Tuesday, 6 October 2015

Jail threat for company bosses over Popi

Company executives who fail to secure data in South Africa may face jail time, according to the Protection of Personal Information Act, known as Popi.
However, while the act specifies prison time for people who fail to keep personal information confidential, SA has not yet fully implemented the legislation.
“Until the Act is implemented it is difficult to know what such conditions could be, particularly in light of the fact that similar laws in the UK and Australia do not prescribe custodial sentences for breaches,” Wayne Mann, director of Group Risk at The Unlimited, told Fin24.
Popi legislation specifies penalties of jail time up to 10 years and R10m for contravening sections related to data protection.
“If one breaches the following sections of the Act, 100, 103(1) and 104(2), 105(1) and 106, which deal, among other things with the powers of the Regulator to enforce compliance with its provisions, obstructing the Regulator in the performance of the Regulator’s duties, the selling, disposing or processing of a person’s account number in a manner not authorised by the Act, a prison sentence of up to 10 years can be imposed,” Mann said.
Outright fraud
The legislation demands that people who “knowingly or recklessly, without the consent of the responsible party” share personal data are guilty of an offence in terms of the act.
Mann, though, argued that outright fraud was more likely to result in jail time than contravening Popi.
“In our view the offences that overlap with our common law crimes such as fraud and theft, for example the unauthorised selling of a person’s account number, are more likely to be frowned upon by society and it is these offences that could result in prison sentences being imposed.”
Popi, which was modelled on European legislation, was intended to give citizens the right to protect their reputations, said an attorney.
"Popi is modelled on Europe’s EUDPD [EU Data Protection Directive]. Popi gives ‘data subjects’ (SA citizens) control over their personal information relating to criminal activity or negative and damaging behaviour they may have committed in the past or are suspected to have committed," specialist technology attorney Russel Luck told Fin24.
“Popi categorises this type of personal information as ‘special personal information’ under S26 of Popi and can only be processed by a “responsible party” in certain circumstances,” he added.
In the UK, the Data Protection Act was passed in 1998, but compliance took more than a decade and SA may face a similar situation.
“The Act does provide for a 12 month compliance period from the date that certain provisions become effective – which is only likely to happen once the office of the Information Regulator is established (which has commenced). Given the length of time that the act has been in the public arena, our view is that it is very unlikely that the 12 month compliance period will be extended,” said Mann.

Sunday, 12 July 2015

South African websites hacked

A hacker successfully hacked into 53 South African Web sites on Friday, says IT security and e-commerce attorney Reinhardt Buys. The hacker, called F3PN, hacked the sites between 8.31am and 8.59am on Friday, setting a new daily South African record. All the attacked Web sites are running on a Linux operating system through a single server. All the domains were registered in the name of a company called Vukanet, says Buys.
"We’ve never seen a local attack of this magnitude before. This person or group of persons succeeded in destroying more than 50 Web sites in less than half an hour." Buys says the hacker only targeted Web sites in the .co.za domain. No other Web sites were attacked during the course of the day.
He says it is highly unusual to see so many sites running on Linux coming under attack. "We do not see a lot of Linux hacks. On average, about 20% of daily worldwide hacks are done on Linux computers." After the attack, all the affected sites had the same message from the hacker: "F3PN 0wnz By FaiSCa_ 0wnz b0x !!"
Only a handful of the affected sites - mlasset.co.za, partnet.co.za, iso2000.co.za, safarifeeds.co.za, victoriaplace.co.za and anyjob.co.za - were up and running by this morning.
The sites that were hacked included: unica.co.za, rudsatours.co.za, edgeproduction.co.za, einstein.co.za, equadoor.co.za, groundsconsult.co.za, hittube.co.za, galleryclearing.co.za, iabacus.co.za, fouroaks.co.za, icp.co.za, ideasman.co.za, imberbe.co.za, phashasha.co.za, ndawo.co.za, musgravecomp.co.za, itempowerment.co.za, nitropromotions.co.za, incentivewise.co.za, lesserkestrel.co.za, jojotanks.co.za, learnmaths.co.za, pigbrother.co.za, ppmgroup.co.za, jamescaird.co.za, marlen.co.za, megatour.co.za, rmaa.co.za, saqi.co.za, timbercity.co.za, scg.co.za, tiqms.co.za, tubulartrack.co.za, topnet.co.za, thebigdoor.co.za, ultimategh.co.za, vukanet.co.za, anyplace.co.za, aidaprogram.co.za, bangani.co.za, afritrade.co.za, alltrans.co.za, anyrent.co.za.
Alastair Otter, editor of African open source news site Tectonic, says that while the number of sites involved is high, the incident is not exceptional.
"Many hosting service providers typically house a number of sites on one machine by using a Web server capable of serving virtual domains. If this single machine is compromised and the attacker gains root access, they are very quickly able to deface all the Web sites housed on that machine within minutes of gaining control.
"The fact that the hacker was able to deface 53 local Web sites in less than 30 minutes suggests that this was indeed the case," he says.
To systematically break into more than 50 computers within 30 minutes and gain control of them is a near-impossible task, unless the individual sites were hosted on identical machines with the same vulnerability across all of them.
Otter says the fact that the sites were hosted on a Linux machine does not automatically make them more secure than any other.
"Typically Linux is a more secure hosting platform than most others, with Linux now one of the most popular Web hosting platforms and the Apache Web server, another open source application, by far the most commonly used server. It is home to more than 60% of the Internet’s Web sites.
"But as the operating system grows in popularity, so does its vulnerability," he says. "The open source community is renowned for being quick to respond to bugs and security risks but if those fixes are not applied, the hosting machine is as vulnerable as any other."
Source: http://www.balancingact-africa.com/news/en/issue-no-156/web-and-mobile-data/hacker-targets-south/en

Saturday, 4 July 2015

Outsourcing and Offshoring as Potential Threats

Should outsourcing and/or offshoring be viewed as potential threats to cyber security?

There are potential risks and benefits associated with Outsourcing and Offshoring.
Outsourcing: contracting out a business process to an external party, e.g. human resources and IT services. Businesses outsource so that they can focus on their core activities and gain a competitive edge over their rivals.
Offshoring: relocating a business process to another country, e.g. call centres and customer support.

The advantages of outsourcing and offshoring include cost savings (cost is normally the main driver behind outsourcing), access to expertise the business lacks (outsourcing service providers provide a higher quality of service and expertise) and cheaper labour (which provides flexibility, as the business does not have to worry about hiring or firing employees).

The disadvantages of outsourcing include miscommunication between the business and its vendors, cultural differences, increased reliance on third parties, lack of in-house knowledge of critical (though not necessarily core) business operations, project failure, service providers subcontracting to other providers, and the service provider's lack of understanding of the client's business.

Outsourcing and offshoring bring both benefits and risks. Businesses need to apply due diligence when deciding to outsource or offshore any part of their business, by conducting a proper risk assessment to identify the risks. The business needs to build a strong agreement with the service provider, including compliance with proper policies and procedures. Businesses need to include all their requirements in the Service Level Agreement (SLA) so that the service provider can be held accountable for any deviation from the contract. Businesses also need to state in the SLA that the service provider's information security infrastructure will be audited for compliance with frameworks such as ISO 17799/27002 or Control Objectives for Information and Related Technology (COBIT).

There will always be risks associated with businesses outsourcing or offshoring functions. It is therefore my view that it is the business's prerogative whether outsourcing or offshoring is viewed as a potential threat to cyber security.

Physical Security in an Era of Mobility

In today’s world businesses rely on computers to achieve a competitive edge over their competitors. With one click of a button, information travels across the entire world in seconds, and sensitive information is forwarded from mobile devices by employees while travelling.

Physical security is of utmost importance in protecting data from falling into the wrong hands (through theft, eavesdropping and malware), which can cause severe reputational damage or even bankruptcy of the company. Since organisations have allowed the BYOD concept, employees must take considerable care when using their devices outside the company environment while performing company responsibilities, to prevent unauthorised access to or disclosure of the information stored on or accessed by the device: e.g. sensitive information and email should be encrypted and the decryption key entered manually, secure log-in should be established via VPN, and secure wipe of the device should be enabled in case it is lost or stolen. Company policies and procedures should be established to address the physical protection of mobile devices and the information stored on them. User awareness training should be conducted on mobility protection, as users can be the first point of failure or the first line of defence. Defence in depth would be the best approach, combining technology, policy, processes, users and training.

Operations Security enables the organisation to view an operation or activity from the perspective of a hacker or competitor. Together with risk assessments, it develops protection mechanisms to safeguard information stored on mobile devices. To implement an effective Operations Security plan, security officers should understand the threats that could lead to breaches of mobile devices. Operations Security is the development of cost-effective security countermeasures (e.g. encryption) by identifying threats and analysing and controlling critical information, e.g. credit card numbers, customer information, medical information and passwords.

In a nutshell, by allowing mobile devices into the business environment, organisations face more risks than before, but with proper physical security mechanisms those risks can be mitigated.

Thursday, 2 July 2015

TCP/IP Technology in Aircraft Design

How safe is TCP/IP technology in aircraft network architecture?
New aircraft designs use TCP/IP technology for the main aircraft backbone, connecting flight-critical avionics and passenger information and entertainment systems in a manner that virtually makes the aircraft an airborne, interconnected network domain server. What are the implications? Are there or should there be security concerns? Don’t forget to provide details!
Implementing TCP/IP technology for the main aircraft backbone and connecting flight-critical avionics, passenger information and entertainment systems, so that the aircraft becomes an interconnected network, exposes the aircraft to new security challenges which could lead to system failures and to intentional malicious attacks.
The interconnected system will allow access to external systems (wireless airline operations and maintenance systems), satellite communications, email, the World Wide Web, etc. There are also security issues regarding wireless devices that may gain access to the aircraft's DDBs, which provide flight-critical functions.
To address security issues the Federal Aviation Agency (FAA) implemented a new Operations Specification (OpSpec) D301, Aircraft Network Security Program (ANSP). All e-Enabled aircraft must meet the requirements of the OpSpec to become operational. E-Enabled aircraft are vulnerable to misuse and attacks, including the following:
1. Infection of an aircraft system with malware (malicious software).
2. An attacker using on-board wireless to access aircraft system interfaces.
3. Denial of service against wireless interfaces and safety-critical systems.
4. Passive attacks, e.g. eavesdropping and traffic analysis.
5. Active attacks, e.g. masquerading and replay attacks.
Aircraft network threats can lead to operational failure, which could cause system failures and result in hundreds of human fatalities.

Proper countermeasures need to be implemented to provide security assurance, including the following:
1. Security Incident and Event Management (SIEM).
2. Security log management and review, alerting and validation.
3. Encryption of data (Public Key Infrastructure – PKI; digital signatures).
4. Monitoring of security logs to identify policy violations, fraudulent activity and operational problems.
5. Physical access control – limiting access to network data ports and hardware.
6. Proper security training of personnel – vulnerability monitoring, verifying security settings, disabling unauthorised network devices.
7. Up-to-date software (the technology used for communication between controllers and pilots is outdated).

In conclusion, the implementation of TCP/IP technology gives passengers the freedom to use wireless devices while 35000km above sea level, but it also brings many risks. As mentioned in a recent post, the FBI is investigating whether IT expert Chris Roberts' claims of having hacked into the entertainment system of a passenger jet several times and manipulated the plane's engines during a flight are true.

Wednesday, 1 July 2015

Is business continuity and disaster recovery planning important for all organizations?

Business Continuity and Disaster Recovery Planning play an important part in today’s business; if well planned and designed, they will help the business continue its day-to-day functions, losing minimal productivity and profit. If a business does not have a tested BCP and DRP and a disaster occurs, it will lead to bankruptcy and unemployment, as the business's only goal was profit and not recovery.
The Business Continuity Plan will help the business continue after a disaster has occurred, meaning it is still able to make money after a disruption. For example, half of the IT department is down with a contagious illness and has been hospitalised for 3 weeks. The remaining IT staff will be able to do the work of the sick staff members due to cross-training, or the BCP may stipulate that support staff from another branch will assist in their absence.

The Disaster Recovery Plan will provide the business with the steps to resume business after a disruptive event. If the premises are destroyed, the DRP will provide the alternate location where the business can be re-established. For example, if a fire on the premises causes major damage, the DRP will be invoked and core business processes will then move either to the nearest branch or to a hot site identified as part of the recovery point objective.

Monday, 29 June 2015

What is the role of cyber security in an organization?

Cybersecurity Vs Cyber Crime

In today’s world organisations rely on cyber security techniques to protect their data, assets and people, in a nutshell providing confidentiality, integrity and availability. It does not stop there: as technology evolves and more and more devices are connected to the internet, new threats evolve and become more sophisticated.

Organisations need to align security with their business objectives if they want to stay in business, as cybercrime incidents are increasing daily. NSA whistle-blower and CIA contractor Edward Snowden revealed in an article in SC Magazine that 660 000 internal security breaches occurred in 2013 in the USA. Cyber security must become a way of life in all organisations, and every employee must play his or her part in becoming cyber smart.
Organisations will have to be a step ahead of individuals who are trying to steal, destroy or modify their data, by having trained individuals perform the following:
  • Awareness training
  • Risk assessments
  • Vulnerability assessments
  • Penetration testing

Access control plays an important part in safeguarding the organisation's assets, data and people, as it restricts who can have access by performing identification (username), authentication (password), authorisation (what a user can access) and accountability (monitoring the user).
  • Place (physical access control - entry to the data centre): access can be controlled via swipe cards. In restricted areas a two-factor authentication system can be used, e.g. a smartcard with a PIN.
  • Resource (electronic access control - sensitive data on the network): role-based access control (RBAC) restricts system access to authorised users.
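The four access-control steps listed above, carried through in a small Python model as an added example (not code from the original post): identification looks the username up, authentication checks a salted password hash, authorisation applies RBAC, and accountability writes every decision to an audit log. The users, roles and permissions are constructed sample values.

```python
# Added example (not from the original post): identification, authentication,
# authorisation (RBAC) and accountability in one small access-control model.
# User names, roles and permissions below are constructed sample values.
import hashlib
import hmac
import os

AUDIT_LOG = []  # accountability: every access decision is recorded here

# authorisation: role -> permissions (RBAC). Constructed sample roles.
ROLE_PERMISSIONS = {
    "dba": {"read:customer_data", "write:customer_data"},
    "helpdesk": {"read:customer_data"},
}

def hash_password(password, salt=None):
    """Salted PBKDF2-SHA256 hash; the stored value never holds the clear-text password."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    return salt, digest

def make_user(username, password, role):
    salt, digest = hash_password(password)
    return {"username": username, "salt": salt, "digest": digest, "role": role}

# identification: the directory of known users (constructed sample accounts)
USERS = {u["username"]: u for u in (
    make_user("alice", "correct horse battery", "dba"),
    make_user("bob", "hunter2", "helpdesk"),
)}

def access(username, password, permission):
    """Return True only if all four steps succeed; log the outcome either way."""
    user = USERS.get(username)                                   # identification
    if user is None:
        AUDIT_LOG.append((username, permission, "unknown user"))
        return False
    _, digest = hash_password(password, user["salt"])
    if not hmac.compare_digest(digest, user["digest"]):          # authentication
        AUDIT_LOG.append((username, permission, "bad password"))
        return False
    if permission not in ROLE_PERMISSIONS.get(user["role"], set()):  # authorisation
        AUDIT_LOG.append((username, permission, "denied by role"))
        return False
    AUDIT_LOG.append((username, permission, "granted"))          # accountability
    return True
```

The audit log records failed identification and authentication attempts as well as authorisation denials, which is what later monitoring of the user (accountability) relies on.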