Urgent: gatekeepers needed
The SA cyber crime report says criminals are after logon credentials, credit card details and personally identifiable information.
It's good to know that SA is keeping up with the rest of world when it comes to cyber crime. A new study, 'The South African Cyber Threat Barometer', was recently released by Wolfpack Information Risk, and focuses on cyber crime issues from a local perspective.
Wolfpack deserves a great deal of credit for producing the report and for championing a coordinated response to cyber crime across the public and private sectors. Given the astonishing damage that is being caused by cyber crime in all its guises, Wolfpack's initiative should be commended in terms of galvanising effective responses to escalating incidents of IT-based crime.
Craig Rosewarne, MD of Wolfpack, says: "We are working with various government departments and agencies to assist them to expedite a number of the initiatives proposed by stakeholders that took part in our research for the Cyber Threat Barometer. This is good news for South Africa, and we will definitely see a maturing of our national cyber security capability over the next three to five years.
"I also believe that the faster we can move towards the automation of a number of important controls, including the full range of detective and preventive countermeasures in the authentication arena, the better we will become at thwarting cyber crime."
In its executive summary, the report says: "Criminals are typically mainly after logon credentials, bank or credit card information and personally identifiable information."
Of course, SA is no exception in this respect, because that's pretty much where the country is at globally in terms of cyber crime. When it comes to IT-based crime, the first thing fraudulent insiders and external villains really want to exploit is access credentials. In fact, they want them so badly that credential theft lies at the very heart of almost every sort of cyber crime.
Wolfpack's report re-emphasises this fact when it looks in particular at corporate cyber crime: "Although software and security technology has improved, logon credentials are the main information asset targeted or compromised during a cyber attack."
The same also applies to consumer cyber crime - the sort that steals from bank accounts and payment cards. All those banking phishing mails people receive almost daily are looking for one thing - credentials.
Of course, it makes perfect sense that IT usernames, PINs, passwords and cards are so very attractive to cyber villains. They are the main target because they allow the villains to operate as if they were fully legitimate users.
By stealing credentials, cyber villains can completely sidestep all the expensive, sophisticated security measures like IDS, IDM, SIEM, DLP and firewalls. They can then take a virtual stroll around their victim's systems, stealing whatever they like.
Chances are the user won't know a thing about it until it's too late. Mass customer data has gone, money has been transferred, financials have been stolen and all sorts of highly sensitive operational data is with the competition, or splashed across the media, all because of an essentially worthless PIN, password or a plastic card...
Secure IT access controls? Er, maybe not...
And what's to stop the villains using these access credentials? Just about nothing. The blunt fact is that people can all use one another's cards, PINs, usernames and passwords. Very often, people use other people's credentials simply for convenience when, say, they forget a password or PIN or leave their card at home or in the car. It happens every day, all around the world, and it's really pretty innocent.
But, once the villains have nicked someone's credentials, they do anything and everything in an IT system that the person is allowed to do.
The fact that credentials are a primary target is underlined by pretty much any cyber crime report or study that looks at how cyber villains operate. For example, having investigated over 2 000 data breaches since 2004, the annual Data Breach Investigations Report (DBIR) from Verizon and the US Secret Service is an authoritative examination of what cyber villains are doing and how they are doing it.
In an April 2011 interview with SearchSecurity.com,Bryan Sartin, Verizon's director of investigative response, had this to say about credential theft: "With prices reaching $30 000 per account, usernames and passwords are the most common type of records traded on the cyber black market and have the highest per-record value."
Add to this the fact that successive DBIRs have cited credential theft as the number one cyber 'threat action', and that's a clear picture of the enormous security risks directly caused by CPPs - cards, PINs and passwords.
All of this is extremely bad news in the light of escalating incidents of corporate cyber crime. And it's particularly bad news if a user's IT systems and the data they contain are protected with nothing more effective than CPPs.
Cyber crime is not beyond users' control, but attitudes towards access security need to change.
There are solutions to this mega problem of credential theft. The world of corporate IT security can learn a lot from the world of corporate physical security. Thousands of South African organisations have recognised that CPPs create massive vulnerabilities. In response, these organisations have replaced them with fingerprint-based identification within their physical access control and payroll systems.
And this isn't some gadgety, sci-fi technology that's only being used on a limited scale. Over 75 000 fingerprint scanners from Ideco accurately manage the identities of more than 2.5 million people across SA in environments ranging from mines to residential estates.
This seriously large-scale use of the top fingerprint technology proves two things beyond doubt. Firstly, the technology and the business case for its use are tried, tested and proven - it pays for itself by cutting the losses from unauthorised access.
Secondly, the technology is well accepted by millions of local people who are already accustomed to using it on a daily basis.
For me, this all points to using fingerprint identification instead of cards, PINs and passwords in any IT process that is currently vulnerable to ID-based crime.
It may be an inconvenient truth, but unless companies radically change how system users are authenticated, they will keep losing the cyber crime battle. They need to adapt to the prevailing conditions and today's cyber crime environment. In short, companies need to evolve.
As for the imperative of change, Charles Darwin, the father of evolutionary theory, put it like this: "It is not the strongest of the species that survives, nor the most intelligent, but the one most responsive to change."