Cybershield Magazine - Governance, Risk and Compliance Issue

Page 1


OCTOBER IS CYBER SECURITY AWARENESS MONTH - EDITOR’S LETTER (p. 3)
CARTOON: CYBERVILLE EPISODE 3 - TARGETED ATTACK (p. 4)

INTERNATIONAL NEWS
CYBER NEWS BYTES: DEPARTMENT OF ENERGY HACKED AGAIN (p. 6)
CYBER NEWS BYTES: DR@CUL@ DEFACES 6,000 PAKISTANI WEBSITES (p. 6)
CYBER NEWS BYTES: INDIA RANKED 5TH IN PHISHING ATTACKS (p. 6)
IRISH INTERNET USERS CONNED BY HIGHLY SOPHISTICATED COMPUTER VIRUS (p. 7)
NEW ZEALAND SLOW TO RESPOND TO “INDUSTRIALISED” HACKING (p. 7)
FIVE ARRESTED FOR £500,000 ONLINE TAX FRAUD (p. 8)
U.S. SPY AGENCIES LAUNCHED 231 OFFENSIVE CYBER OPERATIONS IN 2011 (p. 9)

AFRICA NEWS
TANZANIAN BANKS LOSE BILLIONS TO CYBERCRIME (p. 10)
HACKERS ATTACK NIGERIAN ARMY COMPUTERS (p. 10)
CYBERCRIME INCREASE IN UGANDA (p. 10)
CITY OF JOBURG ONLINE INFO LEAKS (p. 10)
THE REALITY OF CYBER BULLYING IN SOUTH AFRICA (p. 11)
SAKAWA - GHANA RANKED 2ND IN AFRICA & 7TH IN THE WORLD IN CYBERCRIME (p. 12)
EVERYBODY IN AFRICA HAS BEEN A CYBERCRIME VICTIM (p. 12)
EGYPTIAN GOVERNMENT SITES DISRUPTED BY HACKERS (p. 13)
NEW CYBERCRIME STRATEGY ON THE CARDS FOR KENYA (p. 14)

LOCAL TRAINING AND EVENTS
(ISC)² CONFERENCE - 14 NOVEMBER 2013 IN JOHANNESBURG (p. 15)
CYBERCON AFRICA 2013 - 4, 5 & 6 NOVEMBER 2013 IN JOHANNESBURG (p. 16)

HOW IT’S DONE
YOUR PHONE COULD BE SNOOPING ON YOU RIGHT NOW (p. 17)
STEALTHGENIE - A SCARY PIECE OF MOBILE SPYWARE! (p. 18)
POPI - WHAT THE NEW PRIVACY LAW WILL MEAN FOR SA (p. 19)
4 STEPS TO DETECT & MITIGATE A DISTRIBUTED DENIAL OF SERVICE (DDOS) ATTACK (p. 21)

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE
INDIAN GOVERNMENT BANS GMAIL ACCOUNTS FOR GOVERNMENT OFFICIALS (p. 22)
TOP 3 CYBER BREACHES & RISKS FACING ORGANISATIONS (p. 23)

AUDITS AND ASSESSMENTS
SA BUSINESSES ARE ILL-PREPARED FOR THE HIGH RISK OF CYBER ATTACKS (p. 25)
UK BANKS TO BE TESTED ON CYBERCRIME DEFENCE (p. 26)

MANAGED SERVICES
YOU CAN’T USE 20TH CENTURY SECURITY METHODS IN A 21ST CENTURY MOBILE WORLD (p. 27)
DATA LOSS INCIDENTS IN YOUR NETWORK (p. 28)

CYBER FORENSICS AND INCIDENT MANAGEMENT
HOW THE BANKS ARE AWARE WHEN YOU HAVE BEEN PHISHED (p. 31)

AWARENESS
DATA SECURITY SHOULD BE A BOARDROOM ISSUE (p. 33)
CONCERNS OVER FAKE WEB DATING PROFILES (p. 34)
CHILD PORN IMAGES EMPLOYED BY FRESH RANSOMWARE - TARGETING INTERNET USERS (p. 35)
SIX MEN CONNECTED WITH INTERNATIONAL CHILD PORN RING ARRESTED IN SA (p. 35)
MALWARE TAPS MOBILE ADVERT NETWORK TO SIPHON MONEY (p. 36)
NOTE TO EMPLOYEES: “WAIT, DON’T TWEET THAT!” (p. 36)

OF INTEREST
DOES YOUR HANDWRITING SAY SOMETHING ABOUT YOU? (p. 37)

Cybershield magazine is a bi-monthly publication owned by Wolfpack Information Risk (Pty) Ltd. No part of this magazine may be reproduced or transmitted in any form without prior permission from Wolfpack. The opinions expressed in Cybershield are not those of the publishers, who accept no liability of any nature arising out of or in connection with the contents of the magazine. While every effort is made in compiling Cybershield, the publishers cannot be held liable for loss, damage or inconvenience that may arise therefrom. All rights reserved. Wolfpack does not take any responsibility for any services rendered or products offered by any of the advertisers or contributors contained in the publication. Copyright 2013. E&OE on all advertisements, services and features in Cybershield magazine.

Editorial address: Johannesburg, South Africa, 2055
Enquiries: Telephone - +27 11 367 0613
Advertising - sales@wolfpackrisk.com
Content - craig@wolfpackrisk.com
Design - design@wolfpackrisk.com
General queries - admin@wolfpackrisk.com
http://www.wolfpackrisk.com/magazine/


FROM THE EDITOR

October Is Cyber Security Awareness Month

October is Cyber Security Awareness Month and, as part of a nationwide effort, we will be sharing information about protecting business and personal data. In an attempt to promote cyber security in homes, schools and at work, Wolfpack Information Risk has assembled a list of online resources. This is all part of our ongoing online campaign Alert Africa (sponsored by the British High Commission) to highlight threats, provide tools to prevent becoming a victim and ultimately to serve as a contact point for each country in Africa. The goal is to promote a consistent message on cyber security education and awareness and to provide products for broad distribution. The materials include posters, cartoons, videos and other awareness material. We even have a cyber security video game launching soon. We hope you enjoy this edition of Cybershield.

Yours Securely
Craig Rosewarne
Director - Wolfpack Information Risk

Cybershield Magazine • October - December 2013 • Special Governance Risk and Compliance Edition • Page 3


CARTOON: CYBERVILLE EPISODE 3 - TARGETED ATTACK

This episode looks at a targeted attack against a company and its employees.

One afternoon in Cyberville at Slack Ethix’s workplace...

Slack was packing up to go home when he discovered a USB memory stick marked “Salary Info” on the floor near his desk.

“I’ll take it home and keep it safe and return it to HR tomorrow.”

Slack is torn between doing the right thing and his burning curiosity to look at the information.

“Maybe you were meant to find this information. Go ahead and open it!”

“It’s not ethical to look at someone else’s CONFIDENTIAL information. Return it to HR immediately.”

“It won’t really hurt anyone. I need to know what others are earning!”

His curiosity finally got the better of him! He inserts the USB into his work laptop and opens the file. (Little does he know that this is malicious software disguised as a spreadsheet file!)

Now that Slack’s computer has been hacked, cyber criminals can monitor or record all his personal computer activity...

“Let me log into my internet banking account.” [REC]

OOPS!! In addition, as this was his work laptop, all his corporate information can be compromised as well.

Think about it - any passwords, reports or emails can now be stolen by the cyber criminals.

Back at the crime boss Robin Moola’s lair...

1. Identify target company
2. Plant USB device
3. Obtain confidential info
4. Become rich

“He he he... This cybercrime business is starting to pay off.”

Msizi the meerkat on TARGETED ATTACKS: Be alert and remember you are a target! Follow these awareness tips!

- If you find any suspicious USB devices or CD/DVDs do not open them.
- Immediately hand them to information security.
- If a number of these devices are found your company may have been targeted by either criminals or unethical organisations.

For more awareness info visit www.alertafrica.com



INTERNATIONAL NEWS

Cyber News Bytes

DEPARTMENT OF ENERGY HACKED TWICE IN 2013

The United States Department of Energy (DOE) has been hacked again.

This incident has resulted in the personal details (including social security numbers) of 14,000 current and former employees being compromised. Sources say that the attackers gained access to the department’s networks by hacking into a human resources computer. However, the Department of Energy is positive that no [...] the cybercriminals and is strongly committed to protecting the integrity of each employee. An email sent out by the department read, “The Department’s Cybersecurity [...]

The department will send individual [...] obtain their current contact information. The employees will all be offered assistance on how to protect themselves against identity theft and be provided with one year of free credit monitoring.

In the earlier 2013 incident, the personal details of several hundred employees were compromised after a total of 14 servers and 20 workstations from the Washington headquarters were penetrated by cybercriminals. At the time, the main suspect was China; however, experts warned that Iran was also targeting the DOE’s systems. [Source: News Softpedia]

PAKISTANI HACKER DR@CUL@ DEFACES 6,000 WEBSITES

On August 14, when Pakistan celebrated its Independence Day, Pakistani hacker Dr@cul@ defaced around 6,000 Indian websites.

Published by the hacker was a list of close to 6,400 URLs pointing to his defacement pages, some of them leading to subdomains of the same website. Most websites belonged to commercial entities and at least one Indian government [...] of the Consulate General of India and Hong Kong. At the time of writing, the defacement page had been removed from all the websites. On August 14, Pakistani hackers defaced several other websites from [...] Police, and the personal site of Indian Minister Rajesh Tope. [Source: News Softpedia]

INDIA RANKED 5TH IN PHISHING ATTACKS

According to a report by leading IT services company EMC, India ranks as the 5th most targeted country for phishing. Phishing is the illegal act of sending e-mails purporting to be from legitimate companies or organisations in order to lure individuals into revealing personal information. [...] fraud report prepared by EMC’s security division RSA stated that 39,966 attacks had taken place in the month of May alone. EMC stated that [...]. The report added that “News on the [...]”. The US was the most targeted country, claiming 52% of the attacks, followed by the UK 11%, South Africa 6% and Canada 5%. [Source: The Economic Times]


INTERNATIONAL NEWS

IRISH INTERNET USERS CONNED BY HIGHLY SOPHISTICATED COMPUTER VIRUS

Irish internet users have been conned of millions of Euros by a [...]

[...] thugs. The scam [...] Irish [...] malicious software. In most cases, users [...] remained locked. [...] virus was developed using [...]

Users infect their computers with a [...] by clicking on what may seem to be a harmless popup or email. The scam includes a message showing up on the screen warning users that they have been unlawfully downloading or viewing material and images, and that they have to pay 150 Euro to avoid legal prosecution in a court of law. The virus also warns users that their PC has been [...] until the compensation is paid! Once the virus has been downloaded onto the victim’s computer, it blocks almost all the functions of Windows 8, Windows 7, XP and Vista.

In the worst cases, some victims innocently provided their bank and credit card details to these online scammers, who then gained access to their accounts and attempted to steal more funds.

To remove the virus:
• Press Ctrl+Alt+Del to open Task Manager and end the process of this virus.
• Remove the virus registry entries from the system.
• If the virus cannot be removed manually, use anti-virus software.

NEW ZEALAND SLOW TO RESPOND TO “INDUSTRIALISED” HACKING

A US expert stated that New Zealand businesses have been slow to respond to the global trend in automated cyber security attacks. “[...]” he added.

Andy Prow, managing director of local company Aura Information Security, agreed that New Zealand had been “[...]” with its cyber security. “[...]” Prow said. “[...]” he said.

Imperva, a US based security company, claims that [...] “[...]” added Kraynak. Kraynak stated that [...]

An example was the popular collaboration tool SharePoint, which was typically set up with security often as an afterthought.

According to the Norton report, more than 900,000 people fell victim to cybercrime in the year, costing the country $462.9 million. The most common type of cybercrime in the year was computer viruses and malware, followed by online scams and phishing.

[Source: New Zealand Herald]


INTERNATIONAL NEWS

FIVE ARRESTED FOR £500,000 ONLINE TAX FRAUD

HMRC has warned against a massive phishing attack and individuals have been [...] emails. Five members of a criminal cyber gang have been arrested on suspicion of tax fraud, after they allegedly attempted to steal £500,000 by falsely claiming rebates using the identities of 700 British citizens. The Guardian has reported that HM Revenue & Customs is investigating after it found that a group of individuals were obtaining personal details from third parties to set up false self-assessment accounts with the intention of stealing tax rebates. This investigation has led to the arrest of a 35-year-old man from Bologna at Stansted Airport, as well as four others in London and Chatham in Kent. The Italian state police in charge of investigating cybercrime stated that the man had applied for £500,000 in false rebates and had collected more than £100,000 over more than a year. After the arrest of the Italian suspect, UK [...] his apartment and removed computers.

However, Andrew Sackey, assistant director of criminal investigation, said that HMRC’s online systems proved extremely resilient to the online attacks, as they had [...] majority of false repayment attempts from the outset. Sackey added that, “These arrests [...]”

Despite HMRC’s reassurances, the arrests do highlight the rising threat of online fraud as central government departments continue to restructure their legacy systems and create new digital products for citizens, as part of the Digital by Default agenda. Ross Parsell, the director of cyber security at defence company Thales UK, said that in order for Whitehall to be successful in its digital drive, it needs to put in place secure identity assurance platforms for users. “[...]” said Parsell.

A member of the Italian communications police said: “[...]”

A recent Home Affairs Select Committee stated that the UK is losing the war on online criminal activity and that the government is too relaxed when it comes to targeting online criminals. [Source: Computerworlduk.com]

BECAUSE THE BAD GUYS NEVER SLEEP, WE NEVER SLEEP. Ah, the thrill of the hunt. Eradicating the dangers before they get dangerous. Inventing new security measures before they become necessary. At McAfee, we live and breathe digital security. Our job is to stay one step ahead of the bad guys. It’s because we never sleep, that you can sleep better.

www.mcafee.com/safe

©2013 McAfee, Inc. All rights reserved.


INTERNATIONAL NEWS

U.S. SPY AGENCIES LAUNCHED 231 OFFENSIVE CYBER OPERATIONS IN 2011

Leaked documents reveal that U.S. intelligence agencies were responsible for 231 offensive cyber-operations in 2011 alone, part of a more widespread expansion of cyber warfare in the military and intelligence communities.

This latest information was revealed in documents leaked by Edward Snowden to The Washington Post. The Post reports that [...]

Countries like [...] were explained as the [...]. The budget document, however, did not provide many other details about the ‘underground’ operations. There has been a massive expansion of the National Security Agency’s Tailored Access Operations along with the Central Intelligence Agency’s Information Operations Centre (IOC) due to the frequency of these kinds of operations.

According to added reports, a $652 million project codenamed GENIE was launched to carry out some inappropriate online activities. This was when the American operatives, according to Snowden, would hack foreign PC networks so that they can be put under surreptitious U.S. control. Under the GENIE project, specialists would remotely place [...] – advanced malicious software – on tens of [...] year.

The Post reports that the IOC has been responsible for some of the most notable offensive cyber operations and the recruitment of new intelligence sources, and many of these operations are apparently coordinated by the NSA’s Remote Operations Centre (ROC). “[...]” said an anonymous former NSA operative from another section who has worked with the so-called [...] in the past. “[...]” the individual added.

While this kind of widespread use of malware is not [...] Command teams along with the NSA’s National Threat Operations Centre and the IOC. [...] the Post reports. Given the amount of malware purchased and/or developed by [...]

According to the budget, most of the operations carried out under the GENIE program fall under the umbrella of [...] of foreign systems.

[...] from private malware vendors this year. [...] the intelligence budget summary adds. The growth of the U.S. cyber warfare effort is undeniable and it seems that it is only increasing. [...] to the Post. The budget states that almost three-quarters of the 231 offensive operations conducted in 2011 targeted countries deemed to be [...] [Source: Before its news]


AFRICA NEWS

TANZANIAN BANKS LOSE OVER 80 BILLION SHILLINGS TO CYBERCRIME

Mr Boniface Kanemba, the president of a non-governmental organisation, the ISACA Tanzania Chapter, revealed that more than 80bn shillings ($49,581,239) has been stolen from banks within East Africa through cybercrimes. Kanemba stated that Deloitte & Touche conducted research in 2012 which revealed that banks have found themselves losing more than 80bn ($49,581,239). This amount is set to increase since most African countries do not have measures to curb cybercrimes.

Kanemba told journalists in Dar es Salaam that his organisation organised a three-day seminar to educate stakeholders on how the whole issue happens and its control measures. [...] the Deputy Minister for Science and Communication Technology, Mr January Makamba, in Morogoro, and has been co-organised by NRD Company, which deals with banking information and technology systems. “The seminar will highlight the importance of proper and safe use of the information technology in the banking systems and how they can control cybercrimes not only in banks but with mobile phones too,” said Mr Kanemba.

Regarding Tanzania, he said, they do not [...] he said. [...] credibility and customers.

[Source: Tanzania Daily News]

HACKERS ATTACK NIGERIAN ARMY COMPUTERS

[...] computer systems of army headquarters in Abuja and are using one of the email [...]

Colonel John Agim of the public relations directorate said in a statement that “it has come to the notice of [...] the public.” One of the messages sent out to people with the title [...] reads: [...]

[Source: allafrica.com]

14% INCREASE IN UGANDAN CYBERCRIME

[...] indicated that there is a 14.9% surge in economic crime, rising from 9,574 cases in 2011 to 11,000 in 2012. Most cases were registered in banks, public service providers and non-governmental organisations (NGOs).

In another report launched by both the Police chief, Gen. Kale Kayihura, and criminal investigations and intelligence directorate boss Grace Akullo, in 2012 a total of 700 victims lost over sh1.2b ($464,756 000) after using tampered ATMs with skimming devices in Kampala and other areas. Cybercrime offenses, which focused on mobile money and ATM frauds, amounted to a loss of approximately sh1.5 billion ($580,945 000). According to the report, sh207 million ($80,170 000) was lost to transfers that were unauthorised by telecommunication service providers between August and November 2012.

Money obtained by false pretence was highest amongst the economic crimes listed, with 8,250 cases recorded [...] last year, and 728 cases of counterfeiting were recorded. The highest number of cases were recorded at Kampala Central Police station with 979, closely followed by Old Kampala with 607 and Katwe at 473.

CITY OF JOBURG ONLINE INFO LEAKS

According to a reporter, the City of [...] internet connection. [...] ratepayer information. [...] online, but it is claimed that the service is not password protected.

According to a report on MyBroadband, the information was discovered by an anonymous user. The online services system reveals names, addresses, account numbers, PIN codes and [...]. The anonymous user who discovered the [...]

According to another resident, the same vulnerability exists in the Ekurhuleni Municipality’s online system, but it requires a user to log in before being able to access the invoices. [Source: News24]


AFRICA NEWS

THE REALITY OF CYBER BULLYING IN SOUTH AFRICA

An academic has asserted that parents can take action when their children are bullied online. “[...]” Riaan Rudman, lecturer at Stellenbosch University, told News24.

Even though few studies have been conducted in South Africa on the issue of cyber bullying, there is evidence that suggests that the phenomenon is growing, particularly as more young people use cellphones. In a study conducted by the Centre for Justice and Crime Prevention (CJCP) in 2012 it was found that there are differences between the genders as far as exposure to bullying is concerned. “South [...]” the study says.

Most minors have access to sophisticated chat platforms online and relatively few adults are aware of the nature of conversations where users can often anonymously comment. A case in point is the platform [...] where young people across SA are exposed to negative comments and sexual solicitations. “[...]” one of the messages, which includes the sender’s phone number, reads in part. This platform has few controls in place to ensure that children are not exposed to adult sexual content. Rudman said that child safety should be paramount.

Representatives from the local platform Mxit said that the platform received few complaints on cyber bullying, but that generally girls were the target of such attacks. “[...]” Sarah Rice, Mxit vice president of Communications, told News24.

Rudman feels that social media companies are not responsible for cyber bullying. “[...]” he said.

The study suggested that phone calls were the most common form of bullying, and the research showed that this method made up 28% of bullying versus 25.6% via SMS, 12.2% via instant messages and 11.7% in chat rooms. The Protection from Harassment Act was promulgated in 2013 as an attempt to prevent bullying online, but the new law has not yet been tested to check whether it is effective. [...] language that reads, in part, “[...]” as reasonable grounds for a complaint.

PERPETRATORS

The CJCP study shows that both genders have equal chances of committing cyber bullying, due partly to the perception of no consequences for the action. “[...]” wrote authors Maša Popovac and Lezanne Leoschut. According to Rudman, educating role-players is key to limiting the impact of cyber bullying. Rather than holding ‘others’ accountable, educating scholars, teachers, parents and the like is a powerful weapon to reduce the impact of cyber bullying. [Source: News24]

GIRL, 12, COMMITS SUICIDE AFTER CYBER BULLYING

A 12-year-old girl who suffered months of ruthless cyber bullying from other girls committed suicide recently. Rebecca Ann Sedwick of the town [...] USA, jumped from a platform at an abandoned cement plant near her home on Monday, according to the [...]. Her death is the latest in an apparently growing phenomenon of youths driven to taking their own lives after suffering cruel treatment online via text and photo messaging applications. [...] the bullying of Sedwick are more than a dozen girls, Polk County sheriff Grady Judd said at a news conference Thursday. The bullying apparently started with a dispute over a boy that Sedwick had dated for a while, the New York Times reported.

According to her mother Tricia Norman, Sedwick received text messages that said things like “[...]” and “[...]”. Judd, the sheriff, said the girl was [...]. At one point, the mother had pulled her daughter out of school and transferred her to another, closed [...] and took away her cellphone. Things seemed to be getting better and Rebecca’s spirits seemed to be lifting at her new school. But she had secretly signed on to new apps such as a cellphone message application called Kik Messenger and the bullying resumed, the Times said. In Kik Messenger, Sedwick had changed her user name to “That [...]”, the Times said. [Source: News24]


AFRICA NEWS

SAKAWA - GHANA RANKED 2ND IN AFRICA & 7TH IN THE WORLD IN CYBERCRIME

Gaining a bad reputation, Ghana is ranked 2nd in Africa and 7th in the world in cybercrime. The act of cybercrime in the country is also termed “Sakawa”. This means that more Ghanaians are engaged in cyber fraud, with acts which range from hacking to using the web to solicit young Ghanaian girls for sexual exploitation abroad. According to the Ministry of Communication, about 82 cybercrimes occur in Ghana every month, an average of about 1,000 crimes a year. They are warning the public to be more cautious as the country records such increases in cybercrime. According to Deloitte & Touche IT Auditor Jesse Arthur, the lack of password policy by companies and of deterring legislation are some of the main challenges facing the country in addressing cyber security issues. [...] Mawusi is optimistic about [...] and that the department is working hard to [...] against cyber fraud.

Mawusi has explained that a laboratory for training detectives in cybercrime has been set up and that the forensic science laboratory of the police service has been equipped. He further stated that the police are gathering cybercrime intelligence at a faster pace as well as getting a unit for the public to report crime.

EVERYBODY IN AFRICA HAS BEEN A CYBERCRIME VICTIM

In a meeting held in Kigali last month, the Ministry of Youth and ICT, in conjunction with the International Telecom Union (HIPPSA), initiated a process to draft Rwanda’s data protection and cyber security policies to improve the country’s ICT legal and regulatory frameworks, taking into account the global socioeconomic and legal challenges.

[...] She stands with the [...] that everybody in Africa has been a victim of cybercrime in one way or the other, stating that, “As [...]

[...] need for a common legislation to ensure cyber security and data protection. Prof. Marco Gercke of the Cybercrime Research Institute backed Jallow’s argument and said that there were various forms of cybercrime, adding that all computer users around the world have fallen victim. He explained by saying that, “[...]”

Jallow also added that there was a need to train the police on how to investigate cybercrimes. In a statement, Jallow said, “[...]”

Emmanuel Dusenge, a senior engineer in charge of ICT Infrastructure Development, said that even though Rwanda had not registered serious cases of cybercrime, the country was on the alert. [Source: allafrica.com]


AFRICA NEWS

EGYPTIAN GOVERNMENT SITES DISRUPTED BY HACKERS

The country is becoming a war zone with several people being killed in the clashes between Egyptian security forces and pro-Morsi supporters. The violence increased when at least 60 members of the Muslim Brotherhood were reportedly killed and dozens injured in an attack on two protest camps in Cairo.

[...] distributed denial-of-service (DDOS) [...] websites of the State Information [...] of Information, the Center for Information and Decision Support Cabinet and the [...]

The announcements are accompanied by the #RabaaMassacre hashtag, which references the late-July massacre outside the Rabaa Mosque when tens of pro-Morsi protesters were shot to death. [Source: News Softpedia]

Visit us at www.nu.co.za for more information or call us on +27 11 304 6200



AFRICA NEWS

NEW CYBERCRIME STRATEGY ON THE CARDS FOR KENYA

[...] a New Cybercrime Strategy and Master Plan (NCSMP). The Master Plan is supposed to come up with a guide on how to tackle cyber security issues in Kenya. According to the Serianu Cyber Intelligence Team (CIT), who prepared the Kenya Cyber Security Report 2012:

As more Kenyans get connected to the Internet, the number of cybercrime cases is expected to rise. By the end of the 2012/13 [...] millions of shillings through cybercrime. [...] indicates that close to Sh1.5 billion ($16,825,600) was lost between April 2012 and April 2013. These are just the reported cases. A worrying trend is the growing number of instances where people’s accounts (emails/bank) and even government websites have been hacked into. Cyber bullying is also on the rise among teenagers, as well as cases of misogyny, hate speech and homophobia on social media networks. [...] crashes or they take it over completely. Hundreds of Kenyans are losing money through fraudulent online transactions where people are duped into buying goods that do not exist. [...] based in cyberspace are selling nonexistent cars to unsuspecting buyers on the cyber streets. Monitoring all aspects of information technology is impossible and will always be a challenge. In a country with civil liberties [...] some compromises will have to be made along the way. As cyberspace grows and becomes a part of our lives, the greater the need to develop strategies which will help deal with cybercriminals.


LOCAL TRAINING AND EVENTS

(ISC)² CONFERENCE - 14 NOVEMBER 2013 IN JOHANNESBURG

present: Security in the 21st Century – Threats & Trends

(ISC)² Members:
- FREE attendance
- Earn 8 CPEs

Standard Price: $99.00. Quote “Cybershield” to get a 15% discount!


LOCAL TRAINING AND EVENTS

Cybercon Africa 2013 (2nd Year)

Moving From The Cold War To The Code War

Cyber Crime | Cyber Espionage | Cyber Warfare

4, 5 and 6 November 2013, The Indaba Hotel, Fourways - Gauteng

BOOK ONLINE

About The Conference

African governments and the private sector are both extremely vulnerable to the rise in cyber threat activity across the globe. Successful international cyber security programmes are recognising the need for increased public private partnerships to deal strategically with all types of cyber threats - cyber crime, cyber espionage and cyber warfare. Cybercon Africa 2013 is a three day conference that brings together leading experts in all cyber threat fields to share their experience in preventing, detecting and responding to cyber attacks. A key focus of our event is to create an environment that will allow cyber security stakeholders to build relationships and incubate initiatives in the field of cyber threat management.

CONFERENCE CONTENT

Day 1 - Cyber Threat Management - International Expert Programme
Day 2 - Advances in Cyber Forensics Programme
Day 3 - Strategic Workshop on Cyber Threat Collaboration in Africa

"The hands-on nature of the presentations will move the conference out of the realm of the mundane lecture by placing workable, invaluable tools and techniques in the hands of delegates."

For more information please visit www.cyberconafrica.org


HOW IT’S DONE

YOUR PHONE COULD BE SNOOPING ON YOU RIGHT NOW

The world is going mobile and we can now practically do almost anything from our phones or computers. As the world goes mobile, so does cybercrime. It is claimed that 1/3 of the top security threats targeting mobile devices are spyware related.

A spyware application tricks targets into downloading it so it can gain access to personal information, which is then used for other malicious activities. Though it looks like a harmless application, spyware exists for the sole purpose of tricking you into downloading it so it can gain access to your sensitive personal information or mobile data, and transmit it to someone who will most likely use it to malicious ends. In the latest security report, [...] system and many involved suspicious URLs and mobile malware. “[...]” a number of security [...]

The spyware application can target you in a number of ways, using multiple malware features to gain access to your mobile device. It can be set up as a Trojan, which is a type of malware hidden within a legitimate application, or entice you to install an infected application through targeted phishing from a message or email sent to you, customised to increase the likelihood of you installing the infected software. Be careful next time you click on that spam email. It could be installing a slew of malware on your phone with the click of a link.

MALWARE INSTALLED ON YOUR PHONE MAY ENABLE THE FOLLOWING:
• Track your location through global positioning service (GPS)
• Record phone calls and text messages (both made and received)
• Watch and record email activity (logins and messages)
• Monitor online browsing and social media actions
• Access photos and contact information on your mobile device

Any one of the mentioned features could be used as a means of impersonating you for identity theft, spamming your friends and contacts, gaining access to bank accounts and other sensitive information online, or any number of disreputable attacks against you.

TIPS TO HELP PROTECT YOUR DEVICE FROM MOBILE MALWARE:
• Download apps from trusted sources. Look out for apps that come from suspicious URLs, as they could be installing software that will later allow a hacker to take over your phone and steal your secure data.
• Double check the permissions requested by each app before downloading. A risky app will ask for access to more than it should need, sometimes looking to gain access to all the data on your device. Most apps do not require this type of access, especially entertainment or game apps.
• Regularly change passwords to email, social media channels and other programs you access through mobile devices. [...] utilise it.
• Use caution when opting out of advertisements on free apps. The somewhat innocent act of choosing to remove ads from your apps could be unknowingly downloading malware to your phone.
• Secure your device with comprehensive mobile protection, such as McAfee Mobile Security, that scans your device for spyware [...] be accessing too much of your mobile data.

[Source: McAfee.com]


HOW ITS DONE

To On Their Phone? StealthGenie is a powerful cell phone spy and tracking piece of software that lets you monitor ALL the activities of any iPhone, Blackberry or Android phone. The application is easy to install on the phone you want to monitor and starts uploading the monitored phone’s usage information and its exact location instantly, which can be viewed by logging in to your StealthGenie user area from any computer in the world within minutes.

StealthGenie is an easy-to-install cell phone spy software that is compatible with Android, iPhone and Blackberry. Equipped with highly advanced features, it hardly takes a minute to install and begins uploading information from the target phone silently and undetectably. Just install the application onto the smartphone of the person you wish to monitor. It works in the phone’s background without disrupting or interfering with its functionality.

WITH STEALTHGENIE MOBILE PHONE SPY APP, YOU CAN:
• Listen to the calls, read the text messages, emails and messenger chats of anyone through Geo location features
• Record phone surroundings
• Access phone contacts, memos, call logs and calendar appointments
• Get a full view of internet browsing history and saved bookmarks

MOBILE PHONE SPY FEATURES YOU GET WITH STEALTHGENIE:
• Listen to phone calls live
• View sent and received SMS
• Record calls
• View call history
• View deleted SMS
• Redirect SMS
• Get access to photos
• Look at current GPS location
• Look at location history
• View address book
• View web browser history
• View calendar entries
• View bookmarks
• Look at meeting scheduler
• View task logs
• View Viber chats
• Read sent/received emails
• View Skype chats
• Read Gmail
• View WhatsApp chats
• View email contacts list
• View iMessage chats
• View BBM chats
• The phone surroundings
• Record phone surroundings
• Control panel
• Remote access
• Lock phone
• View installed apps



POPI

THE PROTECTION OF PERSONAL INFORMATION (POPI) BILL WAS DRAFTED TO PROMOTE THE PROTECTION OF PERSONAL INFORMATION PROCESSED BY PUBLIC AND PRIVATE BODIES. IT FURTHERMORE SETS OUT:
• To introduce information protection principles so as to establish minimum requirements for the processing of personal information;
• To provide for the establishment of an Information Protection Regulator;
• To provide for the issuing of codes of conduct;
• To provide for the rights of persons regarding unsolicited electronic communications and automated decision making;
• To provide for matters connected therewith.

THE CONDITIONS INCLUDE:
• Safeguarding when by a
• Regulating the manner in which personal information may be processed by establishing
• Providing with rights and remedies to protect their personal information
• Establishing the to protect rights, enforce remedies and issuing

Personal information means any information related to a person, such as his/her:
- Name, address and ID number;
- Views or opinions; and
- Information relating to the race, gender, sex, pregnancy, marital status, nationality, ethnic or social origin, colour, sexual orientation, age, physical or mental health, well-being, disability, religion, conscience, belief, culture, language and birth of the person.

Privacy Laws and Business editor, Professor Graham Greenleaf, said:


WHAT ARE THE IMPLICATIONS OF THE PROTECTION OF PERSONAL INFORMATION BILL FOR YOU?
Every organisation processes personal information, so it is an important part of business. There have been very few laws and regulations that an organisation had to comply with in regard to personal information, but that is about to change. This does not mean organisations will not process personal information, but it will have to be done in accordance with the regulatory environment. People are tired of getting unsolicited calls from call centres to their phones, and unsolicited SMSs and emails. They say they do not need Viagra (yet) and are not interested in getting a PhD (from any university, whether in South Africa or abroad). People would rather be left alone and only be contacted when they request it. Everyone wants to sleep safely at night knowing that their personal information is being protected.

WHAT DOES THIS MEAN FOR ANYONE IN BUSINESS (ESPECIALLY DIRECT MARKETING):
The Bill states that companies HAVE TO receive consent from individuals to collect, retain and share their personal information. At the moment, marketers using email and SMS to promote products may retain contact information and communicate with an individual until the individual opts out, which is an UNSUBSCRIBE on email and, for SMS communication, a reply of STOP. Until the declaration of the Bill, there has never really been an OPT-IN requirement, whereby explicit voluntary consent is required prior to marketing to an individual.

Once the Bill is given the go-ahead by President Zuma, marketers will have to obtain permission from an individual before they can obtain and retain personal information and communicate any further. approval before the communication takes place. The subscriber will still have the option to opt out, which the marketer will need to consider before sending out ads. Daniella Kafouris, a data privacy specialist at Deloitte Risk Advisory, states that if a company is reported or fails an audit, they Daniella advises companies to seek and use the services of a legal specialist to audit their current environment and to provide advice on changes that they may need to make in order to comply with legislative requirements.

information already unwittingly in the hands of marketing companies who create lists (with personal information on them) which are then sold to people who think it includes their target market. Personal information may also be scraped off websites where these details appear. Because of the frequency of unsolicited communications people receive, people often think that Scott McNealy was right when he said:

Those in social media marketing, on the other hand, may continue participating on social media. providing passive approval to communicate. If a person follows you on Twitter, you have every right to share information with them until they you. Now is the time for the serious online marketers to get their act business-to-business marketing perspective, online marketers should get out of the Marketing 1.0 mindset of broadcasting product-related information and rather embrace new media principles, which revolve around producing interesting, value-adding, topical content which your target wants to consume and share. Jonathan Houston, a digital marketing specialist, advises the following: planning your content creation and dissemination is critical.

work harder than ever, as they need to show the value as to why someone needs to part with their personal information in order for you to get them further down your conversion funnel. With regards to social media, organisations must try a different angle and look towards undergoing privacy compliance in

social media presence and essentially what you can and cannot share. Acceptable use of any online platform is certainly a privacy touch point for compliance. The new legislation should be welcomed by all. The POPI Bill is good for marketers and consumers alike. It will serve to separate the wheat from the chaff, allowing consumers to receive communication from companies they WANT to engage with, and ultimately allow citizens to have the peace of mind that the government is protecting their rights to privacy.



HOW ITS DONE

STEP 1: OVER-PROVISION BANDWIDTH TO ABSORB DDOS BANDWIDTH PEAKS
• This is one of the most common and probably the most expensive ways to alleviate DDoS attacks, especially since DDoS attacks can be ten times or one hundred times greater than standard Internet
• Alternatively, companies can use a security service to scale on
• DDoS protection services are designed to stop massive DDoS attacks without burdening businesses’ Internet connections.

STEP 2: MONITOR APPLICATION AND NETWORK TRAFFIC
• to detect when you are under an attack. That way, you can determine if poor application performance is due to service provider outages or a DDoS attack.
• anomalous behaviour, protocol violations, and Web server error codes. Since DDoS attacks are almost always triggered by botnets, application tools used should be able to differentiate administrators with instant visibility into DDoS attack status.
• Since application DDoS attacks mimic regular Web application techniques. But, by using a combination of application-level controls and anomaly detection, organisations can identify and
- Identify malicious users.
- Identify malicious requests.

STEP 3: DETECT AND STOP MALICIOUS USERS
• users can be the most effective way to mitigate attacks.
• Identify known attack sources, such as malicious IP addresses that are actively attacking other sites, and identify anonymous proxies and TOR networks. Known attack sources account for a large percentage of all DDoS attacks. Because malicious sources constantly change, organisations should have a current list of active attack sources.
• Recognise known bot agents, as DDoS attacks are usually performed by an automated client. Many of these client or bot agents have unique characteristics that differentiate them from regular Web browser agents. DDoS sources can be stopped by tools that recognise bot agents.
• By conducting validation tests one can determine whether the browser can accept cookies, perform JavaScript calculations or understand HTTP redirects; if it can, it is most likely a real browser and not a bot script.
• Limit and restrict access by geographic location. With some
• undesirable countries can be a simple yet effective way to stop

STEP 4: DETECT AND STOP MALICIOUS REQUESTS
MEASURES INCLUDE:
• Detecting an excessive number of requests from a single source or user session: automated attack sources always request web pages more frequently than standard users.
• Preventing known network and application DDoS attacks, because most types of DDoS attacks rely on simple network
TCP handshakes.
• More advanced attacks, typically application-level attacks, attempt to overwhelm server resources.
• These attacks can be detected through unusual user activity and known application attack signatures.

[Source: Imperva.com]
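Steps 2 to 4 above describe checks that can be run over ordinary web server access logs: an excessive number of requests from a single source, a rise in server error codes, known bot user agents and known attack sources. The following is an added example, not code from Imperva or from the magazine, that applies those checks to a batch of log lines and returns the sources to block. The log lines, the blocklist entry and the bot user-agent heuristics are all constructed for the example (a real deployment would feed in maintained reputation and signature lists); the thresholds are parameters you would tune to your own traffic.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta, timezone

# "Combined" access-log format: ip ident user [ts] "request" status bytes "ref" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+)[^"]*" '
    r'(?P<status>\d{3}) \S+ "[^"]*" "(?P<ua>[^"]*)"$'
)
TS_FORMAT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed "known bot agent" heuristics (step 3); illustrative, not a real feed.
BOT_AGENT_PATTERNS = [re.compile(p, re.IGNORECASE)
                      for p in (r"python-requests", r"^curl/", r"libwww-perl", r"^-?$")]


def parse_log_line(line):
    """Parse one access-log line into a dict, or return None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {"ip": m.group("ip"), "ts": datetime.strptime(m.group("ts"), TS_FORMAT),
            "status": int(m.group("status")), "ua": m.group("ua")}


def peak_requests_in_window(times, window_seconds):
    """Largest number of requests from one source inside any window of window_seconds."""
    times = sorted(times)
    best = start = 0
    for end in range(len(times)):
        while (times[end] - times[start]).total_seconds() > window_seconds:
            start += 1
        best = max(best, end - start + 1)
    return best


def analyse(lines, window_seconds=10, rate_limit=50,
            error_rate_threshold=0.2, known_bad=frozenset()):
    """Run the article's checks over log lines; return indicators and sources to block."""
    requests = [r for r in (parse_log_line(l) for l in lines) if r]
    times_by_ip, agents_by_ip, status_classes = defaultdict(list), defaultdict(set), Counter()
    for r in requests:
        times_by_ip[r["ip"]].append(r["ts"])
        agents_by_ip[r["ip"]].add(r["ua"])
        status_classes[r["status"] // 100] += 1

    # Step 4: excessive requests from a single source inside a short window.
    flooders = {}
    for ip, times in times_by_ip.items():
        peak = peak_requests_in_window(times, window_seconds)
        if peak > rate_limit:
            flooders[ip] = peak

    # Step 3: known bot agents and known attack sources (constructed blocklist).
    bot_agents = {ip: ua for ip, agents in agents_by_ip.items() for ua in agents
                  if any(p.search(ua) for p in BOT_AGENT_PATTERNS)}
    known_bad_seen = set(times_by_ip) & set(known_bad)

    # Step 2: the share of 5xx responses as an "under attack" indicator.
    total = len(requests)
    error_rate = status_classes[5] / total if total else 0.0

    return {"flooders": flooders, "bot_agents": bot_agents, "known_bad": known_bad_seen,
            "error_rate": error_rate, "under_attack": error_rate > error_rate_threshold,
            "block": set(flooders) | set(bot_agents) | known_bad_seen}


def build_sample_log():
    """Constructed sample: one normal user, one scripted client, one blocklisted
    address, and one source flooding a search page with a browser-like user agent."""
    base = datetime(2013, 10, 1, 10, 0, 0, tzinfo=timezone(timedelta(hours=2)))
    browser = "Mozilla/5.0 (Windows NT 6.1) Gecko/20100101 Firefox/24.0"

    def line(ip, offset, path, status, ua):
        ts = (base + timedelta(seconds=offset)).strftime(TS_FORMAT)
        return f'{ip} - - [{ts}] "GET {path} HTTP/1.1" {status} 512 "-" "{ua}"'

    lines = [line("203.0.113.5", 0, "/", 200, browser),
             line("203.0.113.5", 4, "/login", 200, browser),
             line("203.0.113.5", 9, "/account", 200, browser),
             line("198.51.100.7", 1, "/", 200, "python-requests/1.2.3"),
             line("192.0.2.66", 2, "/", 200, browser)]
    # 80 requests in 5 seconds; half of them overload the server and return 503.
    for i in range(80):
        lines.append(line("198.51.100.23", i // 16, "/search?q=x",
                          503 if i % 2 else 200, browser))
    return lines


if __name__ == "__main__":
    for key, value in analyse(build_sample_log(), known_bad={"192.0.2.66"}).items():
        print(f"{key}: {value}")
```

The flooding source deliberately sends a normal browser user agent, which is the case the article calls out: an application-level attack that mimics regular traffic is caught by the request-rate check rather than by agent recognition, while the scripted client and the blocklisted address are caught by the step 3 checks. The browser validation tests the article mentions (cookies, JavaScript, redirects) happen at the edge rather than in log analysis, so they are not part of this block.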



GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE

On In what appears to be a reaction to the alleged internet snooping by U.S. government agencies on users of U.S. based email services, the Indian government is said to be planning a ban on

some government ministers, use hosted email accounts as they systems. India’s IT minister, Kapil Sibal, said there is no evidence of the U.S. accessing any Internet data from India. This a step by the government to stop employees from using

of state for communications & IT Milind Deora and Kruparani Killi, email. A spokeswoman of Google India, said the company has not been informed about the ban, and hence it cannot comment on speculation. Google said in an email response. anonymity that employees turn to service providers such as Gmail as well as the bureaucratic processes that govern creation of new accounts.

revelations of widespread cyber-spying by the U.S.

service provided by India’s National Informatics Centre and will be

The IT Minister Kapil Sibal last week said, the new policy would

them from email service providers such as Gmail that have their servers in the U.S.

that are directly linked to a server in India while accessing government email services. Sibal said there has been no evidence of the US accessing Internet data from India.

said J Satyanarayana, secretary in the department of electronics and information technology. This move comes in the wake of revelations by former U.S. National Security Agency contractor Edward Snowden that the U.S. government had direct access to large amounts of personal data on the Internet such as emails and chat messages programme called PRISM.

for Internet and Society, Sunil Abraham, said he agrees with the

he said. Abraham, however, called the government’s decision a as the use of Gmail and other free email services by bureaucrats has increased in the past.

may have accessed network infrastructure in many countries, causing concerns of potential security threats and data breaches. Compliance is not certain even though the new privacy policy has been formulated. [Source: The Economic Times]



GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE

Cyber Breaches
The survey asked respondents about:
1. Business and strategic risk
2. Economic, regulatory and market risk
3. Political, crime and security risk
4. Environmental and health risk
5. Natural hazard risk
Respondents were asked to rate both the overall risk category and a number categories for both their corporate risk priorities and for the degree of their business preparedness to manage those risks. A score was calculated for each, with zero being the lowest level of priority or preparedness and ten being the highest.
• 77% of respondents represented smaller businesses with an annual turnover of US$499 million or less.
• 23% were from larger companies with annual turnover of US$500 million or more.
• Survey respondents were distributed North America (26%), Latin America (10%) and South Africa (5%).

Cyber breaches were given low weightings in the 2011 Risk Indices (not even in the top 10), which showed that many businesses were underestimating its impact. This idea has since changed. Cyber risk has moved from position 12 (malicious) and 19 (non-malicious) in 2011 to the world’s number three risk overall. This change has been motivated by cyber

denial of service and web-based attacks. It seems like businesses across the world have encountered a partial reality check about the degree of cyber risk.

In 2012 we saw the takedown of the Interpol, CIA and Boeing websites, the suspension of alternative currency Bitcoin’s

The mind boggling factor is their sense of preparedness to deal with the level of risk, which still appears remarkably complacent. With all the evidence of the past two years, businesses believe they are slightly more able to deal with the risk, with an overall preparedness score of 5.9, against the priority given to the risk itself at 5.7. In 2011, the U.S. was the only world region where the cyber threat was included in the

from professional networking site LinkedIn, the outage of the websites of six major US banks and many more.

number two risk. And yet U.S. businesses still score their preparedness (at 5.4) at a higher rate than the risk itself (at 5.1).

The number of incidents attributed to state-sponsored hacking and revenge attacks by networks is growing. So are the costs of cyber breaches. In a 2012 study by the Ponemon Institute it was found that the average annualised cost for 56 benchmarked organisations was US$8.9 million a year, up from US$8.4 million in 2011, with a range from US$1.4 million to a staggering US$46 million per year, per company. The most costly cybercrimes involved malicious code,

The EU’s Digital Agenda Commissioner, Neelie Kroes, has pointed out: “Cyber

political and ideological attacks.

and many governments have been progressing the issue over the past two years. In May 2013, Republican and Democrat senators came together in a rare agreement to propose the Deter Cyber Theft Act to stop the theft of valuable commercial data from US companies by

The survey of more than 500 of the world’s most senior business leaders also suggests executives are focusing on more pressing problems including cyber-attacks and increased material costs, rather than longer-term strategic decisions. High taxation is now seen as the number one threat to global business according to the third Lloyd’s Risk Index. Index provides an in-depth picture of how global business leaders prioritise and prepare for major risks. risk faced by business leaders after prolonged public and political exposure and debate. It has soared up the Risk Index ranking from 13th to 1st place in the last two years. Cyber security now sits fairly towards the top of the agenda for boards around the world with cyber risk moving from 12th to 3rd place in the index. Business leaders have awakened to recognise the importance of cyber security following a


The European Commission is at the same time considering proposals to ensure that companies which store data on the internet report the loss or theft of personal information, or may face sanctions. In terms of event frequency, most businesses would be wise to look closer to home for solutions. According to a report published in April 2013 by the Insurance Information Institute, employee negligence is responsible for 39% of data breaches, system glitches for 24% and malicious or criminal attacks for only 37%. That leaves nearly two-thirds of incidents caused by issues which should be within a business’ control.

As in 2011, we should question whether, despite the escalating expenses on cyber security, businesses are actually spending money on the right things. Cyber insurance specialists are offering increasingly integrated cyber products, including those that provide cover for data breach costs, forensic analysis and crisis public relations services in one package. Despite these products being highly effective in an emergency, spending money upfront on risk management – and ensuring recommendations are implemented throughout a company – might go a long way to preventing a cyber-disaster before it starts.


[Source: lloyds.com]



AUDITS AND ASSESSMENTS
South African Businesses Are

With the increased frequency and extent of cyber attacks worldwide, it is estimated that over 70% of South African

and in turn, extremely underinsured when it comes to managing

breach. Business leaders are encouraged to get very serious about managing their cyber breach risks, which should be a priority in boardrooms rather than left to IT departments to deal with in isolation. According to Jenny Jooste, account executive for professional risks at Aon South Africa, in a period where there have been spectacular cyber attacks against large organisations such as Sony, Citibank, Lockheed Martin, the UK’s National Health Service and recently 16 Hong Kong gold and silver investment and securities trading companies, it is essential that business leaders understand the level of network security threats, the consequences of those risks, and the availability of cyber insurance policies. Legislatively, the Protection of Private Information Bill (POPI), which has just been passed by parliament and is expected to be signed into South African law within months, will also make tedious demands on how a client’s personal data is managed, stored and used by a business.

The increased use of cloud computing also brings with it its own set of security challenges. According to Deloitte, people refer to cloud computing without a clear knowledge of what it is: cloud computing is really just accessing a server somewhere in the world, and it is often outside of South Africa. The reality is that most companies have no idea where their information is stored. What they do know is that they outsource to a company, but where that company sends information next, they have no idea. Organisations need to be aware of the fact that while they may be depositing their data in a public cloud, they do not transfer their risk. If any information is compromised the liability remains with the organisation, and while they may have some recourse against the cloud provider, it’s cold comfort if their reputation gets blown.

says Jenny.

The most publicised and recent security attack was on Sony, after its PlayStation Network was shut down by LulzSec. It is reported that Sony lost almost $171 million. The hack affected 77 million accounts and is still considered the worst gaming community data breach ever. The hackers stole valuable personal client information – names, logins, passwords, e-mails, home addresses, purchase history and credit card numbers. The really sad part of it all was that Sony’s losses were not insured. warns Jenny. Reports have shown that hackers earned $12.5 billion in 2011, mainly by spamming, phishing, and online fraud. Most of the attacks could have been prevented. The businesses did not just lose money; their clients, reputation and market share went down just as their data did. Millions are affected by security breaches worldwide, and court cases in this regard are stepping into high gear. The websites of 16 Hong Kong gold and silver investment and securities trading companies – with a combined estimated daily trading volume of HK$44 billion ($5 billion) – were compromised by mainland computer hackers in July this year. The hackers launched targeted distributed denial-of-service (DDoS) attacks on those websites and blackmailed the affected companies for a total of HK$563,000 ($72,589).

Servers running the targeted websites were bombarded with DDoS attacks with more incoming data than the computers could handle, effectively shutting them down. In August 2012, a wave of DDoS attacks crashed the regulatory disclosure website of Hong Kong Exchanges and Clearing (HKEx). This attack resulted in investors not being able to access company announcements. The attack also forced the suspension of shares in seven

billion), including blue-chips HSBC Holdings, HKEx itself listed debt security and 419 warrants and derivatives linked to the suspended stocks. The South African risks are no different; however, it seems that businesses are more laissez-faire in their handling of their cyber and data breach risks, despite the fact that South Africa is fast becoming a leading target for cyber criminals. There is a tendency within the South African environment to leave regulatory and security compliance until late in the game.

Local companies could soon also be forced to comply with US Securities and Exchange Commission requirements too.

nerally only respond to third party claims, certain cyber liability for the costs incurred by the policy holder to rectify and recover from the breach.

It is important for companies to consider the security implications that their businesses are exposed to. Organisations that are at high risk are those who provide technology services, and those who are heavily reliant on technological systems to provide a service.

After investigating insurance options, local businesses should ensure that information security protection measures are in place and regular tests are run to gauge effectiveness. 2011 was not the year of the hack for nothing. Yet

African businesses continue to face online threats and continue to be exploited because of poor security measures. Regardless of size or status, no business is safe from e-threats unless it includes security as a major priority.

concludes Jenny. [Source: aon.co.za]

UK GOVERNMENT:
On Cybercrime Defence

Lenders are currently being benchmarked by a joint team at the Treasury and the Bank of England on the basis of the ability of their IT systems to defend themselves against concerted attempts to steal customer information or funds. They are also looking at

attacks.

Sources from the treasury said the “cyber stress were becoming as important as the more highregulators, with banks considered to have weak defences being ordered to strengthen their security. The benchmarking is currently being compiled from information gathered during an industry-wide cyber attack exercise conducted last year, and a follow-up drill is planned for later this year.

The threat of cyber attacks was discussed at a private meeting in July by George Osborne, the Chancellor, and Mark Carney, the Governor of the Bank of England. The minutes of the meeting released last week, Mr Osborne said the problem was Believed to be facing several thousand electronic attacks every day, banks have spent hundreds of millions of pounds improving their systems to make them more secure.

Andrew Haldane warned in June that cyber attacks were now a greater risk to the banking system than the eurozone debt crisis.

of Britain’s biggest banks and that four had said that cyber attacks had become the greatest threat to their upgraded cyber attacks as one of its key risks.

said Mr Haldane. He added: Cyber threat to banks has become one of the main

Committee and has recommended that government departments and the industry work together more closely to monitor the problem. Given the security risk of revealing which lenders might be particularly vulnerable, the results of the regulator’s cyber attack benchmark of the banks are unlikely to be published. Every major bank provides online banking services to their customers; however, with this has come the individual accounts or even bringing down entire systems. The U.S. authorities revealed earlier this year that one crime gang had stolen $45m from banks in the Middle East by hacking credit card processing systems.


MANAGED SERVICES

In A Richard Broeke at Securicom advises that when it comes to choosing security solutions, companies must look for solutions that are able to evolve as old threats adapt and new ones arise to ensure the highest level of protection. Advances in technology have certainly made life more convenient in many ways - from not having to get out of your chair to change the channel on the TV to cooking meals fast in the microwave, but they have created new challenges too. IT security, like many things in the modern world, has proved to become more complicated because of technological advances. few years ago is nowhere near adequate today. Still, a lot of companies are stuck in the old way of doing things and the methodologies just do not cut it. Times have drastically changed. Back then, companies had their data where it was easily controlled. Employees sat at their workstations and went the day, data stayed where it was on a desktop equipped with adequate security within a contained and secured environment. for the most part safe. Today, it’s an entirely different story. The whole scene has shifted and continues to shift. With the mass proliferation of mobile devices, an increasinglygrowing mobile workforce and remote users, data is no longer where it used to be and it is out of companies’ control.

IN YOUR ORGANISATION: 1. Your data has left the building 2. You are not in control of it anymore - your users are 3. Your data is everywhere your employees have decided 4. If you’re still using 20th century security methods, your data is at risk

WHAT IS THE BIG DEAL? Anyone who wonders what the big deal is about having data essentially roaming freely in and out of company networks needs to ask a few questions: • Is your company at risk of non-compliance with legislation by not securing company information? exposed to unauthorised people? • Could you afford the costs of containing the leak and legal expenses? • Do you have important business information or trade secrets that you want to protect from outsiders? • Do you want your customers information shared with a competitor?

• Do you want to protect your business, your employees and your customers against fraud? • What impact would it have on your business if your business critical systems failed? People most certainly need to think about such issues because legislation places a tedious amount of responsibilities on companies to take the necessary measures to protect the information they collect, process and store. With the drafting of the Protection of Personal Information (PPI) bill, company directors could be held personally liable in the face of not taking appropriate steps to safeguard their business critical sentences among the possibilities for them. It is not only about avoiding lawsuits or even fraud but it’s about companies having control over their data and doing what they can to protect it because it is their intellectual property the lifeblood of their business.

WHERE ARE COMPANIES GOING WRONG? • Companies applying 20th century mindsets and methodologies in 21st century mobile world. an anti-virus solution were enough to protect a company’s data. • Now, companies need a more holistic and structured approach, with layers of security solutions to protect data in the most outlying places and on the diversity of mobiles devices upon which it is found, right to the core, being the network. • The truth is that securing an IT environment is extremely complex, and it’s not something that is stagnant either. Companies need to have an accurate view of their security environment and use appropriate solutions to close the loopholes, end-to-end.

PROTECTING DATA END-TO-END

• When choosing security solutions, companies must look for solutions that are able to evolve as old threats evolve and new ones arise, to ensure the highest level of protection. It is also ideal for companies to protect data end-to-end by having multiple layers of security which provide defence against threats from the outside and the inside.
• A holistic, end-to-end solution would include web security against browser-based threats such as bots and phishing, and other prevention technologies; encryption for data in transit; endpoint security; and a mobile device management solution to secure and manage portable devices. [Source: fmessentials.com]

Cybershield Magazine • October - December 2013 • Special Governance Risk and Compliance Edition • Page 27


MANAGED SERVICES

A meta-analysis of network security events at 888 companies

for 134 hours.
• In addition, over 111.7 million events from 1,494 Security Gateways were analysed using data generated by Check Point's ThreatCloud.
• ThreatCloud is a massive security database updated in real time and populated with data collected from a large network of sensors placed strategically around the globe.
• Lastly, a meta-analysis of 628 endpoint security reports from a variety of organisations was conducted.

Corporate data, an organisation's most valuable asset, is now more accessible and transferable than ever before, and the vast majority of it is sensitive at some level.
information which is not intended to be made public.
requirements, national laws, or international regulations.
In most cases, the value of the data is ranked according to competitive information. The issue of corporate data is further complicated by the fact that there are numerous tools and practices which can lead to data leakage. Some of these include cloud servers, Google Docs and the simple unintentional abuse of company procedures, such as an employee bringing work home.

• A sensitive document might be shared on a public site.
These scenarios may accidentally happen to anybody and have devastating results. Loss of sensitive data can lead to brand

be sent externally, a number of variables must be considered:
• What type of data is it?
• Who owns it? Who is sending it?
• Who is the intended recipient?
• When is it being sent?
What are the associated business disruption repercussions caused by a hyper-restrictive security policy?

THE RESEARCH FOCUSED ON ANALYSING TRAFFIC SENT EXTERNALLY FROM ORGANISATIONS:
• When emails were sent to an external recipient, a Check Point device inspected the email body, email recipients and
• Web browsing activities such as web posts and web mails were also inspected.
data types to detect sensitive data, forms and templates were
that may indicate a potential data leak to unlawful recipients.
organisations of the selected companies had at least one event


which may indicate a potential data loss occurrence over a 6-day average period.

organisations were at the highest risk of potential data loss. In many cases internal emails sent outside the organisation lead to data loss. This may occur unintentionally through employees sending email communications to the wrong recipients.

THE RESEARCH LOOKED AT TWO TYPES OF EMAILS THAT MAY INDICATE SUCH INCIDENTS:
1. most cases, seemed to be internal but actually left the company.
2. The second type consisted of emails sent to several internal recipients and a single external party. Such emails were usually sent unintentionally to a wrong external recipient.
One or both of these types of events were found in 28% of the organisations examined.
Data that employees send to external recipients or post online.

Credit card information led the list, source
registered second and third respectively. Other information included salary compensation information, emails marked
bank account numbers.

IS YOUR ORGANISATION PCI COMPLIANT?

Staff members routinely send their own and their customers' credit card numbers over the Internet. Employees often send customer payment receipts that contain credit card information as email attachments. They reply to customer emails that contain credit card information in the original email body text. At times, employees even send spreadsheets with customer data to private email accounts or to the email addresses of business partners. Credit card number related incidents resulted from broken business processes or employees' lack of attention and awareness. Such cases may indicate that the corporate security policy does not meet the objective of promoting secure and careful use of corporate property. Moreover, sending credit card numbers over the Internet is not compliant with PCI DSS requirement 4, which mandates that cardholder data must be encrypted during transmission across open, public networks.
result in a damaged corporate reputation, lawsuits, insurance claims, cancelled accounts, payment card issues and

from organisations and scanned the content of all message parts, including attachments and archives. We also searched for emails containing credit card numbers or cardholder data. The inspections were based on regular expressions, validation of check digits, and PCI DSS compliance regulations.
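The two recipient patterns above and the credit-card inspection just described (regular expression plus check-digit validation) in one small content-inspection routine, added here as an example; it is not Check Point's code or from the article. The internal mail domain, the addresses and the "lookalike domain" heuristic are assumptions; the card numbers are the publicly known Visa and Mastercard test numbers.

```python
import re
from dataclasses import dataclass

# Constructed example: the organisation's own mail domains (an assumption,
# not a value taken from the article).
INTERNAL_DOMAINS = {"example-corp.co.za"}

# Candidate card number: 13 to 19 digits, optionally separated by single
# spaces or dashes, and not embedded in a longer run of digits.
PAN_CANDIDATE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


@dataclass
class Finding:
    rule: str
    detail: str


def luhn_valid(digits: str) -> bool:
    """Check-digit validation: True if the digit string satisfies Luhn."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:  # every second digit from the right is doubled
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_pans(text: str) -> list:
    """Return the Luhn-valid card numbers in text, separators removed."""
    candidates = (re.sub(r"[ -]", "", m.group()) for m in PAN_CANDIDATE.finditer(text))
    return [digits for digits in candidates if luhn_valid(digits)]


def mask_pan(pan: str) -> str:
    """Keep the first six and last four digits for the incident record."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def looks_internal(addr: str) -> bool:
    """Heuristic (assumption): an external domain that shares an internal
    domain's first label, e.g. example-corp.com next to example-corp.co.za."""
    label = domain_of(addr).split(".")[0]
    return any(d.split(".")[0] == label for d in INTERNAL_DOMAINS)


def inspect_message(recipients, body, attachments) -> list:
    """Run the checks over one outbound message. attachments maps filename to
    text already extracted from it (document/archive extraction is assumed)."""
    findings = []
    internal = [r for r in recipients if domain_of(r) in INTERNAL_DOMAINS]
    external = [r for r in recipients if domain_of(r) not in INTERNAL_DOMAINS]

    # Email type 1: an address that seems internal but actually leaves the company.
    for r in external:
        if looks_internal(r):
            findings.append(Finding("lookalike-domain", r))

    # Email type 2: several internal recipients and a single external party.
    if len(internal) >= 2 and len(external) == 1:
        findings.append(Finding("single-external-recipient", external[0]))

    # Cardholder data in any message part going outside the organisation
    # (PCI DSS requirement 4: no cleartext card data over open public networks).
    if external:
        for pan in find_pans(body):
            findings.append(Finding("pan-in-body", mask_pan(pan)))
        for name, text in attachments.items():
            for pan in find_pans(text):
                findings.append(Finding("pan-in-attachment", name + ":" + mask_pan(pan)))
    return findings


def recommended_action(findings) -> str:
    """Block cardholder data outright; let the user confirm or discard a
    possibly misdirected message (user remediation); otherwise allow."""
    rules = {f.rule for f in findings}
    if rules & {"pan-in-body", "pan-in-attachment"}:
        return "block"
    if rules & {"lookalike-domain", "single-external-recipient"}:
        return "ask-user"
    return "allow"


def example_message():
    """Constructed sample: two colleagues plus one lookalike external address;
    the card numbers are the publicly known Visa/Mastercard test numbers."""
    recipients = ["bob@example-corp.co.za", "carol@example-corp.co.za",
                  "dave@example-corp.com"]
    body = "Hi all, receipt attached. The customer paid with card 4111 1111 1111 1111."
    attachments = {"receipt.txt": "Order 1234567890123\nCard 5555-5555-5555-4444\n",
                   "phone.txt": "Call +27 11 304 6200"}
    return recipients, body, attachments
```

The 13-digit order number and the phone number in the sample are deliberately left in to show that the regular expression alone over-matches and the Luhn check is what keeps false positives down.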




Results also indicated that within 36% of organisations, at least one event was found during the analysis period which showed that PCI-related information was sent outside of the organisation.
usually obligated to be compliant with PCI regulations, at least one PCI-related event had occurred.

HIPAA

HIPAA is a Privacy Rule that provides federal protection for personal health information and grants patients an array of rights with respect to that information. The Privacy Rule is balanced and permits the disclosure of personal health information needed for proper patient care and other important purposes. With reasonable safeguards applied, the HIPAA Privacy Rule permits healthcare providers to use email to discuss health issues with their patients. Encryption is not mandated, but other safeguards should be applied to reasonably protect privacy.
monitored from organisations while scanning all parts of messages and attachments, searching for emails containing patient private information, for example social security numbers and related medical terms such as CPT, ICD-9, LOINC, DME and NDC terms.
and insurance organisations, HIPAA Protected Health Information was either sent outside of the organisation to an external email recipient or was posted online.

SECURITY RECOMMENDATIONS

• With data losses increasing worldwide, organisations need to take action to protect sensitive data.
• Implementing an automated corporate policy that catches such incidents before the data leaves the organisation would be the best solution to prevent unintentional data loss. Such solutions are known as Data Loss Prevention (DLP). Content-aware DLP products have a broad set of capabilities and present organisations with multiple deployment options.

DATA CLASSIFICATION ENGINE

• A critical component of a DLP solution should be high accuracy in identifying sensitive data.
• The DLP solution must be able to detect compliance-related data, for example
business data.
• The DLP solution should inspect content
widely used TCP protocols, including
extension or compression format.
• The solution must also be able to conduct
• Additionally, the DLP solution must be able to identify and protect sensitive forms,
form matching.
• The ability to create custom data types
vendor's out-of-the-box data types is an important feature of a DLP solution.

ALLOW USERS TO REMEDIATE INCIDENTS

• Traditional DLP solutions can detect,
cannot capture the user's intention behind the sharing of sensitive information.
• Technology alone is not enough, because it cannot identify this intention and respond to it accordingly. Hence, organisations must adopt a quality DLP solution that engages users in order to achieve optimal results. This may be achieved by using an approach that empowers users to remediate incidents in real time.
• The DLP solution should inform the user that his or her action may result in a potential data leak incident. This gives the user the choice to discard the message or to continue sending it.
• This methodology improves security by raising data storage policy awareness and alerting users to potential mistakes in real time. This approach allows quick self-authorisation of legitimate communications. As a result, the security administrator can track DLP events for analysis without having to personally attend to each external data send request as it happens.

PROTECTION AGAINST INNER DATA BREACHES

• The ability not only to control sensitive data leaving the company, but also to inspect and control sensitive emails sent between departments within the same company, is an additional important DLP capability.
• Policies can be employed to prevent
departments. Examples of data that might need protecting from accidental interdepartmental leakage include:
resource documents, mergers and acquisitions documents or medical forms.
requirements such as:
information?
• Who can send it?

DATA PROTECTION FOR ENDPOINT HARD DRIVES

• Securing laptop data must be done as part of a comprehensive security policy. Outsiders can obtain valuable information through lost or stolen computers when hard drive data is not secured; this can
• A strong solution should prevent unauthorised users from accessing information by encrypting the data on all endpoint hard drives, including user data,

DATA PROTECTION FOR REMOVABLE STORAGE DEVICES

• To minimise and stop incidents of corporate data being compromised via USB storage devices and other removable media, encryption and prevention of unauthorised access for these devices are required.
such as music, pictures, and documents
portable media. This makes corporate data even more challenging to control.
• By encrypting removable storage devices, security breaches can be minimised in case the devices become lost or stolen.
• Business documents are regularly
applications, sent to personal smartphones, copied to removable media devices and/or shared externally with business partners. These actions place sensitive data at risk of being lost or used inappropriately. A security solution must be able to enforce a document encryption policy and grant access exclusively to authorised individuals in order to secure corporate documents.

OCCURRENCE MANAGEMENT

• Management should ensure that DLP rules meet the organisation's data usage policies and are accompanied by quality monitoring and reporting capabilities.
• To reduce the potential for data leakage in an organisation, the security solution must include monitoring and analysis of real-time and historical DLP events. This gives the security administrator a clear and broad view of the information being sent externally and its sources, and it also provides the organisation with the ability to respond in real time if necessary.

[Source: checkpoint.com]



CYBER FORENSICS AND INCIDENT MANAGEMENT

DIGITAL FORENSICS CASE STUDY:

banks have policies in place that protect them, simply because it is impossible to insure the billions of rands kept in all those accounts. Those policies – part of the internet banking terms and conditions – stipulate that users need to ensure the security of their login
if you have been reckless with your internet banking credentials,
been careless with their credentials.

The malware would sit and log activity when users typed in passwords and details for internet banking. In some of those cases, banks could compensate clients for money that they had lost. It would still be up to the banks to determine whether negligence was an issue, and who was at fault. However, there are cases that require more extensive investigation. In a case that needs extensive sleuthing, technicians can bring up deleted information in email archives as well as internet browsing histories. Through this, and many hours of connecting the dots, they can pinpoint the exact moment when a user clicked on a phishing link in an email.

reached critical mass, and due to the high technical nature of
When users are presented with this information they often recall the circumstances under which they clicked the links and entered their details – honest mistakes, caused by having a busy day or being distracted while working, said Myburgh. In such cases the

help investigate.
expertise in digital crimes and forensics. Most of the victims were certain that their computers were free of malware, and others insisted they had never once clicked on a link in a phishing email. The banks send the computers of those affected to Cyanre's team of data forensics analysts to get the real answers. By taking this stance, an independent body that adheres to international standards could review the evidence without bias. The following actions were taken on the computers: drives were cloned in a clean environment, where the source drives had none of their data
malware. Cyanre's managing director, Danny Myburgh, says that in 15 to 20% of cases it is possible to run up to four different virus – more than reasonable, for the average computer user. Even then, the analysts dug deeper and found malware that had gone undetected.

being careless with their login credentials.
records, no matter how hidden or obscure, that solve the mystery. In every investigation the outcomes are published for peer
expertise in presenting evidence in the high courts. Any evidence collected and analysed still has to comply with the ECT Act, which has provisions for the submission of digital evidence. In due course, clients can also get a copy of the report. Myburgh points out that while banks are not obliged to, they are still assisting clients
cases of fraud.



SIM-SWAP FRAUD

• The scam begins after information is retrieved through the traditional phishing email, whereby a person enters their banking details on a fraudulent website after clicking on a link in an email. Once those details are obtained, fraudsters have a victim to target.
• With the victim's credentials captured, it was a matter of exploiting a (now-plugged) loophole in a provider's SIM-swapping procedure. This allowed a third party to apply for a SIM swap without the person who owns the phone number being present, or even needing to give consent for a SIM swap to take place.
• In turn, this gave fraudsters control of their victim's phone line – the same number that would receive a one-time password (OTP) when logging in to internet banking.
• With both the bank details and phone number secured, scammers could then log in using the banking credentials, receive the OTP and transfer money without the account holder being aware.

TOOLS OF THE TRADE

• With some of the tools used in digital forensics, investigators can mirror the computer hard drive of a client that is being investigated, to ensure forensic consistency. A write-blocker tool aids in the mirroring of hard drives without manipulating any data on the source hard drive. By plugging in the source drive, with the data that needs to be analysed, it will copy that drive in its entirety to a new hard drive. The new drive can be treated as normal while investigators search
internet histories, received emails, and password-encrypted
operating system on a hard drive. This way they can scan for viruses, use applications on the computer, and sift through data evidence.
• Mobile phones are increasingly involved in digital crimes, and the mobile toolkit comes with everything needed to rescue (or search for) data on mobile phones. Almost all phones can have their memory banks read by this machine, except for iPhones, which have high-end hardware encryption.

[Source: htxt.co.za]


AWARENESS

user, you are at risk. Cybercrime has

Comprehensive data handling strategies, processes and procedures as well as systems need to be devised and implemented in order for companies to ensure they remain protected, and in the event of a breach, effectively managing the recovery process – from data recovery to instituting criminal proceedings – is just as important.

business that makes millions of dollars annually for worldwide perpetrators.

contact a forensic expert?

every computer user is at risk. If you are visible on the web, then you are a potential victim. Whether you are a multinational corporation with hundreds of

Preserving the integrity of your data is a continuous struggle. Organisations may find that just when they think they have an impermeable system in place, a new threat comes onto the scene. A single computer or an entire network can be compromised in a number of ways, with different degrees of data loss. In addition to malware, spyware, trojans and other devices used by hackers, a system crash or the corruption of data leads to the same result: valuable information going missing or being misused. The threats to data are not limited to attacks from external sources. Cyber criminals today target employees, not technology. With some security measures becoming increasingly effective, criminals have found that the only point of entry to a company's network is through an employee. In addition, the mobility of employees and company data presents a growing challenge. It is advisable for organisations to treat digital security the same way they treat their corporate governance and brand protection, and make it a boardroom issue. Most businesses assume that because they have security software installed on their PCs, they are protected. However, the threat landscape is growing exponentially, and the rising threats are coming from every angle.

• Most executives think that corporate criminal activities involving computer systems are the work of outsiders, fraudsters and hackers, but often these unlawful activities happen from within the organisation.
• Criminal activities that occur within organisations are mainly committed by disgruntled or former employees, or employees who have been recruited by syndicates. These individuals can steal information, either to sell to competitors or to use to commit fraud. If an organisation discovers that such crimes have been committed, it should call on the expertise of computer forensic investigators. Wikipedia describes computer forensics as

Through various techniques and
to scrutinise the digital environment in a forensically and lawfully sound manner
analysed, and then presented in a factual and consistent manner that stands up in a court of law. While forensic investigations are not necessary in every case involving computer crime, below are some scenarios where it is essential to call on the expertise of forensic investigators.

INFORMATION THAT HAS BEEN DELETED

• Many fraudsters think that they can cover their tracks by deleting crucial information, such as emails, logs and browser history. Computer forensic experts are able, through sophisticated tools and techniques, to recover information from hard disk drives even after the information has been deleted.
• Deleted information on a computer hard drive resides in unallocated space on the disk, and even if a disk is physically
or even brute force, it is sometimes still possible to retrieve vital evidence from these drives.

INFORMATION THAT HAS BEEN STOLEN

• While stealing information is as easy as 'copy and paste', these actions leave traces on computers that can be discovered by forensic experts.
• Information can be stolen by physically
information by gaining access to the computer network via the internet.
what and when the information was accessed, copied or downloaded. This is particularly useful when former employees make off with company intellectual property such as sales lists, supplier

INFORMATION THAT HAS BEEN USED FOR FRAUD

Because business fraud involves complex accounting practices in billing and accounting software, it requires high-level forensic expertise to uncover exactly how the virtual books have been created. Cyanre has a team of experts that specialises in the detection of business and accounting fraud, to uncover inconsistencies in large amounts
years.

[Source: cyanre.co.za]



Some dating sites have been found to be swarmed with fake people to pay a subscription to a Scottish internet dating company. Evidence has found that Cupid plc dating sites seemed
subscribe. The Information Commissioner said it appeared to breach data protection laws and wants to investigate
of celebrities. In other cases web dating employees are even asked to communicate with clients and pretend to be from another city to keep them interested. Cupid plc, one of the UK's biggest online dating companies and Edinburgh-based, denied using fakes and
Internet dating is an industry worth about £2.5bn a year globally and there are an estimated 1,500 online dating sites in the UK alone. Cupid plc generated revenue of £81m last year.

undercover. She applied for a job with Cupid plc as a motivation manager. Tuchynska said:

analysts, about 5.7m people in Britain used the sites last year. Cupid plc hired auditors earlier this year, after users told a BBC 5 live investigation they had lots of messages when they signed up to the sites as free users, but when they paid up, interest rapidly tailed off. Cupid commissioned KPMG to look at working practices, and conducted interviews with staff in Edinburgh and Ukraine. The report found that were a problem but said there was no evidence of use of fake The BBC was still contacted by Cupid daters complaining of

of a man called James from Glasgow, to see how many of the people who approached were real. Kristine based in London. The woman behind Kristine told the

was fake.

The programme contacted Cupid plc and said with regard to the contact from genuine users. Cupid plc stated that: Cupid described Ms Tuchynska’s allegations as “ They said a review earlier this month by their auditors KPMG found:

found employees on the sites users.

to

Cupid says it has now replaced the motivation teams with dating advisors

The investigation also found its
with a woman called Kaz B. However, Kaz B is Karen Bartke, a Scottish actress who has appeared on primetime BBC shows. Karen said:

of scammers. Most of Cupid plc’s work is conducted in Ukraine where journalist Svitlana Tuchynska from the Kyiv Post newspaper went


[Source: BBC News]


AWARENESS

Experts at Sophos have found a ransomware sample, which

The malware becomes active as soon as any end-user accesses the Internet
displays one screen that locks the web browser, while
Criminal Cops of Germany. The scammers show apparent child porn images together with the victim's location, full name and age, and claim they were seen on the target's computer.
According to Senior Technology Consultant Graham Cluley from Sophos,
he commented. As the target clicks along, the ISP and Internet Protocol address of the end-user are displayed on the lock page. An active webcam image shows the end-user operating his PC, provided the hardware exists on the system. Instructions follow telling the end-user (target) he can unlock his computer by
Sophos reported the latest ransomware scam to the authorities,
actively prevents potentially offensive material on the Internet from

suggested how somebody who was nowhere near searching for child porn pictures could unexpectedly encounter them. According to her, the adult content that Internet users usually watched was quite different from anything associated with children. Smith said they had received reports of people expressing their anguish regarding what they had viewed. The organisation's reporters explained precisely how the crime occurred so its analysts could track it down whilst adopting measures against the pictures of children being sexually exploited, she concluded.

Six men allegedly linked to an international child-pornography ring have been arrested in parts of South Africa.

The case includes links to Canada, the United Kingdom, the United States, Western Europe and Australasia.

Carletonville, a school principal from Nelspruit, a lawyer from Lichtenburg, a Pretoria dermatologist and a North West businessman.

to have been groomed to have sex with each other and adults. The images are believed to have been generated overseas, and police – with the help of their international counterparts – are investigating whether children from South Africa participated.

Another 26 people are still being investigated and more arrests are imminent, police told the publication. Police also raided several homes at the weekend in KwaZulu-Natal. Police spokesman Lt-Gen Solomon Makgale stated that,

Police overseas were also investigating if any of the children were murdered. The six accused face several charges including child-pornography manufacturing, possession and distribution. [Source: citypress.co.za]



AWARENESS

To Siphon Money
a mobile ad network to siphon money from their victims. The mobile ad networks open up the perfect backdoor for downloading code. This has
This new method represents another step in the evolution of mobile malware, which is booming thanks to large shipments of smartphones. In legitimate partnerships between ad distributors and developers, the latter (developers) embed the former's software development kit (SDK) into the app, so it can download and track ads in order to split revenue. Unfortunately, how well developers vet the ad networks on their side varies from one app maker to another. If the developer does not care or simply goes with the highest bidder, then the chances of siding with a malicious ad network are high. Williamson, a senior security analyst at Palo Alto Networks, stated that one such network's SDK was embedded in legitimate apps provided through online Android stores across Asian countries such as Malaysia, Taiwan and China.
(APK) and runs it in memory where the user cannot easily discover it. The APK waits until another app is being installed before triggering a popup window that seeks permission to access Android's SMS service. Once installed, the APK takes control of the phone's messaging service to send texts to premium-rate numbers and to download instructions from a command and control server.
Williamson said. Because of the effectiveness of the latest malware, it is expected that criminals will in future use the same scheme to download more insidious malware capable of stealing credentials for online banking and retail sites where credit card numbers are stored. [Source: csoonline.com]

The risk in not complying with social media ethics has resulted in some individuals losing their jobs or undergoing disciplinary procedures.

down as a sensitive topic, especially in South Africa where there are high challenges of the pandemic. Steven Ambrose, Managing Director of Strategy Worx, told eNCA that typing a thought onto a social network gave users a false sense of security.
he said. He addressed the permanence of the internet domain, as well as the immediacy and absence of context on social media platforms. Employees should be aware that when they post information on social media networks, they are indirectly representing their company. Any misconduct may cost the company and cost the employee his or her job.
added Ambrose. He said there are consequences for inappropriate behaviour by an employee in the public domain, regardless of their personal capacity, which is assumed to be detached from the company.

As a way of avoiding misconduct, he said

and rather

[Source: enca.com]


OF INTEREST

Since we were children, we have heard myths about how handwriting has a direct correlation to our personalities. Statements such as:
• If your handwriting is messy then you must not be smart or care about being presentable.
• If you write big you must be loud, and if you write small you must be quiet.
However, when it comes to character nothing is ever black and white in regards to the human condition. If these myths were true I would be a recluse with no friends, little self-esteem and poor hygiene.

like artwork and text tell some truth about an artist or writer, handwriting will tell some truth about the person who put the pen to paper. We all want to know ourselves better and honestly the better you do the more successful you will be. Be more self-aware and you will be more aware of the people around you. [Source: dailyinfographic.com]






