Protecting your Business From Cybercrime – Be Cyber Aware

In the present technological age, where almost every organization relies to some extent on technology and telecommunications, it is no longer a case of ‘if’ a cyber security breach will occur but of ‘when’. As banks, small and medium scale enterprises (SMEs), educational institutions and other organizations migrate their activities and services online, they take on the threat of cyber security breaches along with the benefits.

Many businesses and individuals in Ghana now rely on ICT as a critical tool for deploying innovative business operations, products, services and customer-facing strategies that help them achieve their business objectives. Security breaches, when they occur, can result in a myriad of problems: loss of customer data, compromised systems that become unavailable, loss of data integrity, and reputational and revenue loss, among others. Improving defensive measures so that direct cyber-attacks on traditional targets such as banks and other online entities become difficult is now more of a must than ever before.

Given present and emerging threats such as malware, Distributed Denial of Service (DDoS) attacks, phishing, social engineering, zero-day attacks and a host of others, businesses and organizations in particular need to adopt a preventive rather than a reactive approach. This will go a long way in reducing their exposure to such threats.

Businesses and organizations should consider these and other information security strategies to help protect the Confidentiality, Integrity and Availability (CIA) of their technologies and data:

  1. Put in place an information security governance process that is aligned with the business goals and objectives. This must have buy-in and acceptance from the board of directors, senior management and other critical decision makers.
  2. Put in place security awareness and education programs that cover everyone from senior management through system administrators to all other users in the organization. This should not be a one-off exercise but should be repeated periodically.
  3. Stay current with preventive and defensive controls that protect the business's infrastructure. These include firewalls, IDS/IPS (Intrusion Detection/Prevention Systems), WAFs (Web Application Firewalls), anti-malware software, and logging and monitoring.
  4. Put in place a hardening and patch management process to ensure that all business systems are kept up to date with the latest security patches. This reduces the likelihood of attackers exploiting known vulnerabilities in unpatched software.
  5. Perform proper security assurance on all products and services before they are launched. This includes regular vulnerability assessments and penetration tests to validate that critical security controls are in place, both before and after launch.
  6. Make regular backups of key business data and systems, and make sure they are stored in secure environments. This aids fast recovery of business operations in the event of a disaster.

Cyber criminals can be likened to antibiotic-resistant bacteria: the more you treat the illness, the quicker they evolve and find new ways of infecting your systems and doing damage. Information security is therefore a never-ending process. The important thing is to stay ahead of the game, which means conducting business securely in an environment of increasing threats, with a balanced strategy and implementation that does not get in the way of the business objectives and goals.

Web Traffic and Content Filtering; a response to indecent & harmful content?

The Government of Ghana plans to put in place regulations to guide and control indecent social media content. The government believes this would instil some sanity and decency in the way users disseminate information on social media. Looking back at various incidents in the recent past that have engulfed the Ghanaian cyberspace, specifically social media sites such as Facebook, it is a step in the right direction.

However, though this is a good decision on the government's part, regulations and guidelines should not be limited to indecent communication on social media but extended to other forms of harmful content on the internet such as child pornography, extremism, hacking, malware and copyright infringement, amongst others. Also, in order for these regulations and guidelines not to be compared with the policies criticised in totalitarian dispensations, the government has to adopt a careful and measured approach.

Proponents of net neutrality argue that access to the internet should always be open to all content and applications regardless of the source, without favouring or blocking particular products or websites. From that perspective, this move may be seen as an attempt to curtail citizens' right to access or send whatever content they choose on the internet.

This op-ed puts forward recommendations the government of Ghana should consider in its move to guide and control certain content on the internet.

The first approach to regulating and controlling illegal and harmful content on the internet is to put in place laws that make such content illegal to access or distribute. This content includes material related to pornography, cyberbullying, child pornography, copyright infringement, hacking, extremism and terrorism, suicide and self-harm, phishing, malware, spyware and others. Even though there are currently some laws pertaining to cyberspace, they are not adequate to cover the fast-growing cyberspace environment. As the internet has evolved, Ghana as a nation has been unable to keep pace with its growth and so has inadequate laws in this area.

Regularly reviewing the current laws and putting in place new ones is a step in the right direction. The laws would make it a criminal offence for any user of a computer system to make requests, suggestions or proposals that are deemed harmful, obscene, lewd or indecent. If users become aware that there are stiff punishments for breaking such laws, this would serve as a deterrent and make them responsible and accountable for what they put out on the internet.

The next recommended approach is for the government to liaise with industry players, mainly the NCA, telecommunication companies, Internet Service Providers (ISPs) and others, to develop technical strategies and modalities to control and block illegal and harmful internet content. Such systems can be compared with the Internet Watch Foundation's (IWF) system, which consists of a list of blocked internet content made available to various companies and organizations around the world. In addition to this global blocklist, Ghana can also build its own localised blocklist of internet content customised to the country's needs. In line with this approach, the telcos and ISPs should be mandated to apply a default filtering program to existing and new customers, on both fixed broadband and mobile networks. Customers who want to opt out of filtering for any type of content can request to be removed, provided they can confirm that they are over a certain legal age and own the fixed broadband or mobile account. Putting this in place would especially help the online child-protection initiative currently being championed by J Initiative.

The last recommended approach is to make information security awareness and education a priority in all areas of the economy. This would make citizens more aware of the threats that cyberspace brings with it, and can be done through the development of a national information security awareness program. Aside from making this available at the level of the ‘ordinary Ghanaian’ citizen, it must be extended to law enforcement agencies and the whole of the public and civil sector through capacity building, including more certification courses on information and cyber security. This would improve the prosecution of cybercrime.

Putting in place such regulations, guidelines and controls for content seen as indecent or harmful would go a long way in restoring and maintaining the sanity we require in the Ghanaian cyberspace, and would further the online child-protection initiative and the fight against indecent and harmful content.

National ID; Data Security, Privacy and Our Civil Liberties!

Finally, the national identity card scheme is set to take off in September 2017 with the start of card issuance to citizens who have registered onto the scheme. This is a positive development, considering how far the scheme will go to promote economic, political and social activities in the country by formalising the Ghanaian economy.

The scheme, with all its positive intents and purposes, nevertheless raises some potential data security and privacy challenges which need to be looked at critically by the government and the entities engaged to deliver the national database and issue the ID cards.

First of all, any national ID infrastructure requires a central database, which will hold an immense volume of personal and sensitive data on every registered citizen, including biometric and other critical data. In the Ghanaian instance, it looks like the databases of several entities such as the DVLA, GRA, NHIS, SSNIT and the Ghana Police Service will be used to form the core of this central database.

The potential security and privacy encroachments are enormous: if this central database is compromised, whether by outside hackers or by one of the many insiders trusted to work with the data, critical citizen data ends up in the hands of untrusted and malicious actors. Compromised data of this kind can be used in a myriad of negative ways, such as fraud, identity theft and targeted telemarketing, all of which impact the security and privacy of the affected citizens.

Some of the pertinent questions regarding the security of this data include: where will it be stored, in Ghana or outside; are the data centres where it will be held operated to a recognised security standard (e.g. ISO 27001 certification); who has access to the data; what precautions are in place against misuse; and how long will the data be kept?

A second challenge worth noting is the possibility of the private sector exploiting the national ID system to invade privacy. If the private sector is allowed not only to rely on the information printed on the face of the ID card but also to scan or swipe it whenever a citizen presents the card to obtain a service, every such service provider collects personal data on its customers. How that customer data is processed and stored is unknown if the provider is not registered as a data controller or processor with the Data Protection Commission of Ghana.

Related to the above is the possible use of the national ID scheme by the government as a surveillance system, which creates risks to privacy and anonymity. In effect, this puts citizens in a position where they contribute to their own surveillance and social control.

Another problem is the ID card itself. How assured are we that the cards will be unforgeable? And even assuming they are, what about the worst case of people legitimately acquiring national ID cards under fraudulent names or identities? A card that cannot be forged is only as trustworthy as the documents and checks used at enrolment.

A national ID system is essential; however, are the security safeguards contained in the National Identification legislation enough to protect the citizenry?
Given the poor record-keeping and security culture within government and most of the private sector, tougher sanctions against those who allow information to be lost or misused should be encouraged. With the rapidly evolving cyber security landscape, breaches of databases will be inevitable even with improvements, so the measures for dealing with such incidents swiftly must also be adequate by every necessary security standard.

Ghana and its Cyber Security Laws

Since the turn of the twenty-first century, Ghana has seen growth in its Information Technology (IT) industry, and more recently a huge growth in e-commerce. The Internet (cyberspace) which makes both the IT and e-commerce industries possible has in the last few years been exposed to risks such as cybercrime. Since cyberspace is basically made up of networks, services, hardware, software, etc., it is susceptible to all the kinds of attack that any other computer network faces.

Before 2014 Ghana had no cyber security policy and strategy. In 2014 the Government of Ghana, through the Ministry of Communications, produced a National Cyber Security Policy and Strategy document. An ad hoc technical committee was tasked with developing a cyber security policy for Ghana; the result of its work was the National Cyber Security Policy and Strategy, which outlines the framework of the policy and the implementation strategies, with specific initiatives to achieve the policy objectives.

For all intents and purposes, the National Cyber Security Policy provides an outlook on securing Ghana's critical information technology infrastructure and helps to build a robust cyberspace for government, citizens, businesses and visitors. If the strategies outlined in the plan are implemented, they would help minimise the risk posed by cyber-attacks on the country. Below are some major takeaways from the National Cyber Security Policy and Strategy drafted in March 2014:

Effective Governance – Government will set up security institutions and governance structures to ensure the long-term sustenance of cyber security activities.

Legislative and regulatory framework – Through the Attorney General's Department, the government will set up a Cyber Law review committee to study the current laws of Ghana and address the legal challenges posed by the cyberspace environment.

Cyber Security Technology Framework – Government will collaborate with various stakeholders to review and adopt international information security standards such as ISO 27001 to strengthen the robustness of critical information technology infrastructure.

The Culture of Security and Capacity Building – Information security awareness and education will be increased to reduce the number of information security incidents, through a National Information Security Awareness program. Capacity will also be built through more certification courses on information and cyber security, and through targeted training for law enforcement agencies on cyber investigations and enforcement, which would improve the prosecution of cybercrime.

Research and Development towards self-reliance – A National Research and Development Roadmap for Cyber Security will be developed to ensure that Ghana becomes self-sufficient in meeting its cyber security requirements.

Compliance and Enforcement – A uniform risk assessment framework will be developed for Ghana's National Critical Information Infrastructure.

Cyber Security Emergency Readiness – A framework will be set up for mitigating the risk of cyber security attacks and ensuring that structures for swift response to these attacks are in place.

International Co-operation – Ghana will engage in relevant international cyber security opportunities, prioritise actions, and join and sign international and regional conventions.

As a nation we have become more and more reliant on technology, especially the internet, and this is opening us up to cyber-based threats. With the way technology changes by the day, these threats are bound to increase. With a national cyber security policy in place and all its strategies implemented effectively, Ghana would be taking real steps towards protecting its cyberspace. Collectively, the responsibility lies with public and private individuals and companies to help safeguard customer and confidential data and systems.

WannaCry Ransomware

Over the last few days you may have heard or read about a worldwide cyber-attack in which about 200,000 computers were locked. The attack affected many organizations worldwide, including the UK's National Health Service (NHS) and some universities, and involved a form of ransomware that hit organizations in as many as 90 countries. In the latest map, several African countries including Nigeria, Tanzania and Egypt appear to be among those hit.

So what is Ransomware?

Ransomware is a type of malicious software used by attackers to take control of a computer system or mobile device and demand payment before access is given back. The control is achieved by encrypting the data files on the device, which renders it unusable for its owner. It usually spreads through malicious email attachments or web links that users are tricked into opening or clicking on. Once opened, the ransomware begins encrypting the files on the computer's drives, making it impossible to access anything stored there. Such attacks are mostly waged against large enterprises, but they can also affect individual users.

WannaCry?

“WannaCry” (also called Wanna Decryptor) was the ransomware used in the worldwide cyber-attack which, by Kaspersky's initial count, hit organizations in as many as 74 countries. Kaspersky's analysis reveals that WannaCry spreads by exploiting a remote code execution vulnerability in the Microsoft Windows SMBv1 server, the vulnerability addressed by Microsoft bulletin MS17-010. The exploit, codenamed EternalBlue, was made available on the internet through the ‘Shadow Brokers’ dump on April 14th, 2017.

Like other ransomware, it encrypts the data on an infected computer and on network shares it can reach, and WannaCry additionally spreads itself to other vulnerable Windows machines on the network. The only files left unencrypted are the ransom note with payment instructions and the WannaCry program itself. From what is known so far, once a computer is infected it tells the user that their files have been encrypted and gives a deadline for paying the ransom, after which the amount is increased. Bitcoin is the payment method used by the attackers because it is pseudonymous and difficult to tie to a real-world identity.

It should be noted that criminals are under no obligation to supply the decryption keys after a ransom is paid. Anyone who has fallen victim is strongly advised to avoid paying the ransom if at all possible, as payment directly funds the development of these criminal campaigns.

Mitigation and Prevention!

Organizations and individuals looking to mitigate the risk of being compromised are advised to follow these recommendations:

  • Ensure all Windows-based systems are fully patched and hardened according to current security best practice. At a very minimum, ensure Microsoft bulletin MS17-010 has been applied.
  • In accordance with known best practice, any organization or individual with SMB publicly accessible from the internet (TCP ports 139 and 445) or enabled on their computers should immediately block inbound traffic to those ports or disable SMB (SMBv1 in particular, which is the version EternalBlue targets).
  • Additionally, organizations should strongly consider blocking connections to Tor nodes and Tor traffic on the network.
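The second recommendation is easy to state and easy to get wrong in practice, because whether SMB is actually reachable depends on the order of the firewall rules in front of the host. The following Python script is an added example, not part of the original article: it models first-match evaluation of an inbound rule set and reports which SMB ports (TCP 139 and 445) both have a listener and are allowed from an internet address. The rule format, the sample listening ports and the two rule sets are constructed for illustration; real firewalls have their own syntax, but the first-match logic is the same. 203.0.113.5 is a documentation-range address standing in for "the internet".

```python
"""Is SMB reachable from the internet under a given inbound firewall policy?

Added example (not from the original article). Rule format and sample data
are constructed; first-match evaluation mirrors most host and cloud firewalls.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, Set

SMB_PORTS = {139, 445}        # NetBIOS session service and SMB over TCP


@dataclass(frozen=True)
class Rule:
    action: str          # "allow" or "deny"
    source: str          # CIDR the rule applies to, e.g. "10.0.0.0/8"; "0.0.0.0/0" = anywhere
    ports: frozenset     # destination TCP ports; an empty set means "any port"

    def matches(self, src_ip: str, dst_port: int) -> bool:
        in_source = ipaddress.ip_address(src_ip) in ipaddress.ip_network(self.source, strict=False)
        port_ok = not self.ports or dst_port in self.ports
        return in_source and port_ok


def decide(rules: Iterable[Rule], src_ip: str, dst_port: int, default: str = "deny") -> str:
    """First-match evaluation: the first rule whose source and port match decides."""
    for rule in rules:
        if rule.matches(src_ip, dst_port):
            return rule.action
    return default


def exposed_smb_ports(rules: Iterable[Rule], listening: Set[int],
                      probe_ip: str = "203.0.113.5", default: str = "deny") -> list:
    """SMB ports that both have a listener and are allowed from probe_ip."""
    rules = list(rules)
    return sorted(p for p in SMB_PORTS
                  if p in listening and decide(rules, probe_ip, p, default) == "allow")


# Constructed sample host: RPC, NetBIOS, SMB and RDP all listening.
LISTENING = {135, 139, 445, 3389}

# "Just put it on the internet": a single allow-everything rule.
PERMISSIVE = [Rule("allow", "0.0.0.0/0", frozenset())]

# Hardened for SMB: allow it from the internal LAN only, deny it from everywhere
# else, then fall through to the previous behaviour for other ports. Swapping the
# first two rules would silently re-expose SMB, which is the point of the check.
HARDENED = [
    Rule("allow", "10.0.0.0/8", frozenset(SMB_PORTS)),
    Rule("deny", "0.0.0.0/0", frozenset(SMB_PORTS)),
    Rule("allow", "0.0.0.0/0", frozenset()),
]

if __name__ == "__main__":
    print("permissive, from internet:", exposed_smb_ports(PERMISSIVE, LISTENING))
    print("hardened, from internet:  ", exposed_smb_ports(HARDENED, LISTENING))
    print("hardened, from LAN:       ", exposed_smb_ports(HARDENED, LISTENING, probe_ip="10.1.2.3"))
```

Run against a real export of the rule set (translated into the `Rule` form) and the host's actual listening ports, an empty list for the internet probe address is what you want to see; a non-empty list means the port-blocking recommendation above has not been met, regardless of how many deny rules exist further down the list.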

In addition to the mitigations listed above, organizations are advised to adopt the following industry-standard best practices to prevent attacks and campaigns like this one and similar ones:

  • Ensure the organization is running an actively supported operating system that receives security updates.
  • Have an effective patch management process that deploys security updates to endpoints and other critical parts of the infrastructure in a timely manner.
  • Use anti-malware software on systems and ensure regular malware signature updates are received and installed.
  • Implement a disaster recovery plan that includes backing up data and testing that it can be restored from copies kept offline.
  • Don't open suspicious emails or attachments.
  • Restrict access to network resources (ransomware can only encrypt what it can access, and can only spread to machines it can reach).
  • Block unnecessary ports on your network firewalls.

As has been done by various organizations and national CERTs, security alerts have been issued with recommendations on installing the patches as a means of stopping the spread of the attack. Checks on the CERT-Ghana website show no such alert.

Phishy business going on here!

Have you ever received emails with subject lines such as ‘verify your account details’, ‘you won a lottery’ or ‘claim your free gift card’? How about that SMS saying money was mistakenly transferred into your mobile money wallet, so you have to transfer it back to the purported sender? If you answered yes to any of the above, then you may have been on the receiving end of a phishing communication, which many people lump together with spam.

Phishing is a form of cyber-attack in which malicious attackers try to trick users into giving away confidential information by sending a fraudulent communication that appears to come from a legitimate source, or that impersonates a known individual or company. The end game of phishing is usually not just that the user gives out confidential information; it can also lead to loss of money, loss of reputation, data being held to ransom, malware infection and more.

For these phishing emails to serve their purpose, attackers often put a lot of effort into well-crafted emails with catchy subject lines. These subject lines are usually what push users into opening the emails.

Currently, email phishing is the most common phishing technique. Within email phishing, more targeted forms include spear phishing (aimed at specific individuals) and CEO fraud (impersonating an executive, often to authorise a payment). Recently other phishing techniques have also emerged, including vishing (voice phishing), smishing (SMS phishing) and pharming (redirecting users to a fake site by tampering with DNS or hosts files), amongst others.

Spot the signs!

  • Grammar, spelling, graphic design or image quality is poor.
  • They don't usually address you by name; instead they use salutations such as ‘To our cherished customer’ or ‘Dear customer’.
  • The website or email address doesn't look right: authentic website addresses are usually short and don't use irrelevant words, phrases or special characters, and a serious business entity rarely sends official mail from a free email service such as Hotmail, Yahoo or Gmail. Check the actual sender address and the real link target, not just the display name or the link text.
  • The contents of the mail or SMS include links or images that users are required to click on, which may direct them to malicious locations hosting malware or even ransomware.
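The signs above can be checked mechanically as well as by eye. The Python script below is an added example, not part of the original article, that scores a message against them: a generic salutation with the recipient's name absent, a business-looking display name on a free-mail sender domain, link text that shows one host while the real href points elsewhere, links to bare IP addresses, and lure phrases in the subject. The free-mail list, the phrase lists, the two-sign threshold and the two sample messages (built around the documentation domain example-bank.com and the reserved address 198.51.100.7) are constructed assumptions for illustration, not a production detector.

```python
"""Heuristic 'spot the signs' check for an e-mail message.

Added example (not from the original article). Lists, weights and sample
messages below are constructed assumptions.
"""
import re
from dataclasses import dataclass

FREE_MAIL = {"gmail.com", "yahoo.com", "hotmail.com", "outlook.com"}   # assumed personal providers
GENERIC_SALUTATIONS = ("dear customer", "dear valued customer",
                       "to our cherished customer", "dear user")
LURE_PHRASES = r"verify your account|you (have )?won|free gift|suspended|urgent"


@dataclass
class Message:
    from_header: str      # e.g. 'Example Bank <alerts@example-bank.com>'
    subject: str
    body: str             # simple HTML; links as <a href="...">text</a>
    recipient_name: str   # the name a legitimate sender would know


def sender_domain(from_header: str) -> str:
    """Domain of the real sender address, ignoring the display name."""
    m = re.search(r"([^<\s]+)@([^>\s]+)", from_header)
    return m.group(2).lower() if m else ""


def display_name(from_header: str) -> str:
    m = re.match(r'\s*"?([^"<]+?)"?\s*<', from_header)
    return m.group(1).strip() if m else ""


def host_of(url: str) -> str:
    m = re.match(r"https?://([^/:?#]+)", url.strip(), flags=re.I)
    return m.group(1).lower() if m else ""


def link_targets(body: str):
    """Yield (visible text, real href) for every anchor in the body."""
    for href, text in re.findall(r'<a[^>]+href="([^"]+)"[^>]*>(.*?)</a>', body, flags=re.I | re.S):
        yield re.sub(r"<[^>]+>", "", text).strip(), href


def phishing_signs(msg: Message) -> list:
    """One human-readable reason per sign found; an empty list means none."""
    reasons = []
    body_text = re.sub(r"<[^>]+>", " ", msg.body).lower()

    # Generic salutation while the recipient's own name never appears
    if msg.recipient_name.lower() not in body_text and any(s in body_text for s in GENERIC_SALUTATIONS):
        reasons.append("generic salutation, recipient not addressed by name")

    # Corporate-looking display name riding on a free-mail sender domain
    dom, name = sender_domain(msg.from_header), display_name(msg.from_header)
    if dom in FREE_MAIL and name:
        reasons.append(f"display name '{name}' but sender domain {dom}")

    # Link text names one host while the href goes to another, or to a bare IP
    for text, href in link_targets(msg.body):
        shown, real = host_of(text), host_of(href)
        if shown and real and shown != real:
            reasons.append(f"link text {shown} but target {real}")
        if re.fullmatch(r"\d{1,3}(\.\d{1,3}){3}", real):
            reasons.append(f"link to bare IP address {real}")

    # Pressure or lure phrase in the subject line
    if re.search(LURE_PHRASES, msg.subject, re.I):
        reasons.append("lure or pressure phrase in subject")
    return reasons


def is_suspicious(msg: Message, threshold: int = 2) -> bool:
    """Treat two or more signs together as phishing (threshold is an assumption)."""
    return len(phishing_signs(msg)) >= threshold


# Constructed samples: a typical 'verify your account' lure and a legitimate notice.
PHISH = Message(
    from_header="Example Bank Alerts <examplebank.alerts@gmail.com>",
    subject="Urgent: verify your account details",
    body='<p>Dear customer,</p><p>Your account has been suspended. Click '
         '<a href="http://198.51.100.7/login">https://www.example-bank.com/login</a> to restore access.</p>',
    recipient_name="Kofi Mensah",
)
LEGIT = Message(
    from_header="Example Bank <alerts@example-bank.com>",
    subject="Your March statement is ready",
    body='<p>Dear Kofi Mensah,</p><p>Your statement is available at '
         '<a href="https://www.example-bank.com/statements">https://www.example-bank.com/statements</a>.</p>',
    recipient_name="Kofi Mensah",
)

if __name__ == "__main__":
    for label, msg in (("PHISH", PHISH), ("LEGIT", LEGIT)):
        print(label, is_suspicious(msg), phishing_signs(msg))
```

The link check is the one most worth internalising: the text inside the anchor is what the victim reads, the href is where the browser actually goes, and the two are compared as hosts rather than as whole strings so that a harmless difference in path does not trigger a false alarm.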

What you can do so you don’t become a victim – Security Awareness is key!

  • Don't assume anyone who has sent you an email or an SMS is who they claim to be. Verification is key.
  • If a phone call, email or SMS asks you to make a payment or log in to an online account, or offers you a deal, be cautious. Your bank or mobile phone provider will never email or SMS you asking for passwords or other sensitive information, or ask you to click on links to provide them.
  • If in doubt, check directly with the company involved, using contact details you already have rather than those in the message.
  • Use the spam filter in your email account. It will block a great deal of such mail.
  • Don't click on URLs, videos or images in such communications. Delete such emails immediately.

Phishing is becoming a big issue, and to aid in the fight users need to be vigilant at all times. Security awareness is key to this. Be vigilant and stay aware always.