Tag: Penetration Testing

  • Is your organisation confronted by cyber security fatigue?

    With so many factors to consider when it comes to cyber security, how do you avoid total burnout?

    South African companies have seen a drastic increase in cyber security and data protection related requirements. These include, but are not limited to:

    • Recent amendments to The South African Cybercrimes Bill (B6-2017) – initially introduced as the Cybercrimes and Cybersecurity Bill in 2017;
    • The United States CLOUD Act (Clarifying Lawful Overseas Use of Data Act) – enacted on 23 March 2018. This Act applies regardless of where the data in the service providers’ possession, custody or control is stored;
    • The South African POPI Act (Protection of Personal Information Act 4 of 2013) – effective 1 July 2020, with a 12 month grace period to 30 June 2021; and
    • The PCI SSC (Payment Card Industry Security Standards Council) has begun work on PCI DSS v4.0 (Payment Card Industry Data Security Standard). The new standard is expected to be published in mid-2021 and will replace v3.2.1 in 2024.

    Given these changes (among others) with regards to cyber security laws and regulations, coupled with the increase in recent cyber security incidents and breaches, companies will soon be confronted by a growing concern – cyber security fatigue – if they haven’t already.

    It’s no secret that cyber security can cause people to feel overwhelmed, out of their depth and powerless to manage the threats they face today. That’s why ‘cyber security fatigue’ is such a common problem.

    What is cyber security fatigue? It is most simply defined as avoiding additional cyber security measures as a result of being overwhelmed and oversold with little to no measurable risk reduction. In other words, virtually giving up on proactively defending against malicious actors.

    What causes cyber security fatigue? Those confronting cyber security fatigue complain that managing a multi-vendor environment can be extremely challenging. There seems to be a strong relationship between multi-vendor environments and growing fatigue. This complexity is the main cause of burnout.

    If one takes POPIA, for example, in South Africa there has been a drastic number of newly registered domains with domain names associated with POPIA in some way or form. These range from services and technologies to training and memberships. It is important to note that at the time of publishing this article, the South African Information Regulator has not appointed any authoritative body that accredits an organisation to provide certifications, consequently no organisations have been recognised.

    Additionally, complex technology environments that generate too many alerts are also proven to exacerbate cyber security fatigue. As the volume of alerts grows over time, so does the fatigue.

    A third potential cause of cyber security fatigue, perhaps unsurprisingly, is suffering a major and extended cyber breach, with the number of hours of downtime influencing the extent of the fatigue.

    What is the risk associated with cyber security fatigue? It goes without saying that cyber security fatigue can have a harmful impact on organisations. By definition, the inevitable outcome is an increasingly vulnerable attack surface (environment) and a growing risk of becoming the target of a cyber attack and/or data breach.

    How can cyber security fatigue be lessened? Owing to the complexity of security resource management (one of the reasons for cyber security fatigue), outsourcing this management might help. Another strategy is to simplify supply chains.

    As organisations increasingly embrace digital transformation, CISOs are placing a higher priority on adopting new security technologies to reduce exposure to malicious actors and threats. Rather than following a risk-based approach, these technologies often do not address the organisation’s risk exposure at all; the investment is instead the result of a well-positioned sales pitch.

    To address this issue, organisations should first identify the cyber security risks within their environment and only then perform a needs analysis to determine whether or not a technology is needed to address each risk. This approach yields a far more beneficial outcome than investing in technology in the hope that risk is being reduced.

    Another solution is automation, which could be the answer to coping with the volume of alerts. Automation enables policies to be enforced more consistently, quickly and efficiently. When a device is determined to be infected or vulnerable, it’s automatically quarantined or denied access, with no action required from an administrator.

    On a positive note, cyber security fatigue should organically reduce as security improves. Organisations that rely more on cloud security and automation to strengthen their security posture will reduce the risk of breaches and, along with it, the fatigue arising from them.

    Ultimately, cyber fatigue is a very real and human response to a complex problem. Security leaders need to accept this, looking for ways to reduce stress and burnout if they wish to prevent cyber security fatigue from contributing to major security breaches.

    This article was published to the CyberSec Virtual Press Office at ITWeb

  • Perhaps it’s time to change your cyber security services provider

    Regular rotation as a means of risk reduction is not a new topic, as we already apply it with audit rotations, leadership rotations and password rotations. So why are companies not rotating their cyber security services provider?

    With the ever-evolving cyber security threat landscape, it is of paramount importance that companies get fresh perspectives and insights on the threats their business faces and the potential opportunities to minimise their risk exposure.

    Cyber security is a complex issue for many organisations to tackle, with so many varying approaches, technologies and service providers guiding businesses in one direction or another. For this reason, businesses are often left confused and overwhelmed, and many are unsure whether or not their efforts are resulting in measurable risk reduction.

    It is important to understand that cyber security is not a destination and, more often than not, requires applied focus on continuous improvement. This is because the attack approaches and defensive techniques are changing regularly. For this reason, companies are encouraged to adopt a resilience mindset with the ability to respond to cyber attacks, rather than the focus being entirely on preventative controls.

    In a joint and collaborative effort to combat these cyber threats, companies have partnered with cyber security service providers to assist in their efforts by performing regular security assessments, recommending technologies and advising them on current and emerging threats.

    Although these relationships are key to demystifying the risks and navigating the complexity of robust cyber security, it is strongly recommended that companies don’t solely rely on the opinions and recommendations of a single service provider for an extended period of time.

    Nathan Desfontaines, MD at CyberSec, says: “The absence of a mandatory cyber security service provider rotation has left companies unknowingly exposed to cyber risk. We encourage our clients to utilise the services of another cyber security services provider between our assessments – not because we don’t believe they may identify further risk, but rather to ensure an additional perspective is considered.”

    Although this thinking may challenge the current, normal accepted business practice, businesses are better off for it.

    Like with any existing form of rotation within businesses, you may decide to re-engage and utilise the services of a previous service provider and that is perfectly acceptable, as the objective is rotation, not replacement.

    This systemic risk may possibly have surfaced as a result of businesses either placing too much reliance on a single cyber security service provider or perhaps the fear of offending the existing service provider by opting to rotate. However, as this concept is not intended as a question of competence of the existing service provider, but rather a means of risk diversification, it should be encouraged rather than avoided.

    Desfontaines further stated: “CyberSec has assessed many businesses’ cyber security risk exposures as a new service provider to the business and identified seriously concerning points of exposure and compromise. This is often as a result of a ‘fresh perspective’ rather than a question of competence on the part of the previous incumbent. It would therefore be unwise for a business to solely rely on a single cyber security services provider for an extended period of time as it’s crucial the ‘checker’ is also ‘checked’ regularly.”

    It is in the organisations’ best interests to periodically obtain alternating views of their risk landscape and exposure – not because of a lack of trust in the current service provider, but rather because it is good business practice to never place all your eggs in one basket.

    This article was published to the CyberSec Virtual Press Office at ITWeb

  • Is HTTPS Enough? Consider Implementing HSTS

    HTTP Strict Transport Security (HSTS)

    By now, many organisations are already aware of Hypertext Transfer Protocol (HTTP) versus Hypertext Transfer Protocol Secure (HTTPS). For those who are not, the only difference between the two protocols is that HTTPS uses Transport Layer Security (TLS), or its older and inferior predecessor, Secure Sockets Layer (SSL), to encrypt normal HTTP requests and responses. As a result, HTTPS is far more secure than HTTP. A website that uses HTTP has ‘http://’ in its URL, while a website that uses HTTPS has ‘https://’. Simply put, HTTPS is HTTP with encryption.

    However, cyber-attackers can still use a technique known as SSL Stripping to intercept this connection and replace the valid encryption certificate with their own; as a result, they are able to view the connection in clear text (without encryption). Therefore, we should use HTTP Strict Transport Security, or HSTS.

    What is HSTS?

    HSTS is a web security policy mechanism. It instructs web browsers that they should ONLY interact with the web server over an HTTPS connection.

    This should not be confused with “Forwarding” or “Redirecting”.

    Even if you forward or redirect all HTTP traffic to HTTPS, this will not prevent SSL Stripping or man-in-the-middle attacks. This is because the initial request, before the forward or redirect takes place, could still be made to the unencrypted version of the site (HTTP). For example, the visitor types http://www.securecorp.com/ or even just securecorp.com. This creates an opportunity for a man-in-the-middle attack: the redirect could be exploited to direct visitors to a malicious site instead of the secure version of the original site.

    The difference is that HSTS has an explicit instruction to only use HTTPS upfront and will drop the connection if there is an attempt to do certificate replacement. This is because the HSTS header informs the browser that it should never load a site using HTTP and should automatically convert all attempts to access the site using HTTP to HTTPS requests instead.

    The HSTS function sends a header field named “Strict-Transport-Security” from the website (server) to the browser (user agent), which specifies a period of time when the browser can access the server securely.

    However, there are important considerations to keep in mind: Enable HTTPS before HSTS or browsers cannot accept your HSTS settings. Once HSTS is enabled, HTTPS must remain enabled or visitors cannot access your site.

    Note: The Strict-Transport-Security header is ignored by the browser when your site is accessed using HTTP; this is because an attacker may intercept HTTP connections and inject the header or remove it. When your site is accessed over HTTPS with no certificate errors, the browser knows your site is HTTPS capable and will honor the Strict-Transport-Security header.

    Why Should You Use HSTS?

    As stated above, HTTP requests are unencrypted plain text, which can easily be read or monitored by cybercriminals. This means that, with the right technique, a cybercriminal could potentially spy on all activity between the browser and the website. This could be customers using your Wi-Fi to make payments, or even employees performing business transactions. The possibilities for attackers are endless, yet the effort to implement HSTS is low and no additional technology investment is required.

    Example: You log into a free WiFi access point at an airport and start surfing the web, visiting your online banking service to check your balance and pay a couple of bills. Unfortunately, the access point you’re using is actually a hacker’s laptop, and they’re intercepting your original HTTP request and redirecting you to a clone of your bank’s site instead of the real thing. Now your private data is exposed to the hacker.

    Strict Transport Security resolves this problem; as long as you’ve accessed your bank’s web site once using HTTPS, and the bank’s web site uses Strict Transport Security, your browser will know to automatically use only HTTPS, which prevents hackers from performing this sort of man-in-the-middle attack.

    In practical terms, HSTS makes it almost impossible for someone to steal your customers’ information by attempting SSL Stripping or a Man-in-the-Middle Attack. This is because the browser will not allow the connection when the attempt is made. Instead, the browser will display an error message and the user will not have the option to “Accept”, “Ignore” or “Bypass” the error message. Also, any attempt to access your website will be forced to connect over an HTTPS connection and will terminate any connection on a simple HTTP request. This means any online activity you need to run your business will be kept secure and protected.

    Give Me the Technical Details

    • Strict-Transport-Security: max-age=<expire-time>
    • Strict-Transport-Security: max-age=<expire-time>; includeSubDomains
    • Strict-Transport-Security: max-age=<expire-time>; preload

    max-age=<expire-time>

    The time, in seconds, that the browser should remember that a site is only to be accessed using HTTPS.

    includeSubDomains (Optional)

    If this optional parameter is specified, this rule applies to all of the site’s subdomains as well.

    preload (Optional)

    Google maintains an HSTS preload service. By following the guidelines and successfully submitting your domain, browsers will never connect to your domain using an insecure connection.
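    The behaviour described in this section (the header is only remembered when it arrives over HTTPS with a valid certificate, http:// URLs are rewritten before any request is sent, subdomains are covered by includeSubDomains, and a certificate error on a known host cannot be bypassed) is small enough to model in code. The following is an added example, not CyberSec’s code: a toy model of a browser’s HSTS store with a parser for the three header forms above. Host names and header values are constructed, and the one-year max-age threshold in preload_eligible is the hstspreload.org submission requirement as assumed here.

```python
"""Added example: a toy model of how a browser handles Strict-Transport-Security.

Not CyberSec's code. Host names and header values are constructed; the
one-year preload threshold is the hstspreload.org submission rule (assumption).
"""
from __future__ import annotations
from dataclasses import dataclass
import time
from urllib.parse import urlsplit, urlunsplit

PRELOAD_MIN_MAX_AGE = 31_536_000  # one year in seconds


@dataclass
class HstsPolicy:
    max_age: int
    include_subdomains: bool = False
    preload: bool = False


def parse_hsts(value: str) -> HstsPolicy | None:
    """Parse a Strict-Transport-Security header value; None if it is not usable."""
    max_age = None
    include_subdomains = preload = False
    for raw in value.split(";"):
        name, _, arg = raw.strip().partition("=")
        name = name.strip().lower()
        arg = arg.strip().strip('"')
        if name == "max-age":
            if max_age is not None or not arg.isdigit():
                return None          # duplicated or malformed max-age invalidates the header
            max_age = int(arg)
        elif name == "includesubdomains":
            include_subdomains = True
        elif name == "preload":
            preload = True
        # any other directive is ignored (RFC 6797)
    if max_age is None:
        return None                  # max-age is mandatory
    return HstsPolicy(max_age, include_subdomains, preload)


def preload_eligible(policy: HstsPolicy) -> bool:
    """Minimum header for hstspreload.org: max-age of at least a year, includeSubDomains, preload."""
    return policy.max_age >= PRELOAD_MIN_MAX_AGE and policy.include_subdomains and policy.preload


class HstsStore:
    """The browser's list of 'known HSTS hosts' and the rules it applies to them."""

    def __init__(self, now=time.time):
        self._now = now
        self._entries: dict[str, tuple[float, bool]] = {}   # host -> (expiry, includeSubDomains)

    def process_response(self, url: str, cert_ok: bool, headers: dict[str, str]) -> bool:
        """Remember the policy only when it arrived over HTTPS with no certificate errors."""
        parts = urlsplit(url)
        if parts.scheme != "https" or not cert_ok or parts.hostname is None:
            return False
        policy = parse_hsts(headers.get("Strict-Transport-Security", ""))
        if policy is None:
            return False
        if policy.max_age == 0:
            self._entries.pop(parts.hostname, None)      # max-age=0 tells the browser to forget
        else:
            self._entries[parts.hostname] = (self._now() + policy.max_age, policy.include_subdomains)
        return True

    def is_known_host(self, host: str) -> bool:
        """Exact match, or a superdomain whose policy has includeSubDomains; expired entries are ignored."""
        labels = host.lower().split(".")
        for i in range(len(labels)):
            entry = self._entries.get(".".join(labels[i:]))
            if entry and entry[0] > self._now() and (i == 0 or entry[1]):
                return True
        return False

    def rewrite(self, url: str) -> str:
        """Upgrade an http:// URL to https:// before any request leaves the browser."""
        parts = urlsplit(url)
        if parts.scheme != "http" or not self.is_known_host(parts.hostname or ""):
            return url
        netloc = parts.netloc[:-3] if parts.netloc.endswith(":80") else parts.netloc
        return urlunsplit(("https", netloc, parts.path, parts.query, parts.fragment))

    def on_certificate_error(self, url: str) -> str:
        """Known HSTS host: the error is fatal with no 'proceed anyway' option; otherwise a warning."""
        host = urlsplit(url).hostname or ""
        return "blocked" if self.is_known_host(host) else "warning"
```

    The store deliberately ignores the header on plain-HTTP responses and on HTTPS responses with certificate errors, which is the point made in the note above: an attacker who can tamper with an HTTP response must not be able to inject or strip the policy. The airport scenario from this article maps onto rewrite(): once the bank’s host is in the store, the http:// request the attacker hoped to intercept is never sent.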

    How Can We Help?

    CyberSec is equipped to offer cybersecurity advisory, consulting and solutions on multiple fronts, including HSTS. Our team can effectively implement this security solution without additional technology investment on your part. With our industry expertise and experience in exposing and protecting against cybersecurity vulnerabilities, you’ll know that you’re receiving the best possible protection from the risks identified above.

  • Stop Fraudulent Emails – Implement DMARC

    Domain-based Message Authentication, Reporting & Conformance (DMARC)

    If you’ve ever been the victim of a phishing scam or gotten an email from someone impersonating an acquaintance or loved one, you will know why you should have Domain-based Message Authentication, Reporting & Conformance (DMARC) in place to protect your business. While many people are aware of these types of attacks and can detect one just by looking at the correspondence, all it takes is one individual to let down their guard and open the door to a cybercriminal.

    Email impersonation attacks are often successful. They involve sending an email to an individual or small group in an organisation with a plausible request. The sender of the message is spoofed so the email appears to have been sent from a known individual or company.

    What is DMARC?

    DMARC is an added layer of security for email that helps prevent email address impersonation and spoofing attacks by giving email receivers a consistent method to check the identity of an email’s sender. These attacks are typically used by cybercriminals with the objective of either stealing private information or coercing the individual into performing an activity for them, such as processing an invoice or resetting a password. Owing to the reliance that is placed on an email’s ‘FROM:’ address, cybercriminals capitalise on this by impersonating an address you trust in an email directed to you.

    DMARC is a technical specification that effectively stops exact-domain spoofing and phishing attacks by preventing unauthorised use of a domain in the “From” address of email messages.

    So, for example, you work for a company called TrustCorp and the company emails are structured as ‘[email protected]’. Also, your organisation has an awareness programme that includes phishing awareness, so you already know not to respond to emails from domains that merely look similar to your own, such as ‘@trustc0rp.com’ or ‘@tru5tcorp.com’.

    However, without a properly configured DMARC implementation, a cybercriminal could still send you an email as ‘@trustcorp.com’ – Therefore, you could still receive an email from ‘[email protected]’ with an urgent request.

    Also, without a properly configured DMARC implementation, a cybercriminal could still send an email to your customers as ‘[email protected]’ to inform them that the bank details have changed.

    DMARC combats this by allowing email senders and receivers to cooperate in sharing information about the email they send to each other. This information helps senders improve their email authentication infrastructure so that all of their mail can be authenticated. Additionally, DMARC gives the legitimate owner of an email domain a method to have spoofed messages, spam and phishing communication diverted directly into the recipient’s spam folder, or even stopped from being delivered at all.

    Why Should I Enable a DMARC Policy?

    DMARC has two aspects. It prevents spoofing of your domain, which is great, but the more valuable aspect is that it authenticates your legitimate emails and prioritises delivery into the recipients’ inbox. If you implement DMARC, it is more likely that your genuine marketing emails will be delivered into the inbox rather than into the Junk Mail folder. DMARC can make marketing campaigns and genuine emails far more effective, which means a greater Return On Investment (ROI). If marketing emails are delivered, there is a greater chance they’ll be read, which in turn gives a better chance of piquing interest.

    Most companies aren’t using technology effectively to combat phishing, and this is contributing to a growing distrust in email.

    The prevalence of fraud and phishing online has caused problems for everyone with any sort of online presence. All it takes is a believable message and cybercriminals can compromise user accounts, steal passwords, access financial information, and much more. It is too easy to spoof an email, and one proven way to get results is to use a sender address that is well known to the user and won’t look out of place.

    A DMARC policy allows a sender to specify that their messages are protected by the Sender Policy Framework (SPF). It can also state that they are signed with DomainKeys Identified Mail (DKIM). In both cases, the DMARC check will recognise the message as legitimate and allow it to pass to the inbox. If both authentication methods fail, the receiver will act on the sender’s policy in some way, either by sending the email directly into the junk folder or by rejecting it entirely.

    Give Me the Technical Details

    DMARC builds upon two existing technologies that are used to associate a piece of email with a domain. These technologies have been around for many years and can stand independently of DMARC.

    • SPF (Sender Policy Framework)
      • Checks where the email comes from
      • “Path based” – (RFC 7208)
      • Authorised servers published via DNS
      • Forwarding breaks SPF
    • DKIM (DomainKeys Identified Mail)
      • Checks the content of the email
      • “Signature based” – (RFC 6376)
      • Public keys published via DNS
      • Can survive forwarding

    Identifier Alignment checks for a positive signal from either of the above records and further checks them against the email FROM Headers

    In summary, SPF and DKIM are used to generate Domain-Level Identifiers and DMARC ties those results to the FROM Header in an email – Referred to as Identifier Alignment.
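    The two technical passages above (the SPF/DKIM comparison and Identifier Alignment) can be made concrete with a small evaluator. The following is an added example, not CyberSec’s code: it parses a DMARC TXT record, applies relaxed or strict alignment between the From: header domain and the domains that SPF and DKIM authenticated, and returns the disposition the sender’s policy requests. The trustcorp.com domain comes from the TrustCorp scenario in this article; the record text, the other domain names, the authentication results and the PUBLIC_SUFFIXES set (a stand-in for the real Public Suffix List) are all constructed for illustration.

```python
"""Added example: DMARC record parsing and identifier alignment.

Not CyberSec's code. The domain names, DNS record text and authentication
results below are constructed for illustration; PUBLIC_SUFFIXES is a
stand-in for the real Public Suffix List.
"""
from __future__ import annotations
from dataclasses import dataclass, field

PUBLIC_SUFFIXES = {"com", "org", "co.za"}  # constructed subset


def org_domain(domain: str) -> str:
    """Organisational domain: the label just above the public suffix (used by relaxed alignment)."""
    labels = domain.lower().rstrip(".").split(".")
    for i in range(len(labels)):
        if ".".join(labels[i:]) in PUBLIC_SUFFIXES:
            return ".".join(labels[max(i - 1, 0):])
    return ".".join(labels)


@dataclass
class DmarcRecord:
    policy: str                 # p= : none | quarantine | reject
    subdomain_policy: str       # sp=, defaults to p=
    adkim: str = "r"            # DKIM alignment mode: r(elaxed) | s(trict)
    aspf: str = "r"             # SPF alignment mode
    rua: list[str] = field(default_factory=list)  # aggregate report URIs


def parse_dmarc(txt: str) -> DmarcRecord | None:
    """Parse the TXT record published at _dmarc.<domain>; None if it is not a valid DMARC1 record."""
    parts = [p.strip() for p in txt.split(";") if p.strip()]
    if not parts or parts[0].replace(" ", "") != "v=DMARC1":
        return None                                  # v=DMARC1 must come first
    tags: dict[str, str] = {}
    for part in parts[1:]:
        name, sep, value = part.partition("=")
        if sep:
            tags[name.strip().lower()] = value.strip()
    policy = tags.get("p")
    if policy not in ("none", "quarantine", "reject"):
        return None
    return DmarcRecord(
        policy=policy,
        subdomain_policy=tags.get("sp", policy),
        adkim=tags.get("adkim", "r"),
        aspf=tags.get("aspf", "r"),
        rua=[u.strip() for u in tags.get("rua", "").split(",") if u.strip()],
    )


@dataclass
class AuthResults:
    """What SPF and DKIM evaluation produced for one message (the domain-level identifiers)."""
    spf_result: str             # pass | fail | none
    spf_domain: str | None      # envelope MAIL FROM domain that SPF checked
    dkim_result: str            # pass | fail | none
    dkim_domain: str | None     # d= tag of the verified DKIM signature


def aligned(from_domain: str, auth_domain: str | None, mode: str) -> bool:
    """Identifier alignment: does the authenticated domain match the From: header domain?"""
    if auth_domain is None:
        return False
    if mode == "s":
        return from_domain.lower() == auth_domain.lower()
    return org_domain(from_domain) == org_domain(auth_domain)


def evaluate(from_domain: str, record_domain: str, record: DmarcRecord, auth: AuthResults) -> tuple[str, str]:
    """Return (dmarc_result, disposition) for a message whose From: domain is from_domain."""
    spf_ok = auth.spf_result == "pass" and aligned(from_domain, auth.spf_domain, record.aspf)
    dkim_ok = auth.dkim_result == "pass" and aligned(from_domain, auth.dkim_domain, record.adkim)
    if spf_ok or dkim_ok:
        return "pass", "none"        # at least one aligned identifier: deliver normally
    if from_domain.lower() == record_domain.lower():
        return "fail", record.policy
    return "fail", record.subdomain_policy


RECORD = parse_dmarc("v=DMARC1; p=reject; sp=quarantine; rua=mailto:dmarc-reports@trustcorp.com")  # constructed

SCENARIOS = {
    # legitimate mail from the company's own relay: SPF aligns in relaxed mode
    "legitimate": AuthResults("pass", "mail.trustcorp.com", "pass", "trustcorp.com"),
    # forwarded by a mailing list: SPF breaks, DKIM survives, so DMARC still passes
    "forwarded": AuthResults("fail", "list.example.org", "pass", "trustcorp.com"),
    # spoof: the attacker's own SPF and DKIM pass, but neither aligns with From: trustcorp.com
    "spoof": AuthResults("pass", "attacker.example.org", "pass", "attacker.example.org"),
}


def run_scenarios() -> dict[str, tuple[str, str]]:
    return {name: evaluate("trustcorp.com", "trustcorp.com", RECORD, auth) for name, auth in SCENARIOS.items()}


if __name__ == "__main__":
    for name, (result, action) in run_scenarios().items():
        print(f"{name:10s} dmarc={result:4s} disposition={action}")
```

    The spoof scenario is the one that matters: a sender can make SPF and DKIM pass for a domain they control, but DMARC only counts a result whose domain aligns with the visible From: header, so the message fails and the receiver applies the p=reject policy. The forwarded scenario shows why both mechanisms are published: SPF breaks when a list re-sends the message, but the DKIM signature still verifies and keeps the legitimate mail out of the junk folder.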

    How Can CyberSec Help?

    Adopting DMARC also has a flow-on effect to other areas of your business. As well as reducing internal fraud, implementing DMARC can also stop fraudulent emails from being delivered to your customers. By stopping criminals from spoofing your legitimate domain, it lessens the success rate of spear-phishing attacks (where a criminal spoofs a CFO’s email address to send financial transaction instructions to payroll staff): if someone tries to spoof a domain protected by DMARC, the email simply won’t be delivered. DMARC also stops criminals from spoofing your domain to send outgoing phishing emails to the masses. Implementing DMARC can preserve your brand equity, eliminate customer support costs related to email fraud, and make email an effective communication method again, which is something that is seriously lacking at the moment.

    Our team is fully capable of assisting with and implementing an end-to-end DMARC protection for your business’s email address. This will ensure that you are given the highest possible protection from cybercriminals using your name (domain name) to scam users. Our team can work with you to secure your business’s email communications.

  • Why HR should work more closely with IT

    CHRO Community Conversation explores HR’s role in cybersecurity


    CyberSec (Pty) Ltd - MD Nathan Desfontaines (Video Conference)

    Cybersecurity expert Nathan Desfontaines explained why HR should work more closely with IT.

    It is often said that people are the weakest link in cybersecurity. With the current mix of working from home, modified office spaces and (financial) stress, criminals can use social engineering to target workforces. This is evidenced by the ever-increasing frequency of data breaches, with human error often being either a cause or a catalyst.

    This was the topic for discussion in this week’s CHRO Community Conversation, which was hosted in partnership with Workday. CHRO SA MD Joël Roerig introduced CyberSec’s MD, Nathan Desfontaines, who led the discussion on the human component of cybersecurity and why IT is not the only department that should feel worried or responsible.

    “The CEO of Experian SA recently argued that his company was ‘in no way, shape, or form’ hacked, but that a clever criminal convinced them to part with their data. Nathan later created a social media post explaining that this indeed qualified as a hacking incident. According to Nathan, hacking is not only the result of a technical vulnerability,” said Joël.

    Nathan then proceeded to provide an overview of the threats that HR leaders need to be aware of given the extent to which employee errors, negligence or ignorance can leave a company vulnerable to major financial and reputational damage caused by cybercrime.

    Nathan said there has been an increase in cyberattacks in the last 12 months, including on the City of Johannesburg’s website, which was hit with ransomware with the aim of extorting the city for Bitcoin payments. There were also a number of incidents among banks and internet service providers, which suffered denial of service attacks and data breaches in the same week that the COJ experienced its breaches.

    “Liberty announced that they had been breached and a large amount of data had been exfiltrated and that this was followed by a ransom note. There have also been victims in the healthcare sector where South Africa’s second-largest private hospital operator in SA, Life Healthcare Group, announced that, while in the midst of the Covid-19 outbreak, it had been the victim of an attack,” said Nathan, adding that data had overtaken oil as the world’s most valuable resource.

    That is why there has been an increase in social engineering which, by definition, is the use of deception to manipulate individuals into divulging confidential or personal information.

    Why would that happen to us?

    Nathan said that, while companies were well protected with firewalls and intrusion prevention systems, they aren’t geared for the phone call to the HR or finance department. This had completely blindsided a lot of companies which had great technology but were nevertheless still vulnerable to their employees falling victim to relatively rudimentary attacks.

    Said Nathan: “Over a decade ago, companies were targets of viruses, worms and trojans, and over time that quickly evolved into very sophisticated attacks like ransomware attacks. That led to companies spending heavily to protect themselves against sophisticated cyber attacks. However, while we were all gearing up for the digital war, to ensure that organisations have the right tech, tools, and capability to withstand even the most sophisticated of attacks, it seems that cybercriminals began targeting the low-hanging fruit – employees.”

    Nathan said it is often the case that people and, by extension, organisations, wait to suffer a breach before they take cybersecurity as seriously as they should. That happens because people tend to think an attack is unlikely to happen because ‘why would somebody attack me? I’m just an average Joe’. Nathan said that attitude exists, not only in people’s corporate environments but also in their personal capacities. And that mentality of not investing in security because of the perceived unlikelihood of an attack is a huge weakness that cybercriminals exploit.

    Collaborate more closely with IT

    “In the cybersecurity community, we say there are two types of companies. One is a company that has been hacked and is aware of it, and the type that has been hacked and not aware of it. And the important point to note about the latter is that ignorance is not security.”

    The second reason why cybersecurity is not top-of-mind in many organisations is that there are mixed messages. Providers of cybersecurity solutions sell them as a silver bullet that will solve all of a client’s concerns. As a result, organisations and individuals alike believe that once they purchase that particular solution, they have covered all the bases and no longer have to worry about cyber threats.

    During the breakaway sessions, HR leaders had the opportunity to share experiences and ideas with one another around the steps they are taking to ensure their people are educated about their responsibility to prevent cybercrime. They also discussed the vulnerabilities created by working from home and how HR leaders can collaborate more effectively with their IT counterparts to prevent cybercrime.

    Nathan closed the discussion by saying that the cybersecurity community had overestimated the impact that working from home would have on the number of attacks: “we prepared for armageddon when we realised that there would be an increase in remote working.” However, expectations far exceeded reality in terms of what that meant for businesses, because there simply had not been as many breaches as anticipated. Nathan said, however, that this could simply mean that, “either the breaches have happened but are yet to be identified as organisations’ current monitoring and reporting capabilities do not have the required visibility; or there is possibly an inherent level of security by means of workforce distribution.”

    “Maybe we just haven’t realised those breaches yet, meaning we may only start seeing their impact happening as more employees return to offices.”

    Original Post CHRO South Africa

  • The rise of the virtual CISO

    The cyber security threat landscape continues to increase in sophistication and well-funded, highly organised and increasingly complex cyber adversaries continue to capitalise on inadequate defence and remediation strategies. Moreover, protecting an enterprise or preparing for current and future threats requires a great deal of expertise, planning and timely and targeted actions. The reality is that the fight against cyber crime has become increasingly challenging.

    Irrespective of a company’s size or industry, having someone who can establish and facilitate comprehensive, risk-based cyber security strategies and processes that protect critical data and systems is critical.

    However, appointing a CISO may be cost-prohibitive for many companies. It can also be difficult to attract and retain individuals with the level of both cyber security and business expertise necessary to fill the role. Instead, many organisations lean on managers to incorporate security into existing IT processes, which often results in fragmented policies and challenges with support and adoption that leave systems and organisations vulnerable.

    As an alternative, virtual CISOs are becoming a viable option for many companies that do not have a full-time CISO on staff. This solution often delivers both economic and strategic advantages to businesses.

    Companies produce more data than ever, and keeping track of it all is the first step to securing it. A virtual CISO can identify what data needs to be protected and determine the negative impact that compromised data can have, whether that impact is regulatory, financial or reputational.

    MD at CyberSec, Nathan Desfontaines, says: “A virtual CISO offers an unbiased, objective view and can sort out the complexity of a company’s IT architecture, applications and services. They can also determine how plans for the future add complexity, identify and account for the corresponding risk, and recommend security measures that will scale to support future demand.”

    For many organisations, especially those that share a great deal of data internally, potential vulnerabilities may not be obvious at first glance. Virtual CISOs can identify both internal and external threats, determine their probability and quantify the impact they could have on your organisation.

    An organisation without a great deal of sensitive data may have a much greater tolerance for risk than a healthcare provider or a bank. A virtual CISO can co-ordinate efforts to examine perceived and actual risk, identify critical vulnerabilities and provide a better picture of risk exposure that can inform future decisions.

    Cyber security is growing more complex, and organisations of all sizes, especially those in regulated industries, require a cyber security specialist, with both technical and business acumen, who can address the aforementioned challenges and ensure that technology and processes are in place to mitigate and minimise security risks. Virtual CISOs bring a wealth of expertise on regulatory standards. They can implement processes to maintain compliance and offer recommendations based on updates to applicable rules and regulations.

    As organisations continue to embrace digital transformation, a virtual CISO represents a viable option to maintain the security posture necessary to succeed while keeping a mindful eye on ever-increasing budgetary concerns.

    This article was published to the CyberSec Virtual Press Office at ITWeb

  • Does cyber security compliance equal good cyber security?

    Does cyber security compliance equal good cyber security?

    There is a notable increase in adoption of industry recognised frameworks, standards and best practices, as many organisations have embraced cyber security compliance as a structured approach to managing their cyber security programmes and strategies. Some of these include, but are not limited to:

    • ISO/IEC 27001 – An international standard that describes best practice for an ISMS (Information Security Management System);
    • ISO/IEC 27002 – A supplementary standard to ISO/IEC 27001 that provides advice on how to implement the security controls listed in Annex A of ISO/IEC 27001;
    • National Institute of Standards & Technology Cybersecurity Framework (NIST CSF) – Provides a high level taxonomy of cyber security outcomes and a methodology to assess and manage those outcomes;
    • Control Objectives for Information and Related Technology (COBIT) – A high level framework focused on identifying and mitigating risk. Initially developed for IT governance professionals to reduce technical risk, but it’s evolved into a standard to align IT with business goals;
    • Center for Information Security (CIS) – Formed in October 2000. Its mission is to “identify, develop, validate, promote, and sustain best practice solutions for cyber defence and build and lead communities to enable an environment of trust in cyber space”;
    • Information Security Forum (ISF) – An independent information security body. The ISF delivers a range of content, activities and tools and is a paid membership organisation; and
    • Industry-specific standards such as the Payment Card Industry Data Security Standard (PCI-DSS) for credit card handling.

    However, it is important to note that cyber security extends beyond alignment to one (or many) cyber security frameworks, standards and best practices. Even the most mature environments, with managed or even optimised compliance implementations, fall victim to cyber attacks.

    According to an analysis conducted by CyberSec, 83% of organisations analysed, with mature cyber security compliance, were still considered to have significant room for improvement following an ethical hacking (penetration testing) exercise.

    This is predominantly because compliance addresses a broad-spectrum approach to addressing key controls within an organisation’s control environment. In other words, it should not be ignored, disregarded or set aside, but rather embraced and supported with additional specific cyber security measures and controls.

    Equally, from the opposing viewpoint, an organisation with leading security technology supported by qualified subject-matter experts may also find itself short-changed with regard to its cyber security maturity.

    This is usually owing to the core, fundamental controls (usually addressed from a compliance standpoint) being absent or poorly implemented – as a result, exposing the organisation to unnecessary risk, despite the significant investment in people and technology.

    It is therefore critical that businesses embrace cyber security compliance, but also ensure it is supported by additional controls, assessments and technologies that are fit-for-purpose. Do not solely rely on compliance alone for cyber security risk assurance. Ensure that your approach to cyber security encompasses all areas of the business, collectively bringing together a synchronised and robust cyber security programme that touches on people, process and technology.

    This article was published to the CyberSec Virtual Press Office at ITWeb

  • Is cyber security jargon leaving companies confused?

    Is cyber security jargon leaving companies confused?

    Within the cyber security landscape, there is no absence of “cyber security speak”, in fact, it can be quite the opposite. From terms such as phishing, vishing and whaling to cyphers, cookies and zero-days – the list goes on and on! In fact, the list can be so long that companies such as Advanced Network Systems have put together an A-Z list of cyber security jargon (and it’s forever growing). Feel free to check it out here.

    Although every word has a unique reference to something relevant in cyber security, it can be extremely overwhelming to organisational leadership teams, excos and boards. As a result, key decision-makers are often left confused, resulting in a slow (or absent) adoption of business-critical cyber security decisions and investments.

    According to an analysis conducted by CyberSec, more than 50% of companies analysed were reluctant to invest (or further invest) in cyber security; however, after the business case jargon was changed and a risk-based approach to cyber security was adopted, 100% of the same companies opted to make an investment.

    However, the challenge doesn’t lie with cyber security lingo alone. The complicated (often creative) language used to name and describe technical vulnerabilities further fuels this problem.

    For example, the May 2017 worldwide WannaCry attack – WannaCry was (and still is) a ransomware crypto-worm that exploits the EternalBlue vulnerability. EternalBlue is an exploit of Windows Server Message Block (SMB) protocol released by The Shadow Brokers.

    Given this, one can quickly appreciate why this may be overwhelming and confusing for non-cyber security folk.

    Owing to how complex and technical some of the cyber security and vulnerability jargon can be, many cyber security professionals (irrespective of seniority) try to educate their business decision-makers, excos and boards on the lingo in the hope of conveying the message (the risk) as accurately as possible. Some cyber security professionals believe that sticking to exact terminology demonstrates their comprehensive understanding, competence and expertise on the subject matter.

    However, the result is often not the intended one, often leading to uncertainty, indecision and further hesitation, which eventually results in disinterest. This means the attempt to facilitate awareness, buy-in, adoption or investment is lost and consequently the cyber security professional is also left frustrated and possibly demotivated.

    So what now? The typical response to this type of situation is for the intended message to be over-simplified, or as some would say, put in layman’s terms. Even so, the importance or criticality is often lost and the result may very well be the same.

    So what is the key to business alignment? A viable approach is to adopt a risk-based cyber security approach. This means that when it comes to making cyber security-related decisions, consider risk above all other factors.

    A risk-based approach to cyber security is proactive rather than reactive. Risk-based cyber security teams are more concerned with reducing their organisation’s real or measurable exposure to cyber attacks and data breaches than they are about checking boxes or passing audits (though those remain worthwhile goals).

    Finally, this approach is inherently realistic. The goal of a risk-based cyber security programme is meaningful risk reduction, not 100% security. That’s important, because this allows decision-makers, excos and boards to make pragmatic decisions about budget and resource allocation.

    This article was published to the CyberSec Virtual Press Office at ITWeb

  • The Inconvenient Truth about Contactless Payments (RFID / NFC)

    The Inconvenient Truth about Contactless Payments (RFID / NFC)

    RFID (Radio-Frequency Identification) and NFC (Near-Field Communication) use electromagnetic fields to automatically identify and read tags attached to objects. The tags contain electronically stored information. Passive tags, such as payment cards, access cards, ID cards and passports, are powered by the RFID / NFC reader. Active tags, such as e-tags, mobile phones and some motor vehicle remotes, have a local power source (such as a battery) and may operate hundreds of metres from the RFID / NFC reader. Unlike a barcode, the tags don’t need to be within the line of sight of the reader, so a tag may be embedded in the tracked object.

    RFID / NFC, as a method for contactless payments, has become increasingly popular globally, with a recent, rapid increase in South Africa specifically. This capability allows consumers to make “tap-and-go” payments without needing to hand over the card and, in some cases, without needing to provide a PIN code.

    To better understand the associated risks, I took to the streets to explore how my South African issued bank card behaved – both locally and abroad.

    • Use Case 1 – Using the RFID / NFC enabled card as a payment method
    • Use Case 2 – Using a (RFID / NFC capable) smart watch or phone, with the card enrolled as a payment method

    To give a further example of how tap-and-go is being adopted overseas, see this vehicle which uses a RFID card to unlock the vehicle and drive it – This is an initiative by GoGet in Australia:

    Before I talk about the observations, I want to briefly unpack the anatomy of card security for context:

    • Magstripe – Although a supposed legacy form of reading card data, this was “replaced” by chip & pin for improved security following a rise in card related fraud, such as skimming. This was owing to the ease of reading the magstripe, which stored the Card Number (PAN), Expiry Date, Service Code, CVV1 (this CVV is different from the one located on the back of your card – CVV2) and Check Digit on Track 2.
    • Chip & PIN – EMV cards are smart cards (also called chip cards, integrated circuit cards, or IC cards) that store their data on integrated circuit chips, in addition to magnetic stripes (for backward compatibility). This was the answer to further securing the card, providing an “unreadable” chip on the card to store the aforementioned information. Furthermore (following the EMV specification), there are two types of PIN parameters possible with EMV:
      a. Offline PIN – stored on the chip card and verified by the card. This PIN is encoded on the secure element of the chip card. This allows for faster transaction times and potentially offline transactions, as the terminal does not need to “contact” the bank for PIN verification.
      b. Online PIN – not stored on the chip card and verified by the issuer of the card.
      A chip card may support “a”, “b” or both. If it supports both, the PIN is usually the same, but this is not a requirement. For more about card parameters, see ‘Service Codes’ below.

    • Floor Limits – This is the amount of money above which the card transaction MUST be authorized – the limit can vary from merchant to merchant. In most cases, this capability is available to any merchant to allow for faster processing times, for example in places that may draw large queues, such as a fast-food drive-through, tollgate or cinema. As you can imagine, there is opportunity for fraud and therefore the issuer (bank) and the merchant must agree a limit up to which they accept the risk – often between R1 and R1000. You may notice this taking effect when, as you finish entering your PIN, the transaction authorizes instantly – without dialing up.
    • Service Codes – These are often a series of 3 numbers stored on the card that tell the card “how-to-behave”. For example:
    • Expiry Dates – Interestingly, as mentioned in the first point ‘Magstripe’, the expiry dates of a card are stored on the card itself and can be modified by a card skimmer on the Track 2 data.
    • Check Digits – A check digit, or longitudinal redundancy check (LRC), is one validity character calculated from the other data on the track; however, most reader devices do not return this value to the presentation layer when the card is swiped, and use it only to verify the input internally to the reader. Also, because this is a form of data integrity rather than data security, it needs to follow the international standard ISO 1155, whose algorithm for calculating the check digit is publicly available.
    • Fallback Transactions – A fallback transaction normally occurs when a chip card, presented at a chip terminal, cannot be read due to a technical issue with the chip which results in the technology “falling back” to a magnetic stripe transaction. In some situations, a fraudster may create a counterfeit card with an intentionally damaged chip in order to invoke this scenario. Alternatively, they can purposefully damage the chip, cover it with clear tape or insert the card backwards. For this reason, fallback transactions are deemed risky by the payments industry and it is the issuer (bank) that holds liability on fallback transactions.

    You can read this article from 2016 where I demonstrate the above concerns, here.

    So, just before I jump back into RFID / NFC contactless payments, I think it is worth noting the following, extremely concerning, observations:

    • Magstripe, as a form of identifying a payment card, is known to be flawed;
    • For this reason, EMV introduced the chip & PIN capability;
    • In addition, the magstripe remained on the card, with the same data (albeit with one differing service code digit) for backward compatibility:
      – In case the chip is damaged;
      – In case the terminal does not support chip & PIN.

    Therefore, it would be safe to say that chip & PIN, in its current implementation, is fundamentally flawed. For as long as the magstripe is still on the card, encoded with payment data, card skimming and card fraud are still as possible as without chip & PIN.

    So what have the issuers (banks) actually done to try and reduce the risk? The answer, as it appears to me, is to:

    • Further maximize the use of limits. This is in an effort to reduce the amount (value) of the fraud before it is identified and stopped, rather than remove the magstripe entirely, for the reasons stated above; and
    • Introduce 2FA where possible, such as the 3D Secure functionality, Dynamic Passcode Authentication (DPA), and OTP for online, Card Not Present (CNP) transactions.

    However, to the credit of the issuers (banks), it is also necessary to note that there are standards based on ISO/IEC 7816 for contact cards, and standards based on ISO/IEC 14443 for contactless cards, that may also act as a restraint, so they cannot simply “do what they like”.

    EMV originally stood for “Europay, Mastercard, and Visa”, the three companies that created the standards. The standards are now managed by EMVCo, a consortium of financial companies. The most widely known chips of the EMV standard are:

    • VIS – Visa
    • Mastercard chip – Mastercard
    • AEIPS – American Express
    • UICS – China Union Pay
    • J Smart – JCB
    • D-PAS – Discover/Diners Club International.
    • Rupay – NPCI
    • Verve

    So what’s wrong with RFID / NFC enabled contactless payments?

    The answer is quite simple – It is fundamentally no different to the other forms of card identification – Other than its convenience. This being said, it seems to have a higher risk tolerance (for now) which I can only assume is due to its new-ish adoption.

    Following the research, it appears some card issuers (banks):

    • Restrict the number of contactless transactions that can be made before the PIN is requested, to minimize fraud;
    • Force a cash limit for each contactless transaction, which differs slightly between issuers.

    At the same time, issuers (banks) are supposed to limit the number of contactless payments each day to protect users if their card is stolen. If a certain number of contactless payments is exceeded, usually three, a PIN is requested or the card may even be blocked.

    However, some issuers (banks) have been known to allow as many contactless payments as the customer wishes to make.

    So let’s not kid ourselves, contactless card fraud is on the rise; in the first half of 2018, thieves stole more than £8 million through contactless fraud.

    In conclusion, although the risks are reportedly low:

    1. It is possible to be defrauded on your RFID / NFC enabled contactless card. See ‘Are Contactless Cards Cloneable’ for more information.
    2. It is possible for fraudsters to skim details off your contactless card, for instance by standing behind you in a queue. (The distances from which you can be skimmed vary depending on the power of the reader. Some researchers say that because the NFC technology in contactless cards uses 13.56 MHz radio-frequency technology that only transmits digital data within a very short range (typically 5 cm or less), no communication should be possible beyond that range. However, the University of Surrey Journal of Engineering said a team managed to “successfully receive contactless transmission from distances of 18 to 31 inches”.)
    3. Your card can be targeted with an NFC enabled terminal even when it’s in your wallet or purse.

    A fraudster could potentially purchase a device like these seen on Takealot:

    That said, contactless card fraud (from publicly available data) does not appear to be common. However, I would err on the side of caution when South African banks say:

    “This technology protects our customers against card related-fraud, such as card skimming, as they no longer have to insert their card into the point of sale device” – Raj Makanjee, Chief Executive for FNB Retail.

    “Some sensational reports show that contactless cards can be remotely read by someone close to you, but upon testing it has shown that the data that can be retrieved is not sufficient to be used in fraudulent transactions – the chip cryptograms are just too strong” – Tshipi Alexander, Head of Consumer Issuing at Absa Card.

    Versus that of global research:

    It seems that the banks are taking a very complacent attitude when it comes to stopping easy-to-target contactless payment fraud. They casually reassure consumers that they are 100% covered for any stolen money and that they will return any lost cash to their accounts.

    Upon reading the publicly accessible data on an NFC banking card compliant with EMV, the following data could be seen:

    1. Card Number – Full card number as displayed on the front of the card
    2. Expiry Date – Full expiry date as displayed on the front of the card
    3. Card Type – i.e. Mastercard, VISA, etc.
    4. Card Issuer – VISA, Gemalto, Cryptomate, ACS, etc.
    5. Service Codes – See ‘Service Codes’ above
    6. AID – Application Identifier. Each AID indicates a specific card scheme product that is supported, such as Visa, MasterCard and Maestro
    7. Transaction Counter – The counter (ATC) makes each cryptogram (ARQC) unique and provides tracking values for the host verification services, allowing replayed transactions and cloned cards to be identified. See Explaining Unpredictable Numbers (UNs) for how this has been circumvented. The best the card issuer can do in an effort to prevent re-use of old transactions is to reject transactions with an ATC value lower than the highest ATC value that it has observed in a transaction.
    8. PIN Tries Left – The actual number of invalid PINs that can still be entered before the card locks.
    9. Transactions! – A list of the last transactions completed on the card, even transactions that were not contactless. This includes amount, transaction type and terminal country.
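    To make the issuer-side defences discussed in this article concrete, here is an added example (not from the article and not CyberSec’s code) of a toy authorisation routine in Python. It applies three checks described above: the ATC must strictly increase, so an equal or lower value is treated as a replay or a clone that is behind the genuine card (point 7); contactless transactions without a PIN are capped per transaction and per run of taps, with a successful PIN resetting the counter (the issuer limits discussed earlier); and magstripe fallback transactions, which carry no ATC, are only accepted for small PIN-verified amounts (see ‘Fallback Transactions’ above). The limits, the card reference and every transaction value are constructed for illustration and are not any issuer’s real parameters.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple


@dataclass
class Transaction:
    card_id: str                 # constructed card reference, not a real PAN
    amount: float                # rand; constructed values in run_demo()
    atc: Optional[int]           # Application Transaction Counter from the chip; None for magstripe fallback
    contactless: bool = False
    pin_verified: bool = False   # issuer saw a successful online PIN for this transaction
    fallback: bool = False       # chip could not be read; terminal fell back to magstripe


@dataclass
class CardState:
    highest_atc: int = -1        # highest ATC the issuer has ever seen for this card
    contactless_since_pin: int = 0


class IssuerRiskRules:
    """Illustrative issuer-side authorisation checks. All limits are assumptions."""

    def __init__(self, floor_limit: float = 200.0,
                 contactless_limit: float = 500.0,
                 max_contactless_without_pin: int = 3) -> None:
        self.floor_limit = floor_limit
        self.contactless_limit = contactless_limit
        self.max_contactless_without_pin = max_contactless_without_pin
        self.cards: Dict[str, CardState] = {}

    def authorise(self, tx: Transaction) -> Tuple[bool, str]:
        state = self.cards.setdefault(tx.card_id, CardState())

        # Rule 1: a magstripe fallback carries no ATC, so replay and cloning cannot be
        # detected; only allow small, PIN-verified amounts (liability sits with the issuer).
        if tx.fallback:
            if tx.pin_verified and tx.amount <= self.floor_limit:
                return True, "approve: fallback within floor limit with PIN"
            return False, "decline: magstripe fallback above floor limit or without PIN"

        if tx.atc is None:
            return False, "decline: chip transaction without ATC"

        # Rule 2: the ATC must strictly increase. An equal or lower value means a replayed
        # cryptogram or a clone whose counter is behind the genuine card.
        if tx.atc <= state.highest_atc:
            return False, (f"decline: ATC {tx.atc} not above last seen "
                           f"{state.highest_atc} (replay or clone suspected)")
        state.highest_atc = tx.atc

        # Rule 3: contactless without PIN is capped per transaction and per run of taps;
        # a successful PIN resets the run.
        if tx.contactless:
            if tx.pin_verified:
                state.contactless_since_pin = 0
                return True, "approve: contactless with PIN"
            if tx.amount > self.contactless_limit:
                return False, "decline: contactless amount above limit, PIN required"
            if state.contactless_since_pin >= self.max_contactless_without_pin:
                return False, "decline: too many contactless taps since last PIN, PIN required"
            state.contactless_since_pin += 1
            return True, "approve: contactless within limits"

        # Rule 4: contact chip transaction; a PIN is required above the floor limit.
        if tx.amount > self.floor_limit and not tx.pin_verified:
            return False, "decline: amount above floor limit requires PIN"
        if tx.pin_verified:
            state.contactless_since_pin = 0
        return True, "approve: chip transaction"


def run_demo() -> List[Tuple[bool, str]]:
    """Constructed sequence of transactions on one card, showing each rule firing."""
    rules = IssuerRiskRules()
    card = "card-demo-1"  # constructed reference
    sequence = [
        Transaction(card, 150.0, atc=10, contactless=True),   # tap 1: approve
        Transaction(card, 150.0, atc=11, contactless=True),   # tap 2: approve
        Transaction(card, 150.0, atc=12, contactless=True),   # tap 3: approve
        Transaction(card, 150.0, atc=13, contactless=True),   # tap 4: PIN required
        Transaction(card, 150.0, atc=13, contactless=True),   # same ATC again: replay
        Transaction(card, 150.0, atc=14, pin_verified=True),  # chip + PIN: resets the run
        Transaction(card, 150.0, atc=15, contactless=True),   # tap after PIN: approve
        Transaction(card, 900.0, atc=None, fallback=True, pin_verified=True),  # fallback: decline
        Transaction(card, 900.0, atc=16, contactless=True),   # over contactless limit: decline
    ]
    return [rules.authorise(tx) for tx in sequence]


if __name__ == "__main__":
    for approved, reason in run_demo():
        print("OK " if approved else "NO ", reason)
```

    The state kept per card is deliberately minimal: the highest ATC seen and the number of contactless taps since the last PIN. A real issuer host would also consult velocity and daily totals, but the ATC check alone is what turns the transaction counter into a replay and clone detector, which is the point made in item 7 above.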

    Given the above, I think it is safe to say that the belief that more data can be read off the magstripe than off the contactless card is in fact false.

    Although it is highly likely, that if you were to fall victim to this kind of fraud, the issuer (bank) would refund the money you lost, there is also a lot that cannot be simply “refunded”, such as:

    • Your personal information – In some cases, your Name, Surname or Transaction History, depending on what information the issuer decides to store on the card.
    • Your time – Anyone who has had to report card fraud to a bank would know that most often these things don’t just happen overnight – it is an administrative process to capture, process and have the funds reflect back in your account.
    • Your cashflow – Even though issuers (banks) have set varying limits per transaction (that don’t require a PIN), you can still lose hundreds (if not thousands) of rands and this may have a negative impact on your cashflow while navigating the fraud processes.

    How to minimize the chances of contactless card fraud

    • Contrary to being told you don’t need to worry – Be Aware, Be Alert.
    • Don’t hand over your card to anyone, for instance, in a restaurant. If your card is taken out of your sight someone could skim the card, which copies the data.
    • Contactless users aren’t always offered a receipt so if you want to keep track of spending and make sure you aren’t being overcharged, ask for one.
    • Contactless users may also be inclined to tap their card without visually inspecting the amount – be sure to verify the value of your payments.
    • You should check your statements as regularly as possible to look for unusual transactions, including on lost or stolen cards as these can still be used after being cancelled. Especially considering that some amounts may be below your notification threshold/value.
    • Banks issue contactless cards by default today. However, you may not be obliged to take one. If you’d rather have a traditional chip and PIN card, try asking for one instead.
    • Use tinfoil to line your wallet etc. This will block radio-frequency identification signals to and from the card.
    • If your card is lost or stolen, act fast. Contact the necessary companies to cancel your cards immediately.
    • Some banks and card companies allow you to ‘turn off’ your card when you are not using it through their apps – Hopefully this becomes a standard feature in future.

    Considering RFID / NFC as a technology has many more uses than purely for payments, such as, but not limited to:

    • Smart Identification Cards (South African ID Cards)
    • Passports
    • Access Cards (For office buildings, parking, secure areas, etc)
    • Smart Keys (Keyless Entry Vehicles)
    • Public Services (Gautrain, buses, etc)

    CyberSec (Pty) Ltd has an RFID / NFC Blocking Card accessory. Just place it near any of your RFID / NFC enabled items to protect your information and reduce the likelihood of falling victim to RFID / NFC fraud.

    Just grab one of our business cards to start protecting your RFID / NFC financial & personal information!

  • The challenges of unstructured data

    The challenges of unstructured data

    Data is crucial for success. But you don’t know what you should know if it’s not structured… There is much evidence that data is growing fast and furiously. This is creating vast pools of information that is not being classified. Unstructured data can’t be mined, let alone understood. Is this a serious issue? If so, what can be done about it? We posed these questions at our roundtable discussion.

    Is unstructured data a growing problem?

    Yolanda Cornelius, technical team leader at Discovery: Anybody who doesn’t have unstructured data is very lucky. Up until two or three years ago, we were in the same boat where we had vast unstructured data, but we’re better off now. It takes changing the mindset of business to work towards classification and identifying what they are saving and where. But there is still a big learning curve.

    Belinda Milwidsky, head of IT at Fluxmans Attorneys: Smaller companies are in a worse position, and are not necessarily getting the help they need from the IT industry. Enterprises have done a good job in their classification strategy. The challenge is in the SME market, where we don’t necessarily have the budget to cope with this amount of unstructured data. The people who make the decisions don’t necessarily realise the risk. So how will SME markets deal with this amount of data?

    Guy Taylor, head of data driven intelligence, Nedbank: The way it runs is on a use case basis. We all have unstructured data. The way I think about it is: how to identify the unstructured data you’re willing to keep and is it going to be an asset? Everything is unstructured until you structure it.

    Nathan Desfontaines, Managing Director, CyberSec: It’s the rubbish, the reports and the spinoffs from systems and the log outputs and Excel spreadsheets. It’s all that. If I had a datastore that only had the right data in it, and I didn’t understand it, then I’d gladly go on the journey and get intelligence from it. But it’s 80% garbage, 20% good stuff.

    What’s driving the problem of unclassified data?

    Bryan Botha, CIO of retail & business banking at Standard Bank: The conversation from our side is being driven more by the cost/size of the data than it is about caring what the data is and what to do with it. The better part of me wants to say there is so much intelligence there, but the reality is we’re tackling this because we find ourselves buying storage more frequently than any other part of our IT business, and that has to stop, or at least slow down.

    Olwethu Sinxoto, head of information security at Wesbank: The problem is really complex. It’s not just file shares. It’s email, which is one of the biggest sources of unstructured data and we’re trying to deal with it. So this is not an IT problem. It’s a business problem. It touches technology, people and processes. If you don’t have data stewards, someone on the ground who is enforcing certain practices, you’ll never achieve classification. IT and business are not separate. So it’s a collective effort.

    Karin Höne, chief information security and risk officer, Barloworld Logistics: The drive is that we buy businesses that have to be profitable. There is no time for going through an exercise to bring everything elegantly on board. So we end up with a lot of duplication of systems and data. We may become one business, but I don’t have a view overall of what exactly is happening end to end on the processes. The other challenge is business doesn’t always understand what they bought from a data perspective – every business brings data with it – and they don’t want to invest in the time and energy to mine it. Yet they ask IT for more information and for it to be more intelligent. You cannot get to that end state if business is not prepared to invest in finding out what they have.

    How can we get the business involved?

    Dumisani Hlongwane, senior manager of IT & KM, Rand Water: Because business doesn’t know where to start, they just expect IT to sort it out. But when you start looking at it, you realise it’s not all mine. Somebody in the business owns this – and that’s where we start.

    Dr Stanley Mpofu, CIO at Wits University: Everyone at Wits thinks they know everything. I’ve used creating awareness first as my strategy. It doesn’t matter if you start with first principles – academics will find a reason to disagree with you. So I focus on creating awareness first. I sit with different people and explain why we want to do things in a certain way.

    Julian Ramiah, Group information & security officer at Liberty Group: We IT-born professionals inherited that thinking, whereby we own the problem as well. But now we have the business dudes around the table, and the first thing we want to deal with is the terminology we’re using is business lingo. We start with a problem statement and the roles and responsibilities. Now we find much more engagement from the business, because we could quickly show them, using some Hadoop platform, a single view of the customer across the portfolio. So don’t tick a compliance box. Rather show the business value, where you’ll get more buy-in and budget.

    Abdul Baba, head of IT, Kwesé Holdings: We need to understand the drivers of the business: why do they need this information? We need to cater for the data, but we don’t understand where we can add value and use this data in the right way for quick decisions around profitability and growth. But that’s how business is seeing it. IT has a different perspective: we need to mine and store the data. But we need to also understand the drivers from the business and that’s where the conversation should happen.

    How can we deal with the problem?

    Ebrahim Samodien, CIO of Enterprise Functions at Barclays Africa: We’ve pulled data out of tech and launched data as separate in the business – call it the data office. We’ve done a lot of work building visualisation tools, the backend, working with delivery teams, trying to understand what we have and putting that into a strategy or how we consolidate multiple enterprise data warehouses. We have a strategy to move to a Hadoop platform, but that may take five or six years. Our biggest challenge is to fast-track our evolution, because our business is going to transform and change.

    Russell Clarke, head of Business Intelligence at iDigi-Tech Infrastructure and Operations, FNB: We have many systems that do duplication collection. You have to look at the overlap and build that one master set. It takes a lot of putting it all together, defining which is more true than the other. Once you have those master sets, those are the ones everybody guards. You have strict change control. Because it is a thing that gives shared value, everyone focuses inwards. The more you bring those on, the better it becomes.

    Mornay Walters, chief information security officer at AngloGold Ashanti: I agree with this approach. That sounds like coding discipline, where you’ve got your branches that you merge, and you have your source of truth that you work on. Then you discard what you don’t use.

    Original post: Brainstorm Magazine