
Security on the spot with Internet Solutions

By Allyson Towle
Johannesburg, 17 May 2016

ITWeb Security Summit 2016

Don't miss out on the definitive event for information security professionals, 17 and 18 May 2016 at Vodacom World.

We interviewed Simphiwe Mayisela, Group Information Security Officer at Internet Solutions, about his thoughts on cyber security risks.

ITWeb events asked Mayisela about the state of cyber security in South Africa, what he sees as the key risks and mitigating steps, what an enterprise's biggest weak spot is, and how cyber crime has evolved.

What do you see as the single biggest information security risk this year?

I would like to think the biggest risk this year is the spread of ransomware. Ransomware infects computers and demands that the victim provide a payment (ransom) to the attackers in order to decrypt and recover their files, with no guarantee that the files will be recovered.

It's the threats driven by financial motive that are continuing to gain prominence. Most ransomware cases are a result of users falling victim to some phishing scam that misleads them to click on a malicious Web link or to open an attachment that contains a malicious payload. We are starting to see a trend where hackers are moving away from malware that steals credentials to malware that yields immediate monetary reward. While stealing credentials or passwords is still an effort deemed lucrative by hackers, particularly those that steal banking credentials, it is not really a gratifying effort as passwords require additional efforts to rake in successful exploits.

With the recent announcement by Google to restrict access into their VirusTotal database, most organisations, especially those that relied on small start-up security firms to assist them with detection of malicious code, will find themselves jumping out of a frying pan, and straight into a fire.

What is the one key risk mitigation step enterprises need to take this year?

Humans continue to be the weakest link in the information security chain. As such, organisations should step up their game in mitigating risks related to social engineering. Social engineering involves hoodwinking an individual into doing something he or she would not otherwise do. Even the current upsurge of ransomware attacks is largely attributed to a social engineering scam known as phishing. Despite this being the peril, organisations still invest more on security technologies, while forgetting that an employee who innocently clicks on an unsolicited e-mail attachment may render all that investment futile. It's plain as a pikestaff that enterprises should focus more on security awareness campaigns. Even more so that the majority of the workforce today is comprised of the New Media Age (i.e. Generation Y and Generation Z). These younger generations tend to deal with information in a more careless and heedless fashion - they share information widely on social media, they e-mail casually, and they job hop repetitively with sensitive company information. Organisations should therefore apply innovative ways of raising security awareness, such as game-based learning, which appeal more to younger generations.

What, in your view, was the biggest security breach of the past year?

Simphiwe Mayisela, Group Information Security Officer, Internet Solutions

Apart from the recent hacks by a hacktivist team called Anonymous on South African government databases belonging to the Department of Water Affairs as well as the Government Communication and Information Systems Department, it is difficult to mention the biggest security breach from a local perspective as most of these breaches are not reported. With the POPI Act still ineffective, there are no laws that impel South African organisations to publicly disclose their security breaches.

Going offshore, the Home Depot and Target data breaches take the prize - not by the number of records leaked, but by the level of effort and impact it had on both retailers. About 40 million cardholder data records were stolen in the Target breach. The Home Depot data breach topped that by having 56 million cardholder data records stolen. These records were in turn sold on the "darknet" to brokers and carders such as Rescator.

What is the biggest information security weak spot in the enterprise?

The weakest link in the enterprise security chain is people. The sooner organisations start realising that information security is more a people and process discipline, rather than a technology discipline, the better. To quote Bruce Schneier: "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology." In most organisations, employees still exhibit non-compliant behaviour and tend to use weak passwords and click on phishing links with malicious payload, allowing arbitrary code to execute on their machines, thereby bringing hackers (through botnets or otherwise) into the corporate network.

In a nutshell, how has cyber crime changed in the past years?

As the old cyber security adage goes: "The Internet does not necessarily create new crimes, it merely creates new opportunities for the same crimes to be carried out in a different medium". A few years ago cyber criminals leveraged on the fact that POS servers were accessible on the Internet coupled with the fact that most of them used default credentials. As years progressed, organisations tightened up their security posture, and consequently cyber criminals had to up their game by using more sophisticated means of gaining a toehold on victims' networks without coming through the Internet. According to the Verizon 2016 Data Breach Report, 97% of breaches featuring stolen credentials against POS vendors leveraged legitimate partner access.

Malware still remains the greatest arsenal for cyber criminals. The malware used to commit cyber crime does not require any technical expertise since most of it is "off-the-shelf" or available as a service on the darknet - a business model coined "crime-as-a-service". The cyber-criminal industry has become so service-oriented to the extent that skilled cyber criminals are now developing malware and services for use by other cyber criminals.

Andre van der Walt, security incident engineer from Internet Solutions, will address the cyber threat landscape and associated trends at the ITWeb Security Summit 2016, on 17 and 18 May.