Both the private and public sector must engage out-of-the-box complex systems and more holistic security models to protect themselves from the increasing threat posed by online and cyber-related crimes, says MICHIEL JONKER.
“Due to the complex nature of cyberspace, whereby billions of users and infinite systems and networks are intertwined, it has now become virtually impossible to control the ecosystem,” he says. “Security therefore could not be treated in isolation but effective security management should employ a 360-degree complex systems philosophy that engages multiple conventional and unconventional (e.g. futuristic) models of security assessment.”
While statistics are not readily available in South Africa, numerous breaches have been recorded over the past few years. In 2013 Bloomberg reported that South African banks had lost tens of millions of rands to an international organisation that hacked the bank card details of fast-food restaurant customers. Based on data from the Payments Association of SA, the report found that every South African bank had been affected.
“Recent breaches, including JP Morgan Chase, The White House, Sony and even South African government website hacking incidents, have called into question the future of cyberspace as a means of safe transaction. Cybercrime holds potentially catastrophic consequences for businesses and government – not to mention the security of nation states. 2014 was a watershed year for cyberspace security and in 2015 the issues will become even more noticeable,” Jonker said.
“The current model of applying ‘best practices’ addresses many aspects of cyber security but is not enough. A new approach designed to deal with threats requires more than standard analytical IT frameworks because we are steadily losing the war against cyber criminals, like hackers and information thieves,” said Jonker.
He said that in addition to legislation, such as the Protection of Personal Information (POPI) partly enacted last year, and best practice guides, it is now imperative that measures be scaled up. The POPI Act, which was gazetted in November 2013, and which is currently awaiting an effective enactment date, provides strict guidelines, among other things, on what data can be obtained, how that data can be used, and the requirement that it should be kept up-to-date.
In a recent Grant Thornton International Business Report (IBR) survey, for the first quarter of 2015, SA businesses were asked if their current business strategy plans included breaches to IT security as a potential threat to the future of the business.
“It is encouraging to note that 72% of the 150 SA business executives who were asked this question responded that their strategies DO include plans to prevent IT security breaches,” says Jonker. “One very important measure needed and which is often overlooked, is the thorough testing of systems by skilled individuals whose sole purpose would be to find compromising points of entry into the system. Ironically, the majority of cyber criminals do not have formal IT qualifications.”
Jonker suggested a holistic approach incorporating the futuristic concept of “exploration-discovery.”
“The IT security industry has to change its recruitment policies. There is a need for certain IT security personnel to come from non-formal education, those who employ outside-of-the-box thinking. These persons tend to think more in systemic ways – while formally educated IT professionals traditionally think analytically. We need to have conventional and unconventional IT skills in place that will test for infiltration by those whose sole purpose is to exploit the weaknesses of IT and online systems.”
He said the concept of “exploration-discovery” in systems development practice is not new. For example, when testing new systems, software companies will often monitor how children interact with the system – with the aim of detecting any unforeseen failures not picked up by standard testing procedures.
“A similar methodology in devising security for cyberspace would allow private and public sector organisations to view their systems as an outsider, or specifically as a criminal (i.e. to ‘think or explore/discover like a criminal’). This creates a vastly improved context for security as it not only allows mitigating the rational threats but the anticipation of those systemic threats for intentional nefarious purposes,” Jonker concluded.
* Michiel Jonker, Director: IT Advisory at Grant Thornton Johannesburg.
Samsung unfolds the future
At the #Unpacked launch, Samsung delivered the world’s first foldable phone from a major brand. ARTHUR GOLDSTUCK tried it out.
Everything that could be known about the new Samsung Galaxy S10 range, launched on Wednesday in San Francisco, seems to have been known before the event.
Most predictions were spot-on, including those in Gadget (see our preview here), thanks to a series of leaks so large, they competed with the hole an iceberg made in the Titanic.
The big surprise was that there was a big surprise. While it was widely expected that Samsung would announce a foldable phone, few predicted what would emerge from that announcement. About the only thing that was guessed right was the name: Galaxy Fold.
The real surprise was the versatility of the foldable phone, and the fact that units were available at the launch. During the Johannesburg event, at which the San Francisco launch was streamed live, small groups of media took turns to enter a private Fold viewing area where photos were banned, personal phones had to be handed in, and the Fold could be tried out under close supervision.
The first impression is of a compact smartphone with a relatively small screen on the front – it measures 4.6-inches – and a second layer of phone at the back. With a click of a button, the phone folds out to reveal a 7.3-inch inside screen – the equivalent of a mini tablet.
The fold itself is based on a sophisticated hinge design that probably took more engineering than the foldable display. The result is a large screen with no visible seam.
The device introduces the concept of “app continuity”, which means an app can be opened on the front and, in mid-use, if the handset is folded open, continue on the inside from where the user left off on the front. The difference is that the app will the have far more space for viewing or other activity.
Click here to read about the app experience on the inside of the Fold.
Password managers don’t protect you from hackers
Using a password manager to protect yourself online? Research reveals serious weaknesses…
Top password manager products have fundamental flaws that expose the data they are designed to protect, rendering them no more secure than saving passwords in a text file, according to a new study by researchers at Independent Security Evaluators (ISE).
“100 percent of the products that ISE analyzed failed to provide the security to safeguard a user’s passwords as advertised,” says ISE CEO Stephen Bono. “Although password managers provide some utility for storing login/passwords and limit password reuse, these applications are a vulnerable target for the mass collection of this data through malicious hacking campaigns.”
In the new report titled “Under the Hood of Secrets Management,” ISE researchers revealed serious weaknesses with top password managers: 1Password, Dashlane, KeePass and LastPass. ISE examined the underlying functionality of these products on Windows 10 to understand how users’ secrets are stored even when the password manager is locked. More than 60 million individuals 93,000 businesses worldwide rely on password managers. Click here for a copy of the report.
Password managers are marketed as a solution to eliminate the security risks of storing passwords or secrets for applications and browsers in plain text documents. Having previously examined these and other password managers, ISE researchers expected an improved level of security standards preventing malicious credential extraction. Instead ISE found just the opposite.
Click here to read the findings from the report.