Security concerns flagged on Public Protector website

Samuel Mungadze
By Samuel Mungadze, Africa editor
Johannesburg, 02 Sept 2022

Major security vulnerabilities have been identified on the Public Protector SA’s (PPSA’s) website, and the State Information Technology Agency (SITA) is now working to improve the security posture of the site.

At the core of the security concerns is that the PPSA’s website doesn’t have Secure Sockets Layer (SSL) certification, which means information sent and received through the site is unprotected and could be stolen or modified by hackers.

The PPSA’s website is hosted and supported by government tech agency SITA.

Websites need SSL certificates to keep user data secure, verify ownership of the website, prevent attackers from creating a fake version of the site, and convey trust to users.

The PPSA website security concerns come on the back of a recent report by cyber security solutions provider Check Point Software, which warned SA’s government departments are vulnerable to cyber attacks.

The PPSA issue was brought to the fore by non-profit entity Public Interest SA, which says lax IT systems security appears to be pervasive in the public sector and this poses grave risk to the public if left unattended.

“We first try to persuade those responsible for discharging public office to make good their identifiable shortcomings and maladministration before we resort to galvanise others to help shine a light on wrongdoings,” says Tebogo Khaas, chairperson of Public Interest SA.

Khaas is also an Internet Service Providers’ Association of SA (ISPA) fellow, having served and been associated with the organisation since its founding in 1995.

Risky business

He tells ITWeb there is a “major security vulnerability” on the PPSA website, and considering the risk level posed by this, SITA should prioritise the matter.

Khaas says SITA is an ISPA member and clause G of the ISPA code of conduct, under the heading cyber crime, demands that “members must take all reasonable measures to prevent unauthorised access to, interception of, or interference with any data on that member’s network and under its control”.

Further, he says, the “not secure” warning on the PPSA’s website means “there is a lack of security for the connection to the site, meaning information sent and received with the PPSA’s website is unprotected and it could potentially be stolen, read or modified by attackers, hackers and entities with access to internet infrastructure”.

According to Khaas, this matter “needs escalation” especially when considering the massive cyber attacks on Transnet and the Department of Justice and Constitutional Development (DOJ).

In July last year, Transnet suffered major “disruption” of IT systems, while the DOJ was attacked in September of the same year.

Priority steps

The PPSA confirmed to ITWeb it had received the security complaint, but cautioned the website is hosted outside the organisation and does not integrate in anyway with its internal systems.

Oupa Segalwe, PPSA spokesperson, says: “The website hosting provider, SITA, has been engaged and they have assured us there are measures in place to mitigate against cyber attack. However, SITA is implementing additional security measures.”

“The need has been identified to improve the security posture of the website. The technical teams are in the process of obtaining relevant approvals to implement changes, which include an SSL certificate,” says Tlali Tlali, SITA head of corporate affairs.

“Due to the changing threat landscape, vulnerability scans are conducted on a regular basis and initiatives to improve the security posture of websites are investigated and addressed on an ongoing basis.

“When new vulnerabilities are published, these are investigated and those that have a high chance of impacting the government environment are tested in a lab environment to enable us to implement required interventions or improvements to mitigate those potential risks.

“These improvements include implementation and review of SSL certificates, as well as deployment of both the CIPS (Coordinated Intrusion Prevention System) and the targeted threat intelligence and response capabilities which have been established.”