BUSINESS GUIDE TO CYBERSECURITY Innovation & Technology MARCH 2022
CREDITS
Publisher: Jacques Breytenbach
Editor: Rodney Weidemann (rodneyw@copygen.co.za)
Sub-editor: Tristan Snijders
Head of design: Beren Bauermeister
Designer: Jaclyn Dollenberg
Production & client liaison manager: Antois-Leigh Nepgen
Group sales manager: Chilomia Van Wijk
Key accounts manager: Elri Klee (elri.klee@3smedia.co.za)
Bookkeeper: Tonya Hebenton
Circulation manager: Nomsa Masina

CONTRIBUTORS
Editor
Name: Rodney Weidemann Job title: Owner Company: The Copy Generation https://www.linkedin.com/in/rodney-weidemann-32ba601/
Why cybersecurity matters
IDAM: New security options – 2FA, biometrics, zero trust and other ways of improving security Name: Glenn Noome Job title: Director Company: Smart Integration https://www.linkedin.com/in/glenn-noome-7231b03a/
Name: Yotasha Thaver Job title: Research analyst Company: International Data Corporation (IDC) https://www.linkedin.com/in/yotasha-thaver-1b047274/
Name: Sabelo Xaba Job title: Enterprise solutions manager: Infrastructure Company: Ulwembu Business Services https://www.linkedin.com/in/sabelo-xaba-6a26661a/
Payment fraud can kill your business
N-S and E-W security + microsegmentation
Name: Ryan Mer Job title: CEO Company: eftsure Africa https://www.linkedin.com/in/ryan-mer-ca-sa-48628554/
The future of cybersecurity – World of 2030
Name: Ritesh Guttoo Job title: Cybersecurity lead for Africa, India and Middle East Company: EY https://www.linkedin.com/in/riteshguttoo/
Remote working
Name: Ralph Berndt Job title: Director: Sales and Marketing Company: Syrex https://www.linkedin.com/in/ralph-berndt-00a5b09/
Social engineering and ransomware – SME danger
Name: Kate Mollett Job title: Senior director: Africa Company: Commvault https://www.linkedin.com/in/kate-mollett-8795a535/
Setting up secure home infrastructure
Name: Shaun Gordon Job title: Chief security officer Company: Duxbury Networking https://www.linkedin.com/in/shaun-gordon-b8a94359/
Understanding cybersecurity terminology
Name: Carlo Bolzonello Job title: Country lead Company: Trellix SA https://www.linkedin.com/in/carlobolzonello/
IDAM: Physical and cloud – design, automation, data hygiene Name: Andre Lombaard Job title: Technical manager: Security Company: Datacentrix https://www.linkedin.com/in/andre-lombaard-71783019b/
Name: Patrick Assheton-Smith Job title: MD Company: Symbiosys IT https://www.linkedin.com/in/patrick-assheton-smith/
Backup and disaster recovery
Name: Andrew Cruise Job title: CEO Company: Routed https://www.linkedin.com/in/andrew-cruise-b5568a/
Most likely attack vectors and new threats
Name: John McLoughlin Job title: CEO Company: J2 Software https://www.linkedin.com/in/j2johnmcloughlin/
Dedicated security specialist or managed services? Name: Nathan Desfontaine Job title: Cybersecurity executive Company: CyberSec Consultants https://www.linkedin.com/in/ndesfontaines/
Security training and education
Name: Gabriel Le Roux Job title: Specialist account manager Company: ESET Southern Africa https://www.linkedin.com/in/gabrielleroux22/
PoPIA, GDPR and GRC
Name: Adam Philpott Job title: Chief revenue officer Company: Trellix SA https://www.linkedin.com/in/adamphilpott/
Distribution coordinator: Asha Pursotham

PUBLISHED BY Novus Print (Pty) Ltd t/a 3S Media, Production Park, 83 Heidelberg Road, City Deep, Johannesburg South, 2136. PO Box 92026, Norwood 2117. Tel: +27 (0)11 233 2600. www.3smedia.co.za

NOTICE OF RIGHTS AND DISCLAIMER
BUSINESS GUIDE TO CYBERSECURITY, INNOVATION & TECHNOLOGY. Information and statistics have been taken from publicly available documents, research and interviews, and may or may not reflect the exact numbers and statistics applicable at the time of going to print. All rights reserved. This publication, its form and contents vest in Novus Print (Pty) Ltd t/a 3S Media. Reg. No. 2003/021005/07. No part of this publication, including cover and interior designs, may be reproduced or transmitted in any form or by any means without permission in writing from the publisher, nor be otherwise circulated in any form other than that in which it is published. The publisher obtained permission for the use of images that are protected by copyright. The views contained herein may not necessarily reflect those of the publisher or editor. While every precaution has been taken in the preparation and compilation of this publication, the publisher, editors and editorial contributors accept no responsibility for errors, omissions, completeness or accuracy of its contents, or for damages resulting from the use of the information contained herein. While every effort has been made to ensure that no copyright is infringed, Novus Print (Pty) Ltd t/a 3S Media, its directors, publisher, officers and employees cannot be held responsible and consequently disclaim any liability for any loss, liability or damage, direct or consequential, of whatsoever nature and howsoever arising.
CYBERSECURITY 2022
CONTENTS
01 Editorial: Contributors
02 Contents
05 Note from the Publisher: When Verticals Become Horizontals
06 Terminology: Cybersecurity 101
08 CISOs & CEOs: Thought Leadership on the Role of a Modern-Day CISO
10 Critical Role of Cybersecurity: Why Cybersecurity Matters: A Brief History of Malicious Intent
12 ESET: The SME's Cyber-defence Strategy
16 Payment Fraud: Payment Fraud Can Kill Your Business
18 Governance, Risk & Compliance: GRC and Security: An Alliance for Every Company
20 Cyber-resilience: The Rising Tide of Malicious Threats
22 Identity & Access Management (IDAM): Why You Should Have Zero Trust if You are in the Cloud
24 ALTRON ARROW: Prevent Compromised File Uploads Threatening Your Business
26 Microsegmentation: The Importance of East-West Security
29 Security is an Investment: What to Consider When Buying Cybersecurity Solutions
30 IDAM – New Security Controls: A Digital World Requires Digital Access Management Solutions
33 CYBEREASON: Three Questions to Ask About Ransomware Preparedness
34 Social Engineering & Ransomware: When Your Data is Held to Ransom
36 Backup & Disaster Recovery: Staving off Disaster – What to Know About Backup and Disaster Recovery
38 Importance of Security Training: Training is the Best Defence
40 Future-proof Your Business: The Future of Cybersecurity
42 Working Remotely: Cybersecurity in a Remote Working World
44 Working From Home: Setting Up and Maintaining a Secure Home IT Infrastructure
NOTE FROM THE PUBLISHER
When verticals become horizontals

Gone are the days of business disciplines such as HR and finance being seen as the exclusive functions and responsibilities of HR practitioners or financial managers and directors. Whether a CEO, MD or GM, any business leader driving a competitive company has enough knowledge of both HR and finance not only to facilitate growth and deliver ROI but also to contain business risk. IT is no different.

In fact, companies where C-suite executives are actively involved in ICT strategy – and not only understand their ICT structure but carefully develop their IT infrastructure – benefit directly from the competitive advantages of IT investment and the deployment of technology. The conversation is not restricted to an annual anti-virus renewal discussion with the ICT officer; it is much more about reputation management. Well-executed ICT infrastructure first of all offers a secure environment – protecting confidentiality, privacy, data, intelligence and intellectual property – and, beyond that, distinct competitive advantages such as the ability to make fast, high-quality decisions based on that intelligence, better customer service, better pricing models and improved efficiencies. Quite simply, technology has made the business environment more agile and responsive.

The speed and scale of digital transformation have placed ICT and IT security at the centre of most businesses. It is therefore imperative that business leaders and decision-makers upskill themselves to understand critical security concepts such as payment fraud, spyware, cyberattacks, password cracking, OTI, malicious software, adware, cyberwarfare, phishing, spoofing, spamming, whaling, VPNs, firewalls, Trojan horses, attack vectors and many more. If you are a C-level decision-maker stuck in a mindset where IT infrastructure is a grudge purchase rather than a competitive investment, don't be surprised to find you and your business irrelevant sooner than expected. Join the movers and shakers by understanding and deploying ICT measures – and specifically cybersecurity – throughout every part of your business.

This publication offers the business leader enough information to engage meaningfully with your ICT officer or IT manager. Business is about securing and managing the balance between opportunity and risk; investment and return; yin and yang; security and vulnerability. Needless to say, Covid-19 and the working-from-home model that followed have disrupted businesses permanently. Change creates opportunity, but it also cultivates risk. As much as change is certain, so is cyber-risk. Cybervillains are a lot more sophisticated and often a step ahead. Cybersecurity has to be top of mind for all C-level decision-makers.

We have set ourselves the goal of producing a Business Guide to Cybersecurity as a first attempt to open communication between the IT department or external IT supplier and the business leader or decision-maker. IT is about much more than compliance and good corporate governance, and about more than just disaster recovery. We trust you will find the content of this publication useful and hope it serves as a catalyst to consolidate the verticals and horizontals in your mindset and your business strategy. Cybersecurity is a necessity, not a luxury.
TERMINOLOGY

Cybersecurity 101

Attack vectors: The different routes and techniques cybercriminals use to get into your networks and compromise devices – a phishing email, an exposed remote-access service or an unpatched application, for example
Vulnerabilities and exploits: A vulnerability is a weakness in a system, process or person that can be abused; an exploit is the code or technique a criminal uses to take advantage of it and get around your security
Bots/botnets: A bot is malware that places an infected device under remote control; a botnet is the network of such hijacked devices, directed by the attacker to carry out spam campaigns, DDoS attacks and other crimes
Malware: Malicious software of any kind, including viruses, worms, Trojans, spyware and ransomware
Trojan horse: A file, link or application that appears safe and useful but carries a hidden malicious payload
Worm: Malware that replicates and spreads across networks on its own, without needing a user to open anything
Phishing: An attacker masquerades as a reputable entity or person in email or another form of communication in order to distribute malicious links or attachments, or to harvest credentials
Spyware: Software designed to secretly monitor a person's actions on a computer, such as logging keystrokes to capture passwords and other critical data
Rootkit: A set of software tools that lets an unauthorised user keep control of a computer system while hiding from the operating system and from security software
Ransomware: Malware that encrypts your files or locks you out of your own systems until you pay the criminal a ransom they determine – one of the fastest-growing forms of cybercrime
White/black hat: Signifies good intent versus bad intent. White-hat hackers test a company's systems with permission in order to demonstrate weaknesses to the board; black-hat hackers break in for their own gain
Multifactor authentication (MFA): An authentication method that requires two or more different kinds of proof before granting access – something you know (a password), something you have (a phone generating one-time PINs, or a hardware key) and/or something you are (a fingerprint). A username and password together still count as a single factor
Biometric security: Unlike a password you must remember, your body – fingerprint, iris or face – becomes the key
Zero trust: An approach that trusts no user or device by default, whether outside or inside the network. Every request must be authenticated, authorised and continuously validated before access to an application or data is granted
Social engineering: The use of deception to manipulate people into divulging confidential information or taking an action, such as approving a payment, that benefits the attacker
Whaling: Phishing aimed at a C-level executive or senior board member, typically designed to get the victim (or the staff who act on their instructions) to perform a secondary action such as initiating a wire transfer
Low and slow attack: A stealthy attack in which the criminal gains access, hides inside the environment and, over weeks or months, quietly exfiltrates critical data from the organisation
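The phishing, whaling and social engineering entries above describe warning signs that can be checked mechanically before a human ever reads the message. The following is an added example, written for this guide and not taken from it or from any vendor it names: a small Python triage script that parses a raw email and flags the tell-tales a mail gateway or help desk would look for. The domain in TRUSTED_DOMAINS and both sample messages are constructed for illustration and refer to no real organisation.

```python
"""Heuristic phishing/whaling triage over raw email headers and body.

Added example for the Cybersecurity 101 glossary; not code from the guide or
from any vendor it mentions. TRUSTED_DOMAINS and the two sample messages are
constructed assumptions.
"""
import email
import re
from email.utils import parseaddr
from typing import List

# Assumption: the company's own mail domain(s). Replace with yours.
TRUSTED_DOMAINS = {"example.co.za"}

# Digits attackers swap in to build look-alike domains (examp1e, 0ffice ...).
CONFUSABLES = str.maketrans({"0": "o", "1": "l", "3": "e", "5": "s", "7": "t"})

# Pressure and money words that, together, mark a wire-transfer lure.
LURE_WORDS = ("wire transfer", "urgent", "confidential", "payment", "bank details")


def canonical(domain: str) -> str:
    """Normalise a domain so look-alikes collapse onto the brand they mimic."""
    d = domain.lower().translate(CONFUSABLES)
    d = d.replace("rn", "m").replace("vv", "w")   # exarnple -> example
    return re.sub(r"[^a-z]", "", d)                # drop dots, hyphens, digits


def levenshtein(a: str, b: str) -> int:
    """Edit distance between two strings (insert, delete, substitute)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def domain_of(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower() if "@" in addr else ""


def is_lookalike(domain: str) -> bool:
    """True if the domain imitates a trusted domain without being one."""
    if domain in TRUSTED_DOMAINS:
        return False
    return any(levenshtein(canonical(domain), canonical(t)) <= 1 for t in TRUSTED_DOMAINS)


def analyse(raw: str) -> List[str]:
    """Return a sorted list of warning codes for one raw RFC 5322 message."""
    msg = email.message_from_string(raw)
    findings = set()

    from_name, from_addr = parseaddr(msg.get("From", ""))
    from_dom = domain_of(from_addr)
    reply_dom = domain_of(parseaddr(msg.get("Reply-To", ""))[1])

    # 1. Display name carries an address whose domain is not the real sender's.
    m = re.search(r"@([\w.-]+)", from_name)
    if m and m.group(1).lower() != from_dom:
        findings.add("display-name-spoof")

    # 2. Sender domain is a look-alike of our own domain.
    if is_lookalike(from_dom):
        findings.add("lookalike-domain")

    # 3. Replies silently go somewhere other than the apparent sender.
    if reply_dom and reply_dom != from_dom:
        findings.add("reply-to-mismatch")

    # 4. The receiving server recorded an SPF/DKIM/DMARC failure.
    if re.search(r"\b(spf|dkim|dmarc)=fail", msg.get("Authentication-Results", "").lower()):
        findings.add("auth-failed")

    # 5. Wire-transfer lure: two or more pressure/money phrases in subject or body.
    body = (msg.get_payload(decode=True) or b"").decode(errors="replace")
    text = (msg.get("Subject", "") + " " + body).lower()
    if sum(w in text for w in LURE_WORDS) >= 2:
        findings.add("wire-transfer-lure")

    return sorted(findings)


# Constructed sample: a routine internal message.
LEGIT = """From: Thandi Dlamini <thandi@example.co.za>
To: finance@example.co.za
Subject: March expense report
Authentication-Results: mx.example.co.za; spf=pass smtp.mailfrom=example.co.za; dkim=pass

Hi team, the March expense report is attached for review. Thanks, Thandi
"""

# Constructed sample: a whaling attempt impersonating the CEO to the CFO.
WHALING = """From: "ceo@example.co.za" <ceo.office@examp1e.co.za>
Reply-To: exec.desk@mail-relay.example-payments.net
To: cfo@example.co.za
Subject: Urgent - confidential payment
Authentication-Results: mx.example.co.za; spf=fail smtp.mailfrom=examp1e.co.za; dkim=none

I am in a board meeting and cannot take calls. Please process an urgent wire transfer
to the supplier bank details below today. Keep this confidential until I confirm.
"""

if __name__ == "__main__":
    print("legit  :", analyse(LEGIT))
    print("whaling:", analyse(WHALING))
```

Run as a script, the routine internal email produces no findings and the whaling message trips all five checks. Heuristics like these are a first filter, not a verdict: an attacker who registers a clean look-alike domain and publishes valid SPF and DKIM records for it will pass the authentication check, which is why staff training and out-of-band verification of payment instructions still matter.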
CISOs & CEOs
THOUGHT LEADERSHIP ON THE ROLE OF A MODERN-DAY CISO CYBERSECURITY IS NOT JUST AN IT ISSUE, BUT A BUSINESS CONCERN
Cybersecurity for large corporates demands a modern-day security specialist that is both an IT expert and a business-savvy specialist. Itumeleng Mogaki speaks to Nathan Desfontaines, cybersecurity executive at CyberSec Consultants, about the chief information security officer’s importance.
It is no secret that individuals and companies are constantly under attack in what has come to be called cyberwarfare. That constant pressure makes it necessary for large corporates to have not only a dedicated security specialist, a chief information security officer (CISO), but one who sits at executive level and on the board – expanding the role well beyond a technical specialist who spends their time fighting the villains of the web. With this in mind, the CISO really needs to understand business risk, not just IT risk. After all, an effective information security programme can only be achieved through an integrated approach that takes into account the people, processes and technology of information security while remaining risk-balanced and business-based.

The success of an information security programme has as much to do with people and processes as with technology. To this end, a security team responsible for the management and oversight of information security is crucial, and recruiting a strong CISO is one of the most important tasks in an overall strategy to protect your business and critical data. The threat landscape continues to grow in sophistication, and well-funded, highly organised adversaries keep capitalising on inadequate defence and remediation strategies. Protecting an enterprise and preparing for current and future threats requires a great deal of expertise, planning and timely, targeted action. The fight against cybercrime has become steadily harder.

Irrespective of a company's size or industry, having someone who can establish and facilitate comprehensive, risk-based cybersecurity strategies and processes that protect critical data and systems is critical.

C-suite decisions
Organisations often rely on existing internal IT professionals who are focused on operations. They have little experience in performing a risk assessment and then implementing its recommendations to solve complex business problems. The CISO advises the executive team on how the organisation needs to meet the security requirements of doing business in its industry. The CISO also oversees a team that together has a view of the risks facing the enterprise, and puts in place the security technologies and processes needed to minimise those risks. They should be empowered to communicate risks to decision-makers and to act independently when necessary, backed by a mandate to advocate for investment and resources so that security practices receive appropriate attention. The role grows in importance with every breach, vulnerability and incident. Security threats have become far more aggressive in the last few years and range from individual 'hacktivists' to organised criminal cartels.

Size does not matter
In a perfect world, every company would have a CISO. The role has become critical to the operation of an organisation regardless of industry and size; however, an SME may not be able to justify a dedicated CISO. In those cases, it can make sense for an existing executive to take on the CISO's responsibilities and lean on external consultants for targeted guidance and expertise. Appointing a full-time CISO may be cost-prohibitive for many companies, and it can be difficult to attract and retain people with the level of both cybersecurity and business expertise the role demands. Instead, plenty of organisations lean on IT managers to fold security into existing IT processes, which often results in fragmented policies and problems with support and adoption, leaving systems and organisations vulnerable.

As an alternative, virtual CISOs are becoming a viable option for companies that do not have a full-time security executive on staff, and the arrangement often delivers both economic and strategic advantages. Remember that companies produce more data than ever, and knowing where it all is forms the first step to securing it. A virtual CISO can identify what data needs to be protected and determine the impact – regulatory, financial or reputational – that compromised data would have. A virtual CISO also offers an unbiased, objective view and can untangle the complexity of a company's IT architecture, applications and services; determine how plans for the future add complexity; identify and account for the corresponding risk; and recommend security measures that will scale with future demand.

For many organisations – especially those that share a great deal of data internally – their own potential vulnerabilities may not be obvious at first glance. Virtual CISOs can identify both internal and external threats, determine their probability and quantify the impact they could have on the organisation. Obviously, an organisation without much sensitive data may have a far greater risk tolerance than a healthcare provider or a bank. A virtual CISO can also coordinate efforts to examine perceived and actual risk, identify critical vulnerabilities and build a clearer picture of risk exposure to inform future decisions.

Cybervillains are a lot more sophisticated and often a step ahead
Big businesses are increasingly digitised and, as a result, exposed to greater cyberthreats that can inflict financial and reputational damage on even the most resilient of companies. As cybersecurity grows more complex, organisations of all sizes – especially those in regulated industries – need a security specialist with both technical and business acumen who can address these challenges and ensure that the technology and processes are in place to mitigate security risk. Virtual CISOs bring a wealth of expertise on regulatory standards; they can implement processes to maintain compliance and offer recommendations as the applicable rules and regulations change. As organisations continue to embrace digital transformation, a virtual CISO is a viable way to maintain the security posture needed to succeed while keeping a mindful eye on budgets.
QUALITIES OF A MODERN CISO
• Executive presence: The CISO should have the executive presence to represent the organisation's position on information security effectively, and the ability to influence executives. They need to identify and assess threats, then translate the risks into language executives understand.
• Business knowledge: The CISO needs to understand business operations and the critical data the organisation is trying to protect, view operations through a risk-versus-security lens, and implement controls that minimise both risk and business disruption.
• Security knowledge: A CISO must be able to understand complex security configurations and reports from a technical perspective, and then translate the relevant technical details into language other executives can understand.
INTERVIEWEE’S PROFILE Nathan Desfontaines, cybersecurity executive at CyberSec Consultants, is a highly sought-after and equally qualified cybersecurity practitioner and trusted advisor. He currently consults as a subject matter expert on cybersecurity, security governance, information privacy and regulatory compliance.
CRITICAL ROLE OF CYBERSECURITY
WHY CYBERSECURITY MATTERS: A BRIEF HISTORY OF MALICIOUS INTENT Cyberattacks and cybersecurity have grown and developed as IT has become increasingly integral to business operations. This struggle has been ongoing since the early days of the IT industry.
According to the International Data Corporation (IDC), the 1990s brought the first widespread virus outbreaks, as well as the first polymorphic viruses – code that changes its own appearance with every copy while keeping the underlying algorithm intact, in order to evade signature-based detection. One of the best-remembered names from that era was 'Good Times', which circulated as an email warning that a message with the subject line 'Good Times' would wipe the entire hard disk if opened. No such virus existed: Good Times was a hoax, but it was forwarded by millions of worried users and showed how quickly fear spreads through email.

The growing threat of real viruses paved the way for companies such as Symantec and McAfee to build the commercial anti-virus industry. Early anti-virus was signature-based: it could only recognise malware whose fingerprint it already held, so every new variant required a signature update, and full scans consumed a lot of computing power. During 1995/96, viruses evolved further and posed new challenges for the products already on the market. Many people were also introduced to spyware, although the intention of early spyware was to monitor activity rather than disrupt the computer. Gibson Research released one of the first anti-spyware programs in late 1999. What started as something fairly new turned catastrophic as the number of new viruses and malware samples grew from tens of thousands a year in the early 1990s to increases of around five million a year by 2007.

In the 21st century, malware has evolved to the point that governments deploy it as a cyber-weapon. Stuxnet is one example: it targeted the industrial control systems running Iran's uranium-enrichment centrifuges. The 2010s brought numerous high-profile breaches. Cybercrime had evolved to the point where it compromised the security of countries while costing companies many millions of dollars. Cybercriminals were, and are, becoming smarter and more vicious.

A constantly changing picture
In recognition of these newer threats, many larger corporate and financial companies have made the necessary changes, investing in cybersecurity solutions and managed services: multifactor authentication (MFA), firewalls, endpoint protection, access management, risk and compliance management, encryption, IDS/IPS, anti-virus, DLP, DDoS mitigation, vulnerability management and disaster recovery. Some of the larger companies have built a cybersecurity team under a chief information security officer (CISO) to monitor systems and possible threats; however, many smaller companies still see cybersecurity as a luxury rather than a necessity.

Since criminals keep getting smarter, anti-virus companies have moved from purely signature-based detection to next-generation approaches, and cybersecurity companies more broadly have improved their offerings to address current threats. Next-gen cybersecurity combines several approaches to increase detection of new and previously unseen threats while reducing false positives. It typically involves:
- MFA
- network and file behavioural analysis – identifying malicious files or traffic by deviations from normal behaviour rather than by a known signature
- threat intelligence and update automation
- real-time protection – also called on-access scanning, background guard, resident shield or auto-protect
- sandboxing – running a suspicious file or URL in an isolated environment and observing what it does before it reaches a user
- forensics – reconstructing attacks so that security teams can close the gaps before the next breach
- backup and mirroring
- web application firewalls (WAF) – filtering attacks such as cross-site request forgery (CSRF), cross-site scripting (XSS), file inclusion and SQL injection
- access management
- penetration testing
- awareness and cybersecurity training for all employees.

Did you know? Since 2013, Africa has been the fastest-growing region for cybercrime, from both an attacker and a target perspective. In 2016 alone, Symantec observed 24 million malware incidents targeting Africa. Recent target industries include mining, healthcare and financial services. Cybercrime will keep evolving and become more vicious with every passing year; early detection is the best defence.

These are the tactics enterprises are now deploying. It is vital to have a cybersecurity team constantly monitoring systems, whether in-house or through a managed service. Many enterprises have realised that cybersecurity is a need, not a want. However, most organisations in Africa still lack an appreciation of its importance, and the related skills. The impact of a serious breach can include:
- loss of revenue running into the millions
- serious reputational damage
- lawsuits, if important and confidential client details are stolen
- loss of intellectual property
- downtime – a breach can take the company's website or systems offline
- online vandalism, where criminals deface the company's website
- the cost of recovering from the breach
- compromised safety of employees, in some cases to the point of being life-threatening.

Critical security measures to have in place
According to the IDC, to secure your organisation as well as you can, you should seriously consider implementing the following:
- employee cybersecurity training
- regular software updates
- anti-virus and anti-malware programs
- strong passwords and MFA
- endpoint protection
- VPN
- firewalls
- a unified threat management (UTM) system
- a spam email filter
- device encryption
- constant monitoring of servers
- limited access to critical information, enforced through effective access management
- constant backing up of data
- a secure Wi-Fi network.

It is as important to invest in cybersecurity as in sales and marketing. Many businesses are rightly focused on making money and providing a good service, but keeping their data safe and protected is just as important. Many organisations only realise this after they have been breached – when it is, by definition, too late – whereas earlier investment could have prevented the breach. In many cases employees are behind the breach, so employers should also be careful about who has access to what information. Today, an effective cybersecurity system is like a house alarm and burglar bars in South Africa – a need, not a luxury.
SOME KNOWN INCIDENTS OF THE 21ST CENTURY INCLUDE:
• 2012: The hacker known as 0xOmar claims to have published the details of more than 400 000 credit cards online
• 2013: Edward Snowden, a former CIA employee working as an NSA contractor, leaks classified information from the US National Security Agency
• 2013/14: Attackers break into Yahoo, compromising the accounts and personal information of all three billion of its users; Yahoo was later fined $35 million by the US Securities and Exchange Commission for failing to disclose the breach to investors
• 2017: WannaCry ransomware infects more than 230 000 computers in a single day
• 2020: Repeated DDoS attacks force New Zealand's stock exchange to halt trading on several consecutive days
ESET
THE SME’S CYBER-DEFENCE STRATEGY If you are an SME, your company faces many of the same security challenges as a large corporate – but without the same type of budget. Here’s how to prevent your small to medium business from falling victim to cybercrime. By Carey van Vlaanderen, CEO, ESET Southern Africa
W
hen reading the news, it is easy to assume that hackers almost exclusively target large corporations. Of course, there is a reason why these attacks so often make the headline news – this is because, when they do occur, the resulting data breaches or ransom figures are so large that they cannot be ignored. However, the fact is that SMEs are actually the more frequent targets. In fact, some reports indicate that more than 60% of all data breach victims are businesses with fewer than 1 000 employees. It has also been estimated that more than half of SMEs go out of business within six months following a hack. This demonstrates that avoiding a breach by effectively securing your company against cybercrime
12
C YB E R S E C U R I T Y 2 0 2 2
has become a critical component to business success in the SME space.
Troubling statistics It goes without saying that most SMEs do not typically have the advanced threat detection and security infrastructure deployed in
It has also been estimated that more than half of SMEs go out of business within six months following a hack. This demonstrates that avoiding a breach by effectively securing your company against cybercrime has become a critical component to business success in the SME space.”
large businesses, which is something hackers are quite well aware of. They understand that it is far easier to break into 10 businesses with almost no security than a single large and near-impenetrable company. While the payouts may be smaller, in the end, their final total will make such an effort well worth it. Unfortunately, IT security solutions are often seen as an avoidable operating expense – much like insurance, they are often a grudge purchase – but this is only until something goes wrong. ESET research indicates that 69% of SMEs either do not have sufficient security budget, enough in-house expertise or, in some cases, both. In fact, it highlights that 20% – one in five of these businesses – have no security at all. Furthermore, SME operations are often more relaxed, with less control over endpoint protections like employee passwords, which are the cause of 63% of data breaches. Now, more than ever, with staff working remotely and digital connectivity at an all time high, small to medium businesses need to take meaningful measures to protect their data, activity and systems.
The solution
So what is the solution for organisations with large security demands, but small security budgets? Installing the first (and, often, least expensive) anti-virus program you find is not enough. In today’s highly connected world, a robust, companywide cybersecurity policy is essential. This policy should outline your organisation’s cybersecurity defence strategy, which should include what assets must be protected, the threats to those assets, and the security controls required to mitigate such threats. Documenting these points ensures that you – and your business – approach cybersecurity comprehensively and efficiently. Here are some important points to consider:
• Security systems: Outline which controls are implemented and the threats they address, such as anti-virus software and firewalls. These controls are essential and, today, there are many cost-effective products on the market specifically designed for SMEs. Include guidelines on how updates and patches will be applied, such as how regularly browsers and operating systems will be updated. Software providers regularly release patches to fix identified vulnerabilities, and these should be implemented as soon as possible.
• Training: A chain is only as strong as its weakest link and it can take just one mistake from an unassuming employee – whether an executive or an intern – for criminals to gain access to your systems. Your policy should outline how employees will be trained in identifying suspicious situations and protecting confidential data. It should also address what happens when an employee doesn’t follow protocol. In most cases, staff error isn’t an isolated incident, but rather a sign that training isn’t adequate.
• Remote access: Employees’ home connections are usually less secure than internal company networks. As such, these employees should either be supplied with secure equipment and networks, or prevented from accessing sensitive company information. The solution will depend on the company’s unique situation.
• Password requirements: Weak passwords are one of the biggest security threats, so system-generated password requirements or password rules are essential. These should contain a combination of at least eight upper- and lower-case letters, numbers, and special characters.
• Backups: Company data must be backed up regularly, and preferably encrypted with multifactor verification access, so that work can continue if systems are compromised.
With the groundwork of a carefully thought-out policy in place, it simply becomes a matter of adhering to and enforcing it. The pay-off is the peace of mind that – even though you may be small – your company’s assets, and the employees who rely on them, are as safe as they can possibly be.
Carey van Vlaanderen, CEO, ESET Southern Africa
2022’S MOST DEMANDING IT ROLE – THE REMOTE IT SECURITY EXPERT With remote work more the norm than the exception in a post-Covid world, providing effective security under such circumstances has become – in a word – complex. By Steve Flynn, director: Sales and Marketing, ESET Southern Africa
In a post-Covid world, ‘going to the office’ is not what it used to be – today, the phrase could just as likely mean home or a coffee shop as it might the more traditional office space. It could even be a combination of all of the above. This has made managing devices more complicated because, for many of today’s workforce, the line between home devices and office devices itself is blurred. Unfortunately, most people lean more towards efficiency than security. Typically, in an office-based environment, IT administrators can manage the hardware and software on the network more closely, while the hybrid-work scenario changes all of that. This makes limiting the use of devices to a single network and protecting them far more complex. The challenge is compounded by the growing threat of cybercrime. The global ESET Threat Report for the first half of 2021 showed a rise in threats targeting remote workers. And as employees blend remote work with office time, these threats are set to increase. Unfortunately, the reality is that the more time employees spend out in the field on potentially unsafe public Wi-Fi networks, the higher the potential risk of becoming a victim of cybercrime. And, with almost 60% of SMEs stating they’d not be able to recover from the financial impact of a data breach, these risks can be ill afforded in today’s challenging operating environment. Businesses thus need to ensure that employees enjoy the same level of protection, whether they’re using their devices at home or through any other connection – even their mobile devices.
Smarter protection
ESET’s consumer offering, which includes the ESET Smart Security Premium product, boasts a host of new features and improved protection across devices, including mobile phones. At the forefront is LiveGuard, which provides an additional proactive layer of protection against new and unknown threats cropping up in the landscape. LiveGuard employs technology initially built for businesses to safeguard their diverse networks from both known and never-before-seen types of threats.
In essence, you could call it enterprise-grade security for regular users. A cloud sandbox pulls suspicious files – whether downloaded by web browsers, email services like Microsoft Outlook and Mozilla Thunderbird, or extracted from archives or USB drives – to a secure cloud platform for analysis first. This virtually eliminates the chance of infecting the device and those on the network it connects to, and allows for safe migration between networks whether at home, the office, or anywhere in-between. Equally threatening are malware and ransomware – for good reason. Ransomware attacks continue to evolve to catch unsuspecting users. LiveGuard protects against these sorts of threats regardless of the ‘gift wrapping’ they come in. This offers the person in the business with the most demanding role – the corporate IT security expert – a perfect-fit solution that significantly lowers the risk of your employees unintentionally introducing malware or other threats into the business network simply because of their need to work remotely.
Steve Flynn, director: Sales and Marketing, ESET Southern Africa
KNOW THY ENEMY When it comes to combating the increasing scourge of cybercrime, understanding the world of cyber-threats is the first step to defending against attacks. By Steve Flynn, director: Sales and Marketing, ESET Southern Africa
When no lesser government department than that of Justice and Constitutional Development became the target of a ransomware attack in September 2021, it took a month to simply restore most – although not all – of its systems. The news of this attack and its impact made many executives and business owners understandably stressed and left them wondering whether their businesses would survive a non-operational month. Of course, most executives and business owners are not necessarily IT or security experts, which is why it is important for them to realise that only by better understanding the world of cybercrime can they mitigate such threats to their own organisation.
Understand the basics
Some of the major, and most common, cybercrime threats to businesses include:
• Phishing: Criminals impersonate a legitimate source, usually requesting sensitive information such as passwords, with the aim of stealing money or important data, or gaining access to computer systems.
• Whaling: A type of phishing where criminals masquerade as executives at an organisation and target other senior individuals. Criminals might, for example, send an email posing as the CEO, requesting payroll information.
• Malware: This malicious software infiltrates a device without authorised access. While malware doesn’t cause damage to hardware, it can steal, delete and hijack data or spy on activities without users knowing.
• Ransomware: A type of malware that can lock a device or encrypt its contents, preventing users from accessing files in order to extort money.
• Trojan horse: Another form of malware disguised as legitimate software to gain the victim’s trust. Once installed, cybercriminals can steal, delete, block, copy or modify sensitive data.
• Adware: These pop-up advertisements can harm a device by slowing it down, hijacking the browser, or installing viruses and/or spyware.
• Spyware: Software that infiltrates a computer with the aim of discovering personal information such as credit card and banking details.
Stay up to date
Cybercrime is a sophisticated, lucrative trade and criminals are constantly creating new threats and finding undiscovered loopholes to launch their attacks. ESET’s T2 2021 Threat Report, released in October 2021, highlights several concerning trends, including increasingly aggressive ransomware tactics and deceptive phishing campaigns. Ransomware saw the largest ransom demands to date. A supply-chain attack leveraging a vulnerability in the Kaseya VSA IT management software had a US$70 million (R1.05 billion) ultimatum – the heftiest known ransom demand so far. Password-guessing attacks – also called brute-force attacks – which often serve as a gateway for ransomware, also increased. Between May and August 2021, ESET detected 55 billion new attacks (up 104% compared to T1 2021). Of course, any threat protection should now extend beyond your office walls too, as employees settle into a hybrid model of in-office and remote work. The work-from-home model has amplified the risks that cybersecurity poses to businesses of all sizes. Employees linking to public Wi-Fi in coffee shops and other ‘open’ networks, while looking for connectivity to work remotely, have exposed even the most secure businesses to increased risk. Therefore, in order to stay ahead of digital crime, it is crucial to remain up to date on the latest tactics and ensure that your organisation is protected against them, and that employees have adequate training in recognising and avoiding threats. Never mind not being able to operate for a month or more due to a breach, being held to ransom is not something any business can afford. Philosophers believe that the greatest victory is that which requires no battle – using ESET will prepare any business to succeed in the ever-evolving war against cybercrime.
PAYMENT FRAUD
Payment fraud can kill your business A specific type of cybercrime, payment fraud is when criminals masquerade as suppliers or senior members of a company, and convince finance staff to make a payment they should not.
Payment fraud is a subcategory of cybercrime, which, as the name suggests, will impact your company’s bottom line – potentially drastically. According to Ryan Mer, CEO at eftsure Africa, this type of crime is, in the majority, related to what would be called a ‘push’ payment. In essence, the defrauded party is the one who actively makes a payment (as opposed to having, say, their credit card details stolen). “Essentially, this type of crime is about coercing the business into making an unwitting payment to the bad guys, usually by pretending to be a genuine supplier or leveraging other means to convince your finance department to pay them,” he explains. “There are multiple dangers of falling victim to this: remember that not only will your business reputation potentially be damaged, you will obviously be out of pocket, while there will be conflict with the supplier the criminal impersonated – since they won’t have received the payment they were due, and there may be questions over who is responsible for the wrong payment (them or you). “The simple financial damage is potentially catastrophic on its own, and it of course costs additional funds and time to figure out what happened, how it happened and prevent it from happening again.” It’s a lot like dropping a pebble in a pond, notes Mer – you feel the big splash, but the real impact is caused by the multitude of ripples.
A threat to all
He notes that this is a concern across the board, and that SMEs are often attacked as well. The criminal may steal a smaller amount from an SME, but such a business can be hit much harder even by a smaller sum, simply because the money may mean the difference between failure and survival. “Payment fraud is essentially one of the largest addressable markets globally and, in local terms, virtually every organisation in SA may be a potential target. And the reason the criminals have so much success with it is because – despite adopting a lot of fancy technology – even large corporates sometimes rely on very manual processes for their payments. And anything reliant on human actions, decisions and processes is vulnerable to phishing and social engineering.”
Mer outlines that there remain many manual processes in businesses, even possibly when capturing data into an advanced enterprise resource planning (ERP) system. And the longer the manual chain (the larger the organisation, the more likely this is to be quite lengthy), the more chance of a link breaking. The one comfort for SMEs is that there are fewer links to break – if you receive a message from a ‘supplier’ noting that they wish to update their bank details, you are more likely to call them to check, because you have a personal relationship with them. “So, the key weakness lies in the manual processes, and these tend to be compromised through manipulation – commonly achieved via hacking company emails and compromising these, and from there having access to the network in order to compromise supporting documents and information. “The bad guys also manipulate people through social engineering, using this to convince the finance person to make payments via the impersonation of a senior staff member like the CEO. It’s actually not difficult at all,
when you consider how much publicly available data can be sourced from sites like Facebook and LinkedIn. With a bit of effort, it is relatively easy to work out who is who in a business, and target them by understanding who in the organisation would send these types of mails, and to whom.” Often, the messages sent contain the kind of personal details that one would expect only someone you know to have access to, but one is often capable of accessing such details far more easily than we would like to think, thanks to social media, he adds. “There is obviously plenty of overlap between standard cybercrime attacks with malware or ransomware and payment fraud. Logically, if they can introduce malware into your system, particularly if you are unaware of it, it can simply sit there for months on end, gathering data. That’s something else about these criminals – they can be incredibly patient,” he states.
“A further complication is that there are also internal risks – either employees who accidentally let them in, ones who are acting with the criminals, or those with their own criminal intent, manipulating the processes within the business by themselves.”
Responsibility and training
The first order of business from a protection perspective is to determine who is responsible for ensuring payment fraud does not occur. While cybersecurity is generally the ambit of the IT department, in this instance, says Mer, it simply has to be the chief financial officer (CFO). “Remember that your most important data resides with the finance team, and it is they too who control the process around making payments. Thus, it falls to the CFO to ensure that the appropriate controls and processes are adopted. This is broadly a combination of technology – which may require liaison with the CIO – and sound processes and controls,” he adds. “Security must be driven from the top, and it is critical to focus on establishing the right culture and mindset. This means effective and ongoing training, as well as better controls and processes. These could be as simple as better segregation of duties in the process, thereby ensuring authorisation (and, thus, an extra set of eyes) is required to change or update any banking details on the system, or better verification processes to ensure no one falls victim to business email compromise. All of this should then be supported by the relevant security technologies.”
He points out that technology can also be beneficial in automating a lot more of these processes, thereby eliminating human intervention from the chain completely. “While payment fraud can hit you hard, it is something that can be overcome by reasonably applying your mind to it. Most of the defences are fairly logical and, if you think about it carefully, it is easy to put reasonable processes in place. Of course, don’t forget to regularly review these, in order to be able to improve them and ultimately automate as much of the chain as possible, thereby reducing the threat of error, incompetence or criminal intent from your people within the business,” he concludes.
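The two controls Mer describes for bank-detail changes, segregation of duties (a second set of eyes before any account number changes) and an independent verification step, as an added worked example in Python. This is not eftsure’s code or anything from this guide; the vendor record, staff names, domains, phone numbers and account numbers are all constructed for the example.

```python
"""Maker-checker workflow for supplier bank-detail changes. Added example, not
code from eftsure or this guide. It encodes the two controls the article names:
segregation of duties (the clerk who captures a change cannot approve it, and
two distinct approvers are needed) and independent verification (the call-back
goes to the number on the vendor master record, never to a number quoted in
the request). Every record, name and number below is constructed."""
from dataclasses import dataclass, field
from enum import Enum


class State(Enum):
    CAPTURED = "captured"
    VERIFIED = "verified"
    APPROVED = "approved"
    APPLIED = "applied"
    REJECTED = "rejected"


class ControlViolation(Exception):
    """Raised when an action would bypass a control."""


@dataclass
class Vendor:
    """Vendor master record, populated at onboarding (the trusted source)."""
    vendor_id: str
    email_domain: str      # domain the vendor legitimately mails from
    phone_on_record: str   # call-back number captured at onboarding
    bank_account: str


@dataclass
class ChangeRequest:
    """An inbound request to change a vendor's bank account."""
    vendor_id: str
    new_account: str
    sender_email: str
    callback_phone: str    # number quoted in the request: attacker-controllable
    captured_by: str       # finance clerk who keyed it into the ERP
    state: State = State.CAPTURED
    approvals: list[str] = field(default_factory=list)
    findings: list[str] = field(default_factory=list)


def verify(req: ChangeRequest, vendor: Vendor, number_called: str) -> ChangeRequest:
    """Independent verification. Each red flag becomes a finding; the request
    advances only if the call went to the number on record and nothing else
    looked wrong. A rejected request keeps its findings for review."""
    if req.state is not State.CAPTURED:
        raise ControlViolation(f"cannot verify a request in state {req.state.value}")
    sender_domain = req.sender_email.rsplit("@", 1)[-1].lower()
    if sender_domain != vendor.email_domain.lower():
        req.findings.append(f"sender domain {sender_domain!r} is not {vendor.email_domain!r}")
    if req.callback_phone != vendor.phone_on_record:
        req.findings.append("request quotes a call-back number that differs from the record")
    if number_called != vendor.phone_on_record:
        req.findings.append("verification call did not go to the number on record")
    req.state = State.VERIFIED if not req.findings else State.REJECTED
    return req


def approve(req: ChangeRequest, approver: str) -> ChangeRequest:
    """Maker-checker approval: the capturer may not approve, each person counts
    once, and two approvals are needed before the request becomes APPROVED."""
    if req.state is not State.VERIFIED:
        raise ControlViolation(f"cannot approve a request in state {req.state.value}")
    if approver == req.captured_by:
        raise ControlViolation("segregation of duties: capturer cannot approve own change")
    if approver in req.approvals:
        raise ControlViolation(f"{approver} has already approved this request")
    req.approvals.append(approver)
    if len(req.approvals) >= 2:
        req.state = State.APPROVED
    return req


def apply_change(req: ChangeRequest, vendor: Vendor) -> Vendor:
    """Only an APPROVED request for this vendor may update the master record."""
    if req.state is not State.APPROVED or req.vendor_id != vendor.vendor_id:
        raise ControlViolation("change is not approved for this vendor")
    vendor.bank_account = req.new_account
    req.state = State.APPLIED
    return vendor


def blocked(action) -> bool:
    """True if a control stops the zero-argument action."""
    try:
        action()
    except ControlViolation:
        return True
    return False


def run_demo() -> dict:
    """A constructed fraudulent request and a genuine one against one vendor."""
    vendor = Vendor("V001", "acme-stationery.example", "+27-11-555-0100", "62000000001")
    # Look-alike domain, attacker-chosen call-back number, and the clerk dials that number.
    fraud = ChangeRequest("V001", "62099999999", "ap@acme-stationery-billing.example",
                          "+27-82-555-0199", captured_by="thandi")
    verify(fraud, vendor, number_called="+27-82-555-0199")
    legit = ChangeRequest("V001", "62000000002", "ap@acme-stationery.example",
                          "+27-11-555-0100", captured_by="thandi")
    verify(legit, vendor, number_called="+27-11-555-0100")
    self_approval_blocked = blocked(lambda: approve(legit, "thandi"))
    approve(legit, "sipho")
    approve(legit, "lerato")
    apply_change(legit, vendor)
    return {"fraud_state": fraud.state.value, "fraud_findings": len(fraud.findings),
            "self_approval_blocked": self_approval_blocked,
            "legit_state": legit.state.value, "account_now": vendor.bank_account}
```

The design point is that the request’s own contact details are treated purely as data to compare against the master record, never as a channel for verification: `verify` records which number the clerk actually dialled, and any mismatch with the onboarding record stops the change. Calling `run_demo()` shows the fraudulent request rejected with three findings while the genuine one passes verification, two approvals and application.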
GOVERNANCE, RISK & COMPLIANCE
GRC AND SECURITY: an alliance for every company
The combined forces of GRC and security can achieve big things for business. By James Francis
If you look at the organisation charts of major digital security companies, you might notice quite a few people versed in the disciplines of governance, risk and compliance (GRC). This trend is not simply to ensure those companies have their GRC ducks in a row. In a digital market, GRC aligns closely with cybersecurity and can help businesses understand their risks and opportunities much more clearly. “Risk is good,” explains Adam Philpott, chief revenue officer at security vendor Trellix. “Let’s take risks in order to thrive and grow; however, let’s not take them foolishly. Let’s be thoughtful about how we manage that risk, how we understand it, and how we execute against it in a very complex and dynamic world.” GRC and security have more in common than one might think. Business operations tend to begrudge both, seeing them more as barriers than enablers. Both have also gained significantly more relevance in the digital world, and they often share the same concerns. For example, successfully implementing coverage of laws such as the Protection of Personal Information Act (PoPIA) and the General Data Protection Regulation (GDPR) requires a combination of security and GRC. But there is an even more fundamental reason why the two areas have grown symbiotically relevant: complexity.
It’s a complex, complex world
We live in a marvellous world where information is a touch away, fed through networks and devices, right onto our desks or into our hands. Yet, even though we are comfortable with technology as consumers, few of us grasp the incredible behind-the-scenes complexity. Layers upon layers of technologies collaborate to deliver what we experience. Attempts to secure those environments expose and reflect that complexity, ironically breeding more complexity: “The way that companies have sought to secure their environments has increased in complexity to a point where the complexity outweighs the benefits in many cases today,” says Philpott. “Many organisations have a multitude of security tools, but they keep adding more to address new layers in their environment.” Extra security is not more secure. Instead, it creates more gaps for criminals to attack and leads to an overload of security reports – a phenomenon called alert fatigue. The trick is integrating different
security services as part of an overall strategy, enabling them to collaborate. GRC regimes face a similar challenge: they are often complex in nature yet can be routinely hobbled by a ‘more is better’ attitude or over-focus on results for reports (a kind of governance myopia). This means both GRC and security projects can get out of hand, bloating beyond relevance and effectiveness. Yet, as mentioned earlier, they have a lot in common – and if companies exploit these commonalities, they can increase business understanding and ownership of both worlds. “Sometimes we think about the language of business and the language of security being different languages, because often people in the security domain talk about technical things in technical terms, as opposed to the outcomes they’re pursuing. But when we talk about complexity, what we’re really thinking about is our ability to operationalise risk to pursue those outcomes,” Philpott explains.
Security + GRC
To understand this relationship, we must define GRC. Governance defines how a company and its people should behave. Risk is the company’s threats and opportunities (i.e. SWOT – strengths, weaknesses, opportunities and threats), and compliance covers a company’s legal obligations. Cybersecurity covers these areas too, providing visibility on their activities. GRC and security have thus become bedfellows because many compliance requirements are either implemented through or relate directly to security. For example, if a business stores the personal information of employees or clients, it must ensure that information is protected, yet also accessible to the right people. Compliance such as PoPIA requires this, governance determines how to manage and use such information, and it’s a considerable negative risk if a company loses or exposes personal information to the wrong people. Security can provide a common language and platform to express GRC: “Governance is a really good example. Security provides visibility and as long as we express that visibility in ways that are palatable or consumable to a business audience, that’s a really powerful platform for driving GRC. You start with visibility, then use that to understand the sorts of risks you’re exposed to,” says Philpott. Likewise, GRC can support good security. Using the aforementioned visibility, companies can create policies that reflect their governance and compliance requirements, defined by their risk appetites. Those policies guide employees
towards the proper practices and habits for a more cybersecure environment. It’s a virtuous loop: good security supports GRC, and good GRC supports security. And the net effect is that both sides can emerge from begrudged purchases and become appreciated as strategic assets.
Who watches who?
Synergy between cybersecurity and GRC will be great news for many organisations. Both sides offer tremendous value, but can easily lapse into expensive exercises or neglected functions. Having regulations breathing down your neck is not enough motivation to get either right. In fact, too many businesses only realise they have been neglectful after an incident or breach – and fixing the resulting damage is often much more expensive than the damage itself. How can security and GRC collaborate to avoid becoming the proverbial elephants in the room? In most scenarios, the first step is to reduce security complexity and increase its visibility. If security can report effectively, it can provide relevant information to GRC decision-makers. A clear view of security compliance and governance will reveal the status of other compliance and governance considerations, thanks to the consistent presence of digital systems across a business. “Security is an enabler to business,” Philpott notes. “Technology is fundamental to all organisations today – it’s a core part of their strategy and necessary for them not just to survive, but thrive. So, therefore, security allows them to go faster, to do more, and to take risks so that they can thrive by managing those risks.” But how do you rein in security complexity and create a clear picture for GRC? Don’t do it all yourself. Investment in security is expensive, both for the software and skill sets. It’s essential to have an internal security capacity – the people who make strategic security decisions and align those with business outcomes. But much of the operational needs – such as monitoring, maintenance and responses – can be assigned to managed security service providers. “There are several ways to deliver a service: build, buy or partner,” says Philpott. “You’re still taking risks but you’re finding different ways to manage it. The partnership is about maintaining visibility and the buck stops with the customer organisation around the risks you’re taking.” Security as a catalyst for GRC visibility was not always an option. But, in the past decade, technology has made both parties considerably more agile and responsive. GRC is becoming the dominant way for businesses to understand cybersecurity, and cybersecurity provides GRC with a lot of intelligence. If either keeps you awake from a cost or oversight perspective, try a new angle: see how GRC and security can be a strategic alliance for every company.
CYBER-RESILIENCE
THE RISING TIDE OF malicious threats Digital transformation is creating fantastic new business opportunities, but it is also opening up many new angles of attack for cybercriminals. We asked the head of a software security company some pertinent questions about these.
Cybercrime today is big business – so much so that many security players indicate that the bad guys far outnumber the good guys, working on the side of security. Add to this the nature of digital transformation and the arena in which the criminals are operating is only growing larger, with the number of potential angles of attack increasing all the time. We chat to John McLoughlin, CEO of J2 Software, a value-added reseller of security software solutions, about the new kinds of attack vectors and threats we face in an increasingly digitising world.
In today's digitally transforming world, what would you consider to be the most crucial threats we need to defend against?
The threats are outcomes driven. Cybercriminals have an outcome in mind, such as to extract a ransom, steal information or embarrass the company or individual – it could even be a combination of these. The threats change all the time, as do the methods, so, really, the biggest threat to defend against is complacency. Do not wait until you are a victim before taking cybersecurity seriously. I speak to people every day, in different parts of the world, who wish they had not been complacent, who thought it would not happen to them – until it did.
Cybercriminals utilise a multitude of vectors to conduct their attacks. Which attack vectors are the ones most likely to succeed?
Generally speaking, email is the most used vector, simply because it provides the most access to the weakest piece of the chain, namely the trusting user on the other side of the keyboard. Social engineering, convincing stories and people with little knowledge of what to look out for make the easiest targets. People inadvertently share details they shouldn’t. Curiosity gets people to click on links, open files, connect to complete strangers online, respond to queries and so on. Therefore, without a layered, proactive defence, user visibility, insider threat detection and user awareness, it is always going to be a matter of when – not if – you will become another statistic.
Do the attack vectors differ according to the size of the business?
The vectors remain the same, but what will differ is the execution once the initial compromise is successful. Some businesses will be better prepared than others and these factors will change the method of final attack. Remember that cybercriminals do not just hit and hope; they do research, take their time and work to succeed. Like good salespeople, who will identify their targets, do the research and then work their way to the right person to close the deal, cybercriminals too are persistent and patient. As they learn more about your organisation, they will pivot and adapt their approach, based on what they learn. Once they know which platforms you use, their phishing methods will change and their targets will shift until they get in. The criminals are working on many opportunities at the same time, and while they might be similar, they will adapt for each of their target victims.
What are the most dangerous new threats to have arisen in the past two years?
For me, it is the double extortion approach to attacks. This is amplified by people’s fear of reputational damage. The criminals realise that as backup and recovery has improved, the need to first steal the data before destroying it leads to higher success in ransom payments. If you do not pay the ransom, then your sensitive data is leaked online.
Are there any potential threats on the horizon?
Every time some new technology is deployed, or there are new gadgets released, the attackers change their methods. But the biggest threat comes down to how much you are willing to lose before taking action. Criminals already have the outcome in mind – they want your money, data or business.
The need to work remotely during the pandemic also gave rise to a whole slew of new attack vectors and approaches: can you outline what the most dangerous and unexpected or unique ones were?
Cybercriminals are constantly adapting their approach to deceive their targets and increase their success rate. There is a new trend developing that speaks directly to this phenomenon – it is an adapted version of the standard ‘completing of a successful change of bank details’ style of fraud. Many people have seen and encountered this approach, also known as invoice fraud. It is where an attacker pretends to be a supplier, creates a fake change of bank details letter, and emails the accounts department to get the banking details updated. The attack method is nothing new, but the execution has simply evolved. The end game is the same – i.e. to steal your money – but the criminal syndicate now uses the fact that most people are working from home to target their prey with a more personal approach. The cybercriminal uses the telephone and identifies themselves as the supplier's finance contact person. The call is friendly, includes some small talk, pandemic discussions and is made to sound unique, right down to using the correct accent. The attacker informs your team that they’re changing banks and asks about the process to do so. They then confirm the details and send this via email. As this is expected, your finance team has a higher likelihood of being tricked and falling for it. The cybercriminal often uses messaging apps like WhatsApp and Signal to confirm the details have been sent and will then call back again a short while later to confirm receipt of the details and to answer any questions or concerns. This adaptation has been necessitated to get around the usual verification process in place at a business. The attacker does their own verification with your finance team, increasing their success rate exponentially. There have been different versions and levels of sophistication in these attacks, including highly targeted attacks where the cybercriminals have even spoofed the supplier’s telephone numbers.
What are the most critical impacts on a business when cybercriminals get their attack right?
Security is taking on a new shape, is being integrated into new business initiatives and is used as a competitive advantage. No one wants to be breached – once consumers are affected, they will fear working with companies they don’t trust. Providing a secure business environment is every company’s concern and cybersecurity must be an investment priority in every business, regardless of industry or size. However, it is a higher priority for information-based organisations like professional services firms, banks, financial institutions, insurance companies, telcos, municipalities and power utilities. These industries are already experiencing paralysing attacks that stop critical services such as electricity and water supply. These crippling cyberattacks will ultimately result in increased spend as they cause unprecedented loss of revenue.
Finally, any words of advice to organisations in respect of attack vectors, the dangers posed by cybercriminals or the means to secure your business more effectively?
The main thing that needs to be done is to bolster cyber-resilience. Cybersecurity is not a single or multiple system or solution. The importance of resilience is to look at the business and its systems and processes holistically. We cannot just deploy anti-virus and firewalls and think all will be well – especially when half the workforce no longer sits behind the firewall. Understanding the risks and taking incremental steps to bolster resilience along with increasing visibility across the entire attack surface are all we can do to stop attacks as they happen. Ultimately, resilience provides visibility, and visibility provides the capability to respond.
CYBERSECURITY 2022
IDENTITY & ACCESS MANAGEMENT (IDAM)
Why you should have ZERO TRUST if you are in the CLOUD
In a world where data is the lifeblood of businesses, identity and access management (IDAM) has never been more important. We pose some questions on IDAM in the cloud to Andre Lombaard, technical manager: Security at Datacentrix.
Today, we live in a world of remote work, meaning that increasing numbers of people are accessing corporate networks from their homes. What sort of IDAM solutions need to be implemented in this case, to ensure the person is who they say they are when logging into the network?
Today’s world of remote working and cloud-based systems necessitates a ‘zero trust’ approach to keep an organisation’s data and infrastructure secure. This type of strategy – based on the premise of ‘never trust, always verify’ – revokes any type of access privileges that users may have previously had on a network, and gives them access to the absolute minimum, while frequently requesting user authentication. The pre-Covid scenario, where a virtual private network (VPN) setup would permit employees/users to access all areas of the network, is no longer a secure strategy. In a zero trust world, legitimate, authorised users may access only those areas of the network, as well as apps and data, that are needed to complete a task, and nothing more. This should be applied to all the company’s system elements – including a company’s enterprise resource planning (ERP) software, email, and a document repository, for example. This is where technologies like secure access service edge (SASE), in combination with biometrics on endpoint devices – such as laptops, mobile phones and tablets – as well as privileged identity management (PIM) solutions, are playing a critical role in helping companies to scale down access and increase the security of their systems. This decreases the risk of cybersecurity incidents. Concisely, these technologies allow for the security perimeter to be moved away from the enterprise to the user or device. They then require users to be identified and verified, before permitting them to enter the network perimeter, and provide only pre-assigned access to certain areas.
How do these solutions ensure network security and effectively manage cloud identities?
With so many businesses currently making use of some type of cloud system, be it Office 365 or Google Drive, the protection of the cloud environment is more important than ever before. A zero trust approach means that the system serves users from either the cloud or on-premises, as there is one central point of access, all channelled through the SASE and IDAM security measures.
What is the importance of system design in enabling the effective management and governance of cloud identities, and how you can ensure that your security system is optimally designed?
Designing a zero trust architecture must include, at its core, centralised policy management, which includes identity-related and allocation policies. It must also align with local governance requirements, such as the Payment Card Industry Data Security Standard (PCI DSS), the International Organisation for Standardisation (ISO) or General Data Protection Regulation (GDPR), regarding the safety and security of data and cloud infrastructure. This is where technologies – including configuration security analysis – have come into play. Traditional auditing methods of analysis of architecture are falling short when it comes to the cloud and its continuous, uncontrolled change. By leaning on solutions like configuration security analysis, businesses can continuously – and in real time – monitor security and compliance on current architectures, highlighting misconfigurations, remote employees, policy validations and so on.
How do digital solutions like automation, big data and artificial intelligence (AI) play into this security approach?
The use of digital solutions like automation and AI plays a significant role when it comes to security. As a hybrid IT systems integrator and managed services provider, one of Datacentrix’s offerings is its Security Operations Centre (SOC), which monitors and defends customer ICT environments in real time against any potential security threats. The SOC uses AI for the analysis of all security events, which are received at an uncontainable pace. It is no longer necessary for analysis to be conducted by people 24/7. Through AI, humans only now see around 40% of the data related to security events, and this is only the information that needs action, making for a faster, more accurate process.
And if you are leveraging big data, please outline the importance of good data hygiene and explain how an organisation can ensure their data is clean and effective?
AI is hugely effective when it comes to ensuring cleaner (by cross-verifying the integrity and true identity), more effective data for further analysis. Correctly implemented, AI technology can close the gap between humans and machines, providing human analysts with cleaner, more to-the-point data on security attacks and events, and eliminating any ‘false positives’ already vetted by AI as not relevant.
Can you tell me exactly how a zero trust strategy can play a major role in effectively protecting your corporate network from any form of infiltration, especially as the use of the cloud becomes increasingly prolific?
A zero trust strategy is critical to the protection of a company’s assets, which in modern-day terms are its data and information. Through a zero trust approach, who or what connects to your infrastructure is strictly controlled and regulated, and the company is able to limit the exposure of these assets. Traditionally, companies have always worried about who is using a device, where it is, what type of information is on it, and what happens if it is compromised or exfiltrated. Now, with data in the cloud, the focus has moved to who accesses it, and where it is.
The current security mantra seems to be ‘defend in depth’. How would you recommend implementing such a defence, and how important is it to involve all aspects of the ‘people, processes and technology’ trinity?
Defence in depth can be defined as “an information security approach in which a series of security mechanisms and controls are thoughtfully layered throughout a computer network to protect the confidentiality, integrity and availability of the network and the data within”. It refers to the combination of several advanced security tools together – including anti-virus software, anti-spam, firewall and privacy controls – into a multilayer cybersecurity approach that protects a company’s endpoints, data, applications and networks. The major benefit is that there are no capital expenditure requirements, as it is a service that is sold. Aside from the technology element, it is essential to align processes and policies, as – while it might be possible to control the system – it is not necessarily possible to control the human behind the device; this is the one anomaly. You may not be able to change user behaviour but you can enforce processes and policies to best control engagements – leading to one path and one path only.
Since security has never been more critical, what final words of advice relating to the topic would you give to those organisations where IT might be necessary to ensure operations, but is not related to their core business?
Although IT might not be the core business of many organisations, the potential effect of a compromise on the integrity and security of its data – and potential knock-on effect on the company’s reputation – is far reaching. A zero trust approach to cybersecurity can assist any business to create a safer remote and cloud environment, simplifying the security architecture and reducing organisational risk.
INNOVATION ALTRON ARROW
PREVENT COMPROMISED FILE UPLOADS THREATENING YOUR BUSINESS
As cybercriminals become more ingenious, concealing advanced threats in common file types, so the need for a new type of security has arisen. CDR technology is that solution.
Although file uploads are necessary for employee productivity and for certain websites and web applications to perform their functions, they also offer an attack vector to cybercriminals. This is because, by concealing advanced threats that exploit vulnerabilities within common file types, attackers can compromise an end-user or an entire system. Gyula Wendler, senior manager: Engineering at Altron Arrow, explains that document-borne malware is on the rise, meaning that any file entering an organisation’s network really should be audited and analysed, even when the sender seems to be a trusted, reliable source. “Obviously, banning file uploads altogether would be impractical, so it is thus necessary to make file uploading and importing more secure, if companies are to function efficiently. This is where CDR technology comes in,” he says. “CDR stands for content disarm and reconstruction, and is highly effective for preventing known and unknown threats. These include zero-day targeted attacks and threats that are equipped with malware evasion technology, such as fully undetectable malware, VMware detection, obfuscation and many others.”
Deep CDR
He notes that Altron Arrow recommends OPSWAT CDR technology – known as Deep CDR – which assumes all files are malicious. It ingests files and then regenerates these in a way that ensures the regenerated file is both usable and harmless. Basically, it provides protection without needing to know whether a suspected file is ‘good’ or ‘bad’. Wendler indicates that CDR follows a three-step process:
• Files are evaluated and verified as they enter the sanitisation system, to ensure file type and consistency, with identification of over 4 500 file types. Each file is scanned to identify all embedded active content in the file and file extensions are examined to prevent seemingly complex files from posing as simpler ones. OPSWAT Deep CDR supports sanitisation for over 100 common file types, including PDF, Microsoft Office, HTML, many image file types, JTD, and HWP.
• The files are rebuilt in a fast and secure process. File elements are separated into discrete components, malicious elements are removed, and metadata and all file characteristics are reconstructed. The new files are recompiled, renamed and delivered, preserving file structure integrity so that users can safely use the file without loss of usability.
• The newly regenerated files can now be used. Even complex files remain usable – for example, animations embedded in PowerPoint files remain intact after the CDR process is completed. Finally, the original files are quarantined for backup and further examination.
By rendering fully usable files with safe content, the CDR engine protects organisations against the most sophisticated threats while maintaining user productivity. “File uploads are a major potential threat vector for any business. Now, thanks to OPSWAT’s Deep CDR technology and Altron Arrow, there are concrete steps that organisations can take in order to mitigate this growing threat vector,” he concludes.
For more information, contact: Gyula Wendler, senior manager: Engineering gwendler@arrow-altech.co.za
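The three-step process above, as an added illustration that is not OPSWAT's or Altron Arrow's code: a small Python sanitiser that checks a file's real container type against its claimed extension, rebuilds an OOXML package without its active parts, and quarantines anything posing as a different type. The magic-byte table, the list of active part names and the sample macro document are all constructed for the demo.

```python
"""Minimal content disarm and reconstruction (CDR) demo.

Added illustration with constructed data, not OPSWAT Deep CDR or Altron Arrow code.
It follows the three steps described in the article:
  1. verify the real container type against the claimed extension,
  2. rebuild the file without embedded active content,
  3. hand back a usable file (the caller keeps the original aside for examination).
"""
import io
import re
import zipfile

# Magic-byte table for the handful of types this demo understands (a constructed subset).
MAGIC = {
    b"%PDF-": "pdf",
    b"PK\x03\x04": "zip",            # OOXML (docx/xlsx/pptx) is a zip container
    b"\x89PNG\r\n\x1a\n": "png",
    b"\xd0\xcf\x11\xe0\xa1\xb1\x1a\xe1": "ole",  # legacy binary Office / OLE compound file
}
# Which on-disk extensions legitimately map to which container types.
EXT_TO_TYPE = {"pdf": "pdf", "docx": "zip", "xlsx": "zip", "pptx": "zip",
               "png": "png", "doc": "ole", "xls": "ole", "txt": "text"}
# Package parts that carry executable or embedded content inside an OOXML zip (demo list).
ACTIVE_PART = re.compile(r"vbaProject\.bin|embeddings/|activeX/|\.bin\b", re.I)


def detect_type(data: bytes) -> str:
    """Type by content, never by name: the first step of the sanitisation pipeline."""
    for magic, kind in MAGIC.items():
        if data.startswith(magic):
            return kind
    printable = all(0x20 <= b < 0x7F or b in b"\r\n\t" for b in data[:512])
    return "text" if data and printable else "unknown"


def verify(filename: str, data: bytes) -> dict:
    """Compare the claimed extension with the detected container type."""
    ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
    actual = detect_type(data)
    return {"ext": ext, "actual": actual, "consistent": EXT_TO_TYPE.get(ext) == actual}


def _drop_references(manifest: str) -> str:
    """Remove <Relationship>/<Override> entries that point at parts we are about to discard,
    so the rebuilt package stays internally consistent (and therefore usable)."""
    def keep(match):
        return "" if ACTIVE_PART.search(match.group(0)) else match.group(0)
    return re.sub(r"<(?:Relationship|Override)\b[^>]*/>", keep, manifest)


def rebuild_ooxml(data: bytes):
    """Step 2: copy every benign part into a fresh zip, leaving active content behind."""
    removed = []
    src = zipfile.ZipFile(io.BytesIO(data))
    out = io.BytesIO()
    with zipfile.ZipFile(out, "w", zipfile.ZIP_DEFLATED) as dst:
        for info in src.infolist():
            if ACTIVE_PART.search(info.filename):
                removed.append(info.filename)
                continue
            payload = src.read(info.filename)
            if info.filename.endswith((".rels", "[Content_Types].xml")):
                payload = _drop_references(payload.decode("utf-8")).encode("utf-8")
            dst.writestr(info.filename, payload)
    return out.getvalue(), removed


def sanitise(filename: str, data: bytes) -> dict:
    """Full pipeline for one upload; the report tells the caller what happened and why."""
    report = verify(filename, data)
    if not report["consistent"]:
        # A file posing as another type fails step 1 and is quarantined, not rebuilt.
        return {**report, "action": "quarantine", "output": None, "removed": []}
    if report["actual"] == "zip":
        clean, removed = rebuild_ooxml(data)
        return {**report, "action": "rebuilt", "output": clean, "removed": removed}
    # Types this demo cannot reconstruct are passed through only after the type check held.
    return {**report, "action": "pass-through", "output": data, "removed": []}


def entry_names(package: bytes) -> list:
    return zipfile.ZipFile(io.BytesIO(package)).namelist()


def read_entry(package: bytes, name: str) -> str:
    return zipfile.ZipFile(io.BytesIO(package)).read(name).decode("utf-8")


def make_macro_docx() -> bytes:
    """Constructed stand-in for a macro-enabled document: a zip with a VBA part and
    manifests that reference it. The part content is placeholder bytes, not real VBA."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types><Override PartName="/word/document.xml" ContentType="application/xml"/>'
                   '<Override PartName="/word/vbaProject.bin" ContentType="application/vnd.ms-office.vbaProject"/></Types>')
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships><Relationship Id="rId1" Target="vbaProject.bin"/>'
                   '<Relationship Id="rId2" Target="styles.xml"/></Relationships>')
        z.writestr("word/document.xml", "<w:document>Q1 invoice, constructed sample</w:document>")
        z.writestr("word/vbaProject.bin", b"\x00placeholder bytes, not a real VBA project\x00")
    return buf.getvalue()


if __name__ == "__main__":
    for name, blob in [("quote.docx", make_macro_docx()), ("quote.txt", make_macro_docx())]:
        result = sanitise(name, blob)
        print(name, result["action"], result["removed"])
```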
INNOVATION ALTRON ARROW
COMPREHENSIVE PROTECTION FROM IOT SECURITY VULNERABILITIES
Altron Arrow has partnered with Check Point to deliver a complete solution to secure unprotected internet of things (IoT) devices from cyberattacks.
As digitisation continues apace, we are witnessing the rise of the ‘connected world’, where everything from IP cameras to company printers and coffee machines is connected to the internet. And the same holds true for industry-specific verticals, which require such solutions as connected medical devices or connected industrial or manufacturing robots. The challenge here is this: as digital transformation increases, so do the attack surfaces for cybercriminals – and the IoT arena of connected devices is an extremely vulnerable space. There is nothing these criminals like more than to find an under-protected angle of attack that allows them to access the business network, explains Gyula Wendler, senior manager: Engineering at Altron Arrow. Once in, he adds, they seek to disrupt services and operations, obtain financial gains – through ransomware attacks – or simply gain a foothold in sensitive networks. “There are several reasons behind these devices’ IoT vulnerabilities, including the fact that such direct-to-internet connections make devices easily accessible over the web – often without any security countermeasures in place and no control by device makers over their deployment. Then there’s also the use of vulnerable third-party supply chain components and the fact that the devices are unmanaged and often can’t be updated for fixes,” he says. “Altron Arrow provides a total end-to-end IoT solution for any industry. Of course, given the huge volume and variety of IoT devices, we understand that companies need an easy way to deploy security across all of them.
A key partnership
“We have partnered with Check Point for this very reason – its comprehensive IoT Protect Security solution uses automation and threat intelligence to provide device risk assessment, network segmentation, and threat prevention from the most sophisticated cyberattacks.” He points out that the integrated solution prevents attacks at both an IoT network and device level – even on unpatchable devices. The solution delivers threat prevention and security management capabilities to block even unknown cyberattacks at both the network and device level, using threat intelligence and innovative IoT-specific security services. “What companies leveraging the IoT really need is a way to undertake both a complete IoT device visibility process and a risk analysis. Check Point identifies and classifies IoT devices on any network – via integration with leading discovery engines – to expose risks such as weak passwords, outdated firmware and known vulnerabilities. “Moreover, the solution is able to implement both vulnerability mitigation and zero-day threat prevention, even on devices that are supposedly unpatchable. These IoT devices can actually be ‘virtually patched’ in order to fix security flaws in firmware or legacy operating systems.” He concludes: “Finally, it is worth noting that Check Point’s solutions for IoT cybersecurity are part of Check Point Infinity. This is the only fully consolidated, cybersecurity architecture that protects your business and IT infrastructure against Gen VI multivector ‘Nano’ cyberattacks – across networks, IoT devices, endpoint, cloud and mobile.”
www.altronarrow.com
MICROSEGMENTATION
The Importance of EAST-WEST SECURITY
In a world increasingly beset by cybercrime of many and varied types, your company’s infrastructure security is more essential than ever. Patrick Assheton-Smith, MD at Symbiosys IT, explains how security has shifted from a north-south focus to a more complex, east-west approach.
Any organisation that suffers a breach or attack of any kind faces the strong possibility that a successful cyberattack will lead directly to one or more of the following: a negative impact on its earnings, damage to its reputation, and/or placing its operations in jeopardy. With such potential risks on the table, it is clear that infrastructure security should be as tight as possible, meaning you should embrace a full suite of security solutions. What we are talking about here includes perimeter, network, application, endpoint, data and cloud security, as well as cryptography management and security architecture. One of the major challenges with traditional security is that it is designed from a north-south perspective. Basically, this means that it secures your infrastructure from traffic coming from outside by ensuring that it can only enter your network through a firewall. In today’s digitising world, however, more and more companies are moving to the cloud, and the nature of its ‘anywhere, any time’ style of access means that a new method of securing things needs to be considered.
Deploying microsegmentation
This is why microsegmentation has come to the fore in recent times – it is a security technique that allows you to logically divide the network into distinct security segments, down to the individual workload level. This is a critical measure, as, by doing this, you are able to limit an attacker’s ability to move laterally – or east-west, as opposed to the traditional north-south direction taken by traffic entering from outside, through the firewall – across your network. This means that even if they get through the perimeter defences, the damage attackers can do is limited.
As the saying goes: if it were easy, everyone would be doing it. And such is the case with microsegmentation, which is tough to achieve at a high level. I always recommend to clients that they adopt a microsegmentation solution that is agent-based, as this provides true visibility, wherever the machine, container or app resides. The reason for an agent-based solution is simple: most large networks tend to be flat and littered with virtual local area networks (VLANs), which not only offer no visibility, but are also quite restrictive.
Microsegmentation should be on every security person’s mind, particularly when you consider that some 85% of network traffic today is reported to travel east-west. Add to this the fact that the average dwell time – the time between being breached and discovering it – is a massive 191 days and it demonstrates just how vulnerable your business is to a ‘low and slow’ attack if you have not adopted microsegmentation. Low and slow is when a criminal breaks into your network and hides there unobtrusively, slowly and stealthily, stealing small bits of information over a long period. It is for this reason you want to implement a solution that allows you to deploy agents, inspect traffic and essentially build a spiderweb that maps traffic across all of your systems. This not only provides better visibility throughout your environment, but also allows you to ring-fence important apps, create third-party access controls – e.g. for external contractors – and protect older, tough-to-secure assets. It also simplifies and accelerates compliance, enables secure DevOps and, most critically, improves detection – which in turn means dwell time is significantly reduced. All of this is achieved through the implementation of microsegmentation, as this prevents lateral movement across your network, thereby eliminating a critical blind spot. Furthermore, even if your security is penetrated under such circumstances, microsegmentation will play a big role in helping to greatly reduce the ‘blast radius’, or the amount of damage the interloper can do.
Complementary solutions
Once you have an effective microsegmentation solution in place, you can add additional solutions that are complementary. A good example would be introducing a solution that focuses on discovery and data classification. Basically, this is a tool that helps you to both determine where various data reside in the network and understand how vital these data sets are to your business. Such a solution should also assist with monitoring and reporting – to better understand the risk – as well as remediation, which is essentially the process of fixing the risk, once you understand what and where it is. It will allow you to quickly search for the data you need to secure, by seeking out specific types of information that can then be classified according to format or type of data. It is a very powerful tool for finding all the information you have and where it is – two things you have to clearly understand before you can properly secure it. Bringing together a total solution of this nature will position your business in a way that will enable it to secure its data whether it is structured, unstructured, cloud-based, on-premises, distributed or remote. It has been stated many times that in today’s digital world, data is the new oil, as it is now viewed as the world’s most valuable resource. And logically speaking, anything this valuable should be protected to the best of your ability. Because don’t forget that if you consider it to be this valuable, imagine how important it is to cybercriminals, and they don’t care about the damage they cause to your company in obtaining it. Therefore, my advice is to ensure that you place data at the centre of your business world, and ensure that you partner with a security expert to ensure it always remains safe and secure.
THE QUESTIONS YOU NEED TO ASK
Data is the lifeblood of any modern organisation and needs to be protected at all costs. Therefore, there are three important questions every business needs to ask:
1. Do you know what data you have? The older, and more sprawling an enterprise is, the easier it is for data to become ‘lost’.
2. What does your data actually relate to? This is how you determine whether the measures you have in place protecting it are sufficient, particularly if the information is among your more valuable digital assets.
3. Where is the data stored? This is also crucial, particularly in light of legislation like PoPIA and GDPR, considering the fines that can be levied, should you be breached.
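The agent-based approach described in this article (learn the east-west traffic map from agent-reported flows, then allow only what that map justifies), as an added example that is not Symbiosys IT's or any vendor's product code. The workload labels, the baseline flows and the rogue host are all constructed for the demo; the blast-radius figure shows what is left for a ‘low and slow’ intruder once lateral paths are closed.

```python
"""Agent-based microsegmentation demo.

Added illustration with constructed data; not Symbiosys IT's or any vendor's product code.
Agents report (source, destination, port) flows plus a label for the workload they run on.
From a learning period we build the east-west traffic map, turn it into a least-privilege
allowlist, enforce that allowlist on new flows, and measure the remaining blast radius.
"""
from collections import defaultdict, deque
from typing import Dict, Iterable, List, Set, Tuple

Flow = Tuple[str, str, int]      # (source workload, destination workload, destination port)
Group = Tuple[str, str]          # (application, tier) label reported by the agent
Rule = Tuple[Group, Group, int]  # (source group, destination group, port)

# Constructed inventory: the label each agent attaches to its workload.
LABELS: Dict[str, Group] = {
    "web-1": ("shop", "web"), "web-2": ("shop", "web"),
    "app-1": ("shop", "app"), "db-1": ("shop", "db"),
    "hr-db-1": ("hr", "db"), "jump-1": ("ops", "admin"),
}

# Constructed baseline: flows the agents observed during the learning period.
BASELINE: List[Flow] = [
    ("web-1", "app-1", 8080), ("web-2", "app-1", 8080),
    ("app-1", "db-1", 5432),
    ("jump-1", "app-1", 22), ("jump-1", "db-1", 22),
]


def build_traffic_map(flows: Iterable[Flow], labels: Dict[str, Group]) -> Dict[Rule, Set[Flow]]:
    """The 'spiderweb': which group talks to which group on which port, and the flows behind each edge."""
    edges: Dict[Rule, Set[Flow]] = defaultdict(set)
    for src, dst, port in flows:
        if src != dst:  # loopback is not east-west traffic
            edges[(labels[src], labels[dst], port)].add((src, dst, port))
    return dict(edges)


def derive_policy(traffic_map: Dict[Rule, Set[Flow]]) -> Set[Rule]:
    """Least-privilege allowlist: exactly the edges seen in the baseline; everything else is denied."""
    return set(traffic_map)


def evaluate(flow: Flow, policy: Set[Rule], labels: Dict[str, Group]) -> str:
    """Enforcement decision for one flow. Hosts without an agent have no label and are denied."""
    src, dst, port = flow
    if src not in labels or dst not in labels:
        return "deny:unlabelled"
    return "allow" if (labels[src], labels[dst], port) in policy else "deny:lateral"


def audit(flows: Iterable[Flow], policy: Set[Rule], labels: Dict[str, Group]) -> List[Tuple[Flow, str]]:
    """Batch check of observed flows, returning only the violations worth a SOC's attention."""
    return [(f, verdict) for f in flows if (verdict := evaluate(f, policy, labels)) != "allow"]


def blast_radius(start: str, policy: Set[Rule], labels: Dict[str, Group]) -> Set[str]:
    """Workloads still reachable from a compromised `start` under the policy
    (a flat network would expose every other workload)."""
    seen = {start}
    queue = deque([start])
    while queue:
        cur = queue.popleft()
        for nxt in labels:
            if nxt in seen:
                continue
            if any(s == labels[cur] and d == labels[nxt] for s, d, _ in policy):
                seen.add(nxt)
                queue.append(nxt)
    return seen - {start}


if __name__ == "__main__":
    policy = derive_policy(build_traffic_map(BASELINE, LABELS))
    new_flows = [("web-2", "app-1", 8080), ("web-1", "db-1", 5432),
                 ("app-1", "hr-db-1", 1433), ("rogue-vm", "db-1", 5432)]  # constructed
    for flow, verdict in audit(new_flows, policy, LABELS):
        print("violation:", flow, verdict)
    print("blast radius from web-1:", sorted(blast_radius("web-1", policy, LABELS)),
          "of", len(LABELS) - 1, "other workloads on a flat network")
```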
DEFENCE IN DEPTH
One thing that is not in any doubt is that cybercrime has risen exponentially since the start of the pandemic. With this in mind, it is important to note that when crafting a security posture, creating one with multiple layers – built on the basic tenets of cybersecurity – is certainly a good start.
A prevention-first approach is usually recommended, and means utilising an endpoint security tool, rather than one focused only on endpoint detection and response. Ideally, you want a solution that applies advanced artificial intelligence (AI) to the task of preventing and detecting malware. With an advanced solution like this in place, you can move beyond basic principles like ensuring a user doesn’t have the same password for every service, and begin applying greater levels of security such as multifactor authentication (MFA). Such a solution can also protect email, which is a key infiltration method, as it is seen as one of the easiest ways to break into a network. An AI-based security solution can rapidly scrutinise the URLs of anything a user may wish to click on, making it far more difficult for criminals to gain access through malicious links.
Much like good home security starts with a wall and electric fence – but also likely includes a dog, an alarm and a security gate – so you need to build multiple layers of security to protect your core. This way, even if one is cracked, the criminal finds they are faced with yet another. Security starts with a good anti-virus solution; it should include an effective password manager; MFA should be enabled; and you should run a program that checks the URLs on email links. Once you have these four key basics in place, you can continue improving your security posture and creating additional layers, such as an AI-based solution.
Lastly, it is worth noting that security – even AI-based, multiple-layer security – is only half the battle. One of the most critical aspects of a layered security approach is to train your employees properly, so that they know the basics as well – this will significantly reduce the security challenges that arise from untrained people clicking on unknown links or opening strange emails.
SECURITY IS AN INVESTMENT
What to CONSIDER when buying cybersecurity solutions
Cybersecurity creates one distinct challenge for all organisations, both large and small: it is a grudge purchase, much like insurance – it is one of those things that you don’t really want to have to pay for, but you do because you know you will likely need it at some point. Carlo Bolzonello, country lead for Trellix SA, advises that when purchasing security, you must think wisely, and choose solutions that will allow you to futureproof your business and effectively protect its IP. “Ultimately, you need to think of security not as a grudge purchase, but rather as an investment. It is also important that when you are choosing a security partner to work with, clearly understand what you want to get out of the partner. This means first understanding where you expect your business to be in the future, and then doing your research to understand exactly what you need to ensure such a future. Once you know what you want, it becomes easier to ensure your partner delivers what you need,” he explains. “The key is to choose a single partner that can look after all your security needs. If you consider your household security, you would not want to outsource your burglar alarms, access control and private security to multiple different entities. Ideally, you would want one company and point of contact looking after it all, and you should do the same with cybersecurity.” Of course, he cautions, while this is a great starting point, as your business evolves and grows, the security team should also have an internal component. After all, a managed services partner is delivering a service, whereas an internal employee has a clearer understanding of the business and its needs. He suggests the first thing to do is to shop around and look closely at what the different vendors are doing in the security space. The vendors can then provide guidance on which of their partners you should use as consultants. These players will undertake an assessment of your current environment, understand what you are trying to achieve, and help you through whatever implementation is necessary. “One caveat though is that, no matter how much technology you buy or how good your partner is, you must still assume the day is coming when you will be breached – it is a fact of life with regard to doing business in a digital world. “In fact, the best approach is to always assume that you are breached and work from there – this is a tough mentality to adopt, but it really is the only way to deal with security today.”
Threat evolution
He points out that in the past, developing an online presence was quite complex, but anyone can do it today. With just a few clicks and a credit card payment, you have a website and a back-end processing system, because it is now driven via the cloud. The issue is that if it is so easy to get on, it means it is easy for the bad guys to steal from you. “Today, there is an app for everything, and there is also risk in how the company you are using as a third-party app provider handles your data. If they aren’t properly secure, your business might ultimately be damaged – either reputationally, financially or legally. “Remember that what the criminals are after in the end is your data – many call this the 21st century oil – and if you are using the cloud, you also have a level of responsibility for your security… you cannot leave it all to your service provider. There is sometimes a perception in business that the cloud is some kind of garden of Eden – but, remember, even that had a snake.” Asked how a smaller business should go about implementing security, he says that it goes without saying that an anti-malware product is your first line of defence. Following this, it is important to understand that threat vectors vary and protection ultimately comes down to investment. Thus, if you are adopting a cloud-first strategy – and you should – you should partner with a cloud access security broker (CASB). Remember that if all your data is going to be in the cloud, you want a cloud security expert involved. Such an approach is not necessarily the cheapest option, but it certainly is the best way to look after yourself. “Today, the evolution of IT – and thus the threats to it – is ongoing, so businesses need to be talking security at the board or owner level, since this is where the financial discussions happen – and finance plays a key role in what level of security you can access.” He adds that it is important not to rush into things. Do your research, understand what is going to fit you best, absorb the information that is out there, and work closely with the vendors and their partners. “A last word of advice: always ensure you fully understand the terms and conditions of the providers of third-party apps and solutions you purchase. It is important to know exactly who owns that data, and thus who has control over your company’s information. This is especially true regarding free solutions you might use, such as those that convert a Word document to .pdf. “A lot of time this sort of stuff is hidden, so it is critical to pay attention all the time, keep reading up on new developments in the industry and, most crucially, understand that, ultimately, although you are responsible for your own data, you must understand how it is secured by third-party providers,” concludes Bolzonello.
IDAM - NEW SECURITY CONTROLS
A DIGITAL WORLD REQUIRES DIGITAL ACCESS MANAGEMENT SOLUTIONS
In the identity and access management (IDAM) space, new security solutions – such as two-factor authentication (2FA), biometrics and zero trust security – are among the ways of improving your security posture. Ulwembu’s Glenn Noome, director: Smart Integration, and Sabelo Xaba, enterprise solutions manager: Infrastructure, answer our questions on this topic.
Why do you feel IDAM is vital in today’s digitally transforming world?
In today’s world, there is one thing that is for certain: all aspects of life are going digital. We have critical information at work, as well as personal information for everything – from health to banking – and it is all becoming digital. The currency and value of data are increasing at a rapid rate. Every part of the working environment is generating data, which has become invaluable and, to that end, needs to be protected and accessed strictly by those who have the authorisation to do so. IDAM refers to identity and access management, meaning the correct person (identity) is given access (access management) to the permitted data. Access management, as it states, is more than just viewing data, but also covers the user’s permissions to change or delete that data. It is my belief that eventually every person will have a digital signature. A simple example of this is your smartphone verifying your identity through facial recognition, and allowing you to pay a bill at a retail store via your device, which is linked to your bank account. Eventually, all services – like banking, health, driving licences and so on – will be linked to a person’s digital ID, which will include both business and personal information. This is of particular importance, as we’ve seen a greater intertwining of personal and work life than ever before, since the advent of Covid-19 and the attendant increase in remote working.
With threats constantly evolving, what are the challenges that current IDAM solutions face, and why are such solutions now inadequate in the face of the increasing evolution of cyberattacks?
As we know, when it comes to digital information there are more ways than ever of duplicating data, and data is more accessible in the cloud. This means that anyone could gain access to data if security is lacking. We are now seeing devices like smartphones upping the ante on the requirements around the identification of the correct user and the provision of access to certain data. Previously, this type of device was less secure, as all that was required was a digital password. Today, we’re seeing additional measures – like dual authentication, where it verifies you through a password and biometrics, via a fingerprint scanner or facial recognition.
What would you say is the answer to these challenges? How can we improve IDAM in order to get ahead of the bad guys?
Multiple levels of authentication are a must – including the use of passwords, authenticator applications, location-based access and, most importantly, verifying the person themselves.
What are the benefits of, and the challenges to, implementing the following types of IDAM solutions?
Multifactor authentication (MFA): This is one of the best ways to verify that the correct access is granted, as it adds a layer of protection to the sign-in process. MFA does take longer and may require multiple apps, fingerprint scanning, or entering a code or PIN received, but is one of the most secure authentication methods.
Biometrics: The challenges of this type of technology have been reduced, due to the fact that devices like your laptops and smartphones now have in-built biometric or facial recognition. This in turn confirms you are the correct person who is connecting to the information or services. In these times, where touching things is frowned on due to Covid, facial recognition is the better way to go.
Behavioural biometrics: Behavioural biometrics analyse a user’s digital, physical and cognitive behaviour and are most commonly used today to prevent fraud. This type of technology is able to distinguish between authorised users and cybercriminals – it monitors their actual behaviour online as opposed to static data, which can be duplicated. As a fairly new technology, behavioural biometrics are being used predominantly within the banking industry, but are seeing some uptake in other verticals.
Zero trust: Also known as ‘never trust, always verify’, zero trust is an architecture designed to consider every request on the network to be a threat and therefore requires the user to continually verify that they are who they say they are.
Are there any other current security options for an organisation to consider? If so, what are they and how do they work?
Staff awareness is a huge consideration. Two of the biggest threats organisations face are phishing and ransomware – both of which exploit human error. If employees receive phishing emails and are unable to spot that they are scams, the whole organisation is at risk. Similarly, internal error, privilege misuse and data loss are all the result of employees not understanding their information security obligations. These are issues that you can’t fix with technological solutions alone. Organisations must instead support their IT department by conducting regular staff awareness training.
The current security mantra seems to be ‘defend in depth’. How would you recommend implementing such a defence, and how important is it to involve all aspects of the ‘people, processes and technology’ trinity?
Defend in depth is a concept used in IT security where multiple layers of security controls are put in place throughout an IT system. The digital world – especially now in the new normal – has changed how we live, work and play. The digital world is constantly open to attack and, because there are so many potential attackers, we need to ensure we have the right security in place to prevent systems and networks being compromised. Unfortunately, there is no single method that can successfully protect against every single type of attack. This is where a defence in depth architecture comes into play. A layered security approach is key – organisations can never be fully protected by a single layer of security. Where one door may be closed, others will be left wide open, and hackers will find these vulnerabilities very quickly. Considerations should include applying proper security protocols at the network access level, including software such as proper anti-virus, data protection and integrity. A good firewall can assist with the above.
What final words of advice relating to the topic would you give to those organisations where IT might be necessary to ensure operations, but is not related to their core business?
Organisations need assistance in identifying where their IT security risks are and how they can be mitigated. Because cyberattacks can be so detrimental to a business, if their primary business is not IT, the outsourcing of IT security to an expert in this area might be the best answer.
CYBEREASON INNOVATION
THREE QUESTIONS TO ASK ABOUT RANSOMWARE PREPAREDNESS Ransomware operations, or RansomOps, have grown from a small subset of mostly nuisance attacks to a mature business model specialisation and an increasing pace of innovation and technical sophistication.
RansomOps involve highly targeted, complex attack sequences by sophisticated threat actors that are much more intricate and akin to the stealthy operations conducted by nation-state threat actors. RansomOps are typically ‘low and slow’ attacks that can take weeks to months to quietly spread through as much of the targeted network as possible before the ransomware payload is ever delivered. Several factors have contributed to the success of RansomOps, resulting in a significant surge in ransomware attacks with multimillion-dollar ransom demands. There is a distinct need for organisations to think strategically about their ransomware defences going into 2022, with three key questions organisations should ask their cybersecurity teams:
Can we detect ransomware attacks beyond the endpoint? The question here is one of visibility, context and correlations. The reality is that other approaches to threat detection and response are limited in their ability to defend against ransomware – take endpoint detection and response (EDR) solutions for example. EDR might provide greater visibility over endpoint devices than traditional anti-virus and anti-malware solutions, but it ignores the fact that many complex RansomOps attacks don’t necessarily start at the endpoint.
How quickly can we mount a response? Ransomware attacks require a swift response, which requires actionable context and correlations. Tools like SIEM (security information and event management) and SOAR (security orchestration, automation and response) were supposed to solve for this, but were never able to effectively deliver. SIEM solutions require a data lake structure and cloud analytics to centralise event information, but don’t provide the necessary context and correlations to allow for an autonomous response. Event correlation requires manual processes that create operational inefficiencies, takes up analysts’ time, and prevents security teams from launching a quick response. Organisations therefore need to automate their response capabilities so that they can react as quickly as possible, which SOAR tools have struggled to deliver on. In practice, analysts still need to manually intervene. Without the necessary correlations and context, SOAR cannot effectively coordinate a response across a diversified network and multiple security tools.
Did we stop the malicious operation or just an activity? Once a ransomware attack has been detected and an initial response determined, analysts need to understand if they are actually disrupting the larger RansomOp or just one aspect of the attack. Blocking ransomware on an endpoint does not address issues like compromised credentials, persistence on the network, and does not guarantee the attackers are not also living off the land or committing in-memory attacks. That’s where extended detection and response (XDR) solutions can be a game changer for defenders. An AI-driven XDR solution can quickly assimilate and correlate telemetry from across multiple network assets to reveal the entire attack sequence. An AI-driven XDR solution detecting based on indicators of behaviour can enable defenders to quickly identify and end all associated malicious activity, even when that activity consists of otherwise benign behaviours one would expect to see on the network.
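The passage above makes the point that ransomware is best caught on behaviour rather than on a file signature, because each individual action (a file write, a rename) is something you would expect to see on any network. The block below is an added example, not Cybereason's code, of what such a behavioural indicator looks like when written down: it groups file-system telemetry per process and raises an alert only when one process touches many distinct files, across many directories, with a changed extension, inside a short window. The hostnames, process names, paths and thresholds are constructed for the demonstration, and a real deployment would tune them against its own baseline.

```python
"""Added example (not Cybereason's code): a behaviour-based detector
over per-process file-system telemetry. Hosts, process names, paths
and thresholds are constructed for the demo."""
from collections import deque
import os


def ext_changed(event):
    """True for a rename that swaps the extension (report.xlsx -> report.xlsx.locked).
    One such rename is benign; dozens per minute from one process are not."""
    if event["action"] != "rename" or not event.get("new_path"):
        return False
    return os.path.splitext(event["path"])[1] != os.path.splitext(event["new_path"])[1]


def detect_mass_rewrite(events, window=60.0, min_files=20, min_dirs=5, min_ext_ratio=0.5):
    """Return one alert per (host, pid, image) whose activity inside any
    `window`-second span touches >= min_files distinct files spread over
    >= min_dirs directories, with >= min_ext_ratio of them changing extension."""
    by_proc = {}
    for e in events:
        by_proc.setdefault((e["host"], e["pid"], e["image"]), []).append(e)
    alerts = []
    for (host, pid, image), evs in by_proc.items():
        evs.sort(key=lambda e: e["ts"])
        win = deque()  # sliding window of this process's recent events
        for e in evs:
            win.append(e)
            while e["ts"] - win[0]["ts"] > window:
                win.popleft()
            files = {x["path"] for x in win}
            if len(files) < min_files:
                continue
            dirs = {os.path.dirname(x["path"]) for x in win}
            ext_changes = len({x["path"] for x in win if ext_changed(x)})
            if len(dirs) >= min_dirs and ext_changes / len(files) >= min_ext_ratio:
                alerts.append({"host": host, "pid": pid, "image": image,
                               "files": len(files), "dirs": len(dirs),
                               "ext_changes": ext_changes,
                               "first_seen": win[0]["ts"], "alert_at": e["ts"]})
                break  # one alert per process, raised the first time thresholds are crossed
    return alerts


def constructed_events():
    """Constructed telemetry: two benign processes and one that behaves like a payload."""
    ev = []
    # Benign: a word processor saving the same three documents over and over.
    for i in range(30):
        ev.append({"ts": 1000 + i * 10, "host": "ws01", "pid": 412, "image": "winword.exe",
                   "action": "write", "path": f"C:/Users/alice/Documents/report{i % 3}.docx"})
    # Benign: a backup agent writing many files, but slowly and into one directory.
    for i in range(60):
        ev.append({"ts": 2000 + i * 5, "host": "ws01", "pid": 900, "image": "backup-agent.exe",
                   "action": "write", "path": f"D:/backup/set1/file{i}.bak"})
    # Suspicious: one process renaming files in eight directories, two per second.
    dirs = ["C:/Users/alice/Documents", "C:/Users/alice/Desktop", "C:/Users/alice/Pictures",
            "C:/Shares/finance", "C:/Shares/hr", "C:/Shares/legal",
            "C:/Users/alice/Downloads", "C:/Shares/sales"]
    for i in range(40):
        path = f"{dirs[i % len(dirs)]}/doc{i}.xlsx"
        ev.append({"ts": 3000 + i * 0.5, "host": "ws01", "pid": 5150, "image": "update.exe",
                   "action": "rename", "path": path, "new_path": path + ".locked"})
    return ev


if __name__ == "__main__":
    for alert in detect_mass_rewrite(constructed_events()):
        print(alert)
```

Note what the detector does not do: it says nothing about the credentials, persistence or lateral movement that the text lists as the rest of the operation. It is one indicator to be correlated with others, which is exactly the gap the passage describes between stopping an activity and stopping the operation.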
An operation-centric approach to defeating RansomOps
The combination of increased visibility across siloed network assets to produce context-rich correlations based on chained attacker behaviours is at the heart of an AI-driven XDR solution. This operation-centric approach also provides defenders the ability to predict, detect and respond to other types of cyberattacks across the entire enterprise network earlier and faster to protect endpoints, identities, cloud, application workspaces and more. And this is why Cybereason is the only security provider that remains undefeated in the fight against ransomware, protecting organisations from threats like the DarkSide Ransomware that shut down Colonial Pipeline, the REvil Ransomware that disrupted meatpacking giant JBS and IT services provider Kaseya, the LockBit Ransomware that struck Accenture, and every other known ransomware family. Cybereason is dedicated to teaming up with defenders to end ransomware attacks on the endpoint, across the enterprise, and everywhere the battle is taking place. Learn more about the Cybereason Predictive Ransomware Protection solution, browse our ransomware defence resources, or schedule a demo at https://www.cybereason.com/platform/ransomware-protection.
Brandon Rochat, sales director: Africa, Cybereason
SOCIAL ENGINEERING & RANSOMWARE
WHEN YOUR DATA IS HELD TO RANSOM Ransomware – the latest and nastiest way in which cybercriminals seek to steal from you – is sweeping the globe, hammering businesses both large and small. We speak to security firm Commvault to gain a clearer understanding.
Perhaps the biggest – and certainly the most talked about – form of cybercrime is ransomware, which has quickly become the most frightening form of attack faced by companies, as it has rapidly propagated across the globe. The success of ransomware has been accelerated by social engineering, itself exacerbated by people’s growing utilisation of social media platforms. Taking a realistic look at ransomware, one can admit it is probably the most prevalent and sophisticated type of cybercrime. By broad definition, it is when hackers are able to gain access either to a company’s data, network or systems, and then deny their use to legitimate business owners, through encryption. Essentially, they encrypt your data so you can’t use it, and then offer to give you the decryption keys in exchange for the payment of a ransom, explains Kate Mollett, senior director: Africa at Commvault.
“What makes it such a dangerous form of attack is that not only is it sophisticated, but if the data they encrypt is critical to your business, they can easily bring your operations to a temporary or permanent halt,” she says. “Remember too that not only does such an attack create downtime for the business, but if, through the process, sensitive information data or consumer information is exposed, then you may face hefty fines in line with the relevant legislation, like PoPIA.” Furthermore, she notes, an attack can lead to reputational damage – ransomware attacks, especially involving larger companies, tend to be headline-grabbing ones – which in turn creates a loss of confidence among consumers and shareholders. “Also, never forget that just because you pay the ransom, it doesn’t necessarily follow that they will unlock your data. Acquiescence is really no guarantee of recovery.” The way it works, she continues, is that the attackers use malware that is commonly introduced through phishing attacks, which are formulated via social engineering. This is usually via emails, texts or other ways of communicating that appear legitimate, and are designed to deceive you into believing you are dealing with a genuine entity like your bank or insurance provider. Once you have been fooled into clicking on the mail’s attachment, your system is infected.
Fighting back “The best way to fight ransomware is via user awareness and training. It is imperative to ensure your staff understand what these attacks look like, so they can spot them early. This type of training has to be ongoing too, to keep these concerns top of mind for employees. “People are undoubtedly the weakest link in your security chain – some 54% of ransomware attacks are successful simply because people don’t pay enough attention. Another key barrier in the fight is that if your company utilises VPN services, you should encourage staff to use these all the time, and try to avoid using public Wi-Fi, especially if they are working with sensitive data,” notes Mollett. Then, from an organisational perspective, she adds, it is vital to have good monitoring in place. Automated monitoring solutions are designed to search for various types of malware across numerous attack scenarios.
A business should also undertake frequent backups and have at least three copies of their data – this should be on two types of storage media, and then there should be a third that is stored off-site. This is the key to being able to recover quickly from a ransomware attack. “Another method these criminals often use to introduce malware onto corporate devices is through an infected USB drive. Once it is introduced to your device, the moment you connect to your corporate network, the ransomware can move laterally across the domains and becomes very difficult to stop. “Something else people should be aware of is the concept of ‘dwell time’, which talks to how long the malware is in your system before you identify it. Often these malicious codes are in your system for months prior to detection, stealing small tranches of data at a time.” As for social engineering, she adds, this requires constant education of employees, as this approach relies on deception and uses data freely available – or freely given – on social media platforms to create a knowledge base of the individual. They usually start by gathering seemingly innocuous data about you, with the aim of making you think a mail or message has come from someone you know. “Do you seriously think all these posts on Facebook that ask you if you can remember the name of your first dog or the colour and make of your first car are innocent games?” she asks. “People need to understand the level of sophistication the bad guys have, and their determination to steal critical data or earn a large ransom. In fact, in all likelihood, the cybercrime fraternity is larger than the legitimate security industry – meaning their workforce is not only larger, but the rewards tend to be better too. “Some of the other tactics used to get people to unintentionally click on malicious links include ‘baiting’, where they pretend to be affiliated to a relative from your hometown (because they have learned where you were born), indicating there is a small inheritance to be claimed, if you contact them. Another is scareware, which includes fake threats, supposed warnings from your ‘bank’, or suggestions that they have accessed intimate information about you.”
DOS AND DON’TS
• If you receive a strange email from a friend or colleague that doesn’t feel right, it’s probably not from them.
• If it’s an offer of help you didn’t request, you should reject it.
• If it’s an urgent request from your bank – especially because they constantly remind people they won’t send e-mails – or a mail from HR, when you have never received one before, be cautious.
• If it’s an unsolicited offer that seems too good to be true, it most likely is.
• Secure your devices with a top anti-virus solution and adopt a ‘zero trust’ stance.
• Treat anything even slightly suspicious as a threat, and ensure your employees are trained in security protocols on an ongoing basis.
• Ultimately, it is safer to be paranoid, even if this entails conducting ‘white phishing’ exercises to identify employees who are more prone to falling for the above – but only to train them further, not to punish them for making such mistakes.
Tangible impacts
She points out that the highest known ransom paid so far has been some US$3.2 million (R48 million), which gives an indication of the kind of purely financial impact this could have – demonstrating how one such attack could quite easily mean the end of your business. Remember too, she adds, that once in your system, they have access to information like your insurance policies related to data loss – so they know the exact price to position the ransom at. And for smaller businesses thinking they are unlikely to be targets, think again: some 43% of ransomware attacks globally target SMEs. So how can organisations defend against this? Engage with security experts to learn where the gaps in your security are and how to plug these, suggests Mollett, and know what data you have, where you store it, and why you are keeping it. “You could compare your business security posture to how you would secure your home – think of your data as your family, which are the crown jewels you want to protect. In your home, you may have security gates, alarms, an electric fence, large dogs and a security response company. “It should be similar with your business – secure your data and then build layers out from there to secure your different workloads, endpoint devices and so on, and then surround all of this with a perimeter defence. It’s about introducing a layered security posture that is rigid enough to guarantee the data is safe, but flexible enough to allow you to use your data as required. This balance is a fine one to strike, which is why, once again, you should be talking to the security experts, as they will enable you to obtain the greatest flexibility for your data, while keeping it as secure as possible,” she concludes.
BACKUP & DISASTER RECOVERY
STAVING OFF DISASTER: WHAT TO KNOW ABOUT BACKUP AND DISASTER RECOVERY
How to back up data strategically and affordably. By James Francis
“File not found” – a message that sends chills down all our spines. Not being able to access digital assets, especially in a business context, represents a big problem – and it is getting worse. Companies once only had to fear disasters such as broken hard drives or employee mistakes. Today, security concerns – particularly ransomware attacks (which encrypt your files and demand a ransom) – add more reasons to stay awake at night thinking about your company data. According to IBM’s Cost Of A Data Breach report, it can cost upwards of US$4 million (R60 million) to fix a security breach, much of which goes towards cleaning up the damage and recovering lost data. Yet many organisations still don't consider backup and disaster recovery as an investment, says Andrew Cruise, CEO of cloud infrastructure provider Routed. “Sadly, both disaster recovery and data loss prevention are seen as grudge purchases. Many organisations feel that the money spent does not drive top-line growth and reduces bottom-line profit. Unfortunately, when systems have been compromised, organisations realise how costly the full or partial loss of workloads and data is.” Failing to secure company data could become the most expensive mistake you can make from a risk management perspective – and the risks have never been higher in today’s connected hybrid workplaces. What should you know about backup and disaster recovery?
The tiers of business continuity
Backing up files was once seen as a primarily archival function, with some disaster recovery coverage. But it’s a more complicated picture today: companies rely on digital information to be competitive and create efficiencies, and they have to comply with data laws that require care and security. These concerns combine into a concept called business continuity. Business continuity (also called business resilience) determines how well an organisation can withstand or rebuff disruptions. Such disruptions can manifest at different levels in the company. From a data perspective, we can split this concern into two primary groups: data needed in day-to-day activities and data that lingers in the background. Disaster recovery (DR) focuses on the former: it backs up ‘hot’ data such as application workloads, system configurations and actively used files onto secondary environments. If something goes wrong, recovering such data and resuming operations should be relatively quick. Data loss prevention (DLP) focuses on securing primary data that isn't used as actively but mustn’t go missing. The significant difference is how quickly you’d need the data restored: right now (DR) or later (DLP). “There is a mindset shift that needs to take place where businesses ensure they are protected on all levels of their company data, be it production or secondary data,” explains Lourens Sanders, solution architect at data storage provider Infinidat. “Data protection, backup and recovery is therefore not an aspect of only ticking insurance boxes, but rather forms an integral part of a cyber-resilience strategy.”
Data in the cloud
Business continuity (BC) has two critical dimensions. First, it requires a robust strategy fitted to the business’s needs. Data is a living component of a business, and strategy must consider what data you have and how it is used. You cannot put everything in a DR backup – that would cost too much. Yet you can’t put everything in a DLP backup – it would take too long to recover time-sensitive information. Strategy is about striking that balance between cost and utility. Such a strategy also lays out how you’d recover from a disaster: what are your priorities? Knowing these processes can save a lot of time and money. For this reason, the second dimension is to create and test recovery plans. Doing so can be complicated, which is why many companies skip testing. Collaborating with a business continuity service provider can significantly reduce the complexity of developing and testing BC strategies. “Data protection – backup and recovery – needs to be prioritised the same way that primary production data is treated. It needs to provide company-wide peace of mind that if a disaster hits, that protected data can be used not only to recover from the disaster, but also for verification before recovery,” says Sanders. The cloud is a major advantage for companies wanting proper data resilience. Backup specialists subscribe to the 3-2-1 rule: one primary and two backups (3); save backups on two different types of media (2); and keep one backup off-site (1). Applying this approach is much more expensive if you rely purely on your own backup systems. Cloud services provide additional choice and cost management avenues, and enable smaller businesses to access high-grade storage products. “Traditionally, each business has implemented disaster recovery in isolation, and building and maintaining secondary environments can be very costly,” says Cruise. “Multi-tenancy (sharing a large infrastructure stack securely between multiple businesses) offered by the cloud presents organisations with a 'slice' of this kind of enterprise environment, opening the door to smaller organisations to use enterprise-grade DR solutions. Combined with the usage principle of the cloud (pay for what you use), the DR ‘insurance policy’ becomes more cost-effective and accessible to virtually any organisation,” he concludes.
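The 3-2-1 rule quoted above, together with the earlier point that many companies never test their recovery plans, is simple enough to check mechanically against a backup inventory. What follows is an added example, not code from the article or from Routed or Infinidat: it evaluates each dataset for three copies, two media types and one off-site copy, and also flags backup copies that have not had a successful test restore recently. The inventory, site names and media types are constructed for the demonstration, and the 90-day test-restore policy is an assumed value rather than a figure from the article.

```python
"""Added example (not from the article, Routed or Infinidat): check a
backup inventory against the 3-2-1 rule and a restore-test policy.
Datasets, sites, media types and the 90-day policy are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Copy:
    dataset: str
    site: str                                    # where this copy lives
    media: str                                   # "ssd", "disk", "tape", "object", ...
    offsite: bool                                # held outside the primary site
    primary: bool = False                        # the live production copy
    last_restore_test_days: Optional[int] = None  # days since a successful test restore


def check_321(copies: List[Copy], max_test_age_days: int = 90) -> Dict[str, dict]:
    """Per dataset: copy/media/off-site counts, a list of gaps, and ok == no gaps.
    The primary counts as one of the three copies, as the 3-2-1 rule states."""
    by_dataset: Dict[str, List[Copy]] = {}
    for c in copies:
        by_dataset.setdefault(c.dataset, []).append(c)
    report: Dict[str, dict] = {}
    for name, cs in by_dataset.items():
        gaps = []
        if len(cs) < 3:
            gaps.append(f"only {len(cs)} copies (need 3)")
        media = {c.media for c in cs}
        if len(media) < 2:
            gaps.append("all copies on one media type (need 2)")
        if not any(c.offsite for c in cs):
            gaps.append("no off-site copy")
        # A backup nobody has restored from is an untested assumption, not a backup.
        stale = [c for c in cs if not c.primary
                 and (c.last_restore_test_days is None
                      or c.last_restore_test_days > max_test_age_days)]
        if stale:
            gaps.append(f"{len(stale)} backup copies without a restore test "
                        f"in {max_test_age_days} days")
        report[name] = {"copies": len(cs), "media": sorted(media),
                        "offsite": sum(c.offsite for c in cs),
                        "gaps": gaps, "ok": not gaps}
    return report


# Constructed inventory: one compliant dataset, one that fails 3-2-1 outright,
# and one that meets 3-2-1 but has an untested cloud copy.
CONSTRUCTED_INVENTORY = [
    Copy("finance-db", "dc1", "ssd", offsite=False, primary=True),
    Copy("finance-db", "dc1", "disk", offsite=False, last_restore_test_days=20),
    Copy("finance-db", "cloud-eu", "object", offsite=True, last_restore_test_days=20),
    Copy("file-share", "dc1", "disk", offsite=False, primary=True),
    Copy("file-share", "dc1", "disk", offsite=False, last_restore_test_days=10),
    Copy("mail-archive", "dc1", "disk", offsite=False, primary=True),
    Copy("mail-archive", "tape-vault", "tape", offsite=True, last_restore_test_days=30),
    Copy("mail-archive", "cloud-eu", "object", offsite=True),
]


if __name__ == "__main__":
    for dataset, result in check_321(CONSTRUCTED_INVENTORY).items():
        status = "OK " if result["ok"] else "GAP"
        print(f"{status} {dataset}: {result['copies']} copies, media {result['media']}, "
              f"{result['offsite']} off-site; {'; '.join(result['gaps']) or 'none'}")
```

The same structure extends naturally to the DR-versus-DLP split the article draws: a `tier` field per dataset with a tighter `max_test_age_days` for the hot tier is a two-line change, and the report then doubles as the priority list the text says a recovery plan should state.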
IMPORTANCE OF SECURITY TRAINING
TRAINING IS THE BEST DEFENCE
While technology is critical in the fight against cybercrime, and processes are vital to maintaining the rules of engagement, it is your people that matter most – they require regular, ongoing training in security matters.
Avoiding security challenges within an organisation obviously requires utilising strong defensive technologies, but it equally requires employees to undergo training, training and more training, suggests Gabriel Le Roux, specialist account manager at ESET Southern Africa, an anti-malware and security solutions company. “Online security is similar in principle to driving a car. When seatbelts were first made law, people had to adjust their behaviours to suit this new safety mechanism. In much the same way, people need to be convinced to change their behaviours to suit the demands of a digital world – despite this, however, many people in a business environment are given PCs to enable their work, but are not given any training around how to deal with security in an IT environment,” he explains. “There are three angles to an effective security posture: first, there is physical security, such as gates and cameras, then there is the software level, which is where the heavy lifting happens, as companies seek to keep up with evolving security challenges. The final leg is the ‘people factor’, which may be the most crucial, as they are the easiest attack vector.” Remember, he continues, that one well-thought-out email that dupes one individual in a business into clicking on a malicious link could provide access to your corporate data. A well-done email to a network administrator could conceivably lead to millions of rand in losses. With this in mind, it is imperative that all employees are able to recognise potentially malicious communications. “Personally, I think such education should begin at school level – this is the digital era, after all – as this will not only protect children from a personal safety perspective, but will also inculcate a kind of security approach that will serve them well from a future business point of view,” states Le Roux. “If you think about it, we teach life orientation, and since IT is a key part of life today, so IT security should be taught. Similar to how we teach youngsters to look both ways before crossing the street, so they need to practise the same caution when it comes to this new ‘e-street’ we are all travelling on.” While this is not yet a part of school curricula, it is clear that business owners should understand the importance of having employees with a clear understanding of security, and should make basic security training a part of the culture from the moment they are initiated into the organisation, he suggests.
Everybody must train “You should be implementing programmes designed to ingrain security in your corporate culture, as it is ultimately something everybody needs to learn – from the lowliest employee to the most senior member of the board.” There are a number of areas that should form part of the training, notes Le Roux, including the types of hacking (some 43% of attacks still come via phishing attacks), as well as the dangers of removable media, which may be infected with malware. Another key focus should be on passwords and authentication, which includes driving an understanding of why it is critical to regularly change your passwords, as well as instilling simple caution, such as not typing in passwords or viewing sensitive information if someone is standing behind you. “If you are working remotely, then you need an understanding of mobile device security and cloud security, so you can understand how it affects a network. It is vital to have knowledge of what social engineering is and how it occurs and, of course, if you are working from home, you need to ensure your security there is adequate to protect your office network from intrusion. “An organisation that covers all of the above will find itself in a good space, and achieving this doesn’t necessarily require the most expensive courses. No one needs a security degree to be good at this – it really is mostly simple and basic dayto-day logic.”
Inculcate good security habits
Le Roux stresses that training employees around social engineering is absolutely critical, as it helps them develop awareness of how people are the weakest link, and assists them to understand how not to be that link, how to spot the con, and thus how to become more secure. “The simple reality is that the more people there are who understand how the bad guys mine data and leverage it to convince you to do something stupid, the less often people will fall into such traps. While policies are vital in controlling your security posture, the secret to success lies in inculcating good security habits instead,” he states. “Of course, you also need to regularly test that these habits have ‘stuck’, which means possibly bringing in what they sometimes call a ‘white hat hacker’. This is an expert who uses the same nefarious means the bad guys do to run simulated phishing attacks or password enumeration tests – where they try to hack company passwords using common hacking methods, including social engineering – to see how many passwords they can crack. What is amazing is how many times it has been senior, C-level executives that get caught out – which is a little ironic, as they are the ones paying for the course.” Other methods used by these experts include dropping an infected USB on a desk, to see if the employee will use it without question, or the basic walk around the office to see what can be viewed over people’s shoulders. “The key to leveraging this expertise to drive home the security message is to ensure it is treated as a learning exercise, rather than an ‘I told you so’ moment that involves punishment. Rather offer incentives for those who don’t get duped, as a rewards-based approach is much better than ‘naming and shaming’. You want to encourage your people to have the security conversation in an open and transparent manner, after all,” Le Roux notes. Even the smallest of businesses, he continues, can undertake such courses, as there are many free cybersecurity training programmes that are thus suitable for an SME of limited means, which will undoubtedly help to foster a much higher level of awareness. “I feel that future-proofing your business against security threats is not only about having the latest technologies, but also about ensuring employees understand why they must never keep the same password for years; why their Facebook settings should always be on private; why applications must be kept up to date and so on.” He concludes, “Of course, if you are making systematic changes to your business operations, such as with the current drive towards digital transformation, then you may be creating new attack vectors. Therefore, it is imperative to ensure training around this is added to the schedule, while you are consistently having employees brush up on all the old security faithfuls as well.”
FUTURE-PROOF YOUR BUSINESS
The future of cybersecurity
Cybercrime is a fast-evolving challenge, so the best-prepared companies know what lies ahead, to the best of their ability, and plan how to combat it early.
It is clear that cybercrime has evolved massively from its early days of individual hackers creating mischief with self-developed worms and viruses. Today, there are organised syndicates of criminals actively working to break into companies and steal their critical intellectual property, customer databases and financial records. In fact, entire countries are known to participate in forms of cyberwarfare – again, usually by targeting key businesses or utilities in the ‘enemy’ nation. By recognising the rapid and continuing evolution of cybersecurity, we are more easily able to understand how we can best position our businesses to remain protected, regardless of the speed at which the criminals are evolving their approaches and techniques, suggests Ritesh Guttoo, Cybersecurity Lead for Africa, India and Middle East at EY. “Cybersecurity is only going to become more important as we move forward. It is quite obvious that the threat landscape
is evolving rapidly – driven by the huge upheavals in the way we’ve been working over the past two years – which has opened up new attack surfaces and vectors for the bad guys to exploit. Remember that, in business, we traditionally utilised what could be called a ‘closed environment’, in that your systems were within a network that was protected by a firewall to prevent intrusions, as well as internal controls like anti-virus, which ensured that files were scanned and malware was avoided,” says Guttoo.
Changing environment
“However, this environment has changed dramatically, because of the shift to remote working, the increasing use of the cloud and the increase in automation tools being implemented by businesses. Thus, the system is no longer a closed one. There are many companies adopting the cloud, both for collaboration purposes and for the cost and efficiency benefits. While the core systems may still be hosted at the office, unstructured information like Word documents, emails and so on are stored in the cloud.” The challenge here, he notes, is that the criminals are targeting users directly, as they are aware that if they can gain access
to that individual’s workstation, it will be much easier to access the company’s private network. So recent months have seen a surge in email threats and social engineering attempts, in order to convince the home user – where security is likely to be less sophisticated – to unknowingly introduce malware into their system. “We have witnessed a significant increase in threats targeting the end user, and this is simply down to the global switch to the work-from-home environment. The other thing we have noticed is an increase in the targeting of cloud service providers, simply because of how much valuable information is held in the cloud. And it is for this reason that it is imperative businesses today fully understand the security practices of their third-party providers – be they providers of the cloud, an application or third-party software accessed through the cloud,” Guttoo adds. “If you wish to future-proof your business, it becomes more difficult. Remember that the cybercriminals are investing massive resources in their attacks, including malware driven by artificial intelligence (AI), which enables it – should it be blocked by a security program – to automatically change its signature, pattern or file name before trying again. And it may keep doing
this until it finds one that your security system allows through. These are known as advanced persistent threats (APTs) and, even when deleted, may remain in your computer’s random-access memory (RAM), and thus be able to attempt to reinstall themselves later.” Guttoo offers some advice on how to deal with such threats: change your company’s servers every few years, because – as he points out – “you simply don’t know what’s on there by that stage”. Moreover, he indicates that, with APTs, you simply cannot rely only on traditional security controls, despite this being exactly what many SMEs do. “If you are relying on such controls, you have probably already been breached and are unaware of the fact. If you undertake a thorough investigation, you will likely find numerous hidden malware files, which are usually introduced into the system via phishing e-mails, unknown USB devices, or visits to ‘bad’ websites. Realistically speaking, anti-virus programs and firewalls are never 100% effective at detecting APT malware. So, there is definitely a need to evolve in order to protect your systems against these kinds of threats.” He advises you start by relooking at your security controls. Large enterprises usually implement a security operations centre (SOC), which includes a full-time security team that considers everything in the environment on a 24/7 basis. If there is anything that differs from the security baseline, they investigate in order to detect such threats. However, this is a costly approach, so it also has its limitations.
Leveraging technology
Something that offers great potential is data science platforms, which can be used to identify what is normal (the baseline); if something does not match, the platform triggers an alert to warn the security team. These platforms utilise AI-driven algorithms to detect anomalies. “The problem with a data science platform is that the data has to come from the business security logs, and a lot of organisations out there don’t have proper security logs. Therefore, the first order of business if you want to leverage such a platform is to ensure that the logs related to all electronic devices connecting to your network are properly kept. This is a much more cost-effective approach than implementing an SOC.” He adds that as such platforms become the norm, they will also become more affordable for smaller businesses. He notes that an analysis of forecasted threats and attacks for the year ahead indicates that the top threats are likely to remain the same as in the past, but now usually with an altered attack vector or a new electronic signature making it harder to identify. “On the other hand, looking a little further ahead, I suspect the next big challenge is going to arise with industrial control systems and smart devices – what is basically the internet of things (IoT). Here, we have devices that never used to be ‘smart’, such as printers, CCTV cameras or even coffee machines connecting to the network, but these devices seldom have sufficient security controls to protect your network, thus providing a back door for the bad guys.
“Then ransomware is also becoming much more advanced, as well as becoming increasingly accessible to virtually any potential cybercriminal – today, much as a business may purchase software as a service, so the criminals using the dark web can now buy ransomware as a service!” Guttoo notes that when defending against IoT-focused attacks, the first thing you need is to be able to understand the data coming out of these machines. To this end, he says, you need to foster strong relations with your technology vendors, so you can ensure you have the solutions that can clearly understand the data from these systems. Then, when dealing with ransomware, you should adopt a back-to-basics approach – sometimes called the 3-2-1 rule – which involves your primary data and two backups thereof, saved on two different types of media, and one of the backups should be kept off site. “The other critical aspect to understand about the future of cybersecurity is that prevention is no longer enough. It is equally crucial to carefully plan your response to an intrusion or attack: you will need strong incident response plans, and these need to be tested regularly to ensure they work – the last thing you want is to put a plan into action the first time you are hit, only to find out it doesn’t work the way it should. “Ultimately, the best way to future-proof your business and be prepared for a future with an increasing number and variety of threats is to ensure that security is always at the centre of your business planning,” Guttoo concludes.
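The baseline-then-alert approach Guttoo describes under “Leveraging technology”, and his point that it only works if every device's logs are actually collected, as an added Python example that is not from the guide or from any vendor's platform: it learns a per-device baseline from a constructed log export, flags values that sit far outside it, and separately reports a device that has no baseline at all because it was never logged. The “date,host,metric,value” line format, the host names and all the values are constructed for this example.

```python
# Added example, not from the guide or any vendor product: a minimal
# "baseline, then alert on deviation" detector over per-device daily metrics.
# The "date,host,metric,value" format and every value here are constructed.
from collections import defaultdict
from statistics import mean, pstdev

# Constructed history (the "normal" period used to learn the baseline).
HISTORY_LOGS = """\
2022-03-01,ws-finance-01,outbound_mb,120
2022-03-02,ws-finance-01,outbound_mb,135
2022-03-03,ws-finance-01,outbound_mb,110
2022-03-04,ws-finance-01,outbound_mb,128
2022-03-05,ws-finance-01,outbound_mb,117
2022-03-01,ws-finance-01,failed_logins,1
2022-03-02,ws-finance-01,failed_logins,0
2022-03-03,ws-finance-01,failed_logins,2
2022-03-04,ws-finance-01,failed_logins,1
2022-03-05,ws-finance-01,failed_logins,1
2022-03-01,printer-2f,outbound_mb,3
2022-03-02,printer-2f,outbound_mb,4
2022-03-03,printer-2f,outbound_mb,3
2022-03-04,printer-2f,outbound_mb,5
2022-03-05,printer-2f,outbound_mb,4
"""

# Constructed day under review: the workstation's traffic is normal but it
# sees a burst of failed logins, the printer suddenly sends far more data,
# and a CCTV camera appears whose logs were never collected before.
TODAY_LOGS = """\
2022-03-06,ws-finance-01,outbound_mb,131
2022-03-06,ws-finance-01,failed_logins,40
2022-03-06,printer-2f,outbound_mb,900
2022-03-06,cctv-lobby,outbound_mb,250
"""


def parse(text):
    """Yield (date, host, metric, value) tuples from the CSV-style export."""
    for line in text.splitlines():
        if line.strip():
            date, host, metric, value = line.split(",")
            yield date, host, metric, float(value)


def build_baseline(history_text):
    """Per (host, metric): (mean, population std dev) over the history."""
    series = defaultdict(list)
    for _, host, metric, value in parse(history_text):
        series[(host, metric)].append(value)
    return {key: (mean(vals), pstdev(vals)) for key, vals in series.items()}


def score_day(baseline, day_text, z_threshold=3.0, min_sigma=1.0):
    """Return alerts: 'anomaly' where a value sits z_threshold or more
    standard deviations from its baseline, and 'no_baseline' for devices
    that were never logged (the gap Guttoo warns about)."""
    alerts = []
    for _, host, metric, value in parse(day_text):
        key = (host, metric)
        if key not in baseline:
            alerts.append({"host": host, "metric": metric,
                           "reason": "no_baseline", "value": value})
            continue
        mu, sigma = baseline[key]
        # Floor sigma so a nearly flat history does not turn every small
        # change into an alert (and never divides by zero).
        z = (value - mu) / max(sigma, min_sigma)
        if abs(z) >= z_threshold:
            alerts.append({"host": host, "metric": metric,
                           "reason": "anomaly", "value": value, "z": round(z, 1)})
    return alerts


if __name__ == "__main__":
    for alert in score_day(build_baseline(HISTORY_LOGS), TODAY_LOGS):
        print(alert)
```

The workstation's outbound traffic stays within its baseline and raises nothing, while the two deviations and the never-logged camera each produce an alert.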
WORKING REMOTELY
CYBERSECURITY IN A REMOTE WORKING WORLD
When the world became aware of the Covid-19 pandemic and the global lockdowns began, the shift to remote working happened virtually overnight. This obviously created a whole host of new security challenges that had to be overcome.
The difference between February of 2020 – when most business users sat behind a corporate firewall all the time, with very few remote users operating – and March, when the largest majority of users were suddenly working from home, was enormous. According to Ralph Berndt, director: Sales and Marketing at Syrex, a provider of remote solutions, this opened a whole new angle of attack for cybercriminals. He notes that from the outset, slews of bot emails were sent out with the aim of compromising users whose home environments were far less secure than their corporate one. “People were bombarded with spoof mails designed to compromise their
security, many playing on the fears of the then unknown virus and the thirst for information about the global crisis,” he explains. “The criminals knew most users were in a position where they were unlikely to be able to afford to run their own virtual private network (VPN), so they conducted massive email campaigns trying to compromise users in order to gain access to their corporate networks.” Ultimately, says Berndt, it came down to how prepared organisations were for remote work. Moreover, while the mass move to remote work demonstrated the importance of tackling SA’s connectivity issues, it also showed how vital it was to be able to securely access critical systems that were still on-premises. This led to a knee-jerk reaction from many companies to obtain more VPN licences, in order to be able to authenticate large numbers of users.
A new dynamic
“The rise of collaboration software also created a whole new dynamic in terms of how business was done, but while the ability to collaborate with and share information among employees was wonderful, the pandemic also forced the development of such tools at a rapid pace. Years were shaved off the adoption timetable, and although a straightforward Teams or Zoom call was less of a security challenge, anything involving the sharing
of documents, screens or data was a target for the bad guys.” “One thing we definitively noticed was a rise in website honeycombing, which is when duplicate websites that look similar to the real one are created to fool people into going to these compromised sites.” Another security challenge he highlights was the rise in manipulated invoices and bank information. He explains that an increasing number of invoices were illegally manipulated to convince finance departments to release payments they were not supposed to. This, he adds,
KEY FINDINGS FROM CITRIX’S THE STATE OF SECURITY IN A HYBRID WORLD REPORT 2021
• Over half of global businesses have reimagined their businesses
• Work from anywhere is here to stay
• Technology response has been swift
• Security and the employee experience can’t be separated
• New protocols enhanced employee experience and increased productivity
• Knowledge workers embrace the notion of security as shared responsibility
The top three challenges to hybrid/anywhere working, according to end users:
1. poor connectivity (43%);
2. having to solve technical problems virtually (34%);
3. the inability to get IT support quickly/easily (32%).
– Citrix’s The State of Security in a Hybrid World report 2021
occurred either through manipulation by an employee, or an external party that had compromised enough machines within the business to understand where and how to make such changes on an invoice. “The key to reducing the cybercrime prevalent in the early months of lockdown was the implementation of multifactor authentication (MFA). The requirement for two or more methods of authentication reduced the reliance on easily compromised passwords. “Other areas of security that were comprehensively boosted during this period included the hardening of endpoint protection, strengthening of firewalls, and improved security around applications that may otherwise have exposed users further. However, the real key lay in identifying the user from the beginning.” This, he continues, was a game changer, as it made it easy to securely identify the user and ensure they are who they say they are, through the use of additional security measures like fingerprints or one-time PIN (OTP). “With the implementation of MFA, a balance had to be found between strong security and enabling workers to perform optimally, without getting bogged down in endless security processes,” states Berndt.
A partner is the answer
Asked what advice he would give organisations seeking to improve their security at present, he says that the simple answer is to work with a partner that is a security specialist. “Remember that the speed with which the criminals are adapting to technology development, the increasingly ingenious methods they use, and the rapid pace at which security technologies themselves are
evolving mean it is nearly impossible for organisations to remain secure without an experienced partner. “It’s also human nature that as people become more familiar with a particular technology, they also become more complacent about the security surrounding it. On the other hand, this would be a security partner’s bread and butter, so their focus on the challenge should remain resolute.” Pointing out that the required security tools are not necessarily expensive, he adds that bringing in the right partner – a trusted advisor, as he calls it – means they will not only be able to roll these out effectively for your business, but also assist with comprehensive end-to-end security management. They should also provide economies of scale to the client, which will reduce the cost. “Today, you simply cannot do it all yourself. If you try to do so in order to cut costs, you may achieve this in the short term, but the long-term damage inflicted by an attack will prove to be far worse. Moreover, if you are an SME, you don’t want to be distracted from your core business by issues around IT and security, when all you require is simplicity and ease of use. “The other thing to consider is how rapidly and fundamentally the world has changed recently. The rise of collaboration software has created a whole new work paradigm, boosted productivity and significantly reduced costs. The rapid changes to both technology and work method have opened up new attack paradigms and vectors, so working with a security expert is more critical than ever.”
Lessons to be learned
One of the key lessons learned by organisations during this time, he says, relates to how businesses can better manage their internal systems and information, while controlling which remote workers are granted access to particular parts of the business. Another lesson has been around how to simplify endpoint access – vital when so many staff members work from home – while at the same time hardening these points from a security point of view. “Looking at the longer-term impacts, I think businesses will find they are ultimately better prepared for the more technically and digitally enhanced world that has arrived. At the same time, they have learned that remote working does not make employees less likely to complete their work – in fact, it has led to an increase in outcomes-focused results. “With all the tools we now have to enable this, I highly doubt we will again see a situation where every employee works from the office. From a technology point of view, workforce management tools will become increasingly important.” From a security perspective, he continues, organisations have mostly adapted their systems to suit the new normal. Although the plethora of tools that now exist to facilitate remote working open new attack vectors, companies are also adapting. “I believe the next key security discussion to be had will be around the issue of zero trust, which is the next logical security step after MFA. After all, it remains imperative that companies continue to evolve their security posture because, as the pandemic has proven, cybercriminals are constantly adapting their attack methods,” concludes Berndt.
The top three information security protocols companies have prioritised to better secure remote and hybrid workforces are multifactor authentication, additional employee education, and cloud/SaaS use visibility/control/security (all 28%). – The State of Security in a Hybrid World
WORKING FROM HOME
Setting up and maintaining a secure home IT infrastructure
The dos and don’ts of setting up a secure home IT infrastructure. Itumeleng Mogaki speaks to Shaun Gordon, chief security officer, Duxbury Networking.
Before the pandemic, only a fraction of the workforce was working from home, and usually only occasionally. With remote working being the new normal, an increasing number of people have had to set up secure home infrastructures to operate from. According to Gartner, some 54% of HR leaders in a snap poll indicated that poor technology and/or infrastructure for remote working is the biggest barrier to effective remote working. The requirements of setting up remote-work IT infrastructure with end-user computing and dispelling cyberthreats can be a daunting task for the average (non-technical) home user. The first thing you need is a stable internet connection with a decent quality router and an effective firewall at the office, within which to run a virtual private network (VPN) in full tunnel mode. That is, of course, in an ideal world. With that said and depending on your budget, there are many affordable firewalls such as the Sophos XG87/107, which are ideal for a much smaller environment. Sophos also offers a free home XG firewall, but it does require one to have a spare computer to convert into a firewall. It’s important to mention that, prior to finalising working-from-home conditions, your company should have made sure that there is an acceptable use policy (AUP), which all employees working at home must sign. This should clearly outline the acceptable use of company
equipment, such as laptops, desktops and other mobile devices. Next, you will need a decent anti-virus or anti-malware solution. There are several free options out there but – as the old saying goes – you get what you pay for. Therefore, it is important to note that one of the dangers of working remotely via VPN is that whatever affects the home user’s computer has the potential to infiltrate the company’s network. In other words, a decent anti-virus/anti-malware solution should be non-negotiable at this point. The protection of intellectual property against cyberthreats is highly dependent on your company’s budget, user awareness training and implementation. For example, Duxbury Networking’s own work-from-home information protection policy includes installing dual Sophos XG310s running in a cluster, so should one fail, the other immediately takes over, with various local area network (LAN) to wide area network (WAN) policies designed to limit access to questionable websites. All internal computers are connected remotely and run the Sophos Intercept X anti-malware. That is to ensure all company equipment is encrypted, safe from malware, and is able to connect to company resources, regardless of geographic location.
Threats closer to home
The biggest threat any information security (infosec) engineer needs to look out for is not some mysterious hacker sitting in a basement somewhere, but is much closer to home in the form of the end-user. Many companies unfortunately do not allocate sufficient resources to end-user awareness training, which makes every employee within a company a potential attack vector. Employees who are not trained for what to look out for can very easily become victims of phishing attempts, social engineering and various other ploys
designed to compromise their computers. And, should they be compromised, the company’s network integrity as a whole may be too. Even if you have the most advanced security system in place, humans unfortunately tend to be easily fooled. It is like having a house that has burglar bars, dogs, IP cameras, electric fencing, armed response, a moat, etc. but then a child that has never been taught the concept of ‘stranger danger’ simply opens the door for a would-be burglar. End-user awareness training is key because potential hackers know that they are the easiest to bypass.
In- or outsourcing?
So, should you install your own security IT infrastructure or hire managed services? For anyone willing to learn and try to figure out something themselves, the former is always a good thing – but only if you are confident that you know what you are doing. With that said, in the realm of infosec, engineers and architects are trained to think as hackers and would, in fact, carry the Certified Ethical Hacker (CEH) certification. They will always know to look for each vector that could potentially bring the whole house of cards down. A DIY approach from an untrained professional would pose a similar risk to your data as would a plumber trying to perform open heart surgery. One just wouldn’t know what to look for, and anything overlooked can spell disaster. Shaun Gordon is the chief security officer of Duxbury Networking and the head security architect for Johannesburg and Durban. He has over a decade of experience in cybersecurity, risk mitigation and technical training.
Universe 2022 Solve your digital dilemma. Universe 2022 is for those journeying into the unfamiliar to solve a digital dilemma – how to balance today’s needs with tomorrow’s opportunities. Join us as we show you how to achieve the outcomes needed to run and transform at the same time and boost your transformation journey without ever leaving your home or office.
Register at: www.microfocus.com/en-us/events
EMEA: March 22-23, 2022
Americas: March 22-23, 2022
APJ: April 5-7, 2022
EXCITED ABOUT SECURITY
012 941 2032 www.obscuretech.net Obscure Technologies is inspired by blazing new trails in our niche; by forging new paths in the Cybersecurity industry. We’re driven by creativity, courage and spirit, and to develop technology brands alongside our partners and clients. It’s about serving as a valued channel for our vendors and customers, promoting and distributing Information Security products, and demystifying murky concepts and technologies.
OUR PRODUCT STACK