Cybershield magazine is a bi-monthly publication and is owned by Wolfpack Information Risk (Pty) Ltd. No part of this magazine may be reproduced or transmitted in any form without prior permission from Wolfpack. The opinions expressed in Cybershield are not those of the publishers who accept no liability of any nature arising out of or in connection with the contents of the magazine. While every effort is made in compiling Cybershield, the publishers cannot be held liable for loss, damage or inconvenience that may arise therefrom. All rights reserved. Wolfpack does not take any responsibility for any services rendered or products offered by any of the advertisers or contributors contained in the publication. Copyright 2013. E&OE on all advertisements, services and features in Cybershield magazine. Editorial address: Building 1, Prism Office Park, Ruby Close, Fourways, Johannesburg, South Africa, 2055 Enquiries: Telephone - +27 11 367 0613 Advertising - sales@wolfpackrisk.com Content - craig@wolfpackrisk.com Design - design@wolfpackrisk.com General queries - admin@wolfpackrisk.com http://www.wolfpackrisk.com/magazine/
Page 2 • Cybershield Magazine Jan/Feb 2013 • Special Cybercrime Edition
ANONYMOUS RECORDS U.K. POLICE/FBI CALL - PUBLISHED ON YOUTUBE
In February, Anonymous settled a score with anti-Anonymous police in the U.K. and the U.S. by breaching a secure conference call in which the hacking collective was discussed, along with the names of alleged members who had attacked high-value infrastructure targets and companies. It was no doubt a serious embarrassment for law enforcement on both sides of the Atlantic. Not only did they breach the cybercrime call; they recorded it and subsequently uploaded it to YouTube. The call shed light on U.S. and U.K. intelligence-sharing arrangements, and clearly shows that a number of law enforcement units are working together in a bid to track down those who were involved in the previous and continuing hacking attacks.
FLASHBACK, THE FIRST MAJOR MAC ATTACK
The Flashback Trojan was the latest malware to hit Apple Mac machines running OS X. It ultimately led to Apple removing the "virus-free" slogan from its Web site and marketing strategy after the highly publicized malware attack. More than 600,000 Macs were understood to have been infected by unknowingly installing the Adobe Flash look-alike software.
The malware was designed to pilfer user passwords and other data through the Web browser and other applications, such as Skype. Perhaps more worryingly, some users may find that the rogue software installs itself automatically without any user intervention at all.
The bug required multiple patches and, at the same time, shattered the Apple platform's perceived invincibility against attack. The bottom line for infected machines, as is usually the case, was the theft of a variety of personal information.
CHINESE SPIED ON NORTEL
No stranger to tough times, one-time telecommunications giant Nortel Networks Ltd was apparently deeply infiltrated with spyware from Chinese hackers for at least a decade.
The reports, which surfaced in February of 2012, claimed that the hackers had "access to everything," including technical papers, R&D reports, business plans and employee emails.
The attack began with the theft of seven passwords from top executives, including Nortel's chief executive. A number of employees were quoted as saying that the company made no attempts to close the breach before its assets were subsequently sold.
VMWARE ESX SERVER HYPERVISOR SOURCE CODE LEAKS
In late April, VMware acknowledged that a single file from its ESX server hypervisor source code had been posted online. The breach opened up the potential for a zero-day attack, and it ignited concerns that additional files might also be made public. Additional source code was then leaked in November by a hacker using the alias "Stun." Most of the specifics about either case were not publicly disclosed, making it difficult to assess the actual level of risk. But a software update is believed to have resolved any potential issues.
THE DSL MODEMS, HUAWEI BANNING & HARDWARE HACKS
In October 2012, researcher Fabio Assolini published the details of an attack which had been taking place in Brazil since 2011 using a single firmware vulnerability, two malicious scripts and 40 malicious DNS servers. This operation affected six hardware manufacturers, resulting in millions of Brazilian internet users falling victim to a sustained and silent mass attack on DSL modems. In March 2012, Brazil’s CERT team confirmed that more than 4.5 million modems were compromised in the attack and were being abused by cybercriminals for all sorts of fraudulent activity. At the T2 conference in Finland, security researcher Felix ‘FX’ Lindner of Recurity Labs GmbH discussed the security posture and vulnerabilities discovered in the Huawei family of routers. This came in the wake of the U.S. government’s decision to investigate Huawei for espionage risks. A White House review later found no firm evidence that Huawei intentionally spied for the Chinese government. The case of Huawei and the DSL routers in Brazil are not random incidents. They are just indications that hardware routers can pose the same, if not higher, security risks as older or obscure software that is never updated. They indicate that defence has become more complex and more difficult than ever - in some cases, even impossible.
POSTBANK LOSES $6.7M (R42M) TO CYBERCRIME SYNDICATE
Johannesburg - The National Intelligence Agency (NIA) launched a high-level probe after a cybercrime syndicate stole R42m from SA Post Office financial institution Postbank over the New Year holidays. The theft occurred between January 1 and January 3, and was allegedly committed by a syndicate with knowledge of the post office's information technology (IT) system. Postbank currently holds over R4bn in deposits, and processes millions of rands in social grants throughout the year. The syndicate reportedly opened several Postbank accounts across the country late last year, and during the New Year holiday period gained access to a Rustenburg Post Office employee's computer and made deposits from other accounts into its own. Over the next three days, automated teller machines (ATMs) in Gauteng, Free State and KwaZulu-Natal were used to withdraw cash from the accounts. The incident comes three years after Postbank spent over R15m to upgrade its fraud-detection service.
One of the cyber gang, Teboho Donald Masoleng, was sentenced to 15 years in March 2013 for his role in the heist. In September the National Prosecuting Authority (NPA) stated that millions of rands were still missing from the Postbank heist case.
BANKS UNDER DDOS ATTACK
The year marked a significant increase in the number of distributed-denial-of-service (DDoS) attacks against global banks and other financial institutions. A nearly 80-fold increase in malicious traffic was recorded from the fourth quarter of 2011 to the first quarter of 2012, and the attacks continued on an ongoing basis. Attackers had begun using shorter, stronger bursts of traffic and were seen to increase the overall intensity of the exploits, increasing their firepower. By the end of the year, the sophistication increased to include obvious decoy attacks that would attract the attention of security personnel while the more insidious portion of the attack occurred elsewhere on the network.
GLOBAL REGULATORS SHUT DOWN PC 'TECH SUPPORT' SCAM
Some good news if you've ever received a call from some random guy claiming to be from Microsoft, and also claiming that you have malware on your computer - even though you inexplicably own a Mac. They don't know that; they're trying to sell you fake antivirus programs that you likely don't even need, in order to make a quick buck. U.S. officials, working alongside Canadian, Australian, New Zealand, Irish, and British regulators and authorities, cracked the so-called "tech support scam" and froze financial assets. It was a blow to cyber scammers worldwide who plagued the vulnerable - and everyone else for that matter - with cold calls claiming they were someone that they were not. Thankfully not everyone fell for the scam, but tens of thousands clearly did.
International News
MICROSOFT BOTNET TAKEDOWNS
Leveraging the RICO Act for the first time, last March Microsoft, with the help of U.S. marshals carrying a federal warrant, took down a number of malware-spreading botnets that were allegedly responsible for the theft of more than $100 million from financial institutions and other businesses. Roughly 13 million computers and 800 domains were involved in the criminal enterprise, which was tied to command-and-control servers in Lombard, Ill., and Scranton, Pa. The illegal botnets were held responsible for spreading the Zeus family of malware that included the SpyEye and Ice-IX variants. Similar operations were conducted later in the year.
THE EXPLOSION OF ANDROID THREATS
During 2011, we witnessed an explosion in the number of malicious threats targeting the Android platform. We predicted that the number of threats for Android would continue to grow at an alarming rate. The chart below clearly confirms this:
The number of samples continued to grow and peaked in June 2012, when almost 7,000 malicious Android programs were identified. Overall in 2012, more than 35,000 malicious Android programs were detected, which is about six times more than in 2011. The huge growth in Android malware can be explained by two factors: economic and platform related. First of all, the Android platform itself has become incredibly popular, becoming the most widespread OS for new phones, with over 70% market share. Secondly, the open nature of the operating system, the ease with which apps can be created and the wide variety of (unofficial) application markets have combined to shine a negative spotlight on the security posture of the Android platform. Looking forward, there is no doubt this trend will continue, just like it did with Windows malware many years ago. We are therefore expecting 2013 to be filled with targeted attacks against Android users, zero-days and data leaks.
STUXNET ATTACK - LINKED TO U.S.
In early June, the New York Times reported alleged ties between the Stuxnet worm and the presidential administrations of both George W. Bush and Barack Obama, thereby raising questions as to whether the U.S. was at cyberwar with Iran. The malware was allegedly used to attack centrifuges in Iran that were believed to be tied to a nuclear weapons program that economic sanctions had failed to deter. There was widespread speculation that the cyberattack would have been viewed as a substitute for a conventional military attack that would have further destabilized the Middle East. This was presumably the first time that the United States had used this type of initiative against a foreign government.
THE LINKEDIN, LAST.FM, DROPBOX AND GAMIGO PASSWORD LEAKS
In June 2012, LinkedIn, one of the world’s biggest social networks for business users, was hacked by unknown assailants and the password hashes of more than 6.4 million people leaked onto the Internet. Through the use of fast GPU cards, security researchers recovered an amazing 85% of the original passwords. When Dropbox announced that it was hacked and user account details were leaked, it was yet another confirmation that hackers were targeting valuable data (especially user credentials) at popular web services. In 2012, we saw similar attacks at Last.fm and Gamigo, where more than 8 million passwords were leaked to the public. To get an idea of how big a problem this is, during the InfoSec South-West 2012 conference, Korelogic released an archive containing about 146 million password hashes, which was put together from multiple hacking incidents. Of these, 122 million were already cracked. These attacks show that in the age of the ‘cloud’, when information about millions of accounts is available on one server, over speedy internet links, the concept of data leaks takes on new dimensions.
MIDDLE EAST ATTACKS
Not so long after Stuxnet was discovered in June 2010, another round of cyber attacks began in the Middle East. Dubbed "Flame" by its discoverer Kaspersky Lab, after fragments of code in which the word appears, the sophisticated malware was about twenty times the size of Stuxnet in file size and just as dangerous, if not more so. It was thought to be targeting machines in Iran, the Palestinian-controlled West Bank, Sudan, Syria, and others in the region, and was far more sophisticated than Stuxnet in a number of ways. However, instead of targeting the physical infrastructure attached to the network, it was designed to steal data and collect audio and video content from webcams and microphones. It was an intelligence-gathering piece of malware and clearly developed by a state actor or government. But who exactly remains a mystery.
SHAMOON
In the middle of August 2013, details appeared about a piece of highly destructive malware that was used in an attack against Saudi Aramco, one of the world’s largest oil conglomerates. According to reports, more than 30,000 computers were completely destroyed by the malware. Detailed analysis of the Shamoon malware found that it contained a built-in switch which would activate the destructive process on 15 August 2013, 8:08 UTC. Later, reports emerged of another attack using the same malware against another oil company in the Middle East. Shamoon is important because it revived the idea behind the Wiper malware: a destructive payload with the purpose of massively compromising a company’s operations. As in the case of Wiper, many details are unknown, such as how the malware infected the systems in the first place or who was behind it.
FLAME AND GAUSS ARRIVE ON THE SCENE
In mid-April 2012, a series of cyber-attacks destroyed computer systems at several oil platforms in the Middle East. The malware responsible for the attacks, named “Wiper”, was never found – although several pointers indicated a resemblance to Duqu and Stuxnet. During the investigation, a huge cyber-espionage campaign now known as Flame was discovered. Flame is arguably one of the most sophisticated pieces of malware ever created. When fully deployed onto a system, it has more than 20 MB of modules which perform a wide array of functions such as audio interception, Bluetooth device scanning, document theft and the taking of screenshots from the infected machine. The most impressive part was the use of a fake Microsoft certificate to perform a man-in-the-middle attack against Windows Update, which allowed it to infect fully patched Windows 7 PCs in the blink of an eye. The complexity of this operation left no doubt that this was backed by a nation state. In fact, a strong connection to Stuxnet was discovered by Kaspersky researchers, which indicates that the Flame developers worked together with the Stuxnet developers, perhaps during the same operation. Flame is important because it showed that highly complex malware can exist undetected for many years. It is estimated that the Flame project could be at least five years old. It also redefined the whole idea of “zero-days”, through its “God mode” man-in-the-middle propagation technique. Of course, when Flame was discovered, people wondered how many other campaigns like this were being mounted. And it wasn’t long before others surfaced. The discovery of Gauss, another highly sophisticated Trojan that was widely deployed in the Middle East, added a new dimension to nation-state cyber campaigns. Gauss is remarkable for a variety of things, some of which remain a mystery to this day.
The use of a custom font named “Palida Narrow” and its encrypted payload, which targets a computer disconnected from the Internet, are among the many unknowns. It is also the first government-sponsored banking Trojan with the ability to hijack online banking credentials from victims, primarily in Lebanon.
Sources: news.cnet.com • zdnet.com • crn.com • mybroadband.co.za
Security Predictions 2013-2014: EMERGING TRENDS IN IT AND SECURITY
Cloud:
“I expect to see a sharp increase in attacks against end-users and administrators who are accessing and controlling cloud-based services (both public and private clouds). Much of the focus is on the security of the cloud itself but very often the end-users are left to their own while connecting from less secure public networks. Administrators in particular will be targeted as they hold the keys to the cloud-based kingdom.” - Bryce Galbraith
Simulations:
“Gamification, the application of game design techniques to real-world problems, will play a far more important role in Information Security education in the coming years. The field of Information Security education is uniquely positioned to explore these possibilities and act as an incubator of ideas for gamifying education. Competition and gaming have always played a large role in the Information Security community. One need only look at the immense number of excellent Capture the Flag competitions played yearly, online and at conferences. Taking advantage of the fervour for competition and games to fuel learning in the classroom has already proven to be successful. The future is rife with opportunities. SANS itself has already experimented in this field with IDnet, IPnet, course-specific Capture the Flag competitions, and most recently, NetWars.” - Yori Kvitchko
Innovation:
“What we are doing is not working. We need to review what we are doing and why. We need to re-evaluate everything, from passwords to pentests to firewalls to DLP. We have to stop doing the same thing over and over again. We have to stop being insane. My prediction? Companies will start looking for alternative security technologies to augment or outright replace many of the technologies that have failed time and time again.” - John Strand
Metrics:
“No profession has ever achieved status and credibility prior to developing effective metrics showing cause and effect, providing reliable prognostication and delivering the information needed by various parts of an organization to make informed decisions. Information security is no different. While practitioners frequently lament the profession’s lack of standing with business executives, we continue to fail to provide credible answers to essential questions and reliable evidence for the value of our craft. Most of us only provide management with obscure technical measures that do little to provide needed answers, actionable information or comfort, let alone assurance. But relentless pressure to cut costs, to increase both effectiveness and efficiency and do more with less will increasingly drive development and deployment of better metrics in the coming years.” - Krag Brotby
Authentication:
“This will be the year for advancements in authentication. Even though good multi-factor authentication systems have existed for years, most organizations have relied on passwords to the exclusion of these other technologies despite clear demonstrations that usernames and passwords just aren't enough. This was a banner year for major compromises involving tens to hundreds of thousands of usernames, often with passwords also being revealed. I believe that this will trigger two things related to authentication: 1) serious adoption of multi-factor authentication and 2) focused research into an even more cost-efficient yet more secure authentication process in an effort to eliminate the username/password equation and move us to "who you are" authentication systems.” - David Hoelzer
This is an effort to chronicle what a number of really smart people believe the state of the information security industry to be, and where we are going. A lot of the emphasis is on security threats, but we also consider what is working and what good practice is. We hope you will be able to use this in your strategic planning and also as input for your security architecture.
Mobile devices:
“With the continued development and proliferation of intelligent portable electronic devices (smartphones, tablet computers, etc.), I predict a rise in account compromises resulting from the credentials for those accounts being stored on unsecured devices. While the user may have selected a password of sufficient length, when it's stored on an unsecured device it may be easily recoverable by an attacker.” - Fred Kerby
Geolocation:
“A little known fact about the new HTML5 web specification is that device geolocation is baked in. With just a few lines of code, any website can now enable geolocation features, potentially leaving geo-artifacts on any device with a web browser. The recent US Supreme Court case, U.S. vs. Jones, demonstrates how interested law enforcement has been in geolocation monitoring. I predict a much wider range of investigators, both public and private, will begin to take advantage of geo-artifacts present on nearly every computer and mobile device, giving the ability to put the device at a particular place at a particular time.” - Chad Tilbury
Internet devices:
“Up to now, the internet connected mostly "people": the end point of an internet connection was usually implemented using a PC, a server or, more lately, tablets and phones. But foremost, a person was operating and using the device connected to the network. In parallel to this "internet for people" we always had an "internet for devices": small control systems and embedded devices that delivered metrics and control to other devices or larger control networks. Up to now, the proliferation of these devices was limited to specialized networks and environments. However, in particular the advent of IPv6, and the continuation of Moore's law to deliver cheaper and more powerful devices, will make it much easier to deploy devices ubiquitously. We already see a surge in internet-controlled home automation and alarm systems, cars with not one but several IP addresses, sub-$50 "servers" as implemented in the Raspberry Pi project and projects like Arduino to deliver sensory and control capabilities to the masses. These technologies frequently take advantage of cloud computing to supplement their limited computing capacity and heavily rely on commodity networks for data exchange. We should pretty soon see successful attacks against these devices by exploiting unsecured communication networks. Later on, complete takeover of the device by injecting exploit code into the insecure communication stream may be achieved.” - Johannes Ullrich
Fortinet's Top Six Security Predictions For 2013 Are:
1. APTs:
We’ll see more advanced persistent threats much like Stuxnet, Flame and Gauss, hitting civilian targets like celebrities, company CEOs and political figures. Since targets are not directly linked to military and or government agencies, attackers will likely be looking for information they can use for criminal activity such as blackmail, according to the report.
2. Password Controls:
Expect the demise of password-only security mechanisms. Since attackers can now easily download cloud-based password cracking tools for as low as $20, FortiGuard predicts an increasing number of companies will start using some form of two-factor authentication for their personnel and clients. This will likely involve a web-based login which requires a user password and a secondary password that will be provided to the user via the user’s mobile device or a standalone security token.
3. Machine Attacks:
The year 2013 will likely be the first instance where attackers will hack into appliances and devices that are capable of machine-to-machine communication. M2M technology can be found in many devices, including surveillance cameras that cross-check photos with a database of known suspects and medical equipment that regulates oxygen intake for patients based on the individual’s heart rate, which is collected by another machine. Fortinet foresees attackers hitting national security targets by “poisoning information streams” that pass through M2M channels.
4. Sandboxes:
As adoption of sandboxing becomes a more widely employed security technology, attackers will launch exploit codes that can circumvent sandbox environments. The most likely targets in 2013 will be security appliances and mobile devices.
5. Botnets:
Cross-platform botnets such as Zitmo will become more widespread in the coming year. Since many divergent platforms now share many features, FortiGuard predicts that 2013 will see an increase in new forms of denial of service attacks that will simultaneously hit both PC and mobile infrastructures.
6. Mobile Malware:
Growth of malware written for mobile devices will close in on that for PCs and laptops. Historically, malware has been directed against PCs because the devices have been around for so long. But the number of new mobile devices continues to explode, making them the ideal target for attackers.
Source: http://www.sans.edu/research/security-laboratory/article/2140
According to PandaLabs, Panda Security’s malware laboratory, the security trends that will predominate in 2013 are:
• Social networks:
One of the most widely used techniques is social engineering. Tricking users into collaborating to infect their computers and steal their data is an easy task, as there are no security applications to protect users from themselves. In this context, the use of social networks (Facebook, Twitter, etc.), places where hundreds of millions of users exchange information (very often personal data), makes them the preferred hunting ground for susceptible users. Particular attention should be paid to Skype, which, after replacing Messenger, could become a target for cybercriminals.
• Growth of malware:
For two decades, the amount of malware has been growing dramatically. The figures are stratospheric, with tens of thousands of new malware strains appearing every day and, therefore, this sustained growth seems very far from coming to an end. Despite security forces being better prepared to combat this type of crime, they are still handicapped by the absence of borders on the internet.
A police force can only act within its jurisdiction, whereas a cyber-crook can launch an attack from country A, steal data from citizens of country B, send the stolen data to a server situated in country C and could be living in country D. This can be done with just a few clicks, whereas coordinated action by security forces across various countries could take months. For this reason, cybercriminals are still living their own golden era.
• Malware for mobile devices:
Android has become the dominant mobile operating system. In September 2012, Google announced that it had reached the incredible figure of 700 million Android activations. Although it is mainly used on smartphones and tablets, its flexibility and the fact that it doesn’t require a licence for use will result in new devices opting to use Google's operating system. Its use is going to become increasingly widespread, from televisions to all types of home appliances, which opens up a world of possible attacks as yet unknown.
• Cyber-warfare/Cyber-espionage:
Throughout 2012, different types of attacks have been launched against nations. The Middle East is worth mentioning, where the conflict is also present in cyberspace. In fact, many of these attacks are not even carried out by national governments but by citizens, who feel that they should defend their nation by attacking their neighbors using any means available. Furthermore, the governments of the world’s leading nations are creating cyber commandos to prepare both defence and attack and therefore, the cyber-arms race will escalate.
• Malware for Mac:
Cases like Flashback, which occurred in 2012, have demonstrated that not only is the Mac susceptible to malware attacks but that there are also massive infections affecting hundreds of thousands of users. Although the number of malware strains for Mac is still relatively low compared to malware for PCs, we expect it to continue rising. A growing number of users, added to security flaws and a lack of user awareness (due to overconfidence), mean that the attraction of this platform for cyber-crooks will continue to increase in 2013.
• Windows 8:
Last but not least, Windows 8. Microsoft’s latest operating system, along with all of its predecessors, will also suffer attacks. Cyber-criminals are not going to focus on this operating system only but they will also make sure that their creations work equally well on Windows XP to Windows 8, through Windows 7. One of the attractions of Microsoft’s new operating system is that it runs on PCs, as well as on tablets and smartphones. For this reason, if functional malware strains that allow information to be stolen regardless of the type of device used are developed, we could see a specific development of malware for Windows 8 that could take attacks to a new level.
THE SCRAP VALUE OF A HACKED PC
The image lists the various ways criminals can monetise a hacked PC. The project was designed to explain simply and visually, to the sort of computer user who can’t begin to fathom why miscreants would want to hack into his PC. “I don’t bank online, I don’t store sensitive information on my machine! I only use it to check email. What could hackers possibly want with this hunk of junk?” are all common refrains from this type of user. The graphic includes some of the increasingly prevalent malicious uses for hacked PCs, including hostage attacks (such as ransomware) and reputation hijacking on social networking forums. One of the ideas to get across with this image is that nearly every aspect of a hacked computer and a user’s online life can be and has been commoditised. If it has value and can be resold, you can be sure there is a service or product offered in the cybercriminal underground to monetise it. I haven't yet found an exception to this rule. Source: http://krebsonsecurity.com
Next time someone asks why someone might want to hack their PC, show them this article.
AFRICA’S FASTEST GROWING ICT NATIONS
New figures released today by ITU show that information and communication technology (ICT) uptake continues to grow worldwide, spurred by a steady fall in the price of telephone and broadband Internet services. The new data, released in ITU’s flagship annual report Measuring the Information Society 2012, ranks the Republic of Korea as the world’s most advanced ICT economy, followed by Sweden, Denmark, Iceland and Finland. ITU’s ICT Development Index (IDI) ranks 155 countries according to their level of ICT access, use and skills, and compares 2010 and 2011 scores. All countries in the IDI top 30 are high-income countries, underlining the strong link between income and ICT progress. IDI values are, on average, twice as high in the developed world compared with developing countries, the report says.
The report identifies the group of countries with the lowest IDI levels – so-called ‘Least Connected Countries’ – and highlights the need for policy makers to pay keen attention to this group. Ghana, Nigeria and Niger are ranked among these. Measuring the Information Society 2012 report also identifies countries which have made the most progress when it comes to ICT development. These dynamic ICT markets are mostly located in the developing world – evidence that many developing countries are catching up quickly in efforts to bridge the so-called ‘digital divide’. Strong performers include Bahrain, Brazil, Ghana, Kenya, Rwanda and Saudi Arabia.
Source: Biztech Africa Page 13 • Cybershield Magazine Jan/Feb 2013 • Special Cybercrime Edition
The report says that globally, telecommunication and Internet services are becoming more affordable.
ZAMBIA - ESPIONAGE CHARGES FOR PC THIEVES - 20 YEAR SENTENCE
According to the report’s ICT Price Basket (IPB), which spans 161 economies and combines the average cost of fixed telephone, mobile-cellular and fixed-broadband Internet services, the price of ICT services dropped by 30% globally between 2008 and 2011, with the biggest decrease in fixed-broadband Internet services, where average prices have come down by 75% Impact on economic growth.
Zambian police have slapped espionage charges against thieves who stole computers from the country’s only cancer hospital - a charge that carries a minimum sentence of 20 years in jail. The police said they have slapped espionage charges against the suspects because of the nature and gravity of the offence. The thieves broke into the country’s only cancer disease hospital about two weeks ago, stealing computers, computer controlling towers and keyboards used in the diagnosis of cancer patients. Some stolen items have so far been recovered and reinstalled in order to normalize operations at the hospital and serve lives. “We did not pick and charge them with theft because it is not only about stealing the computers and other equipment, it is about the lives of people (patients) which were endangered during that period and considering how critical this facility is,” said Police spokesperson Elizabeth Kanjela. The accused appeared in a Lusaka Magistrate and were this week given bail and allowed to go home. In Zambia, any person charged with espionage and found guilty of the offence and convicted faces imprisonment of a period not less than 20 years but not exceeding 30 years.
The report also shows that the ICT sector has become a major contributor to economic growth. In 2010, global exports of ICT goods accounted for 12% of world merchandise trade, and as much as 20% in developing countries. ITU data show that global revenues from telecommunication services reached USD 1.5 trillion in 2010, corresponding to 2.4 % of the world’s gross domestic product (GDP). In the same year, investment (measured by capital expenditure) in telecommunications amounted to more than USD 241 billion, or an estimated 2% of the world’s total gross fixed capital formation.
(Source: Edith Mwale, Lusaka, Zambia - Biztechafrica.com)
LOCAL RESEARCH REPORT ON CYBERCRIME RELEASED
The Wolfpack 2012/2013 SA Cyber Threat Barometer report is now available for free download.
The report, officially launched recently in Johannesburg, is described as Wolfpack’s most ambitious research project yet. The research was sponsored by the British High Commission. The report covers:
• Global cyber security models from USA / UK / Brazil / Russia / India / China and South Africa
• Cybercrime initiatives in 12 African countries
• A framework for analysing the cost of cybercrime and losses calculated for South Africa
• Proposed initiatives for South Africa including a National Cyber Security Academy / CSIRT / National Awareness programme
• Feedback from workshops with government, financial and telecom stakeholders
Wolfpack’s Managing Director, Craig Rosewarne, says the intention of this project was to collaborate with key local and international stakeholders to help raise awareness of cyber threats at a strategic level, forge relationships across key sectors and help fast-track the selection of the best cyber threat countermeasures. "For phase two, we wish to increase the scope to include a number of other African countries," he says.
A full copy of the report is available on the Research section of the Wolfpack website. www.wolfpackrisk.com
Source: Biztech Africa
EGYPT - AFRICA INTERNET GOVERNANCE FORUM CALLS TO TACKLE CYBERCRIME
The inaugural Africa Internet Governance Forum (AfrIGF) has called for increased partnership and collaboration to curb cyber crime and enhance online security across the continent. The ongoing forum in Cairo, Egypt, opened after the successful hosting of the five regional internet governance forums or IGFs by the respective regions. The five regional IGFs include the West Africa Internet Governance Forum (WAIGF), the East Africa Internet Governance Forum (EAIGF), Forum de Gouvernance de l’Internet en Afrique Centrale (FGI-CA), the Southern Africa Internet Governance Forum (SAIGF) and the North Africa Internet Governance Forum (NAIGF). In his opening address Egypt’s ICT Minister Eng Hany Mahmoud noted that enhancing security and building confidence and trust in the use of ICT applications is one of the “most important emerging issues that are threatening the ICT sector worldwide.”
“Collaboration of regional and international efforts from all stakeholders involved is much needed. In this respect, Egypt has established its national CERT and we are ready to discuss together policy challenges and find ways for cross border cooperation on cybersecurity.” The minister said the UN General Assembly would decide on a number of important issues such as the report of the 15th session of the Commission on Science and Technology for Development of the Economic and Social Council on Internet Governance Improvements, the Enhanced Cooperation consultations, and the WSIS Review Meeting Decision. Makane Faye, who read the speech on behalf of Dr Aida Opoku-Mensah, the director of UNECA’s ICT, Science and Technology Division (ISTD), said that Internet governance, as a key issue emerging from the WSIS process, is an important multi-stakeholder platform. “The key to making Internet Governance a success at both the sub-regional and regional levels is dependent on the take up and active participation at the national level. To this end, national forums on the management of Internet resources and critical infrastructure are encouraged in countries,” said Faye. “We expect that this conference will promote discussions on the African IG agenda and shape the way for Africa's participation in the next IGF, in Baku,” said Faye. (Source: Semaj Itosno, Nairobi, Kenya - Biztechafrica.com)
SOUTH AFRICA BEEFING UP CYBER SECURITY
- Source: Biztechafrica.com
The South African government is finalising plans for a national cyber security hub and long-awaited cyber inspectors. Palesa Legose, Director of Cybersecurity at South Africa's Department of Communications, said in Johannesburg at the recent launch of Wolfpack’s 2013/4 Cyber Threat Barometer report that plans for a national cyber security hub were being finalised, with a view to announcements being made around July next year. Legose said it would serve as a central contact point for cyber security initiatives across the country. Legose noted that the government views cyber crime in a serious light, and therefore aims to launch an awareness programme and establish a National Cyber security Advisory Council (NCAC) in collaboration with the private sector, to step up the fight against cybercrime. She added that cyber inspectors, mooted since 2003, are now being trained.
Palesa Legose. Picture source: BiztechAfrica
WOLFPACK OPINION PIECE UPDATE - What is happening with South Africa's National CSIRT (or Cybersecurity Hub, as it has been called)?
Craig Rosewarne from Wolfpack was invited to attend a strategic briefing session with key government, banking and telecoms stakeholders in November 2012. The purpose of the meeting was an opportunity to ask questions and to provide input into the development of our national CSIRT. In summary:
The National Cybersecurity Policy Framework (NCPF) mandates the Department of Communications to establish a Cybersecurity Hub for South Africa. The Council for Scientific and Industrial Research (CSIR) has been contracted to establish and provide support to the Cybersecurity Hub.
Objective of the Cybersecurity Hub
• To pool public and private sector threat information for the purposes of processing and disseminating such information to relevant stakeholders promoting cybersecurity in South Africa.
Implementation Roadmap
Prof Marthie Grobler, Project lead from the CSIR, took us through an interesting implementation roadmap presentation that covered:
• Building infrastructure (the Hub design and a layered defence model)
• Location of the Cybersecurity Hub (the CSIR Campus - an existing National Key Point with good security in place)
• ICT infrastructure and reporting software utilised
• Incident workflows and links to other CSIRTs and the South African Police Services (SAPS)
• Policies and SOPs (Standard Operating Procedures) implemented
In summary I was really impressed with the progress the CSIR has made and we should have a functional Hub that operates on an 8 x 5 model (to start) by around July 2013. The two areas of improvement that I raised were greater community involvement as well as a governance committee representative of all sectors of South Africa. We don’t want another government focused CSIRT but rather one that is there to serve and protect all stakeholders in SA. We will send you feedback on progress as soon as we get an update.
HOW A CRIMINAL COULD GAIN ACCESS TO YOUR PERSONAL INFO VIA YOUR SMARTTV
This article concerns SmartTVs, but the problem extends to every internet-enabled device that we have in our homes today. Thanks to a massive introduction of technology into our personal lives, we have dramatically increased our attack surface. We are all potential targets, and the large majority of consumers are totally oblivious to the threats around them - even high profile celebrity or political figures with enhanced security. A plethora of devices now manage our personal information. SmartTVs are even more sophisticated devices that can interact with humans by detecting their presence and that are interconnected with a wide range of technology appliances.
Why would an attacker be interested in hacking your domestic appliance? Domestic devices such as our SmartTV have network connectivity and are equipped with serious computational capability that could be attacked for several purposes:
• Cyber espionage – Objects such as SmartTVs are open gates to our domestic network, where there may be large quantities of personal data. Think of your 1TB USB hard drive connected to your TV, full of personal photos and videos or even a backup of your laptop.
• To recruit new bots to join larger, more powerful multi-device botnets to conduct cyber attacks against strategic targets. Consider the possibility of using any such device to conduct a DDoS attack or a phishing attack.
• Cybercrime – hackers could be interested in harvesting financial data, which may be available on a gaming console or in clear text on the hard drive of a media centre connected to the TV. Other monetisation schemes could include the use of ransomware or the spread of malicious agents.
The above examples are an introduction to a wide range of risks to be taken into account. We all need to be reminded of how to better manage our domestic device security. The firmware installed on SmartTVs is already vulnerable to cyber attacks, and the researchers of ReVuln have demonstrated it. The security experts posted a video that demonstrates how it is possible to attack a Samsung Smart TV by exploiting a 0-day vulnerability to gain root access on it. The hacker could then remotely wipe data from attached storage devices and monitor and control the victim’s TV.
Watch the video: http://vimeo.com/55174958
Definition - What is a SmartTV?
A SmartTV, sometimes referred to as connected TV or hybrid TV (not to be confused with IPTV, Internet TV, or Web TV), describes a trend of integration of the Internet and Web 2.0 features into television sets and set-top boxes, as well as the technological convergence between computers and these television sets / set-top boxes. The devices have a higher focus on online interactive media, Internet TV, over-the-top content, as well as on-demand streaming media, and less focus on traditional broadcast media than traditional television sets and set-top boxes. (Source: Wikipedia)
HOW CRIMINALS WERE ABLE TO STEAL 36 MILLION EUROS USING MALWARE
A CASE STUDY OF EUROGRABBER - EXECUTIVE SUMMARY
This is a case study about a sophisticated, multi-dimensional and targeted attack that stole an estimated 36+ million Euros from more than 30,000 bank customers from multiple banks across Europe.
Overview of the Eurograbber Attack
Recently, financial institutions have taken steps to increase security for online transactions. Historically, bank customers merely needed their bank account number and password to access their account online. Clearly this one-factor authentication is relatively easy to bypass since customers often choose weak passwords and can easily misplace their credentials, leading to their account being compromised. To improve this, the banks added a second authentication mechanism that validates the identity of the customer and the integrity of the online transaction. Specifically, when the bank customer submits an online banking transaction, the bank sends a Transaction Authentication Number (TAN) via SMS to the customer’s mobile device. The customer then confirms and completes their banking transaction by entering the received TAN in the screen of their online banking session. As we will see, Eurograbber is customised to specifically circumvent even this two-factor authentication.
The attacks began in Italy, and soon after, tens of thousands of infected online bank customers were detected in Germany, Spain and Holland. The attack was entirely transparent: the online banking customers had no idea they were infected with Trojans, that their online banking sessions were being compromised or that funds were being stolen directly out of their accounts. The multi-staged attack infected the computers and mobile devices of online banking customers, and once the Eurograbber Trojans were installed on both devices, the bank customer’s online banking sessions were completely monitored and manipulated by the attackers. Even the two-factor authentication mechanism used by the banks to ensure the security of online banking transactions was circumvented in the attack and actually used by the attackers to authenticate their illicit financial transfer. Further, the Trojan used to attack mobile devices was developed for both the Blackberry and Android platforms in order to facilitate a wide “target market” and as such was able to infect both corporate and private banking users and illicitly transfer funds out of customers’ accounts in amounts ranging from 500 to 250,000 Euros each.
A bank customer’s problems begin when they click on a “bad link” that downloads a customised Trojan onto their computer. This happens either during internet browsing or, more likely, from responding to a phishing email that entices the customer to click on the bogus link. This is the first step of the attack, and the next time the customer logs into his or her bank account, the now installed Trojan (customised variants of the Zeus, SpyEye, and CarBerp Trojans) recognises the login, which triggers the next phase of the attack. It is this next phase where Eurograbber overcomes the bank’s two-factor authentication, and it is an excellent example of a sophisticated, targeted attack. During the customer’s first online banking session after their computer is infected, Eurograbber injects instructions into the session that prompt the customer to enter their mobile phone number. They are then told to complete the “banking software security upgrade” by following the instructions sent to their mobile device via SMS. The attacker’s SMS instructs the customer to click on a link to complete a “security upgrade” on their mobile phone; however, clicking on the link actually downloads a variant of the “Zeus in the mobile” (ZITMO) Trojan. The ZITMO variant is specifically designed to intercept the bank’s SMS containing the all-important “transaction authorisation number” (TAN). The bank’s SMS containing the TAN is the key element of the bank’s two-factor authorisation.
The Eurograbber Trojan on the customer’s mobile device intercepts the SMS and uses the TAN to complete its own transaction to silently transfer money out of the bank customer’s account. The Eurograbber attack occurs entirely in the background. Once the “security upgrade” is completed, the bank customer is monitored and controlled by the Eurograbber attackers, and the customer’s online banking sessions give no evidence of the illicit activity. In order to facilitate such a sophisticated, multi-stage attack, a Command & Control (C&C) server infrastructure had to be created.
Figure 1 - Anatomy of the Attack
This infrastructure received, stored and managed the information sent by the Trojans and also orchestrated the attacks. The gathered information was stored in a SQL database for later use during an attack. In order to avoid detection, the attackers used several different domain names and servers, some of which were proxy servers to further complicate detection. If detected, the attackers could easily and quickly replace their infrastructure thus ensuring the integrity of their attack infrastructure, and ensuring the continuity of their operation and illicit money flow.
The Money Theft
Once the Eurograbber Trojans are installed on the bank customer’s computer and mobile phone, the malware lies dormant until the next time the customer accesses their bank account.
Step 1: A banking customer logs in to their online bank account.
Step 2: Immediately upon the bank customer’s login, the cybercriminals initiate Eurograbber’s computer Trojan to start its own transaction to transfer a predefined percentage of money out of the customer’s bank account to a “mule” account owned by the attackers.
Step 3: Upon submission of the illicit banking transaction, the bank sends a Transaction Authorisation Number (TAN) via SMS to the customer’s mobile device.
Step 4: However, the Eurograbber mobile Trojan intercepts the SMS containing the TAN, hides it from the customer and forwards it to one of many relay phone numbers set up by the attackers. The SMS is then forwarded from the relay phone number to the drop zone, where it is stored in the command and control database along with other user information. If the SMS were forwarded straight to the drop zone it would be more easily detected.
Step 5: The TAN is then pulled from storage by the computer Trojan, which in turn sends it to the bank to complete the illicit transfer of money out of the bank customer’s account and into the attacker’s “mule” account. The customer’s screen does not show any of this activity and they are completely unaware of the fraudulent action that just took place.
Figure 2 - Follow the Money
At this point, victims’ bank accounts will have lost money without their knowledge. Cybercriminals are being paid off via mule accounts. This entire process occurs every time the bank customer logs into his or her bank account.
How to Protect Against The Eurograbber Attack
The Eurograbber attack targets online banking customers and not the banks themselves. To best protect against attacks like Eurograbber, online banking customers need to ensure they have the most current protection in two areas – on the network that provides them internet access to their bank and on the computer they use to conduct online banking. (Source: http://www.checkpoint.com/products/downloads/whitepapers/Eurograbber_White_Paper.pdf )
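The white paper's advice above is aimed at customers; the bank side can also screen for the pattern Steps 1 to 5 describe. The following is an added example (not code from the Check Point paper or from any bank) of such screening: every threshold, field name and sample transfer is an assumption constructed for the illustration.

```python
"""Bank-side screening for Eurograbber-style transfers (constructed example).

Scores a submitted transfer on the traits the case study describes: it is
fired immediately after login (Step 2), it goes to a "mule" payee the
customer has never paid before, it moves a sizeable share of the balance,
and the SMS TAN comes back at machine speed because the mobile Trojan relays
it through the C&C database rather than a person typing it (Steps 4 and 5).
Thresholds are assumptions chosen for the example, not any bank's rules.
"""
from dataclasses import dataclass, field


@dataclass
class Transfer:
    session_id: str
    customer_id: str
    payee_account: str
    amount: float
    balance_before: float
    seconds_after_login: float    # login -> transfer submission
    tan_roundtrip_seconds: float  # TAN SMS sent -> TAN entered in the session


@dataclass
class CustomerProfile:
    payees_paid_before: set = field(default_factory=set)


# Assumed thresholds (hypothetical values, not from the case study).
FAST_AFTER_LOGIN_SECONDS = 15.0   # a person still has to navigate to "payments"
FAST_TAN_SECONDS = 8.0            # reading an SMS and typing the digits takes longer
LARGE_SHARE_OF_BALANCE = 0.25     # transfer moves a quarter or more of the balance


def score_transfer(t: Transfer, profile: CustomerProfile) -> list:
    """Return the Eurograbber-like indicators present on this transfer."""
    reasons = []
    if t.payee_account not in profile.payees_paid_before:
        reasons.append("first payment to this payee")
    if t.seconds_after_login < FAST_AFTER_LOGIN_SECONDS:
        reasons.append("transfer submitted immediately after login")
    if t.tan_roundtrip_seconds < FAST_TAN_SECONDS:
        reasons.append("TAN returned faster than a person could read the SMS")
    if t.balance_before > 0 and t.amount / t.balance_before >= LARGE_SHARE_OF_BALANCE:
        reasons.append("transfer is a large share of the balance")
    return reasons


def review_queue(transfers, profiles, min_indicators=3):
    """Hold transfers showing at least `min_indicators` indicators for manual review.

    Returns {session_id: reasons}. Legitimate traffic such as a first payment
    to a new shop trips one indicator, not three, so it passes untouched.
    """
    held = {}
    for t in transfers:
        profile = profiles.get(t.customer_id, CustomerProfile())
        reasons = score_transfer(t, profile)
        if len(reasons) >= min_indicators:
            held[t.session_id] = reasons
    return held


# Constructed sample traffic (no real accounts, customers or payees).
PROFILES = {
    "cust-1": CustomerProfile(payees_paid_before={"DE00-LANDLORD"}),
    "cust-2": CustomerProfile(payees_paid_before={"IT00-UTILITY"}),
}

SAMPLE_TRANSFERS = [
    # ordinary: known payee, minutes into the session, human-speed TAN entry
    Transfer("s-1", "cust-1", "DE00-LANDLORD", 900.0, 4200.0, 185.0, 42.0),
    # ordinary but noisy: new payee, still human-paced and small
    Transfer("s-2", "cust-2", "IT00-NEWSHOP", 60.0, 3100.0, 240.0, 35.0),
    # Eurograbber pattern: unseen payee, 2 s after login, TAN back in 3 s, 30% of balance
    Transfer("s-3", "cust-2", "ES00-MULE-XX", 930.0, 3100.0, 2.0, 3.0),
]

if __name__ == "__main__":
    for session, reasons in review_queue(SAMPLE_TRANSFERS, PROFILES).items():
        print(session, "->", "; ".join(reasons))
```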
RISK - WHAT CAN COMPANIES DO TO PREVENT FRAUD AND CORRUPTION IN THE WORKPLACE?
Public Service and Administration Minister Lindiwe Sisulu recently announced that the SA government has lost millions through fraud, corruption and other financial misconduct by civil servants. In 2011, Willie Hofmeyr of the Special Investigating Unit said that corruption involving government procurement was costing South Africa up to R30 billion p/a. Spent correctly, this money could be used to improve the education, health and safety of many South African citizens. It is clear that fraud prevention should become a key area of focus not just for government, but for every company operating in the South African business landscape today. Gareth Newman, Head of the Crime and Justice Programme at the Institute of Security Studies, says that corruption is a serious concern for South Africa and various indicators suggest that the problem is worsening. The annual Transparency Corruption Perceptions Index is a useful measure of corruption in 182 countries worldwide. In 2011, Somalia was rated as the most corrupt country in the world, but South Africa, having dropped a further 10 places in 2012, is now ranked 64th out of 182 countries. South African citizens are also recognising corruption as a growing cause for concern, and in 2011, 29 percent of adults (compared to 15 percent in 2008) believed corruption to be a serious problem for the country. On a global front, a fraud adviser for CIFAS, a fraud prevention service in the United Kingdom (UK), said that while staff are generally honest and trustworthy, staff fraud is a serious problem that poses real and continuing risks for businesses worldwide. According to the recent findings of CIFAS, there has been a startling 41 percent increase in the number of dishonest actions by employees. In 31 percent of cases staff stole cash from customers, and in 23 percent of cases staff stole from their employers.
In addition, poor credit checks increased by 50 percent and there was a 79 percent increase in the manipulation of customer account details in order to assist family or friends in difficult circumstances.
Evidence provided in a recent study by Price Waterhouse Coopers shows that the CEO of a company plays a key role in risk management and fraud prevention. This corresponds directly with what Corporate Governance strives to achieve in the King III report. If the CEO is involved in the risk management of an organisation it is easier to recognise concerning patterns that emerge and respond in a timely manner. There are also a number of steps an organisation can take towards a more honest and transparent working environment. Companies need to assess the risks they face by analysing intelligence gleaned from inside and outside the business so that they may develop strategies that will counter such risks. In addition, it is essential to understand the climate of the employees by conducting a Human Resources Climate Survey and an Ethics Assessment. Measures should also be put in place to ensure that employees, suppliers and contractors are not colluding against the company.
The South African Institute of Corporate Fraud Management has developed a Red Flag tool which outlines some warning signs:
Employee Fraud:
• Familiarity with operations (including cover-up capabilities and being in a position of trust).
• Close association with suppliers and other key people.
• Employees that are not informed about rules or actions taken to combat fraud.
• Rapid employee turnover of key employees, either by quitting or by firing dishonest or overly dominant management.
• Inadequate personnel screening policies when hiring new employees for positions of trust.
• No maintenance of records of dishonest acts or disciplinary actions.
• Inadequate compensation practices.
• Poor internal information security and inadequate training/awareness programs.
Supplier Fraud:
• Fraudulent documentation presented with the tender.
• A close relationship between the supplier and staff members.
• Insufficient supervisory review of accounts payable activity.
• Vendor payments that have increased dramatically for no apparent reason.
• Excessive credit adjustments to a particular vendor and/or credit issued by an unauthorised department.
• Lack of documentation for payment of invoices, paid invoices not properly cancelled (allowing for reprocessing) and a high volume of manually prepared disbursement cheques.
Source: Jenny Reid, Director of iFacts
CURRENT TRENDS IN INFORMATION SECURITY COMPLIANCE IN SOUTH AFRICA
Introduction
There are three high water marks in the evolution of a body of “information security law” in South Africa:
1. The King III Report on Governance for South Africa, released on 1 September 2009
2. The Electronic Communications and Transactions Act 25 of 2002
3. The release of the 10th draft of the Protection of Personal Information Bill (POPI) in September 2012
King III recommended that the board ensure that “information assets are managed effectively”. This includes the protection of information: “information security” (principle 5.6, sections 40 to 42). The ECT Act:
• Provided a framework for public key infrastructures (PKI),
• Laid down the requirements for reliable electronic signatures (“advanced electronic signatures”),
• Provided the requirements for transactional security, and
• Introduced a range of cybercrimes into our law for the first time.
POPI has introduced the concepts of providing appropriate, reasonable technical and organisational measures to protect personal information. In 2004 three trends in information security law in the United States were identified by Mr. Thomas Smedinghoff in his article titled “Security and Surveillance, Trends in the Law of Information Security” published in the BNA International World Data Protection Report. Almost nine years later, we begin to identify those trends emerging in South Africa.
Trend 1: Information Security is now a corporate obligation
“In the Wild West, when Jesse James and Butch Cassidy robbed banks, we felt sorry for the banks and hunted down the outlaws. Today, when someone breaks into a company’s computer system, our response is totally different: We blame the company for failing to provide adequate security” (Smedinghoff). Information security is therefore no longer just a technical issue for the IT Department. King III specifically requires the board to ensure that an information security framework is developed and an information security management system implemented. The risk and audit committees must assist the board in their IT responsibilities. Information security is now a board agenda item by virtue of the fact that it forms part of IT governance. When it comes to the protection of “personal information” POPI imposes several security measures.
Trend 2: Emergence of a Legal Standard
POPI marks the emergence of the second trend: a legal standard against which information security will be measured generally, and for compliance with POPI in particular. This raises key questions. Just what exactly is a business meant to do? What is the scope of its legal obligation to implement information security measures? Section 19(1) of POPI requires entities that process personal information to “secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures”: words which are deliberately very broad and non-specific. This wording takes account of the fact that information security can never be absolute. It is also technologically neutral.
Rather than telling companies what specific security measures they must implement, section 19(2) requires companies to engage in an ongoing and repetitive process that is designed to: identify all reasonably foreseeable internal and external risks; establish and maintain appropriate safeguards against the risks identified; regularly verify that the safeguards are effectively implemented; and ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards. Key to the legal information security standard in POPI is a requirement that security be responsive to the company’s fact-specific risk assessment. This process is advocated by (amongst others) the South African National Standard SANS 27001:2006/ISO/IEC 27001:2005 (Information technology – Security techniques – Information security management systems – Requirements). This standard was approved by the South African Bureau of Standards (SABS) in January 2006. It specifies the requirements for establishing, implementing, operating, monitoring, reviewing, maintaining, and improving a documented information security management system (ISMS). It is a much higher level standard than SANS 17799:2005.
The key to the new legal obligation is that security must respond to the specific risks of a company. In other words, merely implementing seemingly strong security measures is not sufficient. Security measures must respond to the particular threats a business faces and must address its vulnerabilities. Brian Gaff uses the example that posting armed guards around a building or requiring key-card access may give the appearance of security, but if the primary threat the company faces is unauthorised remote access via the Internet, physical security measures are of little value. Likewise, firewalls and intrusion detection software are often effective ways to stop hackers and protect sensitive databases, but if a company’s major vulnerability is careless (or malicious) employees who inadvertently (or intentionally) disclose passwords or protected information, then even those sophisticated technical security measures, although important, will not adequately address the problem.
Trend 3: Duty to disclose security breaches
Current law does not oblige a company to implement security measures – instead it obliges a company to disclose security breaches. Section 22 of POPI requires responsible parties to notify the Regulator and the data subject “where there are reasonable grounds to believe that the personal information of a data subject has been accessed or acquired by any unauthorised person”. This is similar to the common law “duty of care” and foreseeability, and to the obligation to warn of dangers where they are known. The emergence of the obligation to disclose security breaches highlights the necessity for proper incident management policies to be in place. Information security incidents occur all the time. If they are not properly managed, they erode confidence in the IT Department, compromise the company’s computer systems, and can be used to extort or publicly embarrass a company. A structured and coordinated approach is necessary to ensure a fast and effective resolution that limits or mitigates the impact of each security incident on a company’s business.
Source: Lance Michalson - Michalsons law firm
HOW BOARDS AND SENIOR EXECUTIVES SHOULD BE MANAGING CYBER RISKS
(Image source: Houieha)
It has long been recognised that directors and officers have a fiduciary duty to protect the assets of their organisations. Today, this duty extends to digital assets, and has been expanded by laws and regulations that impose specific privacy and cyber security obligations on companies. For the third time, the survey revealed that boards are not actively addressing cyber risk management. While placing high importance on risk management generally, there is still a gap in understanding the linkage between information technology (IT) risks and enterprise risk management. Although there have been some measurable improvements since the 2008 and 2010 surveys, boards still are not undertaking key oversight activities related to cyber risks, such as reviewing budgets, security program assessments, and top-level policies; assigning roles and responsibilities for privacy and security; and receiving regular reports on breaches and IT risks. Involvement in these areas would help them manage reputational and financial risks associated with the theft of confidential and proprietary data and security breaches of personal information.
Recommendations: If boards and senior management take the following 12 actions, they could significantly improve their organisations’ security posture and reduce risk:
1. Establish a board Risk Committee separate from the Audit Committee and assign it responsibility for enterprise risks, including IT risks. Recruit directors with security and IT governance and cyber risk expertise.
2. Ensure that privacy and security roles within the organisation are separated and that responsibilities are appropriately assigned. The CIO, CISO/CSO, and CPO should report independently to senior management.
3. Evaluate the existing organisational structure and establish a cross-organisational team that is required to meet at least monthly to coordinate and communicate on privacy and security issues. This team should include senior management from human resources, public relations, legal, and procurement, as well as the CFO, the CIO, CISO/CSO, CRO, the CPO, and business line executives.
4. Review existing top-level policies to create a culture of security and respect for privacy. Organisations can enhance their reputation by valuing cyber security and the protection of privacy and viewing it as a corporate social responsibility.
5. Review assessments of the organisation’s security program and ensure that it comports with best practices and standards and includes incident response, breach notification, disaster recovery, and crisis communications plans.
6. Ensure that privacy and security requirements for vendors (including cloud and software-as-a-service providers) are based upon key aspects of the organisation’s security program, including annual audits and control requirements. Carefully review notification procedures in the event of a breach or security incident.
7. Conduct an annual audit of the organisation’s enterprise security program, to be reviewed by the Audit Committee.
8. Conduct an annual review of the enterprise security program and effectiveness of controls, to be reviewed by the board Risk Committee, and ensure that identified gaps or weaknesses are addressed.
9. Require regular reports from senior management on privacy and security risks.
10. Require annual board review of budgets for privacy and security risk management.
11. Conduct annual privacy compliance audits and review incident response, breach notification, disaster recovery, and crisis communication plans.
12. Assess cyber risks and potential loss valuations and review adequacy of cyber insurance coverage.
Source: RSA Laboratories is the research center of RSA, The Security Division of EMC, and the security research group within the EMC Innovation Network.
GETTING TO GRIPS WITH THE ‘BLACK ART’ OF EMV
While the US grapples with EMV migration, South Africa’s banks and retailers have more or less completed their migration. But this is not the end of their journey, says Stanchion Payment Solutions. EMV standards were introduced by EuroPay, MasterCard and Visa (hence EMV) some years ago, mainly to reduce the risk of fraud in credit cards. EMV credit and debit cards, carrying microchips that effectively provide a computer processing platform upon the card itself, are widely known as chip cards in South Africa. Stanchion says they deliver significantly improved card transaction security, even if they have not yet delivered on all the multi-application uses initially expected. However, despite the fact that South African banks and businesses have adopted EMV cards, their EMV journey is not over. Stanchion technical director Shaun Baker and operations director Liam McDermott say EMV compliance and certification is an ongoing issue, mostly due to the constant evolution of the technology, but also due to changes institutions make on their platforms. Without compliance, retailers, banks and the transaction chain may find themselves liable for any fraud committed using an EMV card. But certifying the systems used for EMV transactions is generally a complex and lengthy process, and any core changes in the payment systems would typically require re-certification, they say. “To many, this is a ‘black art’, which is not very well understood,” says Baker. “And because they hear it is a painful and protracted process, companies are hesitant.” “The minute you change pertinent parts of your infrastructure (i.e. changing a POS vendor, or moving from one payments system to another), you must re-certify it. This happens infrequently in most big organisations, but it happens. In addition, certification and compliance are not the end-game
Using these tools to effectively combat fraud requires a deeper understanding of the EMV standard and of the systems within the transaction chain. Many companies do not have the resources to ensure complete control of the value chain,” he adds. Baker says taking charge of the re-certification will fall under the responsibilities of an enterprise’s Compliance Officer, who therefore needs to be kept informed of all relevant IT infrastructure changes. “Certification can be a lengthy process that may take as long as 9 to 12 months to complete, although the typical period is around 3 months. Because of the perceived complexity and cost of the process, enterprises often find it preferable to use a consultancy such as Stanchion to run it,” says McDermott.
“Many companies, although members of payment associations, don’t have meaningful relationships with MasterCard or Visa, or they don’t know what questions to ask. Stanchion can also contribute by facilitating this process for them,” says Baker. However, says Baker, because EMV certification comes at a heavy price, EMV may not always be the only, or even the most suitable, solution for securitising transactions. In some cases, new technologies such as interactive transaction authentication tools may be viable replacements, he notes. EMV remains the current global trend until such time as these replacement technologies come of age.
EMV stands for Europay, MasterCard and Visa, a global standard for interoperation of integrated circuit cards (IC cards or "chip cards") and IC card capable point of sale (POS) terminals and automated teller machines (ATMs), for authenticating credit and debit card transactions. It is a joint effort between Europay, MasterCard and Visa to ensure security and global interoperability so that Visa and MasterCard cards can continue to be accepted everywhere. IC card systems based on EMV are being phased in across the world, under names such as "IC Credit" and "Chip and PIN". (Source: Wikipedia)
EMV provides a foundation for fighting fraud, allowing issuers to take charge of transactions at point-of-sale.
THE CSIS 20 CRITICAL SECURITY CONTROLS
Securing a country against cyber attacks has today become one of a nation's highest priorities. To achieve this objective, networks and systems, as well as the operations teams that support them, must vigorously defend against a variety of internal and external threats. To respond to those attacks that are successful, defences must be prepared to detect and thwart follow-on attacks on internal enterprise networks as attackers spread inside a compromised network. A critical component of such a defence system is continuous monitoring – that is, the ability to automatically test and validate whether current security measures are working and proactively remediate vulnerabilities in a timely manner. Because government departments and companies have limited resources, current and past chief information officers (CIOs) and chief information security officers (CISOs) across the USA and Europe have concluded that the only rational way to meet these requirements is to jointly establish a prioritised baseline of information security measures and controls that can be continuously monitored using automated mechanisms. This consensus document of 20 Critical Controls begins the process of establishing a prioritised baseline of information security measures and controls that can be applied across government and commercial environments.
The consensus effort identifies 20 specific technical security controls effective in blocking currently known high-priority attacks as well as those attack types expected in the near future.
Guiding principles for control areas:
• Defences should focus on addressing the most common and damaging attack activities occurring today, and on those anticipated in the near future.
• Enterprise environments must ensure that consistent controls are in place across the organisation to effectively negate attacks.
• Defences should be automated where possible and periodically or continuously measured using automated measurement techniques.
• Root cause problems must be fixed in order to ensure the prevention or timely detection of attacks.
• Metrics should be established that facilitate common ground for measuring the effectiveness of security measures, providing a common language for executives, IT specialists, auditors, and security teams to communicate about risk within the organisation.
Sub-control category groupings
To help organisations of different security maturities, the 20 Critical Controls have been grouped into specific categories:
Quick wins
These sub controls improve the security stance generally without major procedural, architectural, or technical changes to the environment. The intent of identifying "quick wins" is to highlight where security can be improved rapidly.
Improved visibility and attribution
These sub controls focus on improving the process, architecture, and technical capabilities of organisations so that they can monitor their networks and computer systems and better visualise their own IT operations.
Hardened configuration and improved information security hygiene
These sub controls are designed to improve an organisation's information security stance by reducing the number and magnitude of potential security vulnerabilities and by improving the operations of networked computer systems.
Advanced
These sub controls are designed to further improve the security of an organisation beyond the other three categories. Organisations already following all of the other sub controls should focus on this category.
Why the Controls Work
The Critical Controls draw on the knowledge gained in combating the myriad attacks launched regularly against networks. Top cybersecurity experts have joined forces to make the Controls the most effective and specific set of technical measures available to detect and prevent the most common and damaging of those computer attacks. This consensus process is the foundation of the Controls because it provides first-hand knowledge of actual attacks and the best defensive techniques to stop them. It also ensures that the Controls will address the root causes of attacks so that security measures deployed today will be effective against the next generation of advanced threats. The Critical Controls represent the sum total of efforts over the last decade to develop standards to identify common vulnerabilities and their severity, define secure configurations, inventory systems and platforms, and pinpoint application weaknesses.
IMPLEMENT --> AUTOMATE --> AUDIT
The Critical Controls Document
The presentation of each Critical Control in this document includes:
• A step-by-step breakdown of the procedures and tools required to implement and automate it;
• An explanation of how attackers exploit the absence of this control;
• Entity relationship diagrams to show how the controls can be implemented;
• An outline of the most appropriate sub-controls to implement, automate, and measure effectiveness;
• Summaries of metrics and tests that can be used to evaluate implementation; and
• A list of associated NIST controls and NSA tasks.
After organisations implement the Controls and gain experience with automation, CIOs can use the document as an audit guide to ensure that they are taking the right actions for effective cyber defence. The Controls are meant to deal with multiple kinds of computer attackers, including malicious internal employees and contractors, independent individual external actors, organised crime groups, terrorists, and nation-state actors, as well as mixes of these different threats.
The Controls are not limited to blocking the initial compromise of systems, but also extend to detecting already-compromised machines and preventing or disrupting an attacker's actions. The defences identified through these controls deal with reducing the initial attack surface by hardening security, identifying compromised machines to address long-term threats inside an organisation's network, controlling super-user privileges on systems, and disrupting attackers' command-and-control of implanted malicious code. Finally, each control included in the document describes a series of tests that organisations can conduct on a periodic or continual basis to ensure that appropriate defences are in place.
Download your copy of the CSIS 20 Critical Security Controls: http://www.sans.org/critical-security-controls/
Moving Ahead
The consensus effort to define critical security controls is an evolving process. Changing technology and attack patterns will necessitate future changes to the current set of Critical Controls. In a sense, this will be a living document moving forward, but the Controls described here are a solid start toward making fundamental computer security defences a well-understood, replicable, measurable, scalable, and reliable process.
CRITICAL QUESTIONS TO ASK WHEN BUILDING A SECURITY OPERATIONS CENTRE (SOC)
Introduction
Small, medium and large organisations are today updating their technologies rapidly in order to expand their business. As a result, a number of outsourced models and third-party services are being incorporated within these organisations in order to help them with this expansion. One of the key challenges of this approach is to track the activities of such outsourced models and services.
Organisations can evaluate their respective security posture by answering simple questions like:
• Do I know how complex my deployment is, even if it is deemed safe and working as expected?
• Do I have information regarding the threats faced by my business' critical assets?
• Do I know who is accessing this information? Are they supposed to be accessing it?
• Is the information being handled in the right manner?
• Is the behavior of users over the network appropriate, or are there any anomalies with respect to what they are doing?
Organisations also grow with time and in many ways, the dynamic nature of the IT infrastructure itself adds to the increasing level of risk. Consider the following factors:
• The complexity of infrastructure grows along with the addition of new technologies and applications.
• The number of users accessing digital data and infrastructure always increases.
• The volume of data that we handle, store and manage is expected to double every 18 months according to a recent study by the IDC.
• Regulatory standards tend to increase in complexity with new revisions and controls being added in order to protect digital data. In the recent decade, we have noticed the introduction of many regulatory standards like the PCI, ISO 27001, Data Breach Notification Acts, etc.
To proactively monitor malicious activities, organisations should consider setting up their own Security Monitoring or Operations Center (SOC).
Threat Landscape
The year 2011–12 has been a year of significant breaches across various high profile global organisations. These breaches have occurred in spite of the latest technologies and programs being in practice. The analysis of these incidents clearly identifies the need for innovative measures of threat management. Most organisations today are adapting to the concept of maintaining a Security Operations Center (SOC) in order to monitor their digital data and infrastructure in an attempt to protect themselves from various forms of risk and threats.
Picture source: RSA Security
SOC also acts as a turn-key solution for various security and compliance requirements.
Security Operations Centre
This involves collecting, reviewing, analyzing and managing information that may be of interest from a security perspective, considering the components within the infrastructure, usually via event logs. The SOC's primary emphasis is to facilitate monitoring and detection capabilities in the occurrence of various forms of threats emerging from a wide range of sources. The threat source can be an external or an internal entity. No matter where the source is located, the SOC will assist organisations in keeping tabs on such malicious activities and taking preventive measures in order to protect their assets.
Key Benefits of a SOC
• Real-time detection with a record of the alert and the respective response.
• Attack correlation of logs from multiple sources.
• Effective incident management.
• Historic forensic analysis.
• Visualization of the organization's complete threat landscape.
Organisational Requirements
Organisations are adopting complex business models today and demand information in order to achieve their goals. For example, a CIO/CTO's focus would be to improve service levels while the CSO looks at better visibility into the security threats. The Compliance department emphasises the use of regulatory guidelines and the forensic team looks at the granular data feed in order to investigate incidents and infer the impact. There is a dire need for a solution that can cater to such security requirements from different stakeholders. Effective log monitoring and management provides the means to address such requirements. A log monitoring and management platform can effectively aggregate data originating from various infrastructure devices and applications into a common platform and provide access to this information for various stakeholders.
These solutions offer a wide range of features that address the various requirements of security monitoring, including:
• Data collection, log management and storage
• Effective threat management and event-based identification
• Rules-based identification
• Anomaly-based identification
• Risk-based identification
• Automated compliance reporting
• Facilitation of data for forensic and incident management.
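As an added example (not from the article or from Paladion), the following Python sketches what the three identification modes listed above look like when run over correlated logs from two sources. The two log formats, the asset register, the thresholds and the sample log lines are all constructed assumptions.

```python
"""Multi-source log correlation with rules-, anomaly- and risk-based identification.
Added example, not from the article or any SOC vendor: the log formats, the asset
register and the thresholds below are constructed assumptions."""
import re
import statistics
from collections import defaultdict

# Constructed sample logs from two hypothetical sources: an SSH authentication server
# and a perimeter firewall (private and documentation address ranges only).
AUTH_LOG = """\
2013-02-04T09:00:01 auth sshd: Failed password for admin from 10.0.0.45
2013-02-04T09:00:03 auth sshd: Failed password for admin from 10.0.0.45
2013-02-04T09:00:05 auth sshd: Failed password for admin from 10.0.0.45
2013-02-04T09:00:07 auth sshd: Failed password for root from 10.0.0.45
2013-02-04T09:00:09 auth sshd: Failed password for admin from 10.0.0.45
2013-02-04T09:00:12 auth sshd: Accepted password for admin from 10.0.0.45
2013-02-04T09:02:00 auth sshd: Failed password for bob from 10.0.0.13
"""
FW_LOG = """\
2013-02-04T09:03:10 fw ALLOW src=10.0.0.45 dst=203.0.113.9 bytes=52428800
2013-02-04T09:03:20 fw ALLOW src=10.0.0.12 dst=203.0.113.9 bytes=12000
2013-02-04T09:03:30 fw ALLOW src=10.0.0.13 dst=203.0.113.9 bytes=15000
2013-02-04T09:03:40 fw ALLOW src=10.0.0.14 dst=203.0.113.9 bytes=11000
2013-02-04T09:03:50 fw DENY src=10.0.0.45 dst=203.0.113.10 bytes=0
"""
AUTH_RE = re.compile(r"^(\S+) auth sshd: (Failed|Accepted) password for (\S+) from (\S+)$")
FW_RE = re.compile(r"^(\S+) fw (ALLOW|DENY) src=(\S+) dst=(\S+) bytes=(\d+)$")
ASSET_CRITICALITY = {"203.0.113.9": 5, "203.0.113.10": 2}  # hypothetical asset register, 1..5
FAILED_LOGIN_THRESHOLD = 4    # rules-based: failures before a success that raise an alert
EGRESS_ANOMALY_FACTOR = 10.0  # anomaly-based: multiple of the median egress volume
RISK_ALERT_SCORE = 8          # risk-based: score at which an alert is raised

def parse_logs(auth_text, fw_text):
    """Normalise both sources into one event list ordered as a single timeline."""
    events = []
    for line in auth_text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts, result, user, src = m.groups()
            events.append({"ts": ts, "kind": "auth", "ok": result == "Accepted", "user": user, "src": src})
    for line in fw_text.splitlines():
        m = FW_RE.match(line)
        if m:
            ts, action, src, dst, nbytes = m.groups()
            events.append({"ts": ts, "kind": "fw", "ok": action == "ALLOW", "src": src, "dst": dst,
                           "bytes": int(nbytes)})
    return sorted(events, key=lambda e: e["ts"])

def correlate(events):
    """Attack correlation: fold events from both sources into one profile per source address."""
    profiles = defaultdict(lambda: {"failed": 0, "success_after_fail": False, "egress": 0,
                                    "assets": set(), "denied": 0})
    for e in events:
        p = profiles[e["src"]]
        if e["kind"] == "auth":
            if e["ok"]:
                p["success_after_fail"] |= p["failed"] > 0
            else:
                p["failed"] += 1
        elif e["ok"]:
            p["egress"] += e["bytes"]
            p["assets"].add(e["dst"])
        else:
            p["denied"] += 1
    return profiles

def rules_based(profiles):
    """Rules-based identification: a fixed pattern, repeated failures followed by a success."""
    return [s for s, p in profiles.items()
            if p["failed"] >= FAILED_LOGIN_THRESHOLD and p["success_after_fail"]]

def anomaly_based(profiles):
    """Anomaly-based identification: egress volume far above the population median."""
    volumes = [p["egress"] for p in profiles.values() if p["egress"] > 0]
    if len(volumes) < 3:
        return []  # too little baseline to call anything anomalous
    median = statistics.median(volumes)
    return [s for s, p in profiles.items() if p["egress"] > EGRESS_ANOMALY_FACTOR * median]

def risk_score(p):
    """Risk-based identification: weight observed behaviour by the criticality of assets reached."""
    behaviour = p["failed"] + 3 * p["success_after_fail"] + p["denied"]
    exposure = sum(ASSET_CRITICALITY.get(a, 1) for a in p["assets"])
    return behaviour * max(exposure, 1)

def run_soc(auth_text=AUTH_LOG, fw_text=FW_LOG):
    """Return alert records (detection, source, evidence, response) for the SOC's own log."""
    profiles = correlate(parse_logs(auth_text, fw_text))
    alerts = [("brute-force-then-success", s, f"{profiles[s]['failed']} failures then success",
               "reset the affected credentials and review the session") for s in rules_based(profiles)]
    alerts += [("egress-volume-anomaly", s, f"{profiles[s]['egress']} bytes out",
                "isolate the host and preserve logs for forensic analysis") for s in anomaly_based(profiles)]
    alerts += [("risk-score", s, f"score {risk_score(p)} over assets {sorted(p['assets'])}",
                "escalate to incident management") for s, p in profiles.items() if risk_score(p) >= RISK_ALERT_SCORE]
    return [dict(zip(("rule", "src", "evidence", "response"), a)) for a in alerts]
```

On the constructed input, only 10.0.0.45 trips all three detectors: the rule fires on the failures followed by a success, the anomaly check on its egress volume relative to the other hosts, and the risk score because that behaviour touched the most critical asset.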
SOC Deployment Models
Enterprises today have the following options for SOC deployment:
1. Internal SOC – Build a customized SOC along with internal skills and operate it using internal resources.
2. Build and Operate (BO) – Build a customized SOC by outsourcing the SOC setup and operations. In this model, the SOC infrastructure is owned by the customer, but the operations are outsourced.
3. Build, Operate and Transfer (BOT) – Build a customized SOC by outsourcing the SOC setup. The operations are outsourced only for a predetermined time period, over which control is transferred back internally by developing the required skills and resources.
4. MSSP Model – The SOC services are outsourced to a Managed Security Service Provider (MSSP). In this model, the infrastructure and operations are owned by the service provider.
These SOC models are described on page 29.
“ A SOC will assist an organisation to keep a tab on malicious activities and take preventative measures in order to protect its assets”
Internal SOC Model: In this model, the organisation procures the required technologies and implements these technologies using internal resources or with the assistance of respective technology partners. The operations are completely managed by trained internal staff. The pros and cons of this model are listed below.
Pros:
• Highest level of control for security operations.
• Flexibility in making changes to the services because they are driven internally.
• No risk of transition as the operations are internally managed.
Cons:
• Intense focus is required from the top management for the SOC. It is difficult to do so if the focus of the top management is required for core business operations.
• In-depth technical and security domain skills are required internally. Challenges are faced during the recruitment and retention of highly skilled resources.
• It is difficult to keep pace with the latest security threats, vulnerabilities and changes in security technologies since the internal team has exposure to only one environment.
• Financial investment required is high and more than that of the other models.
• Adoption of the best practices will remain a challenge for the internal teams due to lack of exposure.
Build and Operate (BO) Model: In this model, SOC implementation and operations are outsourced to a security partner while the infrastructure is owned by the organisation. The pros and cons of this model are listed below.
Pros:
• Outsourcing to a specialist security company ensures constant updates and better response to vulnerabilities, threats and changes in security technologies.
• Easy adoption of the best practices since the security specialist company has a cumulative experience resulting from multiple other customer sites as well as sufficient global exposure.
• The organisation does not require resources with in-depth technical and security domain skills. Hence, overheads are not encountered during recruitment and retention.
• Focus on SOC requirements from the top management is optimized.
Cons:
• The control on security operations is lower when compared with the Internal SOC and BOT models. It depends on how well the Service Level Agreement (SLA) is structured and managed.
• The risk of service transition is very high. Taking control of services at a later stage will be a complex procedure due to the lack of skills and the understanding of processes within the organization.
• Flexibility in making changes to the services might be limited, subject to the contractual terms and agreements.
• Financial investment required is higher when compared with the MSSP and BOT models.
Build, Operate and Transfer (BOT) Model: In this model, SOC implementation and operations are co-sourced to a security partner while the infrastructure is owned by the organisation. A joint team from the organisation and the security partner manages the operations for a predetermined period of time. At the end of this period, SOC operations are transitioned back to the organisation. The pros and cons of this model are listed below.
Pros:
• The control on the respective security operations is high since it is a combined team (combination of internal and outsourced resources) for operations.
• Co-sourcing to a specialist security company ensures constant updates and better response to vulnerabilities, threats and changes in security technologies. The co-sourced model also enables internal employees to scale up simultaneously.
• Easy adoption of the best practices is possible since the security specialist company will have a cumulative experience resulting from multiple other customer sites as well as sufficient global exposure.
• Focus on SOC requirements from the top management is optimised.
• The risk of service transition is well managed in this model. It is easy for an organisation to take control at a later stage since the internal resources are acquiring the required skills simultaneously.
Cons:
• Financial investment required is higher compared with the MSSP model.
• The organization still requires resources who can scale up and acquire in-depth technical and security domain skills over a period of time. Limited overheads during recruitment and retention will also be encountered.
• Flexibility in making changes to the services might be limited, subject to the contractual terms and agreements.
MSSP Model: In this model, SOC implementation and operations are outsourced to a security partner and the infrastructure is also owned by the security partner. The pros and cons of this model are listed below.
Pros:
• Outsourcing to a specialist security company ensures constant updates and better response to vulnerabilities, threats and changes in security technologies.
• Easy adoption of the best practices is possible since the security specialist company will have a cumulative experience from multiple other customer sites as well as sufficient global exposure.
• The organization does not require resources with in-depth technical and security domain skills. Hence, there will not be any overheads encountered for recruitment and retention purposes.
• Focus on SOC operations from the top management is optimised.
• Financial investment is the lowest when compared with all the other models.
Cons:
• The control on security operations is the lowest when compared with the other options since the infrastructure is also outsourced. It depends on how well the Service Level Agreement (SLA) is structured and managed.
• The risk of service transition is the highest in this model. Taking control of services at a later stage will be complex due to the lack of skills and understanding of processes within the organisation. The technology is owned by the service provider and this increases transition complexities.
• Flexibility in making changes to the services might be limited, subject to the contractual terms and agreements.
(Source: Rajesh Gopinath, AVP and Head Presales at Paladion Networks)
THE GLOBAL CYBER WARFARE MARKET
A new study has been released that shows the leading Cyber Warfare market segments in various regions across the world. The Global Cyber Warfare Market 2011-2021 - Competitive Landscape and Strategic Insights report provides details of top companies active across the global Cyber Warfare market, together with market size and forecasts till 2021. The report provides a detailed analysis of the competitive landscape of the Cyber warfare industry. It provides an overview of key Cyber Warfare companies catering to the Cyber Warfare sector, together with insights such as key alliances, strategic initiatives and a brief financial analysis. The global cyber warfare market is highly competitive, with a limited number of large suppliers worldwide. Within the global cyber warfare market, American and European countries are among the leading defense spenders and have well-developed domestic cyber security industries, which allows them to be self-reliant.
In particular, it provides an in-depth analysis of the following:
• Global Cyber Warfare market size and drivers: Comprehensive analysis of the global Cyber warfare market through 2011–2021, including highlights of the demand drivers and growth stimulators for Cyber warfare solutions. It also provides an insight on the spending pattern and modernization pattern in different regions around the world.
• Recent development and industry challenges: Insights into technological developments in the global cyber warfare market, and an extensive analysis of the changing preferences of armed forces around the world. It also provides the current consolidation trends in the industry and the challenges faced by industry participants.
• SWOT analysis of the global cyber warfare market: Exhaustive analysis of industry characteristics, determining the strengths, weaknesses, opportunities and threats faced by the cyber warfare market.
• Global cyber warfare market-country analysis: Analysis of the key markets in each region, providing an analysis of the top segments of cyber warfare expected to be in demand.
• Major programs: Details of the major programs in each segment expected to be executed during the forecast period.
• Competitive landscape and strategic insights: Detailed analysis of competitive landscape of the global Cyber Warfare industry. It provides an overview of key Cyber Warfare solutions providers catering to the global Cyber Warfare sector, together with insights such as key alliances, strategic initiatives and a brief financial analysis.
Scope:
• Analysis of the global Cyber Warfare market size from 2011 through 2021
• Analysis of defense budget spending pattern by region
• Insights on the region wise defense modernization initiatives
• Sub-sector analysis of the Cyber Warfare market
• Analysis of key global Cyber Warfare market by country
• Key competitor profiling specifically focusing on the global Cyber Warfare market.
It comes with a hefty pricetag of $4,800 and is available from http://www.reportlinker.com
SOUTH AFRICA FACES INCREASING CYBERCRIME THREATS
Cybercrime is now posing major increased strategic risks to South African companies. Threats posed to organisations by cybercrimes have increased faster than potential victims - or cyber security professionals - can cope with them, placing targeted organisations at significant risk. This is the key finding of Deloitte’s review of the results of their CSO Cyber Security Watch Survey, sponsored by Deloitte and conducted in collaboration with CSO Magazine, the U.S. Secret Service, and the CERT Coordination Centre at Carnegie Mellon. As the trend to technical convergence and offering consumers access to corporate information, products and services continues, so the risk of disruption arises. The risk of disruption is also heightened as more services and products are offered on cell phone platforms, creating new opportunities for theft and fraud, says Nerisha Singh, Senior Manager, Risk Advisory at Deloitte. “What makes cybercrime even more serious in South Africa is that it often goes unreported by corporations. There are presently no laws or regulations that require reporting of cybercrimes. Many corporate victims simply do not acknowledge that their ‘corporate defences’ have been breached as they wish to avoid the potential loss of public faith in their institutions. This silence unfortunately assists perpetrators, as they thrive within environments of anonymity and often operate simultaneously across several geographical boundaries.”
Several additional developments have increased the opportunities for cybercrime globally, says Singh. These include:
• The proliferation of communication devices, networks and users;
• Social networking;
• The increase in online banking services, investing, retail and wholesale trading services;
• Attacks through cyber space by organised crime and terrorist organisations;
• The growth of the ‘wire mule’ phenomenon. This has seen cyber criminals gaining access to systems through the unwitting assistance of authorised users. The criminals then operate as if they were users, navigating pathways, copying data and executing transactions.
“Added to these increased risks is the present state of international economies which have caused financial hardships for many people. Resentment against employers, or pure necessity, can drive employees or former employees to cybercrime,” says Singh. These trends demand a bold response by the corporate sector, says Singh.
“Presently, many companies are either over-confident about the continued integrity of their systems, are employing ‘non-agile’ security tools and processes, or are failing to recognise cybercrimes in their IT environments. In many cases misallocation of limited resources sees only lesser threats being dealt with.” Trends emerging that demand strong, rapid corporate responses, says Singh, are:
• An increase in the frequency of cyber-attacks;
• Use of new malware and ‘anonymity’ techniques that evade current security controls;
• Perimeter intrusion detection, signature-based malware and anti-virus solutions that are rapidly becoming obsolete;
• Cyber criminals leveraging innovation at a rate that outpaces security vendors;
• A lack of effective deterrents for cybercrime;
• The possibility of industrial espionage and cybercrime intersecting to a great degree.
To counter the threats of cyber intrusions and crime, companies should make use of services that offer a multi-pronged approach to the problem of cybercrime. These include a ‘cyber compromise diagnostic’ process aimed at analysing information security event logs; a remote access compromise analysis; online application transaction analysis; and an information security control assessment.
“Forensic investigations play their part in this approach by tracking and detecting the sources of hacking attacks. Following trace-routes, if the source of the attack has an IP address, extracting the evidence required to remove electronic data from the system then follows. The evidence is then preserved for prosecutions, repairing systems and checking for other vulnerabilities exploited by hackers. The final step is an audit aimed at preventing future attacks.”
“The bottom line is that organisations must make use of cyber intelligence to develop capabilities that are able to deal with the threats they could face. Organisations must go beyond the traditional ‘detect and respond’ security functions. They must add tools that help them protect against possible threats and identify threats that could apply specifically to their companies.”
Source: Deloitte Risk Advisory
HOW SERIOUS IS INTERNET RELATED CRIME IN SOUTH AFRICA?
The Police Minister Nathi Mthethwa recently announced the South African Police Service (SAPS) Crime Statistics for the period between 31st March 2011 and 1st April 2012. When one listens to and reads through the debates on this release, this quote from an unknown author - “Facts are stubborn things, but statistics are more pliable.” - brings solace in their pliability, but still reminds us that cybercrime statistics are still not part of this release. This is a fact that will remain a growing stubborn stain on a white cloth as we continue to see a wave of technological penetration in the form of devices and services (cloud) into our homes, workplaces, schools, churches, stadiums, shebeens, etc.
Crime prevention and safety are a high priority of the SA government, and Statistics SA has begun with the Victims of Crime Survey (VOCS) 2012 to produce a VOCS series annually. Consumer fraud (26.3%) was the least likely crime to be reported, followed by robbery (excluding home robbery and carjacking) (33.1%), theft of personal property (34.4%) and assault (49.4%) in 2011. Cybercrime-related fraud was experienced through identity theft (10.9%) and Internet banking (3.5%).
In the quest to fill the gap left in these reports, Craig Rosewarne, MD of Wolfpack Information Risk, presented the findings of The 2012/3 South African Cyber Threat Barometer report at an event recently hosted at Microsoft SA together with SecureData. The programme was lined with exciting speakers, including Susan Potgieter (General Manager: Commercial Crime Office - South African Banking Risk Information Centre (SABRIC)), who talked with us about the “South African banking industry’s response to the cyber threat”. This talk was preceded by Palesa Legoze (the Department of Communications’ chief director of cybersecurity), who shared with us how the department is addressing safety and security: “All people in South Africa are and feel safe”. The Wolfpack research pointed out that, of the R2.65 billion lost, about 75% was recovered. “Based on the government’s average recovery rate of 75% and similar case study recoveries, the estimated loss figure would be approximately R662.5 million,” noted Rosewarne.
The figure above shows that Internet banking clearly stands out as the most targeted cyber service in SA, followed by e-commerce websites. That includes enterprise web portals (Internet-facing corporate websites), which are being targeted as more organisations and systems become dependent on the Internet. Bank customers, according to SABRIC, reported phishing-related losses of R92.4 million in approximately 10,000 incidents reported industry-wide. A conservative loss estimate based on other known incidents makes up the balance. With no other reliable industry stats, this is considered to be the minimum loss for this sector.
Let us also give credit to the work done by the SAPS towards the release of the Crime Statistics Overview RSA 2011/2012 so far, and as W.A. Wallis defined statistics as “a body of methods for making wise decisions in the face of uncertainty”, we also need to make wise decisions to address the negative impact Internet-related crime is having on our country’s economy. I’m talking about cybercrime, cyber espionage and hacktivism towards our government, financial institutions, online services, political organisations, law enforcement (LE), e-commerce, etc. Let’s just focus on cybercrime for now and look at the work reported to see whether we will be able to identify the gaps. The figure below shows that bank robbery in RSA decreased by 65.7% over a period of three (3) years – an average decrease of 21.9% per annum.
It was reported during the Justice, Crime Prevention and Security (JCPS) cluster media briefing on the 25th June 2012 that a total of 155 cybercrime matters were finalised during the past financial year, 2011. They noted that the majority of cases appear to involve unlawful electronic fund transfers/fraud, etc., where the password of the complainant was obtained or cloned cards were used. The conviction rate on average stands at 89%. This gives hope to the fact that “cybercrime” had been measured in FY11, and hence I trust it will be included soon in the national crime statistics.
The defence goes on about how difficult it is to generate cybercrime statistics based on the intricacies involved. Surely, if you can’t define it – you can’t measure it. Will measuring cybercrime in SA provide us with the basis for understanding improvements in the lives of the poor and ensuring that all people in South Africa are and feel safe?
In Conclusion
While it is good to see that bank robbery and cash-in-transit robbery have been going down due to the pressure from the collaboration between law enforcement and the financial sector, it’s evident from the Statistics SA data and the South African Cyber Threat Barometer 2012/13 report that the criminals are now focusing on the weaker link - the citizens. Output 8 of the Justice, Crime Prevention and Security cluster speaks to cybercrime being combated. Cyber-security remains a key priority for the JCPS, as cybercrimes have a detrimental effect on the economy and on the most vulnerable people of the country. A clear view of the cybercrime statistics will help us in understanding this emerging crime in SA and enable us to plan for its reduction. Awareness, training and proper management of security controls would therefore reduce the financial impact, firstly at a corporate level, then government, and ultimately for the national economy. The developments around the establishment of the National CSIRT by the Department of Communications in partnership with members of the JCPS are very encouraging. Collaboration with private sector establishments like SABRIC, the Internet Service Providers’ Association (ISPA), telcos (e.g. Telkom), the Information Technology Association (ITA), etc. will help in ensuring that we have a coordinated security incident picture for South Africa. Awareness and skill development across the board is key, and it’s good to see some tertiary institutions already contributing to this topic.
(Source: Dr. Khomotso Kganyago - Chief Security Advisor at Microsoft)
DID YOU KNOW?
Crafty click fraud Trojan uses left mouse click to evade detection. A new Trojan horse is shielding itself from detection by waiting to execute commands and infect a system until the victim makes a left mouse click. “Until the left mouse button is released, the code will remain dormant, making it immune from automated analysis by a sandbox.” - FireEye Inc. The new research builds on previous analysis of malware that hides itself by using mouse processes. Researchers at FireEye Inc. say cybercriminals are taking it a step further, making the malware more effective at evading detection by anti-malware technologies. It also lengthens the time it takes for security vendors to create signatures detecting the malware. Source:
3D PRINTER + DOWNLOADABLE RIFLE PLANS = MAJOR GUN CONTROL CONCERNS
San Francisco - Downloading a gun's design plans to your computer, building it on a three-dimensional printer and firing it minutes later. No background checks, no questions asked. Sound far-fetched? It's not. And that is disquieting for US gun control advocates. At least one group, called Defence Distributed, is claiming to have created downloadable weapon parts that can be built using the increasingly popular new generation of printer that uses plastics and other materials to create 3D objects with moving parts. University of Texas law student Cody Wilson, the 24-year-old "Wiki Weapons" project leader, says the group last month test fired a semi-automatic AR-15 rifle - one of the weapon types used in last week's Connecticut school massacre - which was built with some key parts created on a 3D printer. The gun was fired six times before it broke. Though no independent observer was there to verify the test, a short video clip showing the gun firing and breaking was posted to YouTube. Federal firearms regulators said they are aware of the technology's gun-making potential but do not believe an entire weapon has yet been made. Representative Steven Israel said the prospect of such guns becoming reality is reason enough for the renewal of the Undetectable Firearms Act, which makes illegal the building of guns that can't be detected by X-ray or metallic scanners. That law expires at the end of 2013. "What's chilling is that last month a group of kids used a 3D printer to actually manufacture [key parts] of the AR-15 and fire six bullets," the Democrat said. "When the [act] was last renewed in 2003, a gun made by a 3D printer was like a Star Trek episode, but now we know it's real." Even with gun control pushed to the top of the national political conversation, Wilson is steadfast about reaching his goal of making a fully downloadable gun. This weekend, he and his partners plan to print four new lower receivers - the part of the gun that includes the trigger, magazine and grip. He keeps three of these AR-15 parts in his tidy student apartment in Austin, Texas.
Technical hurdles
While saddened by the Connecticut school killing, Wilson said on Thursday that protecting the constitutional right to bear arms by giving everyone access to guns is more important in the long term than a single horrible crime. "Clearly what happened in Connecticut was a tragedy," he told The Associated Press. "Still, by affording the Second Amendment protection, we understand events like these will happen." He said he discussed with his partners whether they should suspend their effort, and they all decided it was too important to stop. Wilson acknowledged there still are many technical hurdles to creating a complete gun from a 3D printer and provided no estimate on when his goal might be reached. Special Agent Helen Dunkel of the Federal Bureau of Alcohol, Tobacco, Firearms and Explosives, which helps enforce gun laws, said the agency is familiar with Wilson's project. She didn't offer an opinion but noted there is nothing illegal about making many types of guns at home. Exceptions would be high-powered weapons like machine guns and those not detectable by airport scanners. 3D printing technology was developed for the car, aerospace and other industries to create product prototypes from the same hard plastics used in toys like Lego. Hobbyists mainly use the printers to design Christmas ornaments, toys and gadget accessories. Prices on the machines have fallen as the consumer market grows, leading to a surge in interest from people in the so-called "maker" scene. Low-end 3D printers can now be purchased online for between $1,500 and $4,000. The more high-end printers needed to make gun parts are still priced from $10,000 and up. Stratasys of Minnesota makes 3D printers. Shane Glenn, director of investor relations, said gun-making was never something envisioned for the machines. "The gun issue is something that the 3D printing industry will have to address going forward," Glenn said.
Against firearms
Right now, most people interested in 3D printing rent time on one. There are a number of businesses and co-ops in major cities that allow access to the machines for a nominal fee. At San Francisco's TechShop, which features a 3D printer for its members, "assembling firearms is strictly prohibited and our staff is trained on that policy," company spokesperson Carrie Motamedi said. Wilson acknowledged his idea has met resistance from those active in 3D printing. "The early adopters of 3D printing technology seem to be an educated, more liberal group who were against firearms to begin with," he said. Wilson said some are worried the gun project might spur regulations that will hurt or curtail their projects. Early schematics created by Wilson's group were posted on Thingiverse, a New York-based website that serves as a hub for 3D printing aficionados. After the school shooting, Thingiverse took down Wilson's links. The site's spokesperson, Jenifer Howard, said its focus is "to empower the creative process and make things for good." Thingiverse's terms of service state that users cannot use the site to share content that contributes to the creation of weapons. Wilson said the group has already posted the links on its own website.
Paul Saffo, a Silicon Valley technology forecaster who teaches at Stanford University's engineering school, said Defence Distributed's work carries on a long tradition of tech geeks using innovation to make a political point, in this case on gun control and constitutional freedoms. "If you want to get people's attention in Washington, you say something. If you want to do it in Silicon Valley, you make something," Saffo said.
Wilson said the technology exists now for a highly motivated group to make a plastic gun on a 3D printer that could avoid airport scanners. But the equipment is still too expensive for most people. "Nobody right now needs to worry about the bright teenager making a gun on a printer in their bedroom," he said.
Source: http://www.news24.com
Virtual roleplaying game helps teenagers deal with depression
SPARX is a 3D fantasy game that teaches young people with mental health issues the skills they need to boost their confidence. While the gamification of real-world tasks can help liven up dull tasks, it can also provide health benefits – as recently proven by Cambridge Consultants’ T-Haler, which monitors the user’s inhaler technique and offers pointers for improvement. Now we’ve found another example in the form of SPARX, a 3D fantasy game that aims to boost the confidence of adolescents suffering from depression. Developed by the University of Auckland, it lets players choose an avatar which they must guide through seven ‘provinces’ related to problems they may come across while experiencing mental health issues. For instance, the Volcano Province contains tasks which can help teens deal with disruptive emotions, while on another level users have to fight GNATS (Gloomy Negative Automatic Thoughts). Each level takes around 30 minutes to complete and it is recommended that players attempt one or two provinces each week. SPARX, which stands for Smart, Positive, Active, Realistic, X-factor thoughts, has already been tested among 187 young people with varying symptoms of depression, with the results appearing in the British Medical Journal. According to PsychCentral, one group was given typical treatment while the other played the game. Both groups experienced an average reduction in anxiety of around one-third, and remission rates were actually higher in the group given the game. Depression can be a difficult subject to broach, especially when it comes to teenagers, but the developers have found a way to integrate therapy into a form already popular with the younger demographic. Medical professionals: could this programme form part of your treatment? Website: http://www.sparx.org.nz
DATA BREACHES: PREVENTION IS BETTER THAN CURE
Unauthorised access to information is one of the most prevalent cyber crimes in South Africa. Data has become the lifeblood of business – from financial information to the details of a company’s customers, data is the basis of every business transaction today. Unlawful access to this information therefore poses a serious threat, and yet many businesses have insufficient safeguards to ensure that their data is secure. This will change with the enactment of the Protection of Personal Information (POPI) Bill, which is set to be enacted this year. POPI will provide comprehensive protection of information relating to the personal details of an individual, and will require that companies be careful how the information is used as well as how secure it is. “Comprehensive data handling strategies, processes and procedures as well as systems will need to be devised and implemented in order to comply with this legislation,” says Danny Myburgh, MD of Cyanre, a company specialising in cyber forensics and data recovery. “But even without a legislative requirement to manage the security of data, businesses are increasingly becoming aware of the need to protect their information, and of the potential cost of a data breach.” He explains that these costs can be extensive, and range from the easily calculable costs of notification and business loss to less tangible threats to a company’s brand and business continuity. “Criminals are perpetrating this type of crime for a number of reasons, and the effects are just as diverse. The reasons can be for financial advantage or to commit fraud, or they can be more sinister, such as extortion, or deliberately placing a firm in disrepute. Industrial espionage is as much of a motivation as disgruntled employees who want to ruin a business’ reputation, or employees who want to set up companies in competition with their employers.” The results of this are similarly wide-ranging.
From the frustration of having to evaluate how wide the damage is, to potential operational paralysis, a data breach is as significant a threat as the theft of all of a company’s physical assets. Myburgh says that there are some basic guidelines to preventing a breach, and to ensuring that business can continue should the worst happen. “Establish a comprehensive pre-breach response plan that will enable decisive action and prevent operational paralysis when a data breach occurs. Your efforts will demonstrate to consumers and regulators that your organisation has taken anticipatory steps to address data security threats. This plan can be integrated with your ICT contingency plan and should cater for internal and external breaches. But look beyond IT security when assessing your company’s data breach risks. To eliminate additional threats, a company must evaluate employee exit strategies, remote project protocol, on- and off-site data storage practices and more – then establish and enforce new appropriate policies and procedures and physical safeguards.” He adds that thieves can’t steal what they don’t have. Data minimisation is a powerful element of preparedness, he says. “The rules are simple: Don’t collect information that you don’t need, reduce the number of places where you retain the data, grant employees access to sensitive data only on an ‘as needed’ basis, keep current records of who has access to the data while it is in your company’s possession, and don’t forget to purge the data repository once the need for it has expired.” Employee education is another vital step to avoiding a data breach. “The continuing saga of lost and stolen laptops containing critical information illustrates that corporate policy designed to safeguard portable data only works when employees follow the rules. Data encryption on portable and mobile devices is a must for modern business,” says Myburgh. However, the simplest and most convenient way to prevent a data breach – and to recover should one occur - is to retain a third-party corporate breach and data security expert. Not only will they analyse the level of risk and exposure of a company, but they will be able to effectively manage the recovery process for a business, from data recovery to instituting criminal proceedings. “An evaluation performed by an objective, neutral party leads to a clear and credible picture of what’s at stake, without pressurising staff who might otherwise worry that their budgets and careers are in jeopardy if a flaw is revealed,” says Myburgh. “The true value of this approach is only evident in the worst-case scenario, however. Should a company suffer from the losses caused by a data breach, contingency plans and effective preparation can mean the difference between complete operational paralysis and a minor inconvenience.”
Source: Danny Myburgh - Cyanre
ATM THIEVES SWOP SECURITY CAMERA FOR KEYBOARD
There is a vast array of impressive, high-tech devices used to steal money from automated teller machines (ATMs). But every so often thieves think up an innovation that makes all of the current ATM skimmers look like child’s play. Case in point: Authorities in Brazil have arrested a man who allegedly stole more than USD $41,000 from an ATM after swapping its security camera for a portable keyboard that let him hack the cash machine. The story comes from a daily newspaper in Brazil. According to the paper, late last month a crook approached an ATM at the Bank of Brazil and somehow removed the security camera from the machine. Apparently, the camera was a USB-based device, and the thief was then able to insert his own USB stick into the slot previously occupied by the camera. The attacker was then able to connect a folding keyboard to the ATM’s computer and restart the machine. The newspaper story isn’t crystal clear on the role of the USB device — whether it served as a replacement operating system or merely served to connect the keyboard to the machine (it’s not hard to imagine why this could be so easy, since most ATMs run on some version of Microsoft Windows, which automatically installs drivers for most USB-based input devices). After the thief rebooted the ATM’s computer, he was reportedly able to type the value of the currency notes that he intended to withdraw. According to the story, the thief started by removing all of the R$100 bills, and then moved on to the R$50 notes, and so on.
As clever as this hack was, the crook didn’t get away. The police were alerted by the central bank’s security team, and caught the thief in the process of withdrawing the funds. Brazilian authorities said they believe the man was being coached via phone, but that the guy they apprehended refused to give up the identity of his accomplice. My guess is the one coaching the thief had inside knowledge about how these machines operated, and perhaps even worked at a financial institution at one point. These kinds of attacks make traditional ATM skimmer scams look positively prehistoric by comparison. But the sad part is that even really crude skimming devices can be very lucrative and go undetected for months.
Source: http://krebsonsecurity.com
SANS Advanced Forensics Training coming to Africa. Read more on page 39
SITE ENABLES PETS TO BE PLAYED WITH REMOTELY
iPet Companion uses robotically controlled toys to allow web users to play with sheltered cats remotely to keep them entertained. 7th December 2012 in Entertainment, Non-profit, Social cause. Technology such as the Gatefeeder has already enabled cat owners to feed their pets while they’re away. Now iPet Companion uses robotically controlled toys to allow web users to play with sheltered cats remotely to keep them entertained. Using technology provided by Reach-in, the website hosts live video streams of cat shelters in nine different locations in the US, such as the Oregon Humane Society and the Foothills Animal Shelter in Denver. Users can take control of both the camera view and remote-controlled toys placed around the room where the animals are located, for a period of two minutes at a time. Moving the toys attracts the attention of nearby cats, enabling web users to play with the animals remotely in real time. This provides entertainment for both the user and the pets, reduces the burden on staff at the shelters and – according to the company – has a positive effect on the amount of time users spend on shelter webpages, boosting donation and adoption numbers. Although it is used for animal charities in this instance, the technology is available for busy pet owners to implement in their own homes to ensure their pets don’t get bored when left alone. Could this kind of technology be used in other industries or areas? Website: http://www.ipetcompanion.com
SANS ADVANCED FORENSICS TRAINING COMING TO AFRICA
Wolfpack has partnered with the SANS Institute to bring their excellent range of hands-on security and forensics training courses to the African continent. We have already run their Computer Forensics Investigations (FOR408) course in South Africa and Kenya, with plans for more events across Africa in 2013. We are now excited to run the Advanced Computer Forensic Analysis and Incident Response (FOR508) course in Cape Town, South Africa in May 2013. This 6-day course has recently been updated and, according to the rave reviews it has been getting around the world, we just know it will be a hit here in Africa. This course focuses on providing incident responders with the necessary skills to hunt down and counter a wide range of threats within enterprise networks, including economic espionage, hacktivism and financial crime syndicates. The completely updated FOR508 addresses today's incidents by providing real-life, hands-on response tactics.
The updated FOR508 trains digital forensic analysts and incident response teams to identify, contain and remediate sophisticated threats, including APT groups and financial crime syndicates. A hands-on lab, developed from a real-world targeted attack on an enterprise network, leads you through the challenges and solutions. You will identify where the initial targeted attack occurred and which systems an APT group compromised. The course will prepare you to find out which data was stolen and by whom, contain the threat, and provide your organization with the capabilities to manage and counter the attack. During a targeted attack, an organization needs the best incident responders and forensic analysts in the field. FOR508 will train you and your team to be ready to do this work.
FOR508: Advanced Computer Forensic Analysis and Incident Response will help you determine:
1. How did the breach occur?
2. What systems were compromised?
3. What did they take? What did they change?
4. How do we remediate the incident?
Who should attend this course?
• Information Security Professionals who respond to data breach incidents and intrusions.
• Incident Response Team Members who respond to complex security incidents/intrusions from an APT group or advanced adversaries and need to know how to detect, investigate, recover and remediate compromised systems across an enterprise.
• Experienced Digital Forensic Analysts who want to solidify and expand their understanding of file system forensics, investigating technically advanced individuals, incident response tactics and advanced intrusion investigations targeting APT groups.
• Intelligence and Law Enforcement agents who want to master advanced intrusion investigations and incident response, and expand their investigative skills beyond traditional host-based digital forensics.
• Red Team Members, Penetration Testers and Exploit Developers who want to learn how their opponents can identify their actions. Discover how common mistakes can compromise operations on remote systems, and how to avoid them. This course covers remote system forensics and data collection techniques that can be easily integrated into post-exploit operating procedures and exploit testing batteries.
What tools do you receive on the training?
• SIFT Workstation Virtual Machine, used with many of the class hands-on exercises. This course uses the SIFT Workstation to teach incident responders and forensic analysts how to respond to and investigate sophisticated attacks. SIFT contains hundreds of free and open source tools, easily matching any modern forensic and incident response tool suite.
• F-Response TACTICAL:
- TACTICAL enables incident responders to access remote systems and the physical memory of a remote computer via the network;
- Gives any IR or forensic tool the capability to be used across the enterprise;
- Perfect for intrusion investigations and data breach incident response situations.
• Best-selling book "File System Forensic Analysis" by Brian Carrier.
• Course DVD loaded with case examples, tools and documentation.
For more info on this course visit: http://www.sans.org/course/advanced-computer-forensic-analysis-incidentresponse
(The South African FOR508 course in May will shortly be uploaded to the SANS portal.) To download a brochure of SANS Forensics courses please visit: http://computer-forensics.sans.org/media/courses/forensics_curriculum.pdf
Free Forensics Assessment
If you are considering doing the FOR408 course, there is a free online assessment you can do to see whether you are best suited to do FOR408 or the more advanced FOR508. Visit http://computerforensics.sans.org/training/assessment
We are running the FOR408 course in March 2013 in Johannesburg. See http://www.sans.org/event/south-africa-2013 for details on location / pricing. Please contact craig@wolfpackrisk.com directly for discount structures for groups or government employees.
AN AFRICAN-DEVELOPED AWARENESS SOLUTION: A CSIR INITIATIVE
Staying safe in cyberspace
The CSIR, in partnership with the University of Venda (UNIVEN), has created a programme to raise awareness about cyber security among novice technology users. The package covers four main streams of cyber security-related topics: physical security, malware and malware countermeasures, safe surfing, and the social aspects of cyber security. Not to be confused with a PC literacy course, the training is best described as a self-defence course for cyberspace users. The programme has already been rolled out to several South African communities, tertiary education institutions and schools.
Understanding the risks in the cyber realm
With so many people embracing the ease and speed of operating as netizens, criminal minds are quick to employ a number of tactics to exploit online activity to access information that allows access to banking, purchasing and other identity-related cyber transactions. This leaves many cyberspace users vulnerable to becoming victims of cyber scams and attacks. The Cyber Defence Research Group of the CSIR developed a cyber security awareness programme to drive greater cyber security awareness within communities. The goal of this project is to roll out effective cyber security awareness programmes within communities by means of voluntary community participation. Through published material and information sessions, the aim is to help users understand why they need to be more responsible with the information they share online through computers and smartphones – including social networks such as Twitter and Facebook.
The awareness programme looks at practical cyber security awareness tips and tricks, as well as social networking and social media. “Sharing personal information online about ourselves and those around us has become second nature, and we don’t always realise how much we are exposing. Our children, friends, partners, helpers and even colleagues have inadvertently posted pictures online, whether it is a picture of you at a team-building exercise, or a picture of your new car showing its registration number outside your house, which might also happen to have the address in bold. All this information can be used against you by cyber criminals,” says CSIR researcher Zama Dlamini. “People usually do not know that they have been victimised until collection agencies begin pursuing them to cover debts they did not even know they had, or they find they were married off to someone they don’t even know,” says Dlamini. Information that is regarded as private includes, but is not limited to, bank and credit card numbers, income, ID number, full names, street address, phone numbers, e-mail address, the name and address of children’s school, and photos.
Fun, interactive gaming sessions to drive greater cyber security savviness
The cyber security awareness programme is packaged to be simple and easy to understand, comprising modules and games. The modules are customised for different age groups to ensure relevance and better understanding of the content. Specific programmes are therefore geared to be appropriate to secondary school learners; students at further education and training colleges; technical and non-technical university students; users at community centres; educators and teachers; support staff; and learners at primary schools. Presentations are enhanced with movie clips, and posters and practical work sessions also form part of the training package. In addition, board games, computer games and playing card games are used as an even more fun and entertaining way to get the cyber security awareness messages across.
Roll-out of the awareness modules
The roll-out of the training has followed a train-the-trainer methodology to build capacity in local communities. The Thohoyandou community in Limpopo was selected as the pilot group because of its proximity to UNIVEN and to ensure that language preferences could be accommodated. Undergraduate students from UNIVEN were invited to participate voluntarily in the project as trainers.
The first intake of 17 students comprised mainly third-year computer science students, who were then required to attend a training programme at UNIVEN to prepare them for their sessions. A group leader was appointed to take responsibility for the logistical arrangements, and the students did the training, testing and handling of surveys to evaluate the effectiveness of the programme. Since the roll-out in 2010, 60 students have been trained as trainers, and more than 600 netizens have participated in community-based awareness-raising events. In June 2011 and again in June 2012, students from the University of Pretoria underwent coaching to manage awareness-raising events at schools in Mpumalanga. An important part of the roll-out is the opportunity to conduct a statistical analysis of an audience’s cyber security awareness before and after the sessions. From the first implementation, an analysis of the surveys revealed an extremely low level of understanding of the spectrum of cyber security risks, and subsequently a distinct increase in understanding and awareness following exposure to the programme. It appears that the sophistication of the tools and the malicious aims of cyber criminals can be underestimated. According to Sipho Ngobeni, also a CSIR researcher, the consequences can be far-reaching. “Once they have obtained personal information, they could perform malicious activities such as infecting your computer with malware, which in turn can lead to your computer being used as a botnet (internet-connected computers with breached security defences that are controlled by a ‘botmaster’); steal confidential information that resides on your computer and perhaps sell it on the black market; and use your computer to launch further criminal activities,” he says.
As for the cyber security awareness programme, further enhancements are already in progress. These include translation of the material into a variety of languages, and equipping the community-based teams with mobile communication tools. Contact: Zama Dlamini, e-mail: idlamini@csir.co.za
NEW (ISC)2 CHAPTER OPENS IN GAUTENG
The (ISC)2 Gauteng Chapter was officially formed on the 7th of May 2012 and currently has 138 members. Its mission is to advance information security in communities situated in and around Gauteng, and in South Africa at large, by providing members and other security professionals with opportunities for networking and professional development, and a forum for knowledge exchange.
The chapter’s goals include providing chapter members with opportunities to enhance their skills in leadership, writing for publications and public speaking, and to work with other local chapter organisations to advance information security and awareness within the local community, from children to seniors. The (ISC)2 Gauteng Chapter held its inaugural meeting on 10 October 2012, a four-hour event with 46 members in attendance. The inaugural meeting included a welcome presentation from the chapter president, Simphiwe Mayisela, and four keynote speakers covering a range of topics, such as IP version 6, security assessments and forensic investigations. The event was marketed through security forum newsletters such as ISGAfrica and CSSA (Computer Society South Africa). Event partner ITWeb (South Africa’s leading technology news website and publisher) also had the opportunity to inform members of the upcoming ITWeb Security Summit 2013. Performata and Accenture were the event sponsors. An online press release was distributed by ITWeb following the event. The next (ISC)2 Gauteng Chapter event will be held on 20 February 2013. For more details about the meeting, review the agenda on the chapter website or contact the chapter for more information.
(ISC)2 Gauteng Chapter contact information: Email: xolile.mthembu@isc2chapter-gauteng.co.za Website: http://isc2chapter-gauteng.co.za LinkedIn: http://www.linkedin.com/groups?gid=4393638& Twitter: @isc2gauteng