Spotlight on public InfoSec
When it comes to public sector security, information security (InfoSec) is often more important than physical security.
This, says Edwin Moremi, COO of DRS, is because cyber attacks often come out of the blue, and it is much harder to define cyber boundaries, and train people to respect them, than those for physical security.
Doros Hadjizenonos, country manager of Check Point South Africa, notes that physical security solutions are a good first step when it comes to preventing data theft as a result of stolen devices - although these do not mitigate the need for InfoSec solutions such as encryption.
Moremi cites as an example the difference between cash being transported physically, versus over a network, where there are more risks and points of access. "It takes a lot more to protect the money travelling virtually than the money travelling physically."
InfoSec is now especially important with a technology revolution underway in the public sector as government digitises information and processes, and stores confidential information - opening it up to risk, says Jeremy Matthews, regional manager of Panda Security Africa. This comes at a time when the first half of 2017 came to be defined by two sophisticated global cyber attacks, he adds. "The public sector has a responsibility to keep citizens' personal information safe, but insider threats, hacktivism and simple human error open it up to huge risks."
Andrew Potgieter, director, Security Solutions, at Westcon-Comstor Southern Africa, adds: "We, as individuals and businesses, digitise everything, and whether we like it or not, our real money and value is not sitting in a safe behind a painting of the board of directors in the CEO's office, it resides in data files, digital identity, and other key transactional databases."
Neil Cosser, Identity and Data Protection manager for Africa at Gemalto, says because information is increasingly stored digitally, "physically carrying gigabytes of compromised data out of an organisation on storage media smaller than a postage stamp is a realistic option." This same data, he adds, could also be targeted from outside the organisation - with the thief simply needing to bypass the digital protection in place.
Yet, Potgieter notes, beyond this is the threat of cyber terrorism extending into the world of the Internet of Things - making physical security just as important as InfoSec when it comes to aspects such as power grids, water networks, public transport networks and traffic lights.
Recent - and continued - data breaches in the public space are causing many citizens to reconsider how, and where, they share personal details and information, says Cosser. However, he notes "an extensive digital footprint is unavoidable and often non-negotiable when it comes to Home Affairs and other government departments."
When there is a breach, Moremi says, it is harder for the public sector to repair the damage than the private sector, because the reputational risk is higher. "Imagine Home Affairs is breached and the criminals gain access to the ID numbers and addresses stored on the database...Information in government is the equivalent of money in a private company."
"The public sector has a responsibility to keep citizens' personal information safe, and insider threats, hacktivism and simple human error open it up to huge risks." - Jeremy Matthews, Panda Security Africa
This is especially pertinent given that cyber criminals are increasingly targeting people's identities, with Cosser noting that governments hold large volumes of citizen data or personally identifiable information that would allow identity theft. "If they are successful in penetrating a government department, cyber criminals can potentially walk away with a huge number of identities - creating not only a security, but a logistical, nightmare for both parties. Breaches like this will also have a terrible impact on citizen confidence in terms of using e-services and trusting government competence."
In addition, says Potgieter, there is also the risk that cyber terrorism can affect citizens right down to the ability of a hospital to dispense lifesaving medicines and procedures.
Cosser says most government departments have systems and processes in place to lay complaints and hold relevant parties accountable in the event of a breach. However, citizens will have to drive this process, and this involves quite a bit of administration, such as keeping track of every step of the process and all reference numbers. The biggest challenge, he says, is trying to monitor if - and how - your personal data is being used fraudulently, with the best way being to check credit records on a regular basis.
While there are offerings such as cyber insurance, everyone must play their part, taking personal responsibility where possible, adds Potgieter.
What is needed?
Public sector InfoSec has recently been in the spotlight, with several government institutions having been broken into and PCs containing sensitive information - especially in instances involving the National Prosecuting Authority, the Hawks and the Offices of the Chief Justice in Midrand - being stolen.
John Mc Loughlin, MD of J2 Software, says the burglaries show that a secure building does not stop theft, and neither does locking a device in the boot. "The only prevention is not having the data accessible and ensuring that people are working with information in the correct manner to ensure this does not lie around unprotected."
"An extensive digital footprint is unavoidable and often non-negotiable when it comes to Home Affairs and other government departments." - Neil Cosser, Gemalto
Moremi says what is vital to protect such information are tools that provide encryption and data leakage protection. "Government needs to have database security in place so it can recover information, if needed."
Cosser says encryption is important because passwords are easy to crack - making them insufficient as standalone protection. Encrypting data means that it can only be used once decrypted. This introduces two important considerations for institutions using it:
a) They must be able to identify the legitimate users of decrypted data and only give those users access to the decrypted data.
b) The keys used to encrypt the data cannot be compromised.
In addition, says Cosser, adding a second factor of authentication, such as a smart card, token or a password, will also improve and strengthen security levels. However, he adds, it's important to focus on the need for dynamic passwords, given the high level of 'password fatigue' among users - which sees them have to remember 10 to 25 passwords at a time. "Having dynamic passwords in place, as well as solutions that allow them to be used effectively, will help counter any unsecure habits adopted by users."
The question, though, says Moremi, is whether these solutions actually solve the problem. "If the right process and method are lacking, security solutions will only solve part of the problem. The use of encryption will depend on how valuable the information being protected is, but in many cases, that information shouldn't be sitting on those devices."
Where it falls down
There are huge loopholes in security, says Moremi. He notes that government staff members lack education, so they're unaware of the dangers when they plug a flash drive, which may contain a virus, into the network.
Cosser adds that workers who take laptops home also run the risk of losing them, or having them stolen, creating new points of weakness in the organisation. Furthermore, accessing emails and other company data (including off the server) using personal devices or even public devices (such as at internet cafes) can also create new backdoors into companies.
Hadjizenonos cites the example of employees who download data from a laptop onto a flash drive and then lose that flash drive. He also notes many employees set up their email on their phones, devices that aren't secured.
Then, he adds, there are employees who send sensitive information to their Gmail and Dropbox accounts. "Luckily, there are solutions in place that can help mitigate these risks. For example, when employees do save data onto a memory stick, we can enforce that it remains encrypted, then it won't matter where that data goes, because only the user will be able to access it."
Ethan Pitts, underwriter at Camargue Commercial Crime & Cyber Risks, says a common approach to illegally accessing a personal laptop is to hide key loggers or spyware in pirated copies of movies downloaded from sites like Piratebay. The spyware then enables the hacker to 'watch' the employee as they log into work the next day, giving them sight of sensitive corporate information.
"Another ingenious way that hackers have found their way into networks is to leave an infected memory stick on the grounds of a public area. Curiosity will always kill the cat, and anyone who picks up the infected USB and plugs it into their computer will unknowingly expose the entire company to whatever is lurking inside," adds Pitts.
Percy Gumede, senior manager in risk advisory at Deloitte, says the State IT Agency is responsible for government's IT infrastructure, yet some government departments have been in charge of some of their own infrastructure too.
Currently, says Moremi, government has a multifaceted security approach and there is no single go-to solution across all spheres. Yet, he says, a single security approach is essential for any company as it achieves cost savings and standardises silos. Moremi adds that because of the way government works, it has the ability to centralise security.
"Government is spending more money by allowing each organisation to be run as its own business. Having said that, something is better than nothing. There is always room for improvement, and government departments are working together to improve their security."
Pitts adds that government departments work on a very strict budget of allocated resources and, all too often, budgets fail to cater for adequate security (cyber or otherwise), which leaves organisations of all types vulnerable to malicious parties.
Yet, every department or entity is different, and a single method cannot be forced upon them, says Mc Loughlin.
Despite this, Hadjizenonos says a multi-layered (onion) security approach is also necessary, because then, when an attack makes it through one layer, there are others in place to make a breach of your system that much more difficult. "Many government departments still use traditional security approaches such as network security. Some of them are starting to talk about mobile security, but they are not necessarily implementing these solutions yet. Almost none are talking about advanced threat prevention."
Potgieter notes it is also vital to have centralised policies that are enforced, while Moremi says the skills shortage often means specialists need to be flown in, but don't always get the necessary access as a result of the security checks and regulations in place.
Any security solution will be moot if users don't save the data and information centrally, such as on a server or in the cloud, says Cosser. "In that instance, while data might be unreadable given the protection in place on the physical device, it could also end up being irretrievable - which is what we've seen in some instances."
Yet, Moremi notes, the sector doesn't go out into the cloud because of concerns around where public information is being stored - locally or internationally, for example.
Mc Loughlin says although there are several solutions available, the real question needs to be whether there is the will to protect this information. "I am constantly dismayed at the lack of information security in government and private organisations alike."
Adds Potgieter: "Every citizen should be concerned about the vulnerability and lack of security surrounding our critical governmental systems that manage and support the very existence of our society."
How hackers get in:
82% of hackers use the following three techniques:
- 50% exploit credentials that are lost, stolen, or weak
- 13% exploit SQL injection vulnerabilities caused by bad code
- 19% exploit systems that are poorly configured
This article was first published in the November 2017 edition of ITWeb Brainstorm magazine.