach is suspected
• Understand the risks of bringing in external resources - ensure they are trusted and reputable people
LESSONS LEARNT:
• Focus on the impact: how / why / when did it happen?
• A sound communication strategy is key!
• Conduct a brutally honest self-assessment - a post-breach inventory (what we lost) / internal capabilities and weaknesses / where to go to improve
• Capture evidence in detail and according to sound practice. Expect that it may take years to get your hard drives back, with a chance that they may be gone forever
• Don’t get hung up on attribution - are you going to take on Russia / China?
• It’s always good to get the police involved early - that way you can tell the media: “Sorry, we can’t comment - this is under police investigation!”
• Your adversary won’t send in the A-team if the cheaper D-team can do the job - if your security sucks they will take the easy route
FIRST STEPS:
1. Lawyer up: get legal involved ASAP. They will handle reporting requirements, plus they have significant authority. It is also good to have the Head of Audit on your side - they are going to have to help clean up the incident afterwards!
2. Manage up: management will want this to be over yesterday, but also need to understand that a thorough investigation and clean-up has to happen. Harness their energy, but don’t exploit their trust whilst they are vulnerable!
3. Look up: get visibility into the incident - the faster the better. You must have visibility into the traffic flow (ingress / egress points), logs and full packet capture.
Intelligence sharing is key to incident management today.
• You ARE going to get hit - waste less time trying to show management that the threat is real and more energy on building your incident response capability
• If you are breached, don’t make it worse by lying to your stakeholders, especially the media; if they find out they will be after you!
• If you have a breach, turn it into an opportunity! Get the “breach discount” from vendors (offer to tell the media that they helped, or let them use you as a case study, in exchange for a significant discount)
“Waste less time trying to show management that the threat is real and more energy on building your incident response capability.”
NEW EU CYBERSECURITY PLAN FORCES BUSINESSES TO ADMIT DATA BREACHES
Each country in the European Union will have to set up national authorities charged with defending against online attacks under a new EU cybersecurity strategy, which will also see major companies and utilities forced to report any security breaches.
Since the publication of the EU’s proposed cyber security strategy and supporting directive, much of the focus has been on how difficult it will be to implement and how effective it will be in improving data security. But what effect will it have on business?
The most obvious effect is that it will mean additional costs for all businesses covered by the proposed directive in terms of creating new processes and acquiring new technology to comply.
The directive means that, for the first time, companies will be under a legal obligation to ensure they have suitable IT security mechanisms in place, which is likely to boost IT spending across the EU. Conversely, it will mean additional income for the IT security industry as businesses are forced to find money to invest in whatever additional security technologies they need to become compliant. Among the measures the strategy recommends are that each European country set up a CERT authority and designate a “competent authority” to manage online security for EU organisations. Such national cybercrime units would share information with each other, with law enforcement agencies and with data protection authorities, and publicly publish early warnings of online threats. The strategy follows the launch of the European Cybercrime Centre in the Netherlands last month, which is intended to be Europe’s focal point for fighting online crime and sharing information on security threats.
[International News Sources: http://ec.europa.eu / http://www.zdnet.com / http://www.computerweekly.com]
HACKERS HIT BIT9 NETWORKS Another high profile security company has been breached. Attackers breached corporate systems at security services company Bit9 and accessed code-signing certificates that they used to make malware appear legitimate. Bit9, a provider of application whitelisting technology, admitted to being breached by a malicious external party who was able to illegally gain access to one of their digital code-signing certificates. Ironically, the breached Bit9 system appears not to have been protected by the company’s own software. This attack bears similarities to the 2011 attack on RSA, in which attackers stole information that was likely used to conduct attacks on other organisations. The attackers hastily used the compromised certificates to infiltrate the network of at least three customers. The theory is that the real target of the attack was not the company itself, but the protected network of its customers.
According to an editor from the SANS Institute, Bit9 received $34M in investment funding around 7 months ago, and it was highly likely that not enough went into protecting their own crown jewels. “They simply did not follow the best practices they recommend to their own customers by making certain their product was on all physical and virtual machines within their environment.” [Source: Sans.org / Hackmageddon.com]
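The Bit9 incident turns on a simple mechanism: a signature made with a stolen but still-trusted code-signing certificate verifies exactly like a legitimate one, so anyone consuming signed code must also check whether the signing certificate has been revoked. The Go program below is an added example written for this article and is not Bit9’s, RSA’s or any vendor’s code. It builds a constructed root CA and two code-signing certificates, signs a sample artifact with each, and shows that the “stolen” certificate’s signature is accepted until its serial number is placed on a revocation list, while a tampered artifact is rejected regardless. All names, serial numbers and the artifact bytes are constructed placeholders, and the in-memory revocation map stands in for a real CRL or OCSP lookup.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Signer bundles a certificate with its private key.
type Signer struct {
	Cert *x509.Certificate
	Key  *rsa.PrivateKey
}

// newCert generates a key pair and a certificate from tmpl. With parent == nil
// the certificate is self-signed; otherwise it is issued by parent.
func newCert(tmpl *x509.Certificate, parent *Signer) (*Signer, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, err
	}
	issuerCert, issuerKey := tmpl, key // self-signed by default
	if parent != nil {
		issuerCert, issuerKey = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuerCert, &key.PublicKey, issuerKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &Signer{Cert: cert, Key: key}, nil
}

// caTemplate describes a constructed root CA (placeholder name, short validity).
func caTemplate() *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Vendor Root CA (constructed)"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
}

// leafTemplate describes a code-signing certificate with the Code Signing EKU.
func leafTemplate(serial int64, name string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning},
	}
}

// signArtifact returns a PKCS#1 v1.5 RSA signature over SHA-256(artifact).
func signArtifact(s *Signer, artifact []byte) ([]byte, error) {
	digest := sha256.Sum256(artifact)
	return rsa.SignPKCS1v15(rand.Reader, s.Key, crypto.SHA256, digest[:])
}

// verifyArtifact is the consumer-side check: chain to the trusted root, the
// Code Signing EKU, a revocation lookup keyed by the signer's serial number
// (standing in for CRL/OCSP), and finally the signature over the bytes.
func verifyArtifact(root *x509.Certificate, revokedSerials map[string]bool, signer *x509.Certificate, artifact, sig []byte) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageCodeSigning}}
	if _, err := signer.Verify(opts); err != nil {
		return fmt.Errorf("chain: %w", err)
	}
	if revokedSerials[signer.SerialNumber.String()] {
		return fmt.Errorf("signing certificate serial %s is revoked", signer.SerialNumber)
	}
	if err := signer.CheckSignature(x509.SHA256WithRSA, artifact, sig); err != nil {
		return fmt.Errorf("signature: %w", err)
	}
	return nil
}

// Result records the four outcomes the demo illustrates.
type Result struct {
	LegitimateAccepted         bool // properly signed artifact passes
	StolenAcceptedBeforeRevoke bool // a stolen-but-unrevoked certificate also passes
	StolenRejectedAfterRevoke  bool // once its serial is revoked, the same artifact fails
	TamperedRejected           bool // modifying the artifact breaks the signature
}

// Demo builds the constructed PKI, signs a sample artifact and runs the checks.
func Demo() (Result, error) {
	var r Result
	ca, err := newCert(caTemplate(), nil)
	if err != nil {
		return r, err
	}
	good, err := newCert(leafTemplate(1001, "Example Vendor Build Signer (constructed)"), ca)
	if err != nil {
		return r, err
	}
	stolen, err := newCert(leafTemplate(1002, "Example Vendor Legacy Signer (constructed)"), ca)
	if err != nil {
		return r, err
	}
	artifact := []byte("constructed sample: bytes of an installer package")
	goodSig, err := signArtifact(good, artifact)
	if err != nil {
		return r, err
	}
	stolenSig, err := signArtifact(stolen, artifact) // an attacker holding the stolen key
	if err != nil {
		return r, err
	}
	revoked := map[string]bool{}
	r.LegitimateAccepted = verifyArtifact(ca.Cert, revoked, good.Cert, artifact, goodSig) == nil
	r.StolenAcceptedBeforeRevoke = verifyArtifact(ca.Cert, revoked, stolen.Cert, artifact, stolenSig) == nil
	revoked[stolen.Cert.SerialNumber.String()] = true // the vendor revokes the compromised certificate
	r.StolenRejectedAfterRevoke = verifyArtifact(ca.Cert, revoked, stolen.Cert, artifact, stolenSig) != nil
	tampered := append([]byte{}, artifact...)
	tampered[0] ^= 0xff
	r.TamperedRejected = verifyArtifact(ca.Cert, revoked, good.Cert, tampered, goodSig) != nil
	return r, nil
}

func main() {
	r, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("%+v\n", r)
}
```

The point to take from the run is the second flag: until the vendor publishes a revocation, the verifier has no cryptographic way to tell the stolen certificate’s signature from a genuine build, which is why revocation checking (and, as the article notes, protecting the signing infrastructure itself) matters more than signature verification alone.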
PUTIN ORDERS FSB TO CREATE CYBER DEFENSE SYSTEM
President Vladimir Putin tasked the Federal Security Service with creating a unified system for the “detection, prevention and liquidation” of cyberattacks on government websites in an official decree published Monday. The main tasks include development of methods for predicting threats, institution of monitoring to determine the levels of protection of critical information systems, and a rendering of accounts for certain computer incidents, Itar-Tass reported Monday. The resources included in the decree are information systems and data networks in Russia itself or in Russian embassies and diplomatic institutions abroad. The decree came into effect Tuesday, the day it was signed. It follows on the heels of charges brought in early January against a Krasnoyarsk resident who launched a recent cyberattack on the president’s website. He faces up to four years in prison. Last week, an Internet security firm said a spy network had infiltrated government and embassy computers across the former Soviet bloc. Dubbed Red October, the network used phishing attacks, or unsolicited emails to intended targets, to infect the computers of embassies and other state institutions with a program designed to harvest intelligence and send it back to a server.
AFRICA NEWS
KENYA LAUNCHES NATIONAL ICT MASTER PLAN
THE KENYAN GOVERNMENT HAS UNVEILED A MASTER PLAN AIMED AT HELPING THE ICT SECTOR GROW TO A USD2 BILLION INDUSTRY BY 2017
The government’s efforts to transform the country into a knowledge-based economy through digital empowerment have today culminated in the launch of the first National ICT Master Plan. A five-year plan that seeks to drive citizen adoption of the Vision 2030 priorities through ICT policies and initiatives, the Master Plan projects that by 2017 Kenya’s ICT industry will be contributing an estimated USD2 billion (some 25% of Kenya’s GDP) and will have created around 500 new tier 1 ICT companies and over 50,000 jobs.
“As a step towards its realisation, the ministry is working on standardising business processes and developing sub-plans that will allow the delivery of innovative public services within government,” said Information and Communication PS Dr. Bitange Ndemo. “Strong governance and increasing engagement between the government and private sector will help to remove barriers that would impede execution in order to deliver a society based on knowledge,” added Ndemo.
Guided by the ministry’s policy objectives and to achieve the intended full benefits of ICT, the Master Plan plugs into Vision 2030’s social and economic pillars in seven key intervention areas. Under the social pillars are education and training, health, water and sanitation, environment, housing and urbanisation, gender, youth and vulnerable groups, social equity and poverty reduction. The economic pillar shall deliver on tourism, agriculture, wholesale and retail trade, manufacturing, business process outsourcing and financial services, and the creative industry. What began as a stakeholder engagement on the hypothesis of what had been adopted in countries like Singapore has taken two years, culminating in the birth of the ICT Master Plan.
“Indeed, the plan is ambitious and it is an attempt to infuse ICT and knowledge into Vision 2030 by enhancing citizen value. This will be achieved by availing channels that will stimulate the set-up of ICT related businesses and therefore employment creation,” said Paul Kukubo, ICT Board CEO.
At the core of this Master Plan are three strategic pillars that will be used as a measure of success: enhancing public value through service delivery and access to public services; strengthening ICT as a driver of industry by establishing an ecosystem for ICT adoption; and the development of ICT businesses that lead an understanding of the emerging market needs. “The plan is really just a guideline and offering it to the public means that we are open for further deliberation and feedback. We intend to review the document annually to review progress and realign to the country’s priorities,” added Kukubo.
The launch of the National ICT Master Plan comes just two days after a draft National Cyber Security Master Plan round table, a final review session for the country’s first document that seeks to establish a regulatory and policy framework in information security. The Strategy and Plan play a fundamental role in managing risks to government processes through the securing of information assets.
Dr. Bitange Ndemo
[Source: Biztechafrica.com]
ZIMBABWEAN BANK WEBSITES HACKED
The website of Zimbabwean bank Metropolitan Bank (www.metbank.co.zw) was defaced and subsequently taken down ‘for maintenance’. According to site defacement archive zone-h.org, the Metropolitan Bank website was defaced on 19 January 2013 by hackers calling themselves “Qifwhysoserious”.
Cybershield Magazine • March / April 2013 • Special Training and Awareness Edition • Page 12
The website was developed by a local company called Hello World, and a source at the company mentioned it was based on the Joomla content management system. It was later confirmed that Tetrad Holdings and MBCA Bank also had their websites defaced. [Source: www.techzim.co.zw]
AFRICA NEWS
UGANDA STEPS UP ICT SECURITY
The National Information Technology Authority – Uganda (NITA-U)’s Director for Information Security, Peter Kahiigi, has outlined Ugandan Government plans to step up national information security. Kahiigi said that the Government of Uganda, through NITA-U, in addition to setting up an Information Security Directorate has put a National Information Security Strategy in place. It has also established UG-CERT in cooperation with UCC and ITU; the role of the UG-CERT is to ensure the protection of the nation’s Critical Information Infrastructures, assist in drafting the overall plan on the country’s approach to cyber security related issues, and thus can serve as a focal point for further building and implementing the National Culture of Cyber security.
THE GOVERNMENT OF UGANDA OUTLINED THE FOLLOWING KEY PLANS
1. Implementation of an information security strategy
2. Implementation of public key infrastructure (PKI)
3. Develop a national IS policy
4. Set up roles and responsibilities
5. Development of an IS framework.
[Source: Biztechafrica.com]
MICROSOFT EARMARKS USD12BN FOR AFRICA
Microsoft Corporation this week unveiled a package of USD12 billion which it said will be spent in Africa over the next three years to empower the youth on the continent. Emmanuel Onyeje, country manager, Microsoft Anglophone West Africa, who disclosed this in Lagos, said pursuant to this goal, the firm has launched their Microsoft 4Afrika Initiative, through which it will actively engage in Africa’s economic development to improve its global competitiveness.
Onyeje said the firm’s efforts will focus on accelerating adoption of smart devices, empowering small and medium businesses, and up-leveling skills development to ignite African innovation for the continent and for the world. By 2016, Microsoft aims to help place tens of millions of smart devices in the hands of African youths, bring one million African Small Medium Enterprises (SMEs) online, up-skill 100,000 members of Africa’s existing workforce, and help an additional 100,000 recent graduates develop skills for employment, 75% of whom Microsoft will help place in jobs.
Onyeje said: “Microsoft wants to invest in that promise which recognises Africa’s promise. We want to empower African youths, entrepreneurs, developers and business and civic leaders to turn great ideas into reality that can help community, their country, the continent and beyond”
“The initiative is built on the dual beliefs that technology can accelerate growth for Africa, and Africa can also accelerate technology for the world.” He said that Microsoft was motivated to embark on the projects as part of its contributions to Africa’s transformation initiatives. [Source: Biztechafrica.com]
RED OCTOBER THE ESPIONAGE PLATFORM EVEN SURFACES IN AFRICA
In January 2013 the IT security world was abuzz with a report published by Kaspersky Labs on an espionage platform they dubbed ‘Red October’. The name of the platform paid homage to the novel by Tom Clancy which told the story of a rogue Soviet submarine captain and his planned defection to the United States during the Cold War. However, this ‘Red October’ is far more sophisticated and deploys stealth more effectively than the Soviet submarine described in Clancy’s novel.
‘Red October’ is first and foremost not a virus but instead a malware delivery and data collection platform. It is described by Kaspersky Labs as one of the most advanced espionage platforms uncovered. ‘Red October’ operated a number of computers and domain names that acted as proxies to hide the core purpose and functionality of the network platform. Using this layered ‘Command and Control’ structure, attackers had more than 1,000 ‘plug and play’ modules at their disposal which they utilised to customise their attacks on targeted victims.
It is believed that ‘Red October’ has been active since 2007 and has remained undetected for such a long period of time as a result of its tailored execution of exploit code. Code that is received from the ‘Red October’ servers executes in memory only and is then immediately discarded, leaving no trace or service to detect. Traditional anti-virus software would therefore not be able to identify this malicious code, as it is resident in memory for only a short period of time and is not written to local storage media. Targeted victims are infected by a ‘spear-phishing’ attack which utilises a known exploit in Microsoft Office products. Once infected, the victims are then further compromised by one of the many modules the attackers have at their disposal.
Chris Lazari, Director: Infrastructure Services, Airborne Consulting
These attack modules have been categorised into ten sub-categories:
1. Recon – Scanning the infected machine for useful information as well as system specific information which could be used for further exploitation.
2. Password – Passwords stored on the local drive are stolen as well as cryptographically hashed account credentials.
3. Email – Email data is searched and scanned.
4. USB Drives – USB Drives are scanned and data copied and FTP’d to attack servers.
5. Keyboard – Keyboard Loggers are installed which capture keystrokes allowing attackers to record username / password combinations.
6. Persistence – Some modules exist which provide ‘persistence’ so that attackers can revisit the compromised device at a later date should they lose connection to the victim.
7. Spreading – Modules exist which scan network attached devices for vulnerabilities allowing the infection to spread from one connected device to another.
8. Mobile – ‘Red October’ has the ability to scan mobile devices that have been docked to the infected device for sensitive information.
9. Exfiltration – This code has the ability to copy and transfer data on local drives to FTP servers in the ‘Red October’ network.
10. USB Infection – Investigations show that these modules create logs and files which match those in use by current USB malware.
It appears that the ‘Red October’ operators focussed their activities on governments, embassies and scientific organisations around the world, with victims primarily located in the former Soviet Bloc countries in Eastern Europe. The origin of the operators has been subject to much speculation amongst researchers. There has been conjecture that this may have been a state-sponsored infiltration, but this can neither be proved nor disproved. What is known is that the exploits used are Chinese in origin and have been published on the Internet for some time. The attackers modified these exploits with a telling first line in the executable they created. This first line of code changed the ‘codepage’ of an infected system to 1251, which is required to address files and directories that contain Cyrillic characters. This leads one to believe that the authors are Russian or at the very least Russian speaking.
Due to the nature of the stealth capability adopted by ‘Red October’, analysing it could not be done using the traditional means at the disposal of anti-virus companies. Kaspersky Labs conducted its research into ‘Red October’ by setting up fake victim ‘honeypots’ at locations around the globe, which then allowed them to monitor and collect hundreds of the attack modules and exploit tools used. This analysis was underway in October 2012, hence the name ‘Red October’ being given to this malware espionage platform. Since the discovery and publication of the ‘Red October’ report by Kaspersky Labs, the ‘Red October’ network has been shut down by its operators.
What makes this specific case of malware espionage interesting to an African publication is the fact that foreign embassies in African countries were directly attacked by the ‘Red October’ operators. In an infographic provided by Kaspersky Labs, embassies in Algeria, Botswana, Congo, Kenya, Mauritania, Morocco, Mozambique, South Africa, Tanzania and Uganda were all targeted. Based on the infection vectors identified in ‘Red October’, one must take a prudent view and assume that, as a result of these base infections, the platform may have extended its tentacles into other organisations in the identified countries.
The lesson one takes from this latest discovery is that the prevalence of sophisticated malware on networks must be assumed, and organisations and individuals must act accordingly. A reactive strategy is no longer sufficient to protect secure networks and data. This case has proven that 5 years’ worth of data may have been siphoned off your network without your knowledge while your anti-malware solution would have reported everything in order.
Security professionals must assume at any time that their networks and data may have been compromised and provide solutions to mitigate this advanced persistent threat.
DIY GUIDES
HOW TO CONDUCT A SOCIAL ENGINEERING EXERCISE
Social engineering attacks are one of the top hacking techniques used against companies today. Why spend days, weeks or even months trying to penetrate layers of network security when you can just trick a user into running a file that allows you full access to their machine and bypasses anti-virus, firewalls and many intrusion prevention systems? This is most commonly used in phishing attacks today: craft an e-mail, or create a fake website, that tricks users into running a malicious file that creates a backdoor into their system. But as a security expert, how could you test this against your network? Would such an attack work, and how could you defend against it?
Sample Of Social Engineering Attack Vectors
1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) SMS Spoofing Attack Vector
8) Wireless Access Point Attack Vector
9) QRCode Generator Attack Vector
10) Third Party Modules
The Social Engineer Toolkit (SET) incorporates many useful social-engineering attacks all in one interface. The main purpose of SET is to automate and improve on many of the social-engineering attacks out there. It can automatically generate exploit-hiding web pages or email messages, and can use Metasploit payloads to, for example, connect back with a shell once the page is opened. SET was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around social engineering. SET has been presented at large-scale conferences including Blackhat, Defcon and ShmooCon. With over two million downloads, SET is the standard for social-engineering penetration tests and is supported heavily within the security community. TrustedSec believes that social engineering is one of the hardest attacks to protect against and now one of the most prevalent.
Cybershield Magazine • March / April 2013 • Special Training and Awareness Edition • Page 15
SET is included in the latest version of the most popular Linux distribution focused on security, BackTrack. It’s easiest to run SET from BackTrack. Boot to it via USB or optical media, or run it as a virtual machine. Navigate to Applications | BackTrack | Exploitation Tools | Social Engineering Tools | Social Engineering Toolkit | set and you’re off to the races.
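The article asks how you could defend against the e-mail lures such an exercise sends. The following is an added example (not from the article, TrustedSec or SET) of the kind of check a mail gateway or a post-exercise review can run: it flags a display name claiming a domain the sender address does not use, a Reply-To pointing elsewhere, executable attachments, and link text naming one domain while the href points at another. All domains, addresses and both sample messages are constructed for the example, and `phishing_indicators` is a hypothetical helper name.

```python
"""Added example, not from the article or the SET project: a defender-side
check for the e-mail tricks a phishing exercise relies on. Every address,
domain and message below is constructed for the example."""
import re
from email import message_from_string
from email.utils import parseaddr
from html.parser import HTMLParser
from urllib.parse import urlparse

# Attachment types behind the "just run this file" lure the article describes.
EXEC_EXTS = (".exe", ".scr", ".jar", ".vbs", ".js", ".bat", ".hta")
DOMAIN_IN_TEXT = re.compile(r"[a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,}")

# Constructed sample: display name and link text borrow the target's domain,
# while the real sender address and link target point somewhere else.
SAMPLE_PHISH = """From: "IT Helpdesk (example-corp.com)" <alerts@mail-updates-example.net>
To: user@example-corp.com
Reply-To: helpdesk@mail-updates-example.net
Subject: Urgent: password expiry
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<p>Your password expires today. Reset it at
<a href="http://login.mail-updates-example.net/reset">https://portal.example-corp.com</a></p>
"""

# Constructed sample: an ordinary internal notice that should produce no findings.
SAMPLE_LEGIT = """From: "Payroll" <payroll@example-corp.com>
To: user@example-corp.com
Subject: Payslip available
Content-Type: text/html; charset="utf-8"

<p>Your payslip is at <a href="https://portal.example-corp.com/payslips">portal.example-corp.com</a></p>
"""


class _LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""

    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable(host_or_url):
    """Crude registrable domain: the last two labels of a host, or of a URL's host."""
    host = urlparse(host_or_url).hostname if "://" in host_or_url else host_or_url
    return ".".join(host.lower().split(".")[-2:]) if host else ""


def mentioned_domain(text):
    """First domain-looking token in free text, or '' if there is none."""
    m = DOMAIN_IN_TEXT.search(text.lower())
    return m.group(0) if m else ""


def phishing_indicators(raw_message):
    """Return a list of human-readable indicators found in one RFC 822 message."""
    msg = message_from_string(raw_message)
    findings = []
    display, addr = parseaddr(msg.get("From", ""))
    sender_dom = registrable(addr.rpartition("@")[2])
    # 1. The display name claims a domain that the real sender address does not use.
    claimed = mentioned_domain(display)
    if claimed and registrable(claimed) != sender_dom:
        findings.append(f"display name claims {claimed} but sender domain is {sender_dom}")
    # 2. Replies are routed to a different domain than the one that sent the mail.
    _, reply = parseaddr(msg.get("Reply-To", ""))
    reply_dom = registrable(reply.rpartition("@")[2]) if reply else ""
    if reply_dom and reply_dom != sender_dom:
        findings.append(f"reply-to domain {reply_dom} differs from sender domain {sender_dom}")
    for part in msg.walk():
        name = part.get_filename() or ""
        # 3. Executable attachment: the "run this file" lure.
        if name.lower().endswith(EXEC_EXTS):
            findings.append(f"executable attachment {name}")
        if part.get_content_type() == "text/html":
            parser = _LinkParser()
            parser.feed(part.get_payload(decode=True).decode("utf-8", "replace"))
            for href, text in parser.links:
                # 4. Visible link text names one domain while the href goes to another.
                shown, target = mentioned_domain(text), registrable(href)
                if shown and target and registrable(shown) != target:
                    findings.append(f"link text shows {shown} but href goes to {target}")
    return findings


if __name__ == "__main__":
    for label, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(label, phishing_indicators(sample) or ["no indicators"])
```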
DEFINITION
Social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures. A social engineer runs what used to be called a “con game.” For example, a person using social engineering to break into a computer network might try to gain the confidence of an authorized user and get them to reveal information that compromises the network’s security. Social engineers often rely on the natural helpfulness of people as well as on their weaknesses. They might, for example, call the authorized employee with some kind of urgent problem that requires immediate network access. Appeal to vanity, appeal to authority, appeal to greed, and old-fashioned eavesdropping are other typical social engineering techniques.
QUICK INSTALLATION NOTES
To download SET and watch sample videos visit: https://www.trustedsec.com/downloads/social-engineer-toolkit/
[Africa News Sources: https://www.trustedsec.com / http://holisticinfosec.blogspot.com / http://www.infosecisland.com]
THE SECURITY OBLIGATED EXECUTIVE - THE 3 R’S: RICHES, RUINS AND REGULATIONS
Whether they realise it or not, C-suite executives now have ownership over keeping their organisations secure. According to Gartner predictions, by 2015 as much as 25 percent of all organisations will add a new “C” to the C-suite: Chief Digital Officers. Living in the digital age, the CEOs, CFOs, CTOs, COOs and soon-to-come CDOs of the world are now responsible for all material threats to their companies, and that includes information security. Given the fast pace at which the cyber threat landscape is changing, on any given day a company can suffer a cyber-attack, whether malware, ransomware or crimeware, that can cripple an organisation with potentially irreversible ramifications. While the C-suite is ultimately responsible for their organisations, many are untrained on what it means to be a security-obligated executive. These executives should know how to identify threats and what warning signs to monitor to circumvent cyber-attacks before they happen.
PREPARE A STRATEGIC PLAN Identify what the most important security improvements are, with an explicit understanding of the company’s assets that need to be protected. By creating an alignment between specific business risks and security controls, teams will be able to fit the building blocks together to create a strategic plan of action.
GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE
As the security gatekeepers of their organisations, which are constantly evolving and becoming more digital, C-Level executives need to remember that they are responsible for all material threats to their enterprises and networks, including information security. Ticking the boxes in order to be compliant is no longer enough. Moreover efficient and clear communication is paramount to increase the security posture. Historically the C-suite and the security teams haven’t spoken much at all, or security teams haven’t spoken to execs in a simple enough language to be understood.
BELOW ARE KEY POINTS THE C-SUITE SHOULD USE TO PREPARE FOR THE BATTLE AGAINST CYBER-ATTACKS:
PAY ATTENTION TO THE TYPES OF SECURITY THREATS THAT EXIST
The types of cyber-warfare and attacks are both increasing and diversifying. With Bring your Own Device (BYOD) heavily on the rise, devices such as smart phones and wireless tablets accessing cloud-based applications provide even more opportunities for attackers.
DON’T ISOLATE “BUSINESS” FROM IT AND SECURITY OPERATIONS
Encourage the security team to have a strong understanding of the business. It is too often the case that security teams work in isolation. Security teams should know what business leaders value in order to properly match the levels of protection with the risk.
PERFORM THREAT ANALYSES AND PLAN ACCORDINGLY The security team should be able to identify risk and threats, while the security-obligated executive should be aware of what those vulnerabilities are and how to mitigate them.
There are major disconnects we often see when auditing the security of an organisation. A typical security team will assess the ability to defend against generic threats or attacks and will develop a plan to fill in those holes. More often than not, the resulting roll-out plan is missing a key ingredient: an explicit understanding of the company’s assets that need to be protected. To guarantee that the security strategy is aligned with the business objectives, we created an exercise to uncover business risks in a non-technical way so that the business risk and security plan dovetail together seamlessly. What we call the 3 R’s: Riches, Ruins and Regulations, helps executives and security professionals speak in a common language. The exercise is designed to uncover critical and valuable assets that are core to the line of business. Oftentimes it is only the line-of-business employees that are aware of the presence and relevance of these assets, and they are outside the purview of the security team. Because of this disconnect, the security controls deployed on these systems are often inappropriate in relation to the risk those assets pose to the organisation.
HOW IT WORKS IS SIMPLE. THE FIRST STEP IS TO IDENTIFY THE 3R’S AND THEN BASED ON THE RESULTS THE SECURITY TEAM UTILISES THE ANALYSES TO KEEP THE COMPANY SECURE:
RICHES
• What assets can be targeted that would be valuable to a thief?
• What are the ways assets can be stolen?
• Who would be most likely to steal this asset?
• How would a thief go about stealing this asset?
RUINS
• What could you target specifically to ruin our reputation?
• What direct costs or liabilities would our company incur if the asset is stolen?
• What indirect costs, such as harm to reputation, would our company incur if the asset is stolen?
REGULATIONS
• What compliance rules does our company abide by?
• Who is responsible for compliance?
• Who audits our company’s compliance with these different regulations?
• Do we have any contracts with penalties for non-compliance?
The primary purpose of the exercise is to uncover assets of significant value if stolen, potential attacks that might cause great damage, and finally the costs associated with failure to meet regulatory requirements. Identifying the 3 R’s will help the security-obligated executives have a clear vision of security as it relates to their company, which is the first step against cyber-threats and attacks.
This article is based on the content of the book “The Security Battleground” by Michael Fey, Brian Kenyon, Kevin Reardon, Bradon Rogers, and Charles Ross.
This article was provided by Craig Hockley, Regional Director, South Africa and Sub Saharan Africa, McAfee.
KEEPING YOU INFORMED
LEGISLATIVE CHANGES
Financial Services Laws General Amendment Bill
What’s changed in the law?
1. Defines “financial sector legislation” and “non-financial sector legislation”
2. Financial institutions no longer bound by non-financial legislation
3. Excludes the financial sector from the application of the Consumer Protection Act
4. Enhanced power of the Regulator to oversee risk
What does it mean for you?
1. Compliance systems need to be adjusted for applicable legislation
2. Redundant legislation should be identified to improve efficiencies and the impact of new legislation should be determined
3. Preparation for Regulator audits or reviews
Companies Act 2008
What’s changed in the law?
1. Articles and Memoranda of Association (“M&AOA”) are to be aligned by 30 April 2013
2. From 1 May 2013, any unaligned provisions in each of the M&AOA and shareholders’ agreements will be overridden by the Companies Act
What does it mean for you?
1. Consolidation of the content governing an organisation is necessary
2. Filing of new MOI by 30 April 2013
3. Definition, training and awareness around “prescribed officers” is required
Common Market for Eastern and Southern Africa (“COMESA”) Competition Commission regulations
What’s changed in the law?
1. COMESA comprises 19 countries: Burundi, Comoros, the Democratic Republic of Congo, Djibouti, Egypt, Eritrea, Ethiopia, Kenya, Libya, Madagascar, Malawi, Mauritius, Rwanda, Seychelles, Sudan, Swaziland, Uganda, Zambia and Zimbabwe
2. In order to ensure fair competition and transparency among economic operators in the region, COMESA has adopted a regional competition policy called the COMESA Competition Regulations
What does it mean for you?
1. Research the merger filing fees and other applicable rules when considering transactions in COMESA member states
2. Align existing organisation competition law policies with COMESA requirements
3. Training of impacted staff
Electronic Communications and Transactions Act (“ECTA”) Amendment Bill
What’s changed in the law?
1. Concept of prescribed offices introduced
2. The Bill redefines electronic transactions, electronic signatures and unsolicited commercial communications
3. Alignment to other information protection and customer protection laws
4. Penalties increased from R1 million and 12 months’ imprisonment to R10 million and 10 years’ imprisonment respectively
What does it mean for you?
1. Revision and amendment of organisation’s Information, Communication and Technology Policies
2. Implications for the change to an “opt in” model in respect of marketing communications to be determined
3. Conduct an ECTA gap analysis to determine compliance
PROTECTION OF PERSONAL INFORMATION BILL TO PASS FINAL HURDLE SHORTLY A Parliamentary update has confirmed that the Protection of Personal Information Bill (“PPI”) will be in front of the security committee of the National Council of Provinces and possibly be finalised in the next few weeks.
Once PPI becomes an Act of Parliament, private and public entities will have 1 year to comply with the requirements therein. For those that have not yet begun their compliance journey, immediate mobilisation should be a priority since compliance will require significant changes to an organisation’s processing and operational landscape.
Candice Holland, Deloitte Legal Associate Director
BRING YOUR OWN DEVICE (BYOD)
CHANGING THE WAY BUSINESS IS DONE IN AFRICA
The consumerisation of IT is moving at a faster pace and has triggered a monumental shift in mobility and the way organisations and their employees run their day to day business. As with any other continent, Africa is no exception. African businesses embracing BYOD may generate greater business benefits such as:
• Improved employee productivity, faster customer response times and improved operational efficiencies
• Increasing competitive advantage
• Enabling Anywhere and Anytime mobility
• Addressing widespread remote access issues
• Staff retention, especially the Gen-Y’s
• Reducing cost of video and data comms through unified comms solutions
On a daily basis end users continue the push to allow their own devices on the enterprise networks, whilst at the same time business data needs to be analysed on the go and decisions made instantly, creating a new revolution to let employees use their own devices to access the organisation’s network and information. An Informa Telecoms Media report reveals that there will be up to 265 million data subscribers in Africa by 2015, up from about 12 million today, and according to Microsoft South Africa Executive Fred Baumhardt, mobile devices such as smart phones are entering the African market four times faster than PCs or laptops. The BYOD phenomenon is already having a significant impact on enterprises worldwide. How will African businesses and individuals adapt to the changing trends?
Despite the rapid growth and realisable benefits of embracing BYOD, it is important that African organisations also consider adopting suitable governance, risk management and compliance controls capable of supporting the broad array of mobile devices. As with any emerging technology, security is at the core of BYOD. As users shift to mobile and cloud platforms, so will attackers. It should come as no surprise that mobile platforms and cloud services will be likely targets for attacks and breaches in 2013 and beyond. "Cyber criminals are increasingly targeting employees as access portals to a company's infrastructure, intensifying the need for controls and layered defences that can identify and mitigate attacks," said Jacques Erasmus, chief information security officer at Webroot. “As the popularity of employee-owned devices in the workplace continues to grow, this defence needs to be supplemented with a coherent but simple BYOD management strategy, underpinned by three elements: device control policies, device-level security and mobile workforce security training." From an African perspective, there is a need for a cultural shift which will be driven by organisations implementing robust BYOD and Security Awareness training programmes to educate users from senior management down to the most junior employee.
Cybershield Magazine • March / April 2013 • Special Training and Awareness Edition • Page 20
The following components should also be taken into consideration as part of the core components of each BYOD program:
• BYOD Governance, Policy & Risk Management Framework
• Funding & Support Model
• Identity Management / Authentication / Encryption
• Device Policy Compliance and Enforcement
• Usage and Cost Plans: Maintenance Liability
• Device Diversity and Degree of Freedom: Bring your own Anything or Company provided devices
• Provisioning, On-Boarding and Exiting Plan
• Configuration Management & Enterprise App Store
• Data Loss Prevention
• Converged Security and Policy Monitoring (Logging & Monitoring)
• BYOD Incident Management & Forensics Plan
• Threat & Vulnerability Management
• Awareness Training: BYOD involves significant culture & organisational change
FINAL THOUGHTS: BYOD and Big Data are the new gamechangers offering every organisation in Africa or across the globe serious tangible business benefits. The time is ripe for African organisations to securely join the revolution that will forever change how business is done on the continent.
Francis Kaitano Security Manager at CEN NZ
AUDITS AND ASSESSMENTS
MANDIANT ASSESSMENT CLAIMS TO EXPOSE ONE OF CHINA’S MOST ACTIVE CYBER ESPIONAGE UNITS
In a fascinating, unprecedented, and statistics-packed report, security firm Mandiant made direct allegations and exposed a multi-year, massive cyber espionage campaign that they say with confidence is the work of a unit of China’s People’s Liberation Army (PLA).
Mandiant has named the attack group “APT1”, which is likely a government-sponsored group that is one of the most persistent of China’s cyber threat actors, and considered to be one of the most prolific in terms of the quantity of information it has stolen. To further its claims that there are actual individuals behind the keyboard, Mandiant also revealed three “personas” that they say are associated with APT1 attacks. According to Mandiant’s investigations, APT1 has taken hundreds of terabytes of data from at least 141 organisations across many industries going as far back as early 2006, but this represents just a small fraction of the overall cyber espionage that APT1 has conducted. It was the massive scale and impact of APT1’s operations that compelled Mandiant to write and publicly release the report.
Historically, Mandiant has said there was no way to determine the extent of China’s involvement in many attacks, but the firm now says it has enough evidence to confidently say that “the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them.” While many firms steer away from publicly calling out China as a culprit in cyber attacks, Mandiant is taking a stance and boldly pointing fingers at China, and bringing many statistics and research to back its case. “It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively.”
“The issue of attribution has always been a missing link in publicly understanding the landscape of APT cyber espionage. Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns.”
Mandiant believes APT1 is the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398. The security firm estimates that Unit 61398 is staffed by hundreds, or even thousands, of people, and that China Telecom provided special fibre optic communications infrastructure for the unit. Additionally, Mandiant said that it conservatively estimates that APT1’s current attack infrastructure includes over 1,000 servers across dozens of countries. Mandiant said that it was able to confirm 937 command and control servers running on 849 distinct IP addresses and has confirmed 2,551 domain names attributed to APT1 in the last several years.
“Our research and observations indicate that the Communist Party of China is tasking the Chinese People’s Liberation Army (PLA) to commit systematic cyber espionage and data theft against organizations around the world,” the report alleged.
When APT1 launches an attack against a target, it’s typically not a one-shot deal or a quick hit. In fact, according to Mandiant’s research, APT1 maintained access to victim networks for an average of 356 days. The longest time period APT1 maintained access to a victim’s network was four years and ten months. In one operation, Mandiant witnessed APT1 steal 6.5 terabytes of compressed data from a single organization over a ten-month time period. APT1’s targets include organizations across a broad range of industries, mainly in the United States and other English-speaking countries. In over 97% of the 1,905 times Mandiant witnessed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language.
“Once the group establishes access to a victim’s network, they continue to access it periodically over several months or years to steal large volumes of valuable intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership
agreements, emails and contact lists from victim organizations’ leadership,” the report explained.
HACKING FOR ECONOMIC GAIN AND ADVANTAGE
Mandiant’s investigations show that APT1 has targeted at least four of the seven strategic emerging industries that China identified in its 12th Five Year Plan, and warns that any industry related to China’s strategic priorities is a potential attack target. Mandiant highlighted an attack in 2008 that compromised the network of a company involved in a wholesale industry. According to Mandiant, over the next two and a half years, APT1 used various tools to steal an unknown number of files from the victim and repeatedly accessed the email accounts of several executives, including the company’s CEO and General Counsel. During this same time period, news organizations reported that China had successfully negotiated a double-digit decrease in price per unit with the victim organization for one of its major commodities, Mandiant said.
In addition to the detailed report, Mandiant provided more than 3,000 APT1 indicators including domain names, IP addresses, X.509 encryption certificates and MD5 hashes of malware used by APT1’s attackers, in order to help organizations identify and defend against APT1 operations. Russia, Israel, and France have also been named as engaging in similar activity, but China’s alleged activity outstrips theirs by far. Chinese Foreign Ministry spokesman Hong Lei dismissed the Mandiant report’s accusations against China and said that China itself is a victim of countless cyberattacks: “to make groundless accusations based on some rough material is neither responsible nor professional.” The full report from Mandiant can be found here (PDF), and the Appendix and 3,000+ APT1 Indicators can be found here (.zip).
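Indicators of the kind Mandiant published (domain names, IP addresses, certificates and MD5 hashes) only help a defender once they are matched against the organisation’s own logs. The following is an added example, not code from Mandiant, from this magazine or from the APT1 report, showing how that matching is done over DNS, proxy and anti-virus log lines. Every indicator and log line in it is constructed: the domains use the reserved .invalid TLD, the addresses come from the RFC 5737 documentation ranges, the hashes are computed from labelled sample strings, and none of them are APT1 indicators.

```python
"""Matching vendor-style indicators (domains, IPs, MD5 hashes) against logs.

Added example for this article; it is not code from Mandiant or from the
Cybershield magazine. Every indicator and log line below is constructed:
the domains use the reserved .invalid TLD, the addresses come from the
RFC 5737 documentation ranges and the hashes are computed from labelled
sample strings. None of them are real APT1 indicators.
"""
import hashlib
import ipaddress
import re

# --- Constructed indicator set (stand-in for a published IoC feed) ---------
IOC_DOMAINS = {"update-check.example.invalid", "mail-relay.example.invalid"}
IOC_IPS = {"203.0.113.45", "198.51.100.7"}
SAMPLE_MD5 = hashlib.md5(b"constructed sample dropper").hexdigest()
BENIGN_MD5 = hashlib.md5(b"constructed benign file").hexdigest()
IOC_MD5 = {SAMPLE_MD5}

# --- Constructed log lines in a simple "timestamp source key=value ..." form
SAMPLE_LOGS = [
    "2013-03-01T08:14:02Z dns client=10.0.0.12 query=cdn.update-check.example.invalid type=A",
    "2013-03-01T08:14:03Z proxy client=10.0.0.12 dst=203.0.113.45:443 method=CONNECT",
    "2013-03-01T08:15:10Z dns client=10.0.0.40 query=intranet.corp.example type=A",
    "2013-03-01T08:20:55Z av host=WS-0012 file=C:\\Users\\a\\svchost.exe md5=" + SAMPLE_MD5 + " action=scanned",
    "2013-03-01T08:21:00Z av host=WS-0013 file=C:\\Windows\\notepad.exe md5=" + BENIGN_MD5 + " action=scanned",
]

TOKEN_RE = re.compile(r"(\w+)=(\S+)")


def parse_line(line):
    """Split a log line into timestamp, source and a dict of key=value fields."""
    parts = line.split(" ", 2)
    fields = dict(TOKEN_RE.findall(parts[2])) if len(parts) > 2 else {}
    return {"ts": parts[0], "source": parts[1], **fields}


def domain_hit(name):
    """Return the matching indicator for a name or any of its parent domains.

    Suffix matching matters: a feed entry for example.invalid should also
    flag cdn.example.invalid, because host labels under a controlled domain
    change far more often than the domain itself.
    """
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in IOC_DOMAINS:
            return candidate
    return None


def ip_hit(hostport):
    """Return the matching indicator for a 'host' or 'host:port' field (IPv4 only)."""
    host = hostport.rsplit(":", 1)[0] if hostport.count(":") == 1 else hostport
    try:
        ipaddress.IPv4Address(host)
    except ValueError:
        return None
    return host if host in IOC_IPS else None


def match_line(line):
    """Return (parsed record, list of (indicator_type, indicator) hits)."""
    rec = parse_line(line)
    hits = []
    if "query" in rec and domain_hit(rec["query"]):
        hits.append(("domain", domain_hit(rec["query"])))
    if "dst" in rec and ip_hit(rec["dst"]):
        hits.append(("ip", ip_hit(rec["dst"])))
    if rec.get("md5", "").lower() in IOC_MD5:
        hits.append(("md5", rec["md5"].lower()))
    return rec, hits


def scan(lines):
    """Run every line through the matcher and return one alert per hit."""
    alerts = []
    for line in lines:
        rec, hits = match_line(line)
        for kind, value in hits:
            alerts.append({
                "ts": rec["ts"],
                "source": rec["source"],
                # DNS/proxy logs name the client; AV logs name the host.
                "asset": rec.get("client") or rec.get("host"),
                "indicator_type": kind,
                "indicator": value,
            })
    return alerts


def indicator_types_per_asset(alerts):
    """Map asset -> set of indicator types it hit.

    One asset matching a domain *and* an IP from the same feed is a much
    stronger lead than two isolated hits, so this is the first pivot an
    analyst makes over the alert list.
    """
    per_asset = {}
    for a in alerts:
        per_asset.setdefault(a["asset"], set()).add(a["indicator_type"])
    return per_asset


if __name__ == "__main__":
    for alert in scan(SAMPLE_LOGS):
        print(alert)
    print(indicator_types_per_asset(scan(SAMPLE_LOGS)))
```

Two design points carry over to real feeds: domains are matched by suffix so that new host labels under a known domain are still caught, and alerts are pivoted per asset, since a single workstation that resolved a listed domain and then connected to a listed address is the lead worth triaging first.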
While Mandiant hopes its efforts will lead to increased understanding and coordinated action in countering targeted cyber attacks, it also acknowledged that releasing this report has put itself somewhat at risk. “We are acutely aware of the risk this report poses for us,” Mandiant noted. “We expect reprisals from China as well as an onslaught of criticism.”
“It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively.” [Source: www.hotforsecurity.com / www.securityweek.com / www.sans.org ] Cybershield Magazine • March / April 2013 • Special Training and Awareness Edition • Page 22
MANAGED SERVICES
A (GRAPHICAL) WORLD OF BOTNETS AND CYBER ATTACKS
Today we live in a cyber world filled with botnets and digital attacks! In an attempt to better manage this malicious landscape, an increasing number of security companies and public and private organisations are collecting data from their security endpoints or network devices. This is being sent to the cloud to be analysed by big data algorithms. The objective is to reduce the time slice between the release of a threat and the availability of an antidote.
The same data can also be used to build spectacular maps that show in real time the status of the internet, an impressive and worrisome spectacle! Here is a short list of a few companies providing services in this space:
HoneyMap Probably the most impressive: the HoneyMap shows a real-time visualisation of attacks detected by the Honeynet Project’s sensors deployed around the world. The map shows “automated scans and attacks originating from infected end-user computers or hijacked server systems”. This also means that an “attack” on the HoneyMap is not necessarily conducted by a single malicious person but rather by a computer worm or other forms of malicious programs. Please note that, as the creators of the Project declare, many red dots mean there are many machines which are attacking our honeypots, but this does not necessarily imply that those countries are “very active in the cyberwar”. Red markers on the map represent attackers, yellow markers are targets (honeypot sensors).
Akamai Real-Time Web Monitor Akamai monitors global internet conditions around the clock. With this real-time data the company identifies the global regions with the greatest attack traffic, measuring attack traffic in real time across the internet with their diverse network deployments. Data is collected on the number of connections that are attempted, the source IP address, the destination IP address and the source and destination ports in real time. The packets captured are generally from automated scanning trojans and worms looking to infect new computers by scanning randomly generated IP addresses. Values are measured in attacks per 24 hours (attacks/24hrs).
Securelist Statistics (Kaspersky Lab) The information collected by Kaspersky Security Network is shown in the Securelist Statistics section. In the corresponding navigable map, the user can select Local Infections, Online Threats, Network Attacks and Vulnerabilities with Map, Diagrams or Ratings format in a time scale of 24 hours, one week or one month.
Trend Micro Global Botnet Map Trend Micro continuously monitors malicious network activity to identify Command-and-Control (C&C) servers; the ability to rapidly identify and correlate bot activity is critical to this. The real-time map indicates the locations of C&C servers and victimised computers that have been discovered in the previous six hours.
Shadowserver The Shadowserver Foundation, managed by volunteer security professionals, gathers intelligence from the internet via honeyclients, honeypots, and IDS/IPS systems. The maps are made by converting all the IP addresses of the aggressor, the Command-and-Control server and the target of the DDoS attack into coordinates and placing those points on a map. The maps are updated once a day and are available for DDoS activity and Botnet C&Cs.
Arbor’s Threat Level Analysis System (ATLAS) Through its relationships with several worldwide service providers and global network operators, Arbor provides insight on global DDoS attack activity, Internet security and traffic trends. Their Global Activity Map shows data in terms of scan sources, attack sources, phishing websites, botnet IRC servers and fast flux bots.
Paolo Passeri - Hackmageddon.com
CYBER CRIME AND CYBER WARFARE
PROTECTING DATA, INTELLECTUAL PROPERTY AND BRAND FROM CYBER ATTACKS
A Guide for CIOs, CFOs, and CISOs
THE PROBLEM
Enterprises and government agencies are under serious threat from cyber attacks today. Significant breaches that have made headlines in recent times, affecting high-profile organisations such as RSA, Global Payments, ADP, Symantec and the International Monetary Fund, to name a few, all point to the fact that traditional defences are no longer able to keep up with the rapidly evolving threat landscape. Indeed, the emergence of highly advanced malware, including the Flame and Stuxnet viruses, has set an alarming new standard for the level of complexity and sophistication of the next generation of cyber attacks. Fundamentally, these developments make clear that the cybercriminals, nation-states and ‘hacktivists’ behind these attacks are growing increasingly sophisticated and more effective in their efforts to steal sensitive data and sabotage networks. Leveraging dynamic malware, targeted spear phishing emails, elaborate Web attacks and a host of other tactics, these cyber criminals are now adept at circumventing traditional security mechanisms such as firewalls, IPS, anti-virus (AV) and gateways. To assume that your organisation is immune is a dangerous and, in all likelihood, wholly inaccurate assumption. Ninety-five percent of organisations are routinely compromised, with the theft of intellectual property, customer records and other sensitive data increasingly common. Indeed, a recent report from Gartner (2012) made the following statement: “There is widespread agreement that advanced attacks are bypassing our traditional signature-based security controls and persisting undetected on our systems for extended periods of time. The threat is real. You are compromised; you just don’t know it.” The question remains: why are today’s security defences failing? Organisations are all too often overly reliant on legacy security platforms based on defences that originated many years ago, using signature- and heuristics-based technology. These tools form a necessary front line in an organisation’s defence architecture, as they are good at blocking basic malware that is known and documented. However, as standalone systems they are simply inadequate and incapable of identifying today’s dynamic, multi-pronged cyber attacks, including advanced persistent threats (APTs), zero-day attacks and other advanced malware.
THE IMPACT
Most organisations are spending vast sums of money, perhaps 10-20 percent of their annual IT budget, on security, but it is simply not working. In addition, organisations need to consider these impacts to the business:
• Loss of competitiveness: when cybercriminals successfully circumvent defences, trade secrets, patents and customer records can all be exposed and significantly weaken an organisation’s competitive position.
• Compliance breaches: organisations not protected from breaches are in serious jeopardy of being served substantial financial penalties, and also risk lost business and a host of other penalties, as a result of failing to comply with regulatory requirements.
• Damaged reputation: customer trust and market share are precious commodities. A significant breach hitting the headlines can erode these assets. Estimates from companies that have been breached regarding the resulting cost to their business can run into the millions.
• Lost productivity: security teams discovering breaches after the event are going to need time to handle the incident, shore up the vulnerability, assess where similar gaps may lie, rebuild corrupted systems, and so on. The time spent on these efforts is time wasted and, as such, will add to the total cost of a breach to an organisation.
THE SOLUTION
To combat the trends and risks outlined above, many organisations are adding a new layer of defence that complements their existing security technologies and enables security teams to effectively spot and thwart advanced cyber attacks. With this added layer of defence, security teams can detect, in real time, when code is truly malicious and has successfully infiltrated past the other existing defences. You need to consider solutions that effectively detect and block the advanced cyber threats organisations face. Further, by automating advanced malware detection, security teams are taken out of fire-fighting mode and are able to deliver more tactical projects and generate significant operational savings.
Hildburg Hofer, FireEye Product Manager at AxizWorkgroup
[Photo source: Brainstormmag]
CYBER CRIME AND CYBER WARFARE
WHY CYBERCRIME REMAINS BIG BUSINESS AND HOW TO STOP IT
Cybercrime is big business and it is growing in scope and impact. What may not be obvious to the casual observer is that cybercrime is growing in its magnitude and sophistication because of two key factors: the consumerisation of crimeware, and the adoption of time-tested business processes to enhance the profitability of crime syndicates worldwide.
The disturbing trend in cybercrime is the “enterprise-class” approach crime syndicates take to grow their businesses. Today’s syndicates employ hierarchies of participants with roles that mirror the executive suite, middle management and the rank and file. The executive suite oversees strategy and operations that initiate nefarious acts. Recruiters identify “infantry” that carry out large-scale attack schemes on a permanent-hire or outsource (affiliate) basis. They also create and hand out malware and mould reward programmes to pay affiliates once successful attacks are carried out.
Understanding “Crime-as-a-Service”
Given the ubiquitous adoption of cloud computing, social networking, BYOD and mobile communications, cybercriminals now have unprecedented reach across and into more organisations, databases, desktops and mobile devices than ever before. Infrastructure advances and the enormous number of avenues for attacks are giving cybercriminals a smorgasbord of attack vectors to choose from. To capitalise on these opportunities, cybercrime syndicates use recruiters to attract new “talent” via fully realised web portals, many of which protect themselves with disclaimers such as, “We do not allow spam or other illicit methods for machine infection.” This is a method of passing off legal responsibility to the hired “infantry” while providing the necessary malware needed to execute a full-fledged infection campaign.
FANNING THE FLAMES
The drivers of these constantly evolving tools are extensive R&D organisations that create custom-order code to produce private botnets, fake antivirus software and deployment systems. In turn, these are typically used for premeditated, targeted attacks known as Advanced Persistent Threats, or APTs. Another key contributor to the expanding influence of cybercrime is the hosting provider. Simply put, criminals need somewhere to store attack content such as attack code, malware and stolen data. Taking a page out of Wall Street, crime syndicates are engaging in mergers and acquisitions to grow their botnets through the use of other organisations’ botnets. A recent example is Zeus and SpyEye. Zeus, which dates from circa 2007, peaked in 2010 as the most prolific banking crime kit around. The crimeware kit would create new versions of powerful malware with the capability to steal banking credentials, as well as hijack and manipulate secure online banking sessions. A rival botnet known as SpyEye emerged in 2010 and tried to take over what was clearly a successful market. The competition hurt profits for both, so in late 2010 the two authors merged source code, retired Zeus support and passed the torch to SpyEye. And with creative profit-sharing flair, crime syndicates are continuing to grow sophisticated pay-per-click/install/purchase affiliate programmes to reward up-and-coming cybercriminal affiliates on a performance-based scale.
HOW TO STOP IT
Given this grim outlook, what successes are turning the tide? Several large-scale botnet takedowns showcase the advantages of working groups and task forces. With the help of the Microsoft Digital Crime Unit, the Kelihos botnet, rumoured to have as many as 40,000 bots, was taken offline in September 2011. This collaboration between Microsoft and the U.S. government led to the prosecution of Kelihos operators.
In January of this year, the large Eastern European botnet Virut was taken down with the help of local CERT teams and partners. This particular botnet had control of close to 900,000 unique IP addresses in Poland alone and was thought to be the fifth most widespread threat in 2012. Virut was a widespread threat as early as 2008, as it had a unique hybrid capability that allowed it to spread through other botnets. In essence, it was using the competition to amplify its success. Since Virut code was complex and could embed itself in other infections, detection and take-down was difficult over a five-year run. Regrettably, these “stops” are a drop in the bucket. Kelihos, for example, came back in another form after being stopped. While the dismantlement of a botnet’s command and control centre is optimal, another preventive strategy for clamping down on cybercrime is to vet domain registrations to avoid the creation of these domains. A good case in point is the Conficker Working Group, which helped filter out domains before they could be registered in order to prevent the spread of that particular botnet.
It is apparent that the best way to take a chunk out of cybercrime is attacking its Achilles heel: going after the cash flow itself. The best targets would be affiliate programmes, the cash cows that pay out commission and rewards to hired affiliates (“infantry”) who carry out malicious attacks. If the well dries up, so will the rest of the food chain. So, where does this leave us? Practically speaking, the most effective way to secure a business from crimeware is from the inside out. Organisations need to take matters into their own hands to proactively prevent the spread of cybercrime among their employees, partners and customers. What this amounts to is a highly layered security strategy consisting of vital elements that include intrusion prevention, botnet and application control, web filtering, antispam and antivirus. Companies must engage in regular accounting of digital assets and assessment of potential security flaws. Organisations must aggressively educate users about security best practices while implementing enforceable mechanisms for security policy violations. They must also implement an incident response plan that answers “what happens if?” It is imperative for companies to work together with security experts in this highly dynamic threat landscape. Through collaborative global efforts and organisational commitment to deploying aggressive multi-layered security policies, the cybercrime epidemic can eventually be contained.
But the best approach to effectively fight cybercrime requires global participation. We need an international body that can mediate disputes and dispatch resources to share information about cybercrime trends. A central reporting and information sharing channel between the private and public sectors is also needed. The best example of this kind of information sharing thus far is FIRST (Forum of Incident Response and Security Teams), circa 1990. When it comes to law enforcement, varying jurisdictions and laws complicate the prosecution of cybercriminals. FIRST helps address this problem through collaboration. Unfortunately, many attacks are handled outside this forum, and ad-hoc crime fighting groups seem to pop up like a game of whack-a-mole.
Derek Manky Global security strategist for Fortinet.
CYBER FORENSICS AND INCIDENT MANAGEMENT
WHAT MAKES UP A COMPETENT DIGITAL FORENSICS PRACTITIONER?
As a digital forensic scientist within South Africa, one area that has been a cause of significant concern for me is that any person can simply state that they are a digital forensics practitioner, and realistically there is no way to objectively determine competency and skills in this highly specialised field. There is no professional board or body that one must belong to before they are allowed to practice as a digital forensics practitioner. Could you imagine a situation where anyone who had an interest in medicine was simply allowed to practice as a medical doctor? It could be argued that doctors need to be well qualified and regulated because they often literally can make life or death decisions about their patients. However, in my view this is no different to the digital forensic practitioner who stands up in court claiming a position of expertise and interprets evidence for a judge in a way that may lead to a person being convicted. Getting it wrong can just as easily destroy a person’s life. One merely has to do an internet search for computer forensics and digital forensics and a whole host of service providers are identified, many of which seem to offer digital forensics as an add-on service to some other service, such as forensic auditing or IT security. Could you imagine making use of the services of a professional chef who, because they were good with a knife, dabbled in a little surgery on the side? You would never seek medical services from someone that was not a full-time and professional medical practitioner, so why would you make use of a part-time digital forensic practitioner? Digital forensics is a highly technical forensic science involving the acquisition, examination and analysis of digital evidence for purposes of proving or disproving a legal issue. As a discipline, it combines elements of computer science, digital engineering, mathematics, statistics, investigation and criminalistics, and the law. It is for all intents and purposes a very distinct profession. However, in the absence of professional regulatory bodies requiring the registration of digital forensic practitioners, how does one determine whether or not a digital forensics practitioner is competent and capable? The problem is that many people are not in a position to realistically and objectively determine whether or not a digital forensic practitioner is competent and qualified to perform a digital forensics task, or even exactly what skills and knowledge a digital forensics practitioner should have, or even what their typical duties are.
THE CYBERSECURITY WORKFORCE FRAMEWORK
In the United States of America, the National Initiative for Cybersecurity Education is an initiative of the National Institute of Standards and Technology (NIST), and has developed a cybersecurity workforce framework, which includes skills and competencies which are required for various cybersecurity occupations and functions, one of which is digital forensics. The cybersecurity workforce framework can be found at http://csrc.nist.gov/nice/framework/
This framework is fairly comprehensive and well researched, and describes the typical tasks that a digital forensics practitioner would engage in, as well as the typical skills and knowledge that a digital forensic practitioner should have.
SOME OF THE KNOWLEDGE AND SKILLS THAT A DIGITAL FORENSIC PRACTITIONER SHOULD HAVE ARE
• Knowledge of concepts and practices of processing digital information
• Knowledge of critical protocols (e.g., IPSEC, AES, GRE, IKE, MD5, SHA, 3DES)
• Knowledge of cybercrime response and handling methodologies
• Knowledge of network architecture concepts including topology, protocols, and components
• Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools
• Knowledge of legal governance related to information security, computer monitoring, and collection
• Knowledge of server diagnostic tools and fault identification techniques
• Knowledge of system administration concepts for Unix/Linux and/or Windows operating systems
• Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage)
• Knowledge of binary analysis
• Knowledge of file system implementations
• Knowledge of Forensic Chain of Evidence
• Knowledge of hacking methodologies in Windows or Unix/Linux environment
• Knowledge of substantive and procedural law dealing with cyber crime and digital evidence
• Knowledge of processes for packaging, transporting, and storage of electronic evidence to avoid alteration, loss, physical damage, or destruction of data
• Knowledge of types and collection of persistent data
• Knowledge of web mail collection, searching/analysing techniques, and cookies
• Knowledge of which system files (e.g., log files, registry files, configuration files) contain relevant information and where to find those system files
• Knowledge of types of digital forensics data and how to recognise them
• Knowledge of deployable forensics
• Knowledge of forensics in multiple operating system environments
• Knowledge of security event correlation tools
• Knowledge of legal governance related to admissibility (Criminal Procedure Act, Civil Proceedings and Evidence Act, Electronic Communications and Related Matters Act)
• Knowledge of electronic devices such as computer systems and their components, access control devices, digital cameras, handheld devices, electronic organisers, hard drives, memory cards, modems, network components, connectors, pagers, printers, removable storage devices, scanners, telephones, copiers, credit card skimmers, facsimile machines, global positioning systems, and other miscellaneous electronic items
• Knowledge of social dynamics of computer attackers in a global context
• Skill in analysing memory dumps to extract information
• Skill in identifying, modifying, and manipulating applicable system components (Windows and/or Unix/Linux) (e.g., passwords, user accounts, files)
• Skill in processing, packaging, transporting and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data
• Skill in setting up a forensic workstation
• Skill in using digital forensic tools (hardware and software)
• Skill in using virtual machines
• Skill in disassembling PCs
• Ability to decrypt digital data collections
• Skill in seizing and preserving digital evidence
• Skill in finding and extracting information of evidentiary value
• Skill in using scientific rules and methods to solve problems
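Two items on the list above, knowledge of the forensic chain of evidence and of hash functions such as MD5 and SHA, come together in the first thing an examiner does with an acquired image: record its hashes so that any later alteration can be proven, and keep a custody record that cannot itself be quietly edited. The following is an added example written for this article; it is not code from the magazine, from NIST or from the author. The exhibit bytes, exhibit identifier, names and timestamps are constructed placeholders.

```python
"""Evidence hashing and a tamper-evident chain-of-custody record.

Added example for the knowledge and skills list above; it is not code from
the article, from NIST or from the author. The exhibit bytes, names and
timestamps are constructed placeholders. It shows two things the list calls
for: hashing acquired evidence (MD5 and SHA-256) so later alteration can be
detected, and a custody log in which every entry commits to the previous
one, so a removed or edited entry is detectable too.
"""
import hashlib
import json


def hash_evidence(data: bytes) -> dict:
    """MD5 and SHA-256 of an acquired image. Both are recorded because older
    case files and tools still report MD5, while SHA-256 is the value a
    court or counterpart should actually rely on."""
    return {
        "md5": hashlib.md5(data).hexdigest(),
        "sha256": hashlib.sha256(data).hexdigest(),
    }


class CustodyLog:
    """Append-only chain-of-custody record for one exhibit."""

    GENESIS = "0" * 64

    def __init__(self, exhibit_id, acquired_by, data, when):
        self.exhibit_id = exhibit_id
        self.entries = []
        # The first entry is the acquisition itself, carrying the hashes
        # that every later verification is compared against.
        self.add("acquired", acquired_by, when, hash_evidence(data))

    def add(self, action, actor, when, hashes, note=""):
        prev = self.entries[-1]["entry_hash"] if self.entries else self.GENESIS
        entry = {
            "exhibit": self.exhibit_id,
            "seq": len(self.entries),
            "action": action,
            "actor": actor,
            "when": when,
            "md5": hashes["md5"],
            "sha256": hashes["sha256"],
            "note": note,
            "prev": prev,          # links this entry to the one before it
        }
        entry["entry_hash"] = self._digest(entry)
        self.entries.append(entry)
        return entry

    @staticmethod
    def _digest(entry):
        body = {k: v for k, v in entry.items() if k != "entry_hash"}
        return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()

    def verify_evidence(self, data):
        """True if the bytes still match the hashes recorded at acquisition."""
        first = self.entries[0]
        now = hash_evidence(data)
        return now["md5"] == first["md5"] and now["sha256"] == first["sha256"]

    def verify_log(self):
        """True if no entry was edited, removed or reordered."""
        prev = self.GENESIS
        for seq, entry in enumerate(self.entries):
            if entry["seq"] != seq or entry["prev"] != prev:
                return False
            if self._digest(entry) != entry["entry_hash"]:
                return False
            prev = entry["entry_hash"]
        return True


def demo():
    """Walk a constructed exhibit through acquisition, transfer and verification."""
    image = b"constructed disk image bytes" * 4096          # constructed exhibit
    log = CustodyLog("EX-2013-001", "J. Examiner", image, "2013-03-05T09:00:00Z")
    log.add("transferred", "Evidence clerk", "2013-03-05T10:30:00Z",
            hash_evidence(image), note="Sealed bag 0412 to evidence store")
    results = {
        "intact_image_ok": log.verify_evidence(image),
        "altered_image_ok": log.verify_evidence(image + b"\x00"),
        "log_ok": log.verify_log(),
    }
    log.entries[0]["actor"] = "Someone else"               # simulate an edited entry
    results["log_after_tamper_ok"] = log.verify_log()
    return results


if __name__ == "__main__":
    print(demo())
```

The image hashes answer “is this still the evidence that was seized?”; the entry hashes, each covering the previous entry’s hash, answer “is this still the record of who handled it?”. A real case file would also sign or externally timestamp the latest entry hash, since a log kept only by the examiner can be rewritten end to end by the examiner.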
If a digital forensic practitioner possessed the knowledge and skills contained within the digital forensics domain of the framework, then they could be said to be a competent digital forensic examiner; the problem is how one can objectively determine whether or not a digital forensic examiner is actually competent.
CERTIFICATIONS AS A MEANS OF DEMONSTRATING COMPETENCY IN DIGITAL FORENSICS
Certifications have become a common method within the field of computer science and information technology to demonstrate competency in various information technology domains. Within the field of digital forensics a number of certification programs are available. Two of these certification programs are of particular interest, as together they are aligned to the digital forensics domain of the Cybersecurity Workforce Framework. These are the Global Information Assurance Certification Computer Forensic Examiner (GCFE) and Computer Forensic Analyst (GCFA) certifications offered by the SANS Institute.
THE GCFE CERTIFICATION TESTS COMPETENCY IN THE FOLLOWING AREAS OF DIGITAL FORENSIC PRACTICE
• Digital forensics fundamentals
• Digital evidence acquisition
• Computer system and device profiling and analysis
• File and program activity analysis
• Log file analysis
• E-mail and communication analysis
• Internet browser forensic analysis
THE GCFA CERTIFICATION TESTS COMPETENCY IN THE FOLLOWING AREAS OF DIGITAL FORENSIC PRACTICE
• Digital forensics investigation methodologies
• Digital forensics and incident response
• Acquiring and analysing volatile data
• Intrusion analysis
• Operating systems and file system analysis
• Data layer examination and analysis
• Metadata and file name layer examination and analysis
• Timeline analysis
A digital forensics practitioner that has earned both the GCFE and GCFA certifications has demonstrated that they satisfy the requirements of the digital forensics domain of the Cybersecurity Workforce Framework. In other words, a digital forensics practitioner that has achieved both the GCFE and GCFA can objectively be considered to be competent as a digital forensics practitioner. This is not to say that a digital forensics practitioner who does not hold both the GCFE and GCFA is not competent, merely that it makes it more difficult for a person who is not an experienced digital forensics practitioner to determine whether or not they are a competent examiner against objective criteria.
THE WAY FORWARD
With digital forensics being “sexy” at the moment, and with no formal regulation of the profession, there is a real risk of engaging the services of a person who is not really competent in this field. This has several risks, the least of which is losing a case in court, with the worst being potential criminal or civil action as a result of the digital forensic practitioner’s actions. The best way to mitigate these risks going forward is to make use of an objective measure of competency, such as the Cybersecurity Workforce Framework and certifications that are aligned thereto.
ABOUT THE AUTHOR
• Jason Jordaan is head of the Cyber Forensic Laboratory of the Special Investigating Unit in South Africa
• He is a practicing digital forensic scientist, academic, and researcher
• He has earned MTech (Forensic Investigation), BComHons (Information Systems), BSc (CJ Computer Science) and BTech (Policing) degrees
• He is a Certified Forensic Computer Examiner, a Certified Fraud Examiner and a Professional Member of the Computer Society of South Africa
Jason Jordaan - Head at Cyber Forensic Laboratory Special Investigating Unit
AWARENESS
SOCIAL NETWORKING SAFELY Social networking sites such as Facebook, Twitter, Google+, Pinterest and LinkedIn are powerful, allowing you to meet, interact and share with people around the world. However, with all these capabilities come risks; not to just you, but your family, friends and employer. In this article we will discuss what these dangers are and how to use these sites more safely.
PRIVACY
A common concern about social networking sites is privacy protecting your personal information and the sensitive information of others. POTENTIAL DANGERS INCLUDE: Impacting Your Future Many organisations search social networking sites as part of background checks. Embarrassing or incriminating posts, no matter how old, can prevent you from getting hired or promoted. In addition, many universities conduct similar checks for new student applications. Privacy options may not protect you, as these organisations can ask you to “Like” or join their pages prior to the application process. Attacks Against You Cyber criminals can harvest your personal information and use it for attacks against you. For example, they can use your information to guess the answers to your “secret questions” to reset your online passwords, create targeted email attacks called spear phishing or apply for a credit card using your name. In addition these attacks can spill into the physical world, such as identifying where you work or live.
SOUND ADVICE
The best protection is to limit the information you post. Yes, privacy options can provide some protection; however, keep in mind that privacy options are often confusing and can change frequently without you knowing. What you thought was private could become public for a variety of reasons. In addition, the privacy of your information is only as secure as the people you share it with. The more friends or contacts you share private information with, the more likely that information will become public. Ultimately, the best way to protect your privacy is to follow this rule: if you do not want your mother or boss to see your post, you most likely should not post it.

Also be aware of what information friends are posting about you. It can be just as damaging if they post private information or embarrassing photos of you. Make sure your friends understand what they can or cannot post about you. If they post something you are not comfortable with, ask them to take it down. At the same time, be respectful of what you post about others.
Harming Your Employer
Criminals or competitors can use any sensitive information you post about your organisation against your employer. In addition, your posts can potentially cause reputational harm for your organisation. Be sure to check your organisation’s policies before posting anything about your employer.
“Social networking sites are powerful and fun, but be careful what you post and whom you trust.”
SECURITY
In addition to privacy concerns, social networking sites can be used by cyber criminals to attack you or your devices. Here are some steps to protect yourself:

Login
Protect your social networking account with a strong password and do not share this password with anyone or re-use it for other sites. In addition, some social networking sites support stronger authentication, such as two-step verification. Enable stronger authentication methods whenever possible.

Encryption
Many social networking sites allow you to use encryption called HTTPS to secure your connection to the site. Some sites like Twitter and Google+ have this enabled by default, while other sites require you to manually enable HTTPS via account settings. Whenever possible, use HTTPS.

Email
Be suspicious of emails that claim to come from a social networking site; these can easily be spoofed attacks sent by cyber criminals. The safest way to respond to such messages is to log in to the website directly, perhaps from a saved bookmark, and check any messages or notifications on the website itself.
Ted Demopoulos, SANS Certified Instructor
[Source: OUCH Awareness Newsletter http://www.securingthuman.org]
HOW TO MEASURE DEVELOPER SECURITY KNOWLEDGE
Aspect Security launches free analytics tool to determine strengths and weaknesses

Aspect Security has launched a free baseline knowledge tool that claims to produce an accurate assessment of a development team’s knowledge of application security. Secure Coder Analytics can be accessed online to determine the skill set and level of a group of developers or individuals.
“How do you know what you don’t know? That’s the challenge facing development teams that want to develop secure code. There’s no shame in not knowing all of the tricky aspects of application security, and now you can find out where your gaps are,” said Jeff Williams, CEO of Aspect Security. Williams is also cofounder of the Open Web Application Security Project (OWASP), and he contends his firm’s Secure Coder Analytics takes a developer approximately 20 minutes to complete and tests knowledge in various security areas via a multiple-choice assessment. Questions are randomised from what is said to be an “extensive” pool of questions. Managers of development teams can set up their own tests and invite developers to participate anonymously. After participating, each developer sees their own grade, and managers can see aggregate scores that reveal the strengths and weaknesses of the team as a whole.

Aspect Security’s eLearning curriculum features 53 learning modules at three different levels of technical depth. The company says that its eLearning solution is in use by developers worldwide at many corporate entities, including giants in the financial, shipping and logistics, and airline industries, as well as government agencies.
LOCAL TRAINING AND EVENTS
SANS South Africa

JOIN US IN MAY IN JOHANNESBURG, SOUTH AFRICA FOR THE LARGEST SANS INFORMATION SECURITY AND FORENSICS TRAINING EVENT EVER HELD ON THE AFRICAN CONTINENT!

As the frequency and ferocity of cyber attacks increase worldwide, most African businesses are significantly unprepared to effectively detect, prevent or respond to a major cyber breach. Training from the SANS Institute equips your teams with the necessary skills to fight back. We are pleased to return to Johannesburg between May 9th and 25th to bring you SANS South Africa 2013. We are introducing three new bootcamp courses in forensics, information security and audit, in addition to a new two-day course on mobile security. Don’t miss this opportunity to upgrade your skills, work toward your GIAC Certification, and network with other top information security professionals.
BOOK NOW

9-10 May: SEC440 - 20 Critical Security Controls: Planning, Implementing and Auditing - by Ted Demopoulos; SEC571 (NEW) - Mobile Device Security. Run in partnership with the ITWeb Security Summit 2013 conference http://www.securitysummit.co.za/

13-18 May: FOR408 - Computer Forensic Investigations - Windows In-Depth - taught by Jess Garcia

20-25 May: FOR508 (NEW) - Advanced Computer Forensic Analysis and Incident Response - taught by Jess Garcia

SEC401 - Security Essentials Bootcamp Style - by Ted Demopoulos

http://www.sans.org/event/southafrica-may-2013
For information on government or team discount eligibility please contact our African Director Craig Rosewarne at crosewarne@sans.org
OF INTEREST
PRIVACY PROTECTION GLASSES

It’s no secret that facial recognition technologies are becoming increasingly common, with applications ranging from security to targeted marketing. For those uncomfortable with the idea of a world without anonymity, however, two Japanese professors have invented privacy-protecting glasses designed specifically to thwart such facial recognition attempts.
Developed by Isao Echizen of Japan’s National Institute of Informatics and Seiichi Gohshi of Kogakuin University, the new glasses incorporate a near-infrared light source that affects only the camera and not people’s vision.

So, the glasses look like a simple pair of goggles to people nearby; to cameras, however, the built-in near-infrared LEDs emit rays that appear as visual “noise” in the camera’s imaging device.

“Because this noise appended to the facial image causes a considerable change in the amount of features that is referenced at facial detection, facial detection is misjudged and recognition of people’s faces is prevented,” explain the inventors, who also anticipate applications for their technology in preventing similar invasions of privacy via augmented reality apps.

Style improvements are in the works for these privacy-protecting goggles, which are currently in prototype form. Ultimately, pricing is expected to be about USD 1 per pair, according to a Slate report. Tech-minded entrepreneurs: one to help commercialize?
[Website: www.nii.ac.jp/userimg/press_details_20121212.pdf]
ARE YOU PREPARED FOR ONGOING INFOSEC THREATS?

Attend the eighth annual ITWeb Security Summit, where you will be briefed on how to improve your infosec strategy and tactics.

REASONS WHY THIS IS A MUST-ATTEND EVENT:
1. Must-hear keynotes by Misha Glenny, investigative journalist and leading expert on cyber crime, and Richard Bejtlich, chief security officer, MANDIANT
2. Sought-after SANS training: 20 Critical Security Controls: Planning, Implementing and Auditing, and Mobile Device Security
3. Thirty-four conference sessions with key insights from leading international and local infosec experts
4. Three practical workshops to equip you for the challenges you face
5. An extensive expo area with leading solutions providers
6. Unparalleled networking opportunities with business matchmaking
Make sure you attend the annual gathering of information security experts and professionals. Contact Maggie Pienaar on 011 807 3294 or maggie@itweb.co.za.
www.securitysummit.co.za