Report Back of InfoSec user group meeting: 17 November 2005 held at Business Connexion, Midrand

ISGSA has released a report back on the InfoSec user group meeting held in November.
Johannesburg, 08 Dec 2005

Reporting on the growth and acceleration of membership around the country, Group founder Craig Rosewarne outlined the success of the user group initiative launched in July of this year. Apart from monthly meetings, member companies within the group have joined forces to combat the lack of security materials available to the average SA company. Projects currently on the go include security awareness posters, screen wipes printed with security tips and the creation of a security awareness DVD.

Summary of presentations

1. Ivan Holman of Medscheme presented "Internal Security Threats and Countermeasures", which highlighted specific challenges within the organisation. These included exposures to confidential , user or account admin staff, legal requirements, management buy-in and partner connections (data system sharing).

He identified two types of disclosure, typically malicious and inadvertent, which result in loss of IP and business sensitive data. Holman suggested centralised administration under a secure system and processes to manage staff lifecycles (long leave and resignation). For legal requirements he advocates adherence within the structures that exist, such as the Film and Publications Act, ECT, RICA, PROATIA and establishing security measures through internal forensic processes, data retention and privacy.

2. "Who are your competitors? What do they want? - and how will they go about getting it?" These are important questions to consider when approaching Corporate Counter Intelligence, said Steve Whitehead, managing member of CBIA.

Trade secrets, marketing plans, medical records, vendor information, billing records etc. all form part of the vital information that makes your company tick and there is the danger of showing too much in a public environment. So while infiltration is not new, the methodology has stepped up from simple techniques (physical security) to highly sophisticated attacks on data accessed by foreign, local, government or intelligence entities. This collection of information is a form of business espionage combining legal, illegal and unethical techniques.

Signs of spying include enquiries by strangers on unreleased information, competitor knowledge of your business, getting beaten on tenders continuously by the same company and theft of confidential material.

The counter, Whitehead says, is to protect information from those not authorised to receive it - not to be confused with security - through active or passive approaches. An active counter is to practise deception and denial by creating false perceptions, while the passive approach includes education, employee assisted programmes (EAP), technical surveillance counter measures (TSCM), protective programmes and penetration testing.

3. Eric McGee, Senior Security Architect at Business Connexion, presented "Internet Threat Trends", from his interpretation of the Symantec Internet Security Threat Report, published biannually.

McGee pointed out a trend indicative of an increase in volume and severity of attacks, as well as an increase in attacks of financial motive. Bot networks are on the rise, web applications and browsers are increasingly targets, malicious code is more sophisticated and as a result, more difficult to detect and remove.

Statistics revealed an increase in unique bot network machines of 143% translating to 10 352 per day, in the period January to June 2005. Reporting vulnerability trends, McGee said the number of Windows 32 malicious code variants had surpassed 28 000 - along with an exponential increase in Spybot. He also noted an increase in phishing attacks, currently at the level of 19 million per day.

4. In the vulnerability demonstration, Nithen Naidoo, Security Consultant at Deloitte & Touche, showed a Bluetooth pairing attack, effectively capturing and deleting an entire Nokia 6310i address book. Using an ATI command, incorporating the manufacturer and phoneware version, with the HCI tool scan he was able to pick up the first 100 addresses and proceeded to edit and delete the phone book in less than 60 seconds. "The weakness is in the application level, not Bluetooth itself," remarked Naidoo.

5. Panel Discussion: Privacy concerns dominated the panel discussion and Medscheme's Holman suggested central controls, functional responsibilities and monitoring and reporting processes to culminate as business compliance, as opposed to technological compliance.

In asking for an example of business spying in South Africa, Whitehead said that although information gathering is mostly legal, there is a pocket of rogues who may install listening devices or recruit someone on the inside. A company in Sandton had a box of 14 lines tapped and going through trash remains popular, to the extent that there is an organisation who call themselves the Trash Archaeology Service. Dignity in dustbins!

Another question from the floor raised the issue of policy enforcement and coercion. Holman stressed the importance of making individuals aware and commented on the varying legal opinions, but pointed out that any banner log-on required an agreement to terms and conditions, denoting the ease of compliance. "Constant awareness and reinforcement is most practical," he concluded.

More about ISGSA

ISGSA was created in response to the increase of Information security threats facing companies in Southern Africa. This volunteer Group aims to provide a monthly forum for the exchange of IT security information and experience between members and raise awareness of potential vulnerabilities within organisations. The Group consists of IT security professionals from Corporate, Government and IT Security firms within Southern Africa. ISGSA is a non-profit user group and is not biased toward any single vendor or technology!

We are a volunteer group of individuals who are passionate about IT Security. Irrespective of your IT Security experience level...if you are interested in developing your security skills and believe in sharing this knowledge to assist others...then you will greatly benefit from this user group!