With no security system impenetrable and the definitions of ‘good guys’ and ‘bad guys’ blurred, IT security professionals face a daunting task in securing data, delegates were told at the 9th annual ITWeb Security Summit in Sandton.

The two-day event attracted around 800 local and international information professionals for in-depth talks on the biggest IT risks facing the world today.

Noting that the past 12 months had seen some of the most significant events the information sector has ever witnessed, SensePost MD Charl van der Walt highlighted the recent Target breach, in which 70 million client accounts were compromised, even though the company’s infrastructure was PCI compliant. “This is a complex and slightly terrifying new environment. Let’s stop kidding ourselves, we can’t stop all attacks,” he said. “Let’s focus on those we can stop and those posing the greatest risk to our specific organisations.”

<a href=<a href=

Jacob Appelbaum" src="http://www.iweek.co.za/images/stories/2010/June14/Jacob_Appelbaum.jpg" />Keynote speakers Jacob Appelbaum, an independent international hacker and researcher, and , principal technologist and senior policy analyst with the Speech, Privacy and Technology Project at the American Civil Liberties Union, focused on state surveillance and civil liberties in their opening talks. They noted that state surveillance was not just a privacy issue – it also presented a threat to the national of countries, as well as to entire businesses that are built on a promise that the data they manage will be kept secure.

Christopher SoghoianChristopher Soghoian

Speakers noted that if data can be accessed by state agencies, it can also be accessed by anyone and used for any purpose.

Appelbaum said: “Where Internet protocols are intentionally weakened because it is useful for one party, we forget that this is useful for other parties too. This whole ‘black hat/white hat’ thing is just too simplistic.”

Soghoian said: “What does it mean for an industry like yours, when you are promising to keep data safe or ‘bad guys’ out, when you can be given coercive orders to give governments access to this data?”

They also pointed out that hardware and software bought from nations with a vested interest in surveillance could easily have surveillance tools built-in. Free and open source software and free and open hardware could present a solution to that exposure, they said.

, founder of Thinkst, echoed this sentiment at a media briefing on the sidelines of the conference; he said South Africa is largely a technology consumer, and needs to develop a home-grown technology sector to avoid the risk of this kind of vulnerability.

Effective cryptography can also reduce the risk of monitoring and exposure, speakers said. However, they noted this could only be truly effective when applied across all communications tools – including landline and cellphone communications.

Not all doom and gloom in infosec world

<a href=<a href=

Charlie Miller" src="http://www.iweek.co.za/images/stories/2010/June14/Charlie_Miller.jpg" />While at first glance the information situation may look dire, some things are getting better, says Charlie Miller, engineer at Twitter.

Miller conceded there were many reasons to be concerned about the state of IT : “In the seven years I have been actively involved in speaking about IT , little has changed. You’d think we would have solved the problems we were talking about seven years ago, but we haven’t,” he said.

“We’re still finding bugs that are 20 years old, enterprises that do everything right are still vulnerable, and the products we use are still insecure,” Miller said.

He pointed out that in an environment where virtually everything could be hacked, there was little incentive for vendors to invest too heavily in the of their products. “Back in 2010, I released a super-cool exploit – the iPhone SMS bug. In its day, it was the world’s coolest exploit. It made headlines. But did it harm Apple? No – in fact Apple’s stock went up that week. Companies don’t feel any pain when their products are shown to be insecure, so why should they work to address this?”

Fighting the information battle means understanding you cannot make an enterprise 100% secure, Miller said. “So the goal has to be to drive up the cost and pain of an exploit. But if attackers have money, they will get in, and governments will always be able to outspend you. On the other hand, governments aren’t likely to be stealing credit card information. You need to target your defence against the real threats,” he said.

Miller said reasons for optimism included the fact that it was becoming harder to fi nd bugs. “The of our products has improved, with fewer bugs and better technology to protect us.” More money is being put into research, crowdsourced audits and ‘bug bounties’, in which rewards are paid to those who can find bugs and vulnerabilities, he said.

“Right now, we might be losing the battle, but there are some things we’re doing right and things are going to get better,” said Miller.

Steve JumpSteve Jump

Steve Jump, head of corporate governance at , spoke at the ITWeb Security Summit on the issue of communicating information value to business.

Hacking: no tools required

Jason JordaanJason Jordaan

Corruption is so prevalent in countries like South Africa that criminals can easily access networks with no hacking tools needed, said Jason Jordaan, head of South Africa’s cyber forensic laboratory special investigating unit.

“Hacking the human is easy, because we are fallible,” he said. Jordaan pointed out that corruption is pervasive in South African society, and organised criminals use corruption as their basic model for operations. Organised crime simply makes use of the human element, he said, noting that where social engineering fails, it is relatively simple to use corruption to gain access to enterprise networks and data. “No real hacking tools required, and corruption is a silent crime, so it’s harder to detect,” he said.

“Everybody has his price,” Jordaan said. “Whether that price is money, benefits, or even threats to a person’s family, criminals can target key individuals and find their price quite easily.”

Jordaan cited a case study of a recent breach of a critical state financial system, in which a systems administrator was paid R10 000 to install keyloggers to steal government user credentials and give criminals access to the financial system. Over R11 million was stolen in around three days. “This case is still in progress, but the upshot of it is – this guy sold his soul for R10 000,” said Jordaan. Mitigating the ‘human element risk’ isn’t easy, Jordaan told delegates. However, there are measures to reduce the risk. “You need to know your people well, and be alert to changes in their behaviour or lifestyle. You also need to keep them happy, and strive to instil a strong culture of ethics throughout the organisation,” he said.

Worst-case scenarios in an always-visible environment

Ritasha JethvaRitasha Jethva

State surveillance is a double edged sword presenting more risk than benefits, speakers at the ITWeb Security Summit said. Addressing a media briefing alongside the summit, international speakers focused on questions of privacy and data following the Snowden revelations.

Keynote speaker Jacob Appelbaum, an independent international hacker and researcher, said intelligence agencies have a great deal of power in a post-9/11 world, and live “outside the law”, with companies becoming secret agents of the state. “There are legitimate things intelligence agencies must be allowed to do,” he said, “but all their capabilities must be brought within the rule of law.”

Fellow keynote speaker Christopher Soghoian said: “There is no magic encryption that allows the police or the NSA to access your data, but still keeps other countries’ surveillance out. If the local authorities can access your mails, so can every foreign hacker.”

Appelbaum noted: “When everyone’s communication is insecure, you face the risk of even the communications of government leaders, police and all their families and friends being open to anyone. In an environment of highly advanced and targeted attacks, combined with RFIDs and smart passports, we are going down a path towards personalised bombs. We have transitioned to an advanced knowledgebased society where you can selectively apply the violence.”

Francis CronjéFrancis Cronjé

Governance, risk and compliance experts Dianne Stigling, an independent consultant, Ritasha Jethva of Liberty, and Francis Cronjé of InfoSeal, elaborated on POPI preparedness in a panel discussion at the ITWeb Security Summit.

SA unprepared for cost of breaches

Dianne StiglingDianne Stigling

South African enterprises are slow to understand that breaches could cost them literally hundreds of millions of rands, says cyber insurance specialist Natalie van de Coolwijk, MD of Cygeist. “Global risk reports are citing cyber as one of the top 10 risks companies should be considering, but in South Africa, specialist cyber insurance is a new concept to most,” she said.

Natalie Van De CoolwijkNatalie Van De Coolwijk

She pointed to incidents such as the Target breach in the US last year, where there is talk that the company’s entire $100 million cyber policy and $65 million directors’ and officers’ policy will be eroded. “In South Africa, enterprises know cyber risks are serious, but they don’t foresee the extent of the costs involved in managing an incident,” she said. said cyber insurance differs from traditional liability cover in that traditional policies tend to cover tangible assets and material damages.

David TaylorDavid Taylor

Legal consultant Prof David Taylor discussed the legal obligation to report IT compromises at the ITWeb Security Summit.

No limits to surveillance

There are a multitude of backdoors, monitoring programs and products that already have been and could continue to be compromised by the National Security Agency (NSA), said Jacob Appelbaum, independent computer researcher, hacker and core member of the Tor project. He said the NSA aims to have utter surveillance of everything it wants, and there is no boundary or limit to what it wants to do.

Greg Sinclair, associate practice leader at Security Services, outlined enhanced proactive through research, in his talk at the ITWeb Security Summit.

An architectural approach to

To mitigate the risks posed by today’s complex threat environment, organisations must adopt an architectural approach to , said , CEO of Websense.

He explained that the Internet of Things is presenting more challenges: “If we can’t keep a simple credit card safe, what about the data from the Internet of Things?”

Citing a recent study, McCormack said 57% of the respondents revealed they are not protected from advanced cyber attacks; 63% can’t stop theft of corporate information; and 74% don’t trust their programs. “The end-game of most modern cyber attacks is the theft or destruction of data,” said McCormack. “Cyber criminals steal intellectual property, personally identifiable information or other valuable data for financial gain, for use in other attacks or sometimes to destroy.”

He said the best techniques for catching these attempts exist in a full data theft prevention solution, and include scanning outbound content for proprietary material, scanning images with OCR technology, and using “data drip protection” technology.

Build on open source to reduce risk

Open source isn’t complicated anymore, so it presents a golden opportunity for SA to build on open source to reduce its dependency on imported technologies, said Haroon Meer, founder of Thinkst.

“The Snowden revelations made it clear that South Africa is not part of the ‘inner circle’ of FVEY (Five Eyes Surveillance), an alliance comprising Australia, Canada, New Zealand, the UK and the US. We have Stockholm Syndrome if we think we are exempt from spying,” he said.

SA is so deeply dependent on foreign technology that the country is almost forced to ignore the risk of
surveillance built in to the technology it buys, he said. The solution is to grow the local technology sector, Meer concluded.

Jeremy de Bruyn, senior penetration tester at SensePost, discussed taking penetration testing into the arena.

Walls fail, fight back instead

Kevin KennedyKevin Kennedy

If organisations are to win the war against cyber crime, they must turn the tables against the economy and make it difficult for the cyber criminals to operate, said Kevin Kennedy, Juniper Networks’ senior director for and product management.

“For several years, we have been focusing on building high walls to keep hackers out, but this has failed,” said Kennedy. “We have to change the approach.” According to Kennedy, the economy comprises sophisticated, highly skilled individuals as well as elite researchers, exploit developers, zero-day researchers, writers, identity collectors, programmers and technology experts.

He revealed that, over the years, the economy has seen an increase in activities like spam and hacking. Changing that economy would require organisations to ensure cyber criminals get less return on their investments.

He noted that investing in cyber crime currently has a high return, and, as an example, a $500 investment in can see a criminal evading as well as advanced anti-
solutions. That investment can also be useful for stealing source code and sending it to a server over an
encrypted channel, he added.

Taking legal measures against the spammers can also go a long way in destabilising the economy, said Kennedy.

Technology can also be used to break the economy, said Kennedy. “Organisations can do this by assuming their systems are breached and adopt counter-intelligence techniques like deception and anti-evasion.”

Another way to disrupt the economy will be to prosecute black market banks, said Kennedy.


Nils, researcher for MWR Labs, and Jon Butler, head researcher at MWR InfoSecurity, assessed vulnerabilities in mobile point-of-sale devices in their presentation at the ITWeb Security Summit.

Counter-intelligence to sway balance of power

Cyber counter-intelligence has the potential to sway the balance of power, said Prof , director of the Centre for Cyber Security at the University of Johannesburg. He said that, correctly understood, the call for cyber counter-intelligence was a call for legitimate co-operative action by state and private sector role-players in breaking the traditional mould that is proving so ineffective against sophisticated adversaries.

“We need to draw on successful strategies from history to devise new models for cyber . Now, we need to be more proactive – and possibly even slightly aggressive – in our approach. We need to go to the next level and gather counter-intelligence that allows us to know our enemy and plan our defences accordingly,” he said. ”The more information you can gather, the better you can defend yourself.”

Infosec seen as a grudge purchase

Misdirected information spending is leading enterprises to see information as a grudge buy, said Maiendra Moodley, divisional head (GM) of Financial Systems and Processes at .

Moodley said the pace of information adoption was impacted by issues such as budget, as well as external factors such as new legislation and the fact that companies overlook the importance of information when all is running well and there are no breaches.

He said achieving the right levels of should begin with a thorough risk assessment encompassing both information and physical , which combines a firm grasp of processes under the enterprise governance and risk banner, along with a holistic strategy. “Implement measures around mitigating these risks,” he said.

Changing role for CISO

<a href=<a href=

Andrew Mpofu" src="http://www.iweek.co.za/images/stories/2010/June14/Andrew_Mpofu.jpg" />Enterprises are now wholly dependent on their IT systems, making the chief information officer (CISO) a critical link between IT and business, said Andrew Mpofu, IT audit manager at the South African Post Office. Mpofu said: “Enterprises now need to realise that IT is the medium of doing business.”

This means the CISO must now be a C-level business executive with multidimensional skills combining business and technology, rather than the traditional systems administrator only worried about systems availability, Mpofu said. “The CISO needs to be a risk manager as well as an advocate for , identifying opportunities to deliver an enterprise’s cyber footprint in a secure manner that bears compliance to applicable regulations.”

Legitimate apps expose data

While makes headlines, the risk of legitimate mobile apps exposing enterprise data to unauthorised third parties should be of greater concern to enterprises, said , advisor at BlackBerry’s group.

Heinen noted that vast numbers of mobile applications connect to users’ personal information and contact lists. “While these applications may be legitimate, they may share the data on a mobile device – such as contact lists – with a third party, without the consent of those contacts. This could be in contravention of privacy laws,” he said. Heinen said in a BYOD era, having enterprise data on the same devices as vulnerable consumer apps raises serious governance, risk and compliance issues for the enterprise.

BlackBerry believes the solution lies in multi-layered , careful management of the app store, and the segregation of enterprise content from personal content on the mobile device.

Information : SA lacks the ‘how’ component

<a href=<a href=

Guy Golan" src="http://www.iweek.co.za/images/stories/2010/June14/Guy_Golan.jpg" />South African enterprises are taking information increasingly seriously, but in many cases they lack an understanding of practical steps to mitigate risk, said Guy Golan, CEO of event sponsor, the Performanta Group.

Golan said: “Recent high-profile international events and actual breaches with associated financial losses have renewed the focus on information . For years, the information industry has been warning of the risk of industrial espionage and hacking, but only now that we see actual incidents resulting in substantial financial losses, are companies taking the risk seriously.” These losses, combined with new legislation that makes the board accountable for data , is driving greater interest in information from business management too.

However, Golan said there is a shortage of practical information available to guide local enterprises on the tools and strategies needed to mitigate risk.

Companies disregard need for response teams

Matteo MicheliniMatteo Michelini

Companies that do not have a computer incident response team (CSIRT) in place will have a problem when it comes to containing a incident, said Matteo Michelini, senior consultant at MWR InfoSecurity.

Many firms do not believe they need a CSIRT, because they have business continuity, risk management,
an incident manager or operations centres, which fill the same function, said Michelini. However, this leaves companies in a precarious position when incidents, such as unauthorised access to a core system, happen, he said.

He explained that without a CSIRT, no one is responsible for containment of issues, and the question of who is responsible for fixing the incident is also left hanging.

Cyber resilience demands strategic action

Cyber resilience now calls for strategic action if enterprises are to mitigate risks, said Antonio Forzieri, EMEA cyber practice lead at Symantec. “The problem with the emerging technologies is that organisations have to embrace them or they die,” he said.

He noted that modern-day attacks are being driven by hacktivism – mostly characterised by DDOS attacks and Web defacement. Cyber criminals are also being motivated by the need for financial gain and they have developed tactics like banking Trojans, extortion and scams to steal money.

Espionage and sabotage are the other drivers, with the cyber criminals making use of targeted attacks to meet this end, he explained.

Thus, we can call 2013 “the year of the mega breach”, said Forzieri, explaining that eight of the top 10 breaches involved more than 10 million identities, while the average number of identities exposed was four times greater than 2012.

“Faced with risks such as these, organisations must break through the glass ceiling between IT and the business,” he urged. “They should also review their programme and become risk-aware by involving technology, people and processes.”