Cyber Shield Magazine - Training and Awareness Edition


HOW TO CONDUCT A SOCIAL ENGINEERING EXERCISE

Africa’s premier cyber security publication

Edition 2 - Mar/Apr 2013

PERSONAL INSIGHTS FROM THE RSA CONFERENCE 2013

• SANS SA Information Security and Forensics Bootcamp
• ITWeb Security Summit 2013
• CyberCon Africa 2013 Digital Threat Conference

MICROSOFT EARMARKS USD12BN FOR AFRICA

SPECIAL TRAINING AND AWARENESS EDITION

DEFINING A COMPETENT DIGITAL FORENSICS PRACTITIONER


Inside this issue:

A (Graphical) World of Botnets and Cyber Attacks - Page 23

The 3 R’s: Riches, Ruins and Regulations - Page 17

Legislative Changes in South Africa - Page 19

Microsoft Earmarks USD12BN For Africa - Page 13

New EU Cybersecurity Plan - Page 10

INTERNATIONAL NEWS
RSA CONFERENCE HIGHLIGHTS 4
NEW EU CYBERSECURITY PLAN 10
HACKERS HIT BIT9 NETWORKS 11
PUTIN ORDERS FSB TO CREATE CYBER DEFENSE SYSTEM 11

AFRICA NEWS
KENYA LAUNCHES NATIONAL ICT MASTER PLAN 12
ZIMBABWEAN BANK WEBSITES HACKED 12
UGANDA STEPS UP ICT SECURITY 13
MICROSOFT EARMARKS USD12BN FOR AFRICA 13
RED OCTOBER - THE ESPIONAGE PLATFORM EVEN SURFACES IN AFRICA 14

DIY GUIDES
HOW TO CONDUCT A SOCIAL ENGINEERING EXERCISE 15

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE
THE SECURITY OBLIGATED EXECUTIVE - THE 3 R’S 17
KEEPING YOU INFORMED - LEGISLATIVE CHANGES 19
POPI BILL TO PASS FINAL HURDLE SHORTLY 19
BYOD CHANGING THE WAY BUSINESS IS DONE IN AFRICA 20

AUDITS AND ASSESSMENTS
EXPOSING CHINA’S MOST ACTIVE CYBER ESPIONAGE UNITS 21

MANAGED SERVICES
A (GRAPHICAL) WORLD OF BOTNETS AND CYBER ATTACKS 23

CYBER CRIME AND CYBER WARFARE
PROTECTING AGAINST CYBER ATTACKS 25
WHY CYBERCRIME REMAINS BIG BUSINESS 26

CYBER FORENSICS AND INCIDENT MANAGEMENT
WHAT MAKES UP A COMPETENT DIGITAL FORENSICS PRACTITIONER? 28

AWARENESS
SOCIAL NETWORKING SAFELY 32
HOW TO MEASURE DEVELOPER SECURITY KNOWLEDGE 33

LOCAL TRAINING AND EVENTS
SANS SOUTH AFRICA 34
CYBERCON AFRICA 2013 DIGITAL THREATS CONFERENCE 3
ITWEB SECURITY SUMMIT 2013 35

OF INTEREST
PRIVACY PROTECTION GLASSES 35

Cybershield magazine is a bi-monthly publication owned by Wolfpack Information Risk (Pty) Ltd. No part of this magazine may be reproduced or transmitted in any form without prior permission from Wolfpack. The opinions expressed in Cybershield are not those of the publishers, who accept no liability of any nature arising out of or in connection with the contents of the magazine. While every effort is made in compiling Cybershield, the publishers cannot be held liable for loss, damage or inconvenience that may arise therefrom. All rights reserved. Wolfpack does not take any responsibility for any services rendered or products offered by any of the advertisers or contributors contained in the publication. Copyright 2013. E&OE on all advertisements, services and features in Cybershield magazine.

Editorial address: Building 1, Prism Office Park, Ruby Close, Fourways, Johannesburg, South Africa, 2055

Enquiries: Telephone +27 11 367 0613
Advertising: [email protected]
Queries: [email protected]
http://www.wolfpackrisk.com/magazine/


Cybershield Magazine • March / April 2013 • Special Training and Awareness Edition • Page 3

OF INTEREST: MECAM UNVEILED AT CES 2013

[Website: www.alwaysinnovating.com]

Unveiled earlier in the year at CES 2013, the MeCam consists of a miniature video recorder and chip mounted on a platform surrounded by four rotor blades that keep it in the air. The device does not require a remote control and instead relies on voice command technology. Users can tell it to move up or down, or select the ‘Follow Me’ function, which uses 14 sensors and 3 stabilisation algorithms to keep the camera in close proximity to the user. A sound filter strips any recordings of motor noise. Video can then be streamed through iOS and Android smartphones and uploaded onto social networks.

The MeCam is still in development and Always Innovating, the team behind the concept, are currently looking for licensors. Once it hits the market the creators believe it will retail at around USD 49. One to get in on early?


INTERNATIONAL NEWS

HIGHLIGHTS FROM THE 2013 RSA CONFERENCE

We were excited when the local RSA Security office invited us to join a small team of clients and partners at the largest information security conference on the planet, the RSA Conference 2013 in San Francisco, USA.

The stats speak for themselves: the 5 day event attracted approximately 25,000 infosec professionals from around the world, who were able to feast on hundreds of talks from leading experts in our field and visit the seemingly infinite rows of vendor exhibitors.

The expression “drinking from a firehose” often came to mind when trying to decide which talk to attend from an average of 20 tracks per session.

All in all it was a very good conference with great topics, serious discussions and a perspective on what the information security industry is focusing on for 2013.

I have summarised the key points from the conference and shared some of the gems I extracted from the talks I personally attended.

Slip on your dancing shoes, grab your favourite reading gadget and join me on a virtual tour of the conference.

With lights flashing and bass thumping, the RSA Conference 2013 kicked off with The Queen Extravaganza tribute band rocking the audience to “We are the champions”, which Arthur Coviello (RSA Executive Chairman) used to highlight the progress we have made in the face of very significant threats.

He encouraged the audience to gain the upper hand in the rapidly escalating cyber security struggle: “Don’t despair, this is no time for losers!” he said. He also warned that we must show integrity in our reporting of information security events, as irresponsible statements may generate short-term interest but do nothing for ongoing awareness efforts or the credibility of the industry as a whole.

He touched on their antifragile model, an adaptive capacity to become stronger or smarter when attacked, similar to a sponge bouncing back when squashed.

He said we need to do away with isolated static controls and instead migrate to a focus on big data controls, leveraging as many shared external intelligence sources as possible. We also need to strengthen our security teams’ data science skills as we increase our dependence on data analytics.

His closing statement: “Caesar recognised the omens, he just didn’t think they applied to him! Big technology data is here, embrace it!”

The Queen Extravaganza rocking the audience to “We are the champions”


“First we had the Cold War… now we have the Code War”

Scott Charney from Microsoft focused on what he believed was a real accomplishment: scaling their Security Development Lifecycle (SDL) to over 30,000 developers internally.

He commented, at an international level, on how countries were adopting strategies, policies and legislation to deal with growing cyber security activity.

He stressed however that a different focus was required for each category of cyber threat: cybercrime, commercial or military espionage, and cyber warfare.

“We recognise this is a shared problem which we need to work together to fix,” he stated. “This is a complex journey and although we will always face difficult security challenges, I remain optimistic because as a community we will always rise to meet them.”

Francis deSouza from Symantec spoke about how they identified Stuxnet 0.5, a predecessor of the officially reported Stuxnet, which was apparently released about 5 years earlier.

Another interesting point was that they simulated a critical infrastructure environment and brought in some hardware PLCs from the field. Some were hard-wired with passwords of 12345 - yikes!

He also mentioned that most countries now have access to cyber weapons, and that smaller, more focused nations can often disrupt much larger or wealthier counterparts.

Next up was a cryptographers’ panel with some well known gurus in the field. Ari Juels from RSA moderated a panel including Ron Rivest, Whitfield Diffie, Adi Shamir and Dan Boneh. One of the topics discussed at length was security and cryptography education.

Stanford offers its crypto class online via massive open online courses (MOOC); the last intake was over 150,000 students, with the largest registrations after the USA coming from China and India.

The course can be found here: https://class.coursera.org/crypto-preview/class/index

According to these experts, cryptography as a discipline is under strain and, strangely, becoming less relevant today.

This is because intelligence agencies are often able to bypass encryption altogether, and APTs, sometimes buried within networks for years, simply have to wait for a key to be used at the decryption stage and capture it there; the cipher itself is never attacked.

The panel covered a few controversial topics, such as the dangers of online voting, mechanisms for making data exfiltration harder, and cryptography in a post-quantum-computing world. The sheer amount of brainpower on the stage at one time during the panel is always inspiring to behold.

SECURITY HELPS KEEP DEMOCRACY ALIVE!
KEYNOTE SPEAKER: JIMMY WALES - FOUNDER OF WIKIPEDIA

Wikipedia fast facts:
• Established 12 years ago
• 285 languages
• 490 million unique visitors, with 71 million monthly visitors
• Of their knowledge contributors, 87% are male and on average 26 years old
• The Wikimedia Foundation has 100 employees and 100,000 volunteers
• Their driving vision: “Imagine a world in which every single person on the planet has free access to the sum of all human knowledge”
• They take a hard stance against censorship
• They follow a Neutral Point of View (NPOV) policy and cannot take sides in a debate

Jimmy Wales - Founder of Wikipedia


IMPLEMENTING A NATIONAL AUTHENTICATION PROGRAMME IN INDIA
KEYNOTE SPEAKER: SRIKANTH NADHAMUNI

Srikanth Nadhamuni, advisor to the UID Authority of India, presented a fascinating case study on how they tackled extreme government authentication and payment system challenges under circumstances quite similar to those found in Africa.

Considering India’s population of 1.2 billion:
• 70% live in villages and contribute only 30% of GDP
• 74% literacy rate
• 300 million are migrant workers
• Over 800 million mobile phones

They have to pay over $40 billion to the poor through various schemes, and each service requires validating both identification and address details. Their flagship project is called AADHAAR, and India has a vision to create a common national identity solution.

They have already rolled AADHAAR out to over 300 million citizens, with hundreds of thousands enrolling each week. The system relies on biometric identification (10 fingerprints / 2 irises / 1 face picture) to eliminate duplicates and fake IDs and to support online authentication options. Off the back of data privacy concerns and public debates, AADHAAR also provides a unique number to authenticate a person whilst protecting their personal information. One case study of how technology can be used to reduce costs and improve the wellbeing of citizens is the national rural employment scheme, which guarantees 100 days of work per year to all working citizens.

An example was cited of a worker who, in order to collect his weekly wages of Rs792 (Rupees), had to walk 6km to the bus station, make a 14km bus trip and wait at least 2 hours at the bank, which closed at 2:30pm, resulting in some workers having to repeat the exercise the next day. It was not uncommon for workers to forfeit two thirds of their wages in cost and lost productivity.

Thanks to the new public private partnership model, the worker now goes to a local AADHAAR authorised enrolment station in his village, is authenticated via the mobile network and, for a small commission, receives his cash payment on the spot.

There are currently around 40,000 enrolment stations operated by over 100,000 trained, self employed operators.

They are adding close to one million new registrations daily, the equivalent of a Finland each week.

This is a prime example of a complex project, implemented with the proper technical and information security controls in place, that now delivers tremendous services to make the lives of the average impoverished Indian citizen a whole lot easier.

Srikanth Nadhamuni, advisor to the UID Authority

[Image courtesy of http://forbesindia.com]

MAYANS, MAYHEM & MALWARE
WILL GRAGIDO - RSA FIRSTWATCH / CHRIS VALASEK - THREAT RESEARCH AT IOACTIVE / JOSH CORMAN - AKAMAI / GREG HOGLUND AND BRIAN HONAN

Everyone is focusing on preventing a breach, but the focus should rather be on detecting and responding to a breach, as it is close to impossible to stop a zero day. We need to focus on aggressively defending through continuous monitoring.

Hacktivism movements are sometimes used as scapegoats by state actors to hide their attacks. One early indicator is the absence of the usual hacktivist claim of responsibility: if there is no Pastebin entry, a state actor is the more likely culprit.

With defenders increasing their capabilities, attackers now often know they are being tagged and need to adopt more advanced opsec measures themselves. On the point of fighting fire with fire, the term “hackback” is now often a topic of conversation.

The law has unfortunately not caught up with this point. There are still unanswered questions of legality, and it is hard to be certain that you are attacking the correct perpetrators. Furthermore, many companies are hardly able to defend effectively; how will they be able to attack an advanced foe, which requires even deeper security skills?


CYBER THREAT LANDSCAPE
NEW THEMES IN PREVENTION, DETECTION, RESPONSE
KEYNOTE SPEAKER: KIMBERLY PERETTI - ALSTON & BIRD, LLP

In cyber breaches, personally identifiable information (PII) is often compromised even though it may not have been the asset the intruders were after. As a result, companies are still required to notify the relevant authorities and follow the procedures laid out by the applicable breach notification laws.

ENTERPRISE IMPACT INVESTIGATIONS

Many companies do not conduct a thorough investigation following a breach; if systems are not reviewed in detail and the threats mitigated, the intruders will return!

Regulators have also changed their attitude regarding investigations and insist that more detailed reviews take place. As part of an investigation, picture a criminal walking down a street full of shops. He stops along the way, turning doorknobs, trying to get into certain shops. Some he enters and leaves, and others he enters and actually steals goods. Cyber investigators need to document in the same fashion: every system the intruder probed, every one he entered, and every one from which data was actually taken.

WHICH FUNCTIONS SHOULD BE PART OF A CRISIS MANAGEMENT TEAM?

• An experienced public relations firm
• Legal experts
• Board involvement, to support and respond
• Intelligence gathering analysts
• Incident response professionals
• Forensic investigators
• Malware analysts
• Network traffic monitoring staff
• Data analysis service
• Breach notification management and business support teams

These types of services are seldom offered by one company. Ensure you have the necessary partnerships in place before an incident happens.

DEFINITION: BIG DATA ANALYTICS

Big data analytics is the process of examining large amounts of data of a variety of types to uncover hidden patterns, unknown correlations and other useful information.

Such information can provide competitive advantages over rival organisations. These other data sources may include web server logs and internet clickstream data, social media activity reports, mobile-phone call detail records and information captured by sensors.

The primary goal of big data analytics is to help companies make better business decisions by enabling data scientists and other users to analyse huge volumes of transaction data as well as other data sources that may be left untapped by conventional business intelligence programs.

[Source: http://searchbusinessanalytics.techtarget.com]


KEYNOTE SPEAKER: DAWN CAPPELLI
Dawn Cappelli, CERT Insider Threat Centre, Carnegie Mellon University

ABOUT CERT:
• CERT was established in 1988 by the US Department of Defence
• Their Insider Threat Centre started in 2001 and works closely with the US Secret Service
• They have a database of over 800 insider threat cases covered since 2001

3 TYPES OF INSIDER THREATS:

1. Insider IT sabotage
Normally very disgruntled technical employees who end up on HR’s radar.

2. Insider theft of IP
Often committed by insiders joining a competitor or starting their own business.

3. Insider fraud
Most internal fraud is committed by tellers or financial employees who steal money once and then get stuck in the cycle.

INTRIGUING INSIDER THREAT CASES

CASE STUDIES

1. Trusted business partner
An employee of a company’s trusted partner stole information before accepting a job with a competitor.

2. Secure file sharing
Three employees at a law firm installed Dropbox and resigned a few months later. They stole 78,000 client files and had the client configured to synchronise both ways, so that their changes overwrote the original records and damaged the integrity of the database.

3. Virtual machines evade detection of data exfiltration
An employee had plans to start his own hedge fund and joined the company solely to steal its algorithms. He used virtual machines to bypass security controls and saved the files to an external hard drive.

4. Think twice before logging into a shared computer
Malware installed by an insider emailed captured credentials to him so that he could spy on staff or steal information. One employee walked around a hospital spreading malware to the Mission Impossible soundtrack. A fellow hacker reported him after his actions jeopardised the safety of patients.

5. National security risk by insiders
The terror watch list was tampered with by an employee of a government agency, who added his wife’s name to it while she was on holiday in Pakistan. As a result she was unable to return to the USA for 3 years. His actions backfired on him when he later got a promotion and the background checks conducted by his new employer uncovered his wife’s terror watch listing.

6. Embedded malware
A contract programmer added a line of code that shut down his clients’ various systems. He got lots of business as a result, charging a premium fee to troubleshoot those same systems.

7. CEO presents pornography to his board of directors
A fired IT manager compromised his CEO’s laptop to inject pornographic images into his presentation to the board.

PANEL DISCUSSION ON THE CSIS 20 CRITICAL SECURITY CONTROLS
A new standard of due care for cybersecurity

“Let my detection become your prevention!” Panel Chair - Tony Sager

Ed Skoudis (Counter Hack)
We ran an exercise analysing all the large scale breach cases we have investigated. After mapping them to the 20 controls, we are confident that had the companies implemented the controls these breaches would have been prevented.

Wolfgang Kandek (Qualys CTO)
Commented that they have seen customers who use the 20 controls integrated with automated security solutions run far more successful security programmes.

Alan Paller (SANS Research Director)
There are opportunities to develop your career across all industries, as the 20 controls have fundamentally changed the game. He suggested vendors adopt a more hands-on approach with their clients to assist them to integrate their solutions alongside the guidance from the 20 controls. Both consultants and end user security staff have a limited window to use the controls to implement a robust cyber security programme and impress their management team.

The discussion also centred on how to implement the controls, and SANS mentioned that a new roadmap was to be published shortly which provides security teams guidance on where to start. Their guidance is to focus on the first 5 controls and optimise them; this will give you the most benefit in the short term.

It was also mentioned that security teams should spend more time actually implementing security solutions instead of generating reams of frameworks and compliance files. Sager stressed the value of building trusted networks.


THE FIRST 48 HOURS OF INCIDENT RESPONSE
KEYNOTE SPEAKER: NICK SELBY - N4STRUCT

RULES OF A BREACH:

• DON’T panic
• Establish whether there has actually been an incident: determine the business impact to decide whether it is merely an event or an actual incident
• Once you are sure, DECLARE an incident (this should release the necessary resources and authority to empower you)
• Appoint an incident commander and treat the response as a series of discrete projects managed as a programme, with goals and start / end points. Ensure the commander has sufficient seniority and is empowered so that people listen to them
• Contact resource lists (internal and external) need to be kept up to date, and the people on them must be reachable 24/7
• Assess internal capability and locate those people early. They understand what the current state is and will help spot anomalies if a breach is suspected
• Understand the dangers of bringing in external resources; ensure they are trusted and reputable people

FIRST STEPS:

1. Lawyer up
Get legal involved asap. They will handle reporting requirements, plus they have significant authority. It is also good to have the Head of Audit on your side; they are going to have to help clean up the incident afterwards!

2. Manage up
Management will want this to be over yesterday, but they also need to understand that a thorough investigation and clean up has to happen. Harness their energy, but don’t exploit their trust whilst they are vulnerable!

3. Look up
Get visibility into the incident, the faster the better. You must have visibility into the traffic flow (ingress/egress points), logs and full packet capture.

Intelligence sharing is key to incident management today.

• You ARE going to get hit: waste less time trying to show management that the threat is real and more energy on building your incident response capability
• If you are breached, don’t make it worse by lying to your stakeholders, especially the media; if they find out they will be after you!
• If you have a breach, turn it into an opportunity! Get the “breach discount” from vendors (offer to tell the media that they helped, or that they can use you as a case study, in exchange for a significant discount)

LESSONS LEARNT:

• Focus on the impact: how / why / when did it happen?
• A sound communication strategy is key!
• Conduct a brutally honest self-assessment: a post-breach inventory (what we lost), internal capabilities and weaknesses, and where to go to improve
• Capture evidence in detail and according to sound practice. Expect that it may take years to get your hard drives back, with a chance that they may be gone forever
• Don’t get hung up on attribution: are you going to take on Russia / China?
• It’s always good to get the police involved early; that way you can tell the media “Sorry, we can’t comment, this is under police investigation!”
• Your adversary won’t send in the A-team if the cheaper D-team can do the job; if your security sucks they will take the easy route


INTERNATIONAL NEWS

NEW EU CYBERSECURITY PLAN FORCES BUSINESSES TO ADMIT DATA BREACHES

Each country in the European Union will have to set up national authorities charged with defending against online attacks under a new EU cybersecurity strategy, which will also see major companies and utilities forced to report any security breaches.

Since the publication of the EU’s proposed cyber security strategy and supporting directive, much of the focus has been on how difficult it will be to implement and how effective it will be in improving data security.

But what effect will it have on business?

The most obvious effect is that it will mean additional costs for all businesses covered by the proposed directive, in terms of creating new processes and acquiring new technology to comply.

The directive means that, for the first time, companies will be under a legal obligation to ensure they have suitable IT security mechanisms in place, which is likely to boost IT spending across the EU.

Conversely, it will mean additional income for the IT security industry as businesses are forced to find money to invest in whatever additional security technologies they need to become compliant.

Among the measures the strategy recommends are that each European country set up a CERT authority and designate a “competent authority” to manage online security for EU organisations. Such national cybercrime units would share information with each other, with law enforcement agencies and with data protection authorities, and publicly publish early warnings of online threats.

The strategy follows the launch of the European Cybercrime Centre in the Netherlands last month, which is intended to be Europe’s focal point for fighting online crime and sharing information on security threats.

[International News Sources: http://ec.europa.eu / http://www.zdnet.com / http://www.computerweekly.com ]


INTERNATIONAL NEWS

HACKERS HIT BIT9 NETWORKS

Another high profile security company has been breached. Attackers breached corporate systems at security services company Bit9 and accessed a code-signing certificate, which they used to make malware appear legitimate.

Bit9, a provider of application whitelisting technology, admitted to being breached by a malicious external party who was able to illegally gain access to one of its digital code-signing certificates. Ironically, the breached Bit9 system appears not to have been protected by the company’s own software. This attack bears similarities to the 2011 attack on RSA, in which attackers stole information that was likely used to conduct attacks on other organisations.

The attackers quickly used the compromised certificate to infiltrate the networks of at least three customers. The theory is that the real target of the attack was not the company itself but the protected networks of its customers: whitelisting that trusts anything signed with the vendor’s certificate will run malware carrying that signature.

According to an editor from the SANS Institute, Bit9 received $34M in investment funding around 7 months ago and it was highly likely that not enough of it went into protecting their own crown jewels.

“They simply did not follow the best practices they recommend to their own customers by making certain their product was on all physical and virtual machines within their environment.”

[Source: Sans.org / Hackmageddon.com]
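The mechanism behind the Bit9 story, as an added illustration that is not Bit9’s product or code and not part of the original article: a toy application whitelisting policy that trusts any binary carrying a valid signature from a trusted publisher. HMAC-SHA256 under a per-publisher key stands in for a real code-signing certificate; the publisher names, file contents and the WhitelistPolicy class are constructed for the example and do not describe how Bit9’s agent evaluates trust. It shows why a stolen signing key turns publisher trust into a bypass, why revoking the compromised publisher is the fix, and why an exact-hash allow-list for known-good files keeps working after the revocation.

```python
import hashlib
import hmac

# Constructed per-publisher signing keys: stand-ins for the private keys
# behind real code-signing certificates. Assumption for the example only.
PUBLISHER_KEYS = {
    "bit9": b"constructed-bit9-signing-key",
    "acme-software": b"constructed-acme-signing-key",
}


def sign(publisher, binary):
    """Produce the publisher's 'code signature' over a binary.
    HMAC-SHA256 stands in for a real signature scheme."""
    return hmac.new(PUBLISHER_KEYS[publisher], binary, hashlib.sha256).digest()


def verify(publisher, binary, signature):
    """True if signature is valid for binary under the named publisher's key."""
    key = PUBLISHER_KEYS.get(publisher)
    if key is None:
        return False
    expected = hmac.new(key, binary, hashlib.sha256).digest()
    return hmac.compare_digest(expected, signature)


class WhitelistPolicy:
    """Hypothetical allow-list engine (not Bit9's product): a binary runs if
    its exact hash is known good, or if it carries a valid signature from a
    trusted publisher that has not been revoked."""

    def __init__(self, trusted_publishers, known_good_hashes=()):
        self.trusted_publishers = set(trusted_publishers)
        self.revoked_publishers = set()
        self.known_good_hashes = set(known_good_hashes)

    def revoke_publisher(self, publisher):
        """Stop trusting a publisher whose signing key has been stolen."""
        self.revoked_publishers.add(publisher)

    def decide(self, binary, publisher=None, signature=None):
        digest = hashlib.sha256(binary).hexdigest()
        # Exact-hash entries do not depend on any signer, so they keep
        # working after a publisher key compromise and revocation.
        if digest in self.known_good_hashes:
            return "allow:hash"
        if publisher is None or signature is None:
            return "deny:unsigned"
        if not verify(publisher, binary, signature):
            return "deny:bad-signature"
        if publisher in self.revoked_publishers:
            return "deny:revoked-publisher"
        if publisher in self.trusted_publishers:
            return "allow:publisher"
        return "deny:untrusted-publisher"


def bit9_style_timeline():
    """Replay the breach scenario with constructed file contents and return
    the policy decision at each step."""
    acme_update = b"constructed bytes of an Acme software update"
    legit_agent = b"constructed bytes of a legitimate Bit9 agent build"
    malware = b"constructed bytes of attacker malware"

    policy = WhitelistPolicy(
        trusted_publishers={"bit9", "acme-software"},
        known_good_hashes={hashlib.sha256(legit_agent).hexdigest()},
    )
    steps = []

    # 1. Normal operation: a trusted publisher's signed update is allowed
    #    purely on the strength of its signature.
    steps.append(policy.decide(acme_update, "acme-software",
                               sign("acme-software", acme_update)))

    # 2. The attacker holds the stolen key and signs malware as "bit9".
    #    The signature is genuine, so publisher trust waves it through.
    stolen_sig = sign("bit9", malware)
    steps.append(policy.decide(malware, "bit9", stolen_sig))

    # 3. Any change to the file after signing breaks the signature.
    steps.append(policy.decide(malware + b"\x00", "bit9", stolen_sig))

    # 4. Compromise discovered: revoke the publisher. The same malware with
    #    the same valid signature is now blocked.
    policy.revoke_publisher("bit9")
    steps.append(policy.decide(malware, "bit9", stolen_sig))

    # 5. The vendor's known-good agent keeps running via its hash entry.
    steps.append(policy.decide(legit_agent, "bit9", sign("bit9", legit_agent)))

    # 6. An unsigned file with no hash entry never passes.
    steps.append(policy.decide(malware))
    return steps


if __name__ == "__main__":
    for number, outcome in enumerate(bit9_style_timeline(), 1):
        print(number, outcome)
```

Run it directly to print the six decisions; step 2, where malware signed with the stolen key is allowed, is the customer compromise in miniature. Revocation only helps if the whitelisting agent actually consults it, which is why vendors publish revoked certificate lists and why hash entries for critical binaries are worth the maintenance cost.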

PUTIN ORDERS FSB TO CREATE CYBER DEFENSE SYSTEM

President Vladimir Putin has tasked the Federal Security Service with creating a unified system for the “detection, prevention and liquidation” of cyberattacks on government websites, in an official decree published Monday.

The main tasks include development of methods for predicting threats, institution of monitoring to determine the levels of protection of critical information systems, and accounting for certain computer incidents, Itar-Tass reported Monday.

The resources covered by the decree are information systems and data networks in Russia itself and in Russian embassies and diplomatic institutions abroad.

The decree came into effect Tuesday, the day it was signed. It follows on the heels of charges brought in early January against a Krasnoyarsk resident who launched a recent cyberattack on the president’s website. He faces up to four years in prison.

Last week, an Internet security firm said a spy network had infiltrated government and embassy computers across the former Soviet bloc.

Dubbed Red October, the network used phishing attacks (unsolicited emails to intended targets) to infect the computers of embassies and other state institutions with a program designed to harvest intelligence and send it back to a server.


AFRICA NEWS

The government’s efforts to transform the country into a knowledge based economy through digital empowerment has today culminated in the launch of the first National ICTMaster Plan.

A five year plan that seeks to drive citizen adoption of the Vision 2030 priorities through ICT policies and initiatives, the Master Plan projects that by 2017 Kenya’s ICT industry will be contributing an estimated USD2 billion (some 25% of Kenya’s GDP) and have created around 500 new tier 1 ICT companies and over 50,000 jobs.

“As a step towards its realisation, the ministry is working on standardising business processes and developing sub-plans that will allow the delivery of innovative public services within government” said Information and Communication PS Dr. Bitange Ndemo

“Strong governance and increasing engagement between the government and private sector will help to remove barriers that would impede execution in order to deliver a society based on knowledge,” added Ndemo.

Guided by the ministry’s policy objectives and to achieve the intended full benefits of ICT, the Masterplan plugs into the vision 2030’s social and economic pillars in seven key intervention areas. Under the social pillars are education and training, health, water and sanitation, environment, housing and urbanisation, gender, youth and vulnerable groups, social equity and poverty reduction.

The economic pillar shall deliver on tourism, agriculture, wholesale and retail trade, manufacturing, business process outsourcing and financial services and the creative industry.

What began as a stakeholder engagement on the hypothesis of what had been adopted in countries like Singapore has taken two years, culminating in the birth of the ICT Master Plan.

“Indeed, the plan is ambitious and it is an attempt to infuse ICT and knowledge into Vision 2030 by enhancing citizen value. This will be achieved by availing channels that will stimulate the set-up of ICT related businesses and therefore employment creation” said Paul Kukubo, ICT Board CEO.

At the core of this Master Plan are three strategic pillars that will be used as a measure of success.

These are: enhancing public value through service delivery and access to public services; strengthening ICT as a driver of industry by establishing an ecosystem for ICT adoption; and the development of ICT businesses that lead in understanding emerging market needs.

“The plan is really just a guideline and offering it to the public means that we are open for further deliberation and feedback. We intend to review the document annually to review progress and realign to the country’s priorities,” added Kukubo.

The launch of the National ICT Master Plan comes just two days after a draft National Cyber Security Master Plan round table, a final review session for the country’s first document that seeks to establish a regulatory and policy framework in information security.

The Strategy and Plan play a fundamental role in managing risks to government processes through the securing of information assets.

[Source: Biztechafrica.com]

The website of Zimbabwean bank Metropolitan Bank (www.metbank.co.zw) was defaced and subsequently taken down ‘for maintenance’.

According to site defacement archive zone-h.org, the Metropolitan Bank website was defaced on 19 January 2013 by hackers calling themselves “Qifwhysoserious”.

The website was developed by a local company called Hello World, and a source at the company mentioned it was based on the Joomla content management system.

It was later confirmed that Tetrad Holdings and MBCA Bank also had their websites defaced.

[Source: www.techzim.co.zw]

KENYA LAUNCHES NATIONAL ICT MASTER PLAN

THE KENYAN GOVERNMENT HAS UNVEILED A MASTER PLAN AIMED AT HELPING THE ICT SECTOR GROW TO A USD2 BILLION INDUSTRY BY 2017

Dr. Bitange Ndemo

ZIMBABWEAN BANK WEBSITES HACKED


AFRICA NEWS

The National Information Technology Authority – Uganda (NITA-U)’s Director for Information Security, Peter Kahiigi, has outlined Ugandan Government plans to step up national information security.

Kahiigi said that the Government of Uganda, through NITA-U, in addition to setting up an Information Security Directorate has put a National Information Security Strategy in place.

It has also established UG-CERT in cooperation with UCC and ITU; the role of the UG-CERT is to ensure the protection of the nation’s Critical Information Infrastructures, assist in drafting the overall plan on the country’s approach to cyber security related issues, and thus can serve as a focal point for further building and implementing the National Culture of Cyber security.

THE GOVERNMENT OF UGANDA OUTLINED THE FOLLOWING KEY PLANS

1. Implementation of an information security strategy
2. Implementation of public key infrastructure (PKI)
3. Develop a national IS policy
4. Set up roles and responsibilities
5. Development of an IS framework

[Source: Biztechafrica.com]

UGANDA STEPS UP ICT SECURITY

Microsoft Corporation this week unveiled a package of USD12 billion which it said will be spent in Africa over the next three years to empower the youth on the continent.

Emmanuel Onyeje, country manager, Microsoft Anglophone West Africa, who disclosed this in Lagos, said pursuant to this goal, the firm has launched their Microsoft 4Afrika Initiative, through which it will actively engage in Africa’s economic development to improve its global competitiveness.

Onyeje said the firm’s efforts will focus on accelerating adoption of smart devices, empowering small and medium businesses, and up-leveling skills development to ignite African innovation for the continent and for the world.

By 2016, Microsoft aims to help place tens of millions of smart devices in the hands of African youths, bring one million African Small Medium Enterprises (SMEs) online, up-skill 100,000 members of Africa’s existing workforce, and help an additional 100,000 recent graduates develop skills for employment, 75% of whom Microsoft will help place in jobs.

Onyeje said: “Microsoft wants to invest in that promise which recognises Africa’s promise. We want to empower African youths, entrepreneurs, developers and business and civic leaders to turn great ideas into reality that can help community, their country, the continent and beyond.”

“The initiative is built on the dual beliefs that technology can accelerate growth for Africa, and Africa can also accelerate technology for the world.”

He said that Microsoft was motivated to embark on the projects as part of its contributions to Africa’s transformation initiatives.

[Source: Biztechafrica.com]

MICROSOFT EARMARKS USD12BN FOR AFRICA



The name of the platform paid homage to the novel by Tom Clancy which told the story of a rogue Soviet submarine captain and his planned defection to the United States during the Cold War. However this ‘Red October’ is far more sophisticated and deploys stealth more effectively than the Soviet submarine described in Clancy’s novel.

‘Red October’ is first and foremost not a virus but instead a malware delivery and data collection platform. It is described by Kaspersky Labs as one of the most advanced espionage platforms uncovered. ‘Red October’ operated a number of computers and domain names that acted as proxies to hide the core purpose and functionality of the network platform. Using this layered ‘Command and Control’ structure, attackers had more than 1,000 ‘plug and play’ modules at their disposal which they utilised to customise their attacks on targeted victims.

It is believed that ‘Red October’ has been active since 2007 and has remained undetected for such a long period of time as a result of its tailored execution of exploit code. Code that is received from the ‘Red October’ servers executes in memory only and is then immediately discarded leaving no trace or service to detect. Traditional anti-virus software would therefore not be able to identify this malicious code as it is resident in memory for a short period of time and is not written to local storage media.

Targeted victims are infected by a ‘spear-phishing’ attack which utilises a known exploit in Microsoft Office products. Once infected the victims are then further compromised by one of the many modules the attackers have at their disposal.

These attack modules have been categorised into ten sub-categories:

1. Recon – Scanning the infected machine for useful information as well as system specific information which could be used for further exploitation.
2. Password – Passwords stored on the local drive are stolen as well as cryptographically hashed account credentials.
3. Email – Email data is searched and scanned.
4. USB Drives – USB Drives are scanned and data copied and FTP’d to attack servers.
5. Keyboard – Keyboard Loggers are installed which capture keystrokes allowing attackers to record username / password combinations.
6. Persistence – Some modules exist which provide ‘persistence’ so that attackers can revisit the compromised device at a later date should they lose connection to the victim.
7. Spreading – Modules exist which scan network attached devices for vulnerabilities allowing the infection to spread from one connected device to another.
8. Mobile – ‘Red October’ has the ability to scan mobile devices that have been docked to the infected device for sensitive information.
9. Exfiltration – This code has the ability to copy and transfer data on local drives to FTP servers in the ‘Red October’ network.
10. USB Infection – Investigations show that these modules create logs and files which match those in use by current USB malware.

It appears that the ‘Red October’ operators focussed their activities on governments, embassies and scientific organisations around the world with victims primarily located in the former Soviet Bloc countries in Eastern Europe. The origin of the operators has been subject to much speculation amongst researchers. There has been conjecture that this may have been a state-sponsored infiltration but this can neither be proved nor disproved. What is known is that exploits used are Chinese in origin and have been published on the Internet for some time. The attackers modified these exploits with a telling first line in the executable they created. This first line of code changed the ‘codepage’ of an infected system to 1251, which is required to address files and directories that contain Cyrillic characters. This leads one to believe that the authors are Russian or at the very least Russian speaking.

Due to the stealth capability adopted by ‘Red October’, it could not be analysed using the traditional means at the disposal of anti-virus companies. Kaspersky Labs conducted its research into ‘Red October’ by setting up fake victim ‘honeypots’ at locations around the globe, which then allowed them to monitor and collect hundreds of the attack modules and exploit tools used. This analysis was underway in October 2012, hence the name ‘Red October’ being given to this malware espionage platform. Since the discovery and publication of the ‘Red October’ report by Kaspersky Labs, the ‘Red October’ network has been shut down by its operators.

What makes this specific case of malware espionage interesting to an African publication is the fact that foreign embassies in African countries were directly attacked by the ‘Red October’ operators. In an infographic provided by Kaspersky Labs, embassies in Algeria, Botswana, Congo, Kenya, Mauritania, Morocco, Mozambique, South Africa, Tanzania and Uganda were all targeted. Based on the infection vectors identified in ‘Red October’ one must take a prudent view and assume that as a result of these base infections, the platform may have extended its tentacles into other organisations in the identified countries.

The lesson one takes from this latest discovery is that the prevalence of sophisticated malware on networks must be assumed and organisations and individuals must act accordingly. A reactive strategy is no longer sufficient in protecting secure networks and data. This case has proven that 5 years’ worth of data may have been siphoned off your network without your knowledge while your anti-malware solution would have reported everything in order. Security professionals must assume at any time that their networks and data may have been compromised and provide solutions to mitigate this advanced persistent threat.

RED OCTOBER: THE ESPIONAGE PLATFORM EVEN SURFACES IN AFRICA

In January 2013 the IT security world was abuzz with a report published by Kaspersky Labs on an espionage platform they dubbed ‘Red October’.

AFRICA NEWS

Chris Lazari, Director: Infrastructure Services, Airborne Consulting


DIY GUIDES

Why spend days, weeks or even months trying to penetrate layers of network security when you can just trick a user into running a file that allows you full access to their machine and bypasses anti-virus, firewalls and many intrusion prevention systems?

This is most commonly used in phishing attacks today - craft an e-mail, or create a fake website that tricks users into running a malicious file that creates a backdoor into their system. But as a security expert, how could you test this against your network? Would such an attack work, and how could you defend against it?

The Social Engineer Toolkit (SET) incorporates many useful social-engineering attacks all in one interface. The main purpose of SET is to automate and improve on many of the social-engineering attacks out there. It can automatically generate exploit-hiding web pages or email messages, and can use Metasploit payloads to, for example, connect back with a shell once the page is opened.

SET was created and written by the founder of TrustedSec. It is an open-source Python-driven tool aimed at penetration testing around Social-Engineering. SET has been presented at large-scale conferences including Blackhat, Defcon and ShmooCon.

With over two million downloads, SET is the standard for social-engineering penetration tests and supported heavily within the security community. TrustedSec believes that social-engineering is one of the hardest attacks to protect against and now one of the most prevalent.

HOW TO CONDUCT A SOCIAL ENGINEERING EXERCISE

Sample Of Social Engineering Attack Vectors

1) Spear-Phishing Attack Vectors
2) Website Attack Vectors
3) Infectious Media Generator
4) Create a Payload and Listener
5) Mass Mailer Attack
6) Arduino-Based Attack Vector
7) SMS Spoofing Attack Vector
8) Wireless Access Point Attack Vector
9) QRCode Generator Attack Vector
10) Third Party Modules

Social engineering attacks are one of the top hacking techniques used against companies today.


QUICK INSTALLATION NOTES

SET is included in the latest version of the most popular Linux distribution focused on security, BackTrack.

It’s easiest to run SET from BackTrack. Boot to it via USB or optical media, or run it as a virtual machine.

Navigate to Applications | BackTrack | Exploitation Tools | Social Engineering Tools | Social Engineering Toolkit | set and you’re off to the races.

DEFINITION

Social engineering is a term that describes a non-technical kind of intrusion that relies heavily on human interaction and often involves tricking other people to break normal security procedures. A social engineer runs what used to be called a “con game.” For example, a person using social engineering to break into a computer network might try to gain the confidence of an authorized user and get them to reveal information that compromises the network’s security. Social engineers often rely on the natural helpfulness of people as well as on their weaknesses. They might, for example, call the authorized employee with some kind of urgent problem that requires immediate network access. Appeal to vanity, appeal to authority, appeal to greed, and old-fashioned eavesdropping are other typical social engineering techniques.

[Africa News Sources: https://www.trustedsec.com / http://holisticinfosec.blogspot.com / http://www.infosecisland.com]

To download SET and watch sample videos visit: https://www.trustedsec.com/downloads/social-engineer-toolkit/


GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE

Whether they realise it or not, C-suite executives now have ownership over keeping their organisations secure. According to Gartner predictions, by 2015 as much as 25 percent of all organisations will add a new “C” to the C-suite: Chief Digital Officers. Living in the digital age, the CEOs, CFOs, CTOs, COOs and soon-to-come CDOs of the world are now responsible for all material threats to their companies, and that includes information security.

Given how fast the cyber threat landscape is changing, on any given day a company can suffer a cyber-attack, whether it be malware, ransomware or crimeware, that can cripple an organisation with potentially irreversible ramifications.

While the C-suite is ultimately responsible for their organisations, many are untrained on what it means to be a security-obligated executive. These executives should know how to identify threats and what warning signs to monitor to circumvent cyber-attacks before they happen.

BELOW ARE KEY POINTS THE C-SUITE SHOULD USE TO PREPARE FOR THE BATTLE AGAINST CYBER-ATTACKS:

PAY ATTENTION TO THE TYPES OF SECURITY THREATS THAT EXIST
The types of cyber-warfare and attacks are both increasing and diversifying. With Bring Your Own Device (BYOD) heavily on the rise, devices such as smart phones and wireless tablets accessing cloud-based applications provide even more opportunities for attackers.

DON’T ISOLATE “BUSINESS” FROM IT AND SECURITY OPERATIONS
Encourage the security team to have a strong understanding of the business. It is too often the case that security teams work in isolation. Security teams should know what business leaders value in order to properly match the levels of protection with the risk.

PERFORM THREAT ANALYSES AND PLAN ACCORDINGLY
The security team should be able to identify risks and threats, while the security-obligated executive should be aware of what those vulnerabilities are and how to mitigate them.

PREPARE A STRATEGIC PLAN
Identify what the most important security improvements are, with an explicit understanding of the company’s assets that need to be protected. By creating an alignment between specific business risks and security controls, teams will be able to fit the building blocks together to create a strategic plan of action.

As the security gatekeepers of their organisations, which are constantly evolving and becoming more digital, C-level executives need to remember that they are responsible for all material threats to their enterprises and networks, including information security. Ticking the boxes in order to be compliant is no longer enough. Moreover, efficient and clear communication is paramount to increasing the security posture. Historically the C-suite and the security teams haven’t spoken much at all, or security teams haven’t spoken to execs in a simple enough language to be understood.

There are major disconnects we often see when auditing the security of an organisation. A typical security team will assess the ability to defend against generic threats or attacks and will develop a plan to fill in those holes. More often than not, the resulting roll-out plan is missing a key ingredient: an explicit understanding of the company’s assets that need to be protected.

To guarantee that the security strategy is aligned with the business objectives, we created an exercise to uncover business risks in a non-technical way so that the business risk and security plan dovetail together seamlessly. What we call the 3 R’s: Riches, Ruins and Regulations, helps executives and security professionals speak in a common language. The exercise is designed to uncover critical and valuable assets that are core to the line of business. Oftentimes it is only the line-of-business employees that are aware of the presence and relevance of these assets, and they are outside the purview of the security team. Because of this disconnect, the security controls deployed on these systems are often inappropriate in relation to the risk those assets pose to the organisation.

THE SECURITY OBLIGATED EXECUTIVE - THE 3 R’S: RICHES, RUINS AND REGULATIONS


HOW IT WORKS IS SIMPLE. THE FIRST STEP IS TO IDENTIFY THE 3 R’S AND THEN, BASED ON THE RESULTS, THE SECURITY TEAM UTILISES THE ANALYSES TO KEEP THE COMPANY SECURE:

RICHES
• What assets can be targeted that would be valuable to a thief?
• What are the ways assets can be stolen?
• Who would be most likely to steal this asset?
• How would a thief go about stealing this asset?

RUINS
• What could you target specifically to ruin our reputation?
• What direct costs or liabilities would our company incur if the asset is stolen?
• What indirect costs, such as harm to reputation, would our company incur if the asset is stolen?

REGULATIONS
• What compliance rules does our company abide by?
• Who is responsible for compliance?
• Who audits our company’s compliance with these different regulations?
• Do we have any contracts with penalties for non-compliance?

The primary purpose of the exercise is to uncover assets of significant value if stolen, potential attacks that might cause great damage, and finally the costs associated with failure to meet regulatory requirements.

Identifying the 3 R’s will help the security-obligated executives have a clear vision of security as it relates to their company, which is the first step against cyber-threats and attacks.

This article is based on the content of the book “The Security Battleground” by Michael Fey, Brian Kenyon, Kevin Reardon, Bradon Rogers, and Charles Ross.

This article was provided by Craig Hockley, Regional Director, South Africa and Sub Saharan Africa, McAfee.



A Parliamentary update has confirmed that the Protection of Personal Information Bill (“PPI”) will be in front of the security committee of the National Council of Provinces and possibly be finalised in the next few weeks.

Once PPI becomes an Act of Parliament, private and public entities will have 1 year to comply with the requirements therein.

For those that have not yet begun their compliance journey, immediate mobilisation should be a priority, since compliance will require significant changes to an organisation’s processing and operational landscape.

PROTECTION OF PERSONAL INFORMATION BILL TO PASS FINAL HURDLE SHORTLY

Candice Holland, Deloitte Legal Associate Director

LEGISLATIVE CHANGES

KEEPING YOU INFORMED

Changes in: Financial Services Laws General Amendment Bill

What’s changed in the law?
1. Defines “financial sector legislation” and “non-financial sector legislation”
2. Financial institutions no longer bound by non-financial legislation
3. Excludes the financial sector from the application of the Consumer Protection Act
4. Enhanced power of the Regulator to oversee risk

What does it mean for you?
1. Compliance systems need to be adjusted for applicable legislation
2. Redundant legislation should be identified to improve efficiencies and the impact of new legislation should be determined
3. Preparation for Regulator audits or reviews

Changes in: Electronic Communications and Transactions Act (“ECTA”) Amendment Bill

What’s changed in the law?
1. Concept of prescribed offices introduced
2. The Bill redefines electronic transactions, electronic signatures and unsolicited commercial communications
3. Alignment to other information protection and customer protection laws
4. Penalties increased from R1 million and 12 months’ imprisonment to R10 million and 10 years’ imprisonment respectively

What does it mean for you?
1. Revision and amendment of the organisation’s Information, Communication and Technology Policies
2. Implications for the change to an “opt in” model in respect of marketing communications to be determined
3. Conduct an ECTA gap analysis to determine compliance

Changes in: Companies Act 2008

What’s changed in the law?
1. Articles and Memoranda of Association (“M&AOA”) are to be aligned by 30 April 2013
2. From 1 May 2013, any unaligned provisions in each of the M&AOA and shareholders’ agreements will be overridden by the Companies Act

What does it mean for you?
1. Consolidation of the content governing an organisation is necessary
2. Filing of new MOI by 30 April 2013
3. Definition, training and awareness around “prescribed officers” is required

Changes in: Common Market for Eastern and Southern Africa (“COMESA”) Competition Commission regulations

What’s changed in the law?
1. COMESA comprises 19 countries: Burundi, Comoros, the Democratic Republic of Congo, Djibouti, Egypt, Eritrea, Ethiopia, Kenya, Libya, Madagascar, Malawi, Mauritius, Rwanda, Seychelles, Sudan, Swaziland, Uganda, Zambia and Zimbabwe
2. In order to ensure fair competition and transparency among economic operators in the region, COMESA has adopted a regional competition policy called the COMESA Competition Regulations

What does it mean for you?
1. Research the merger filing fees and other applicable rules when considering transactions in COMESA member states
2. Align existing organisation competition law policies with COMESA requirements
3. Training of impacted staff

GOVERNANCE, RISK MANAGEMENT AND COMPLIANCE


On a daily basis, end users continue to push to have their own devices allowed onto enterprise networks, while at the same time business data needs to be analysed on the go and decisions made instantly. Together these pressures are creating a new revolution: letting employees use their own devices to access the organisation’s network and information.

An Informa Telecoms Media report reveals that there will be up to 265 million data subscribers in Africa by 2015, up from about 12 million today and according to Microsoft South Africa Executive, Fred Baumhardt, mobile devices such as smart phones are entering the African market four times faster than PCs or laptops.

The BYOD phenomenon is already having a significant impact on enterprises worldwide. How will African businesses and individuals adapt to the changing trends?

African businesses embracing BYOD may generate greater business benefits such as:
• Improved employee productivity, faster customer response times and improved operational efficiencies
• Increasing competitive advantage
• Enabling Anywhere and Anytime mobility
• Addressing widespread remote access issues
• Staff retention, especially the Gen-Y’s
• Reducing cost of video and data comms through unified comms solutions

Despite the rapid growth and realisable benefits of embracing BYOD, it is important that African organisations also consider adopting suitable governance, risk management and compliance controls capable of supporting the broad array of mobile devices.

As with any emerging technology, security is at the core of BYOD. As users shift to mobile and cloud platforms, so will attackers. It should come as no surprise that mobile platforms and cloud services will be likely targets for attacks and breaches in 2013 and beyond.

"Cyber criminals are increasingly targeting employees as access portals to a company's infrastructure, intensifying the need for controls and layered defences that can identify and mitigate attacks," said Jacques Erasmus, chief information security officer at Webroot. “As the popularity of employee-owned devices in the workplace continues to grow, this defence needs to be supplemented with a coherent but simple BYOD management strategy, underpinned by three elements: device control policies, device-level security and mobile workforce security training."

From an African perspective, there is a need for a cultural shift which will be driven by organisations implementing robust BYOD and Security Awareness training programmes to educate users from senior management down to the most junior employee.

The following should also be taken into consideration as core components of each BYOD program:

• BYOD Governance, Policy & Risk Management Framework
• Funding & Support Model
• Identity Management/Authentication/Encryption
• Device Policy Compliance and Enforcement
• Usage and Cost Plans: Maintenance Liability
• Device Diversity and Degree of Freedom: Bring your own Anything or Company provided devices
• Provisioning, On-Boarding and Exiting Plan
• Configuration Management & Enterprise App Store
• Data Loss Prevention
• Converged Security and Policy Monitoring (Logging & Monitoring)
• BYOD Incident Management & Forensics Plan
• Threat & Vulnerability Management
• Awareness Training: BYOD involves significant culture & organisational change

FINAL THOUGHTS:

BYOD and Big Data are the new game-changers offering every organisation in Africa or across the globe serious tangible business benefits.

The time is ripe for African organisations to securely join the revolution that will forever change how business is done on the continent.

BRING YOUR OWN DEVICE (BYOD) CHANGING THE WAY BUSINESS IS DONE IN AFRICA

Francis Kaitano, Security Manager at CEN NZ

The consumerisation of IT is moving at a faster pace and has triggered a monumental shift on mobility and the way organisations and their employees run their day to day business. As with any other continent, Africa is no exception.


AUDITS AND ASSESSMENTS

Mandiant has named the attack group “APT1”: what is likely a government-sponsored group that is one of the most persistent of China’s cyber threat actors, and considered to be one of the most prolific in terms of the quantity of information it has stolen.

To further its claims that there are actual individuals behind the keyboard, Mandiant also revealed three “personas” that they say are associated with APT1 attacks.

According to Mandiant’s investigations, APT1 has taken hundreds of terabytes of data from at least 141 organisations across many industries going as far back as early 2006, but this represents just a small fraction of the overall cyber espionage that APT1 has conducted.

It was the massive scale and impact of APT1’s operations that compelled Mandiant to write and publicly release the report.

Historically, Mandiant has said there was no way to determine the extent of China’s involvement in many attacks, but the firm now says it has enough evidence to confidently say that “the groups conducting these activities are based primarily in China and that the Chinese Government is aware of them.”

While many firms steer away from publicly calling out China as a culprit in cyber attacks, Mandiant is taking a stance and boldly pointing fingers at China, and bringing many statistics and research to back its case.

“It is time to acknowledge the threat is originating in China, and we wanted to do our part to arm and prepare security professionals to combat that threat effectively.”

“The issue of attribution has always been a missing link in publicly understanding the landscape of APT cyber espionage. Without establishing a solid connection to China, there will always be room for observers to dismiss APT actions as uncoordinated, solely criminal in nature, or peripheral to larger national security and global economic concerns.”

Mandiant believes APT1 is the 2nd Bureau of the People’s Liberation Army (PLA) General Staff Department’s (GSD) 3rd Department, commonly known by its Military Unit Cover Designator (MUCD) as Unit 61398.

The security firm estimates that Unit 61398 is staffed by hundreds, or even thousands of people, and that China Telecom provided special fibre optic communications infrastructure for the unit. Additionally, Mandiant said that it conservatively estimates that APT1’s current attack infrastructure includes over 1,000 servers across dozens of countries.

Mandiant said that it was able to confirm 937 command and control servers running on 849 distinct IP addresses and has confirmed 2,551 domain names attributed to APT1 in the last several years.

MANDIANT ASSESSMENT CLAIMS TO EXPOSE ONE OF CHINA’S MOST ACTIVE CYBER ESPIONAGE UNITS

In a fascinating, unprecedented, and statistics-packed report, security firm Mandiant made direct allegations and exposed a multi-year, massive cyber espionage campaign that they say with confidence is the work of a unit of China’s People’s Liberation Army (PLA).

“Our research and observations indicate that the Communist Party of China is tasking the Chinese People’s Liberation Army (PLA) to commit systematic cyber espionage and data theft against organizations around the world,” the report alleged.

When APT1 launches an attack against a target, it’s typically not a one shot deal or a quick hit. In fact, according to Mandiant’s research, APT1 maintained access to victim networks for an average of 356 days. The longest time period APT1 maintained access to a victim’s network was four years and ten months.

In one operation, Mandiant witnessed APT1 steal 6.5 terabytes of compressed data from a single organization over a ten-month time period. APT1’s targets include organizations across a broad range of industries, mainly in the United States and other English-speaking countries.

In over 97% of the 1,905 times Mandiant witnessed APT1 intruders connecting to their attack infrastructure, APT1 used IP addresses registered in Shanghai and systems set to use the Simplified Chinese language.

“Once the group establishes access to a victim’s network, they continue to access it periodically over several months or years to steal large volumes of valuable intellectual property, including technology blueprints, proprietary manufacturing processes, test results, business plans, pricing documents, partnership agreements, emails and contact lists from victim organizations’ leadership,” the report explained.

HACKING FOR ECONOMIC GAIN AND ADVANTAGE

Mandiant’s investigations show that APT1 has targeted at least four of the seven strategic emerging industries that China identified in its 12th Five Year Plan, and warns that any industry related to China’s strategic priorities is a potential attack target. Mandiant highlighted an attack in 2008 that compromised the network of a company involved in a wholesale industry. According to Mandiant, over the next two and a half years APT1 used various tools to steal an unknown number of files from the victim and repeatedly accessed the email accounts of several executives, including the company’s CEO and General Counsel. During this same period, news organizations reported that China had successfully negotiated a double-digit decrease in price per unit with the victim organization for one of its major commodities, Mandiant said.

While Mandiant hopes its efforts will lead to increased understanding and coordinated action in countering targeted cyber attacks, it also acknowledged that releasing this report has put itself somewhat at risk.

“We are acutely aware of the risk this report poses for us,” Mandiant noted. “We expect reprisals from China as well as an onslaught of criticism.”

In addition to the detailed report, Mandiant provided more than 3,000 APT1 indicators including domain names, IP addresses, X.509 encryption certificates and MD5 hashes of malware used by APT1’s attackers, in order to help organizations identify and defend against APT1 operations.
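As an added example, not Mandiant’s code and using constructed indicator values and constructed log lines rather than the real APT1 appendix, the Python below shows how a feed of exactly these indicator types (domains, IP addresses, certificate fingerprints, file hashes) is matched against DNS, proxy, TLS and endpoint records. The names INDICATORS, SAMPLE_LOGS, KIND_MAP, match_logs and hosts_by_indicator_type are hypothetical. Values are normalised before comparison (case, trailing dots, host:port), a subdomain of a listed domain counts as a hit, and hosts that match more than one indicator type are surfaced for priority.

```python
"""Match a threat-intelligence indicator feed against DNS, proxy, TLS and
endpoint log records.

Added example, not Mandiant's code or data. Every indicator value and log
line below is constructed for illustration; none is a real APT1 indicator.
"""
import ipaddress
from collections import defaultdict

# Constructed indicator feed (hypothetical values, not from the APT1 appendix).
INDICATORS = {
    "domain": {"update.example-cdn.test", "mail.example-news.test"},
    "ip": {"203.0.113.10", "198.51.100.77"},
    # MD5 of the empty file, used only as a recognisable stand-in hash
    "md5": {"d41d8cd98f00b204e9800998ecf8427e"},
    "cert_sha1": {"aabbccddeeff00112233445566778899aabbccdd"},
}

# Constructed log records: timestamp, internal host, kind, subkind, value
SAMPLE_LOGS = """\
2013-03-04T10:01:02Z 10.0.0.5 dns query cdn.example-cdn.test
2013-03-04T10:01:03Z 10.0.0.5 dns query update.example-cdn.test
2013-03-04T10:02:10Z 10.0.0.7 proxy connect 203.0.113.10:443
2013-03-04T10:02:11Z 10.0.0.7 tls server-cert-sha1 AABBCCDDEEFF00112233445566778899AABBCCDD
2013-03-04T10:05:00Z 10.0.0.9 proxy connect 192.0.2.44:80
2013-03-04T10:06:30Z 10.0.0.9 file md5 D41D8CD98F00B204E9800998ECF8427E
"""

# (log kind, log subkind) -> indicator type in the feed
KIND_MAP = {
    ("dns", "query"): "domain",
    ("proxy", "connect"): "ip",
    ("tls", "server-cert-sha1"): "cert_sha1",
    ("file", "md5"): "md5",
}


def normalize(ioc_type, value):
    """Bring a log value into the canonical form used by the feed."""
    value = value.strip().lower().rstrip(".")
    if ioc_type == "ip":
        # the constructed proxy log carries IPv4 host:port; keep the address
        host = value.rsplit(":", 1)[0]
        ipaddress.ip_address(host)  # raises ValueError on anything not an address
        return host
    return value


def domain_matches(name, feed):
    """Exact match, or a subdomain of a listed domain (c2.evil.test hits evil.test)."""
    return any(name == d or name.endswith("." + d) for d in feed)


def match_logs(log_text, indicators=INDICATORS):
    """Return one hit dict per log record whose value is in the feed."""
    hits = []
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue
        ts, src, kind, subkind, value = parts
        ioc_type = KIND_MAP.get((kind, subkind))
        if ioc_type is None:
            continue
        try:
            norm = normalize(ioc_type, value)
        except ValueError:
            continue  # malformed address: skip rather than crash the matcher
        feed = indicators[ioc_type]
        matched = domain_matches(norm, feed) if ioc_type == "domain" else norm in feed
        if matched:
            hits.append({"ts": ts, "src": src, "type": ioc_type, "value": norm})
    return hits


def hosts_by_indicator_type(hits):
    """Group hits per internal host. A host matching several indicator types
    (for example a listed C2 address *and* a listed certificate) is the one
    to triage first."""
    out = defaultdict(set)
    for h in hits:
        out[h["src"]].add(h["type"])
    return {src: sorted(types) for src, types in out.items()}


if __name__ == "__main__":
    for h in match_logs(SAMPLE_LOGS):
        print(h)
    print(hosts_by_indicator_type(match_logs(SAMPLE_LOGS)))
```

In practice the feed is loaded from the published appendix files and the records come from a SIEM; a lone MD5 match should be confirmed against a stronger hash or the sample itself, since MD5 collisions are practical.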

Russia, Israel, and France have also been named as engaging in similar activity, but China’s alleged activity outstrips theirs by far.

Chinese Foreign Ministry spokesman Hong Lei dismissed the Mandiant report’s accusations against China and said that China itself is a victim of countless cyberattacks: “to make groundless accusations based on some rough material is neither responsible nor professional.”

The full report from Mandiant can be found here (PDF), and the Appendix and 3,000+ APT1 Indicators can be found here (.zip).


[Source: www.hotforsecurity.com / www.securityweek.com / www.sans.org ]


MANAGED SERVICES

A (GRAPHICAL) WORLD OF BOTNETS AND CYBER ATTACKS

Today we live in a cyber world filled with botnets and digital attacks! In an attempt to better manage this malicious landscape an increasing number of security companies, public and private organisations are collecting data from their security endpoints or network devices. This is being sent to the cloud to be analysed by big data algorithms. The objective is to reduce the time slice between the release of a threat and the availability of an antidote.

The same data can also be used to build spectacular maps that show in real time the status of the internet, an impressive and worrisome spectacle! Here is a short list of a few companies providing services in this space:

HONEYMAP

Probably the most impressive: the HoneyMap shows a real-time visualisation of attacks detected by the Honeynet Project’s sensors deployed around the world. The map shows “automated scans and attacks originating from infected end-user computers or hijacked server systems”. This also means that an “attack” on the HoneyMap is not necessarily conducted by a single malicious person but rather by a computer worm or other forms of malicious programs. Please note that, as the creators of the Project declare, many red dots means there are many machines which are attacking our honeypots but this does not necessarily imply that those countries are “very active in the cyberwar”. Red markers on the map represent attackers, yellow markers are targets (honeypot sensors).

AKAMAI REAL-TIME WEB MONITOR

Akamai monitors global internet conditions around the clock. With this real-time data the company identifies the global regions with the greatest attack traffic, measuring attack traffic in real time across the internet with their diverse network deployments.

Data is collected on the number of connections that are attempted, the source IP address, the destination IP address and the source and destination ports in real time. The packets captured are generally from automated scanning trojans and worms looking to infect new computers scanning randomly generated IP addresses.

Values are measured in attacks per 24 hours (attacks/24hrs).
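As an added example (not code from Akamai, the Honeynet Project or any vendor listed here; the sensor records are constructed), the Python below turns raw connection records of the kind the Akamai entry describes (timestamp, source and destination address, destination port) into the per-source attacks/24hrs figure, and applies a simple heuristic for the HoneyMap caveat: a source hitting many distinct targets in a short window is scanner-like, as an infected machine or worm would be, rather than a person. The names SENSOR_RECORDS, parse_records, attacks_per_24h, classify_sources and report are hypothetical, as is the threshold of four distinct targets.

```python
"""Aggregate sensor connection records into 'attacks per 24 hours' per
source and separate scanner-like sources from focused ones.

Added example; not code from Akamai, the Honeynet Project or any other
vendor named on this page. The sensor records are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sensor records: timestamp, source ip, destination ip, destination port
SENSOR_RECORDS = """\
2013-03-04T00:10:00Z 203.0.113.5 198.51.100.1 445
2013-03-04T00:10:01Z 203.0.113.5 198.51.100.2 445
2013-03-04T00:10:02Z 203.0.113.5 198.51.100.3 445
2013-03-04T00:10:03Z 203.0.113.5 198.51.100.4 445
2013-03-04T00:10:04Z 203.0.113.5 198.51.100.5 445
2013-03-04T06:00:00Z 192.0.2.9 198.51.100.1 22
2013-03-04T06:00:30Z 192.0.2.9 198.51.100.1 22
2013-03-04T06:01:00Z 192.0.2.9 198.51.100.1 22
2013-03-05T01:00:00Z 203.0.113.5 198.51.100.6 445
"""

TS_FORMAT = "%Y-%m-%dT%H:%M:%SZ"


def parse_records(text):
    """One record per line; malformed lines are skipped, not fatal, because
    a sensor feed must never take the collector down."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4:
            continue
        try:
            ts = datetime.strptime(parts[0], TS_FORMAT)
            port = int(parts[3])
        except ValueError:
            continue
        rows.append((ts, parts[1], parts[2], port))
    return rows


def in_window(rows, window_end):
    """Records in the 24 hours ending at window_end (half-open interval)."""
    start = window_end - timedelta(hours=24)
    return [r for r in rows if start <= r[0] < window_end]


def attacks_per_24h(rows, window_end):
    """Connection attempts per source in the window: the attacks/24hrs value."""
    counts = defaultdict(int)
    for _, src, _, _ in in_window(rows, window_end):
        counts[src] += 1
    return dict(counts)


def classify_sources(rows, window_end, min_distinct_targets=4):
    """'scanner-like' when one source touches many distinct (host, port)
    targets, as a worm walking an address range does; 'focused' when it
    keeps returning to the same host. The threshold is a hypothetical choice."""
    targets = defaultdict(set)
    for _, src, dst, port in in_window(rows, window_end):
        targets[src].add((dst, port))
    return {src: ("scanner-like" if len(t) >= min_distinct_targets else "focused")
            for src, t in targets.items()}


def report(text, window_end_iso):
    """Raw text in, per-source summary out."""
    rows = parse_records(text)
    end = datetime.strptime(window_end_iso, TS_FORMAT)
    counts = attacks_per_24h(rows, end)
    labels = classify_sources(rows, end)
    return {src: {"attacks_24h": counts[src], "profile": labels[src]} for src in counts}


if __name__ == "__main__":
    print(report(SENSOR_RECORDS, "2013-03-05T00:00:00Z"))
```

A map built on these numbers plots the count per source (or per country after geolocation); the profile column is what keeps a wall of red dots from being read as a coordinated human campaign.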

SECURELIST STATISTICS (KASPERSKY LAB)

The information collected by Kaspersky Security Network is shown in the Securelist Statistics section. In the corresponding navigable map, the user can select Local Infections, Online Threats, Network Attacks and Vulnerabilities with Map, Diagrams or Ratings format in a time scale of 24 hours, one week or one month.

TREND MICRO GLOBAL BOTNET MAP

Because bots depend on their Command-and-Control (C&C) servers, the ability to rapidly identify and correlate bot activity is critical; Trend Micro continuously monitors malicious network activity to identify C&C servers. The real-time map indicates the locations of C&C servers and victimised computers that have been discovered in the previous six hours.

SHADOWSERVER

The Shadowserver Foundation, run by volunteer security professionals, gathers intelligence from the internet via honeyclients, honeypots and IDS/IPS systems. The maps are made by converting the IP addresses of the aggressor, the Command-and-Control server and the target of the DDoS attack into coordinates and placing those points on a map. The maps are updated once a day and are available for DDoS activity and Botnet C&Cs.

ARBOR’S THREAT LEVEL ANALYSIS SYSTEM (ATLAS)

Through its relationships with several worldwide service providers and global network operators, Arbor provides insight on global DDoS attack activity, Internet security and traffic trends. Their Global Activity Map shows data in terms of scan sources, attack sources, phishing websites, botnet IRC servers and fast flux bots.

Paolo Passeri - Hackmageddon.com


A Guide for CIOs, CFOs, and CISOs

CYBER CRIME AND CYBER WARFARE

THE PROBLEM

Enterprises and government agencies are under serious threat from cyber attacks today. Significant breaches that have made headlines in recent times, affecting high-profile organisations such as RSA, Global Payments, ADP, Symantec and the International Monetary Fund, to name a few, all point to the fact that traditional defences are no longer able to keep up with the rapidly evolving threat landscape. Indeed, the emergence of highly advanced malware such as Flame and Stuxnet has set an alarming new standard for the complexity and sophistication of the next generation of cyber attacks.

Fundamentally, these developments make clear that the cybercriminals, nation-states and ‘hacktivists’ behind these attacks are growing increasingly sophisticated and more effective in their efforts to steal sensitive data and sabotage networks. Leveraging dynamic malware, targeted spear-phishing emails, elaborate web attacks and a host of other tactics, these attackers are now adept at circumventing traditional security mechanisms such as firewalls, IPS, anti-virus (AV) and gateways. To assume that your organisation is immune is a dangerous and, in all likelihood, wholly inaccurate assumption. Ninety-five percent of organisations are routinely compromised, with the theft of intellectual property, customer records and other sensitive data increasingly common.

Indeed, a recent report from Gartner (2012) made the following statement: “There is widespread agreement that advanced attacks are bypassing our traditional signature-based security controls and persisting undetected on our systems for extended periods of time. The threat is real. You are compromised; you just don’t know it.”

Why, then, are today’s security defences failing? Organisations are all too often overly reliant on legacy security platforms based on defences that originated many years ago, using signature- and heuristics-based technology. These tools form a necessary front line in an organisation’s defence architecture, as they are good at blocking basic malware that is known and documented. However, as standalone systems they are simply inadequate, incapable of identifying today’s dynamic, multi-pronged cyber attacks, including advanced persistent threats (APTs), zero-day attacks and other advanced malware.

THE IMPACT

Most organisations are spending vast sums of money, perhaps 10-20 percent of their annual IT budget, on security, but it is simply not working. In addition, organisations need to consider these impacts to the business:

• Loss of competitiveness: When cybercriminals successfully circumvent defences, trade secrets, patents and customer records can all be exposed, significantly weakening an organisation’s competitive position.

• Compliance breaches: Organisations not protected from breaches are in serious jeopardy of being served substantial financial penalties, and also risk lost business and a host of other penalties as a result of failing to comply with regulatory requirements.

• Damaged reputation: Customer trust and market share are precious commodities. A significant breach hitting the headlines can erode these assets. Estimates from companies that have been breached of the resulting cost to their business run into the millions.

• Lost productivity: Security teams discovering breaches after the event will need time to handle the incident, shore up the vulnerability, assess where similar gaps may lie, rebuild corrupted systems, and so on. The time spent on these efforts adds to the total cost of a breach to an organisation.

THE SOLUTION

To combat the trends and risks outlined above, many organisations are adding a new layer of defence that complements their existing security technologies and enables security teams to spot and thwart advanced cyber attacks. With this added layer, security teams can detect in real time when code is truly malicious and has already slipped past the other existing defences.

Consider solutions that effectively detect and block the advanced cyber threats organisations face. Further, by automating advanced malware detection, security teams are freed from fire-fighting mode and able to deliver more tactical projects and generate significant operational savings.

PROTECTING DATA, INTELLECTUAL PROPERTY AND BRAND FROM CYBER ATTACKS

Hildburg Hofer, FireEye Product Manager at AxizWorkgroup

[Photo source: Brainstormmag]


WHY CYBERCRIME REMAINS BIG BUSINESS AND HOW TO STOP IT

Cybercrime is big business and it is growing in scope and impact. What may not be obvious to the casual observer is that cybercrime is growing in its magnitude and sophistication because of two key factors: the consumerisation of crimeware, and the adoption of time-tested business processes to enhance the profitability of crime syndicates worldwide.

The disturbing trend in cybercrime is the “enterprise-class” approach crime syndicates take to grow their businesses. Today’s syndicates employ hierarchies of participants with roles that mirror the executive suite, middle management and the rank and file. The executive suite oversees strategy and operations that initiate nefarious acts. Recruiters identify “infantry” that carry out large-scale attack schemes on a permanent hire or outsource (affiliate) basis. They also create and hand out malware and mould reward programs to pay affiliates once successful attacks are carried out.

UNDERSTANDING “CRIME-AS-A-SERVICE”

Given the ubiquitous adoption of cloud computing, social networking, BYOD and mobile communications, cybercriminals now have unprecedented reach across and into more organisations, databases, desktops and mobile devices than ever before. Infrastructure advances and the enormous number of avenues for attack are giving cybercriminals a smorgasbord of attack vectors to choose from.

To capitalise on these opportunities, cybercrime syndicates use recruiters to attract new “talent” via fully realised web portals, many of which protect themselves with disclaimers such as, “We do not allow spam or other illicit methods for machine infection.” This is a method of passing off legal responsibility to the hired “infantry” while providing the necessary malware needed to execute a full-fledged infection campaign.

FANNING THE FLAMES

The drivers of these constantly evolving tools are extensive R&D organisations that create custom-order code to produce private botnets, fake antivirus software and deployment systems. In turn, these are typically carried out for premeditated, targeted attacks known as Advanced Persistent Threats, or APTs. Another key contributor to the expanding influence of cybercrime is the hosting provider.

Simply put, criminals need somewhere to store attack content such as attack code, malware and stolen data. Taking a page out of Wall Street, crime syndicates are engaging in mergers and acquisitions to grow their botnets through the use of other organisations’ botnets. A recent example is Zeus and SpyEye. Zeus, circa 2007, peaked in 2010 as the most prolific banking crime kit around. The crimeware kit would create new versions of powerful malware capable of stealing banking credentials, as well as hijacking and manipulating secure online banking sessions.

A rival botnet known as SpyEye emerged in 2010 and tried to take over what was clearly a successful market. The competition hurt profits for both, so in late 2010, the two authors merged source code, retired Zeus support and passed the torch to SpyEye.

And with creative profit-sharing flair, crime syndicates are continuing to grow sophisticated pay-per-click/install/purchase affiliate programs to reward up and coming cybercriminal affiliates on a performance-based scale.

HOW TO STOP IT

Given this grim outlook, what successes are turning the tide? Several large-scale botnet takedowns showcase the advantages of working groups and task forces.

With the help of the Microsoft Digital Crimes Unit, the Kelihos botnet, rumoured to have as many as 40,000 bots, was taken offline in September 2011. This collaboration between Microsoft and the U.S. government led to the prosecution of Kelihos operators.

In January of this year, the large, Eastern European botnet Virut was taken down with the help of local CERT teams and partners. This particular botnet had control of close to 900,000 unique IP addresses in Poland alone and was thought to be the fifth most widespread threat in 2012. Virut was a widespread threat as early as 2008, as it had a unique hybrid capability that allowed it to spread through other botnets. In essence, it was using the competition to amplify its success. Since Virut code was complex and could embed itself in other infections, detection and take-down was difficult over a five year run.

Regrettably, these “stops” are a drop in the bucket. Kelihos, for example, came back in another form after being stopped. While dismantling a botnet’s command and control centre is optimal, another preventive strategy for clamping down on cybercrime is to vet domain registrations so that the domains a botnet needs are never created. A good case in point is the Conficker Working Group, which helped filter out domains before they could be registered in order to prevent the spread of that particular botnet.
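As an added example of the domain-vetting approach just described, not the Conficker Working Group’s tooling and not Conficker’s real algorithm, the Python below uses a made-up seeded domain-generation algorithm (hypothetical_dga, with hypothetical SEED, TLDS and LETTERS constants) to stand in for a DGA reverse-engineered from a malware sample, pre-computes the domains the bot will use over a coming period, and refuses registration requests for them. With a real DGA the workflow is the same: the generator is replaced by the reversed routine.

```python
"""Pre-compute the rendezvous domains a botnet's domain-generation
algorithm (DGA) will use and refuse registration requests for them.

Added example illustrating the domain-vetting approach in the article. It
is not the Conficker Working Group's tooling, and hypothetical_dga is NOT
Conficker's real algorithm: it is a made-up seeded generator standing in
for one reverse-engineered from a malware sample.
"""
import hashlib
from datetime import date, timedelta

# Hypothetical constants of the made-up bot. For a real DGA the seed and
# TLD list come out of reversing the sample.
SEED = b"example-bot-seed"
TLDS = ("com", "net", "org")
LETTERS = "abcdefghijklmnop"  # 16 letters, so each hex digit maps to one


def hypothetical_dga(day, count=10):
    """Domains the made-up bot tries on `day`. Each label is derived from
    SHA-256(seed || ISO date || index), mixing a hard-coded seed with the
    current date the way many real DGAs do, so a defender who knows the
    routine can compute the list ahead of the bots."""
    domains = []
    for i in range(count):
        digest = hashlib.sha256(SEED + day.isoformat().encode() + bytes([i])).hexdigest()
        label = "".join(LETTERS[int(c, 16)] for c in digest[:12])
        tld = TLDS[int(digest[12:14], 16) % len(TLDS)]
        domains.append(f"{label}.{tld}")
    return domains


def precompute_blocklist(start, days):
    """Every domain the bot will use from `start` for `days` days. A registry
    or working group reserves or blocks these before anyone can register
    them, so the bots' daily lookups resolve to nothing (or to a sinkhole)."""
    block = set()
    for offset in range(days):
        block.update(hypothetical_dga(start + timedelta(days=offset)))
    return block


def blocklist_for(start_iso, days):
    """Same as precompute_blocklist, taking the start date as 'YYYY-MM-DD'."""
    return precompute_blocklist(date.fromisoformat(start_iso), days)


def normalize_domain(name):
    """Case-fold and drop a trailing dot so 'ABCD.COM.' matches 'abcd.com';
    an exact-match list is useless without this step."""
    return name.strip().lower().rstrip(".")


def vet_registration(requested, blocklist):
    """Decide whether a registration request may proceed. Returns (allowed, reason)."""
    name = normalize_domain(requested)
    if name in blocklist:
        return False, "predicted botnet rendezvous domain"
    return True, "ok"


if __name__ == "__main__":
    block = blocklist_for("2013-01-01", 30)
    print(len(block), "domains to block; sample:", sorted(block)[:3])
    print(vet_registration(sorted(block)[0].upper() + ".", block))
    print(vet_registration("example.com", block))
```

The pre-computed list is what gets handed to registries and registrars; its size (domains per day times days of cover) is also the first estimate of how expensive the bot author has made the blocking effort.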

But the best approach to effectively fight cybercrime requires global participation. We need an international body that can mediate disputes and dispatch resources to share information about cybercrime trends. A central reporting and information sharing channel between the private and public sectors is also needed.

The best example of this kind of information sharing thus far is FIRST (Forum of Incident Response and Security Teams), circa 1990. When it comes to law enforcement, varying jurisdictions and laws complicate the prosecution of cybercriminals. FIRST helps address this problem through collaboration. Unfortunately, many attacks are handled outside this forum and ad-hoc crime fighting groups seem to pop up like a game of whack-a-mole.

It is apparent that the best way to take a chunk out of cybercrime is attacking its Achilles heel: going after the cash flow itself. The best targets would be affiliate programs, the cash cows that pay out commission and rewards to hired affiliates (“infantry”) who carry out malicious attacks. If the well dries up, so will the rest of the food chain.

So, where does this leave us? Practically speaking, the most effective way to secure a business from crimeware is from the inside out. Organisations need to take matters into their own hands to proactively prevent the spread of cybercrime among their employees, partners and customers.

What this amounts to is a highly layered security strategy consisting of vital elements that include intrusion prevention, botnet and application control, web filtering, antispam and antivirus. Companies must engage in regular accounting of digital assets and assessment of potential security flaws.

Organisations must aggressively educate users about security best practices while implementing enforceable mechanisms for security policy violations. They must also implement an incident response plan that answers “what happens if?” It is imperative for companies to work together with security experts in this highly dynamic threat landscape.

Through collaborative global efforts and organisational commitment to deploying aggressive multi-layered security policies, the cybercrime epidemic can eventually be contained.

Derek Manky Global security strategist for Fortinet.


CYBER FORENSICS AND INCIDENT MANAGEMENT

WHAT MAKES UP A COMPETENT DIGITAL FORENSICS PRACTITIONER?

As a digital forensic scientist within South Africa, an area that has been a cause for significant concern for me is that any person can simply state that they are a digital forensics practitioner, and realistically there is no way to objectively determine competency and skills in this highly specialised field. There is no professional board or body that one must belong to before they are allowed to practice as a digital forensics practitioner.

Could you imagine a situation where anyone who had an interest in medicine was simply allowed to practice as a medical doctor? It could be argued that doctors need to be well qualified and regulated because they often literally can make life or death decisions about their patients.

However, in my view this is no different to the digital forensic practitioner who stands up in court claiming a position of expertise and interprets evidence for a judge that may lead to a person being convicted. Getting it wrong can just as easily destroy a person’s life.

One merely has to do an internet search for computer forensics and digital forensics and a whole host of service providers are identified, many of which seem to offer digital forensics as an add-on service to some other service, such as forensic auditing or IT security.

Could you imagine making use of the services of a professional chef, who because they were good with a knife, dabbled in a little surgery on the side? You would never seek medical services from someone that was not a full-time and professional medical practitioner, so why would you make use of a part-time digital forensic practitioner?

Digital forensics is a highly technical forensic science involving the acquisition, examination and analysis of digital evidence for purposes of proving or disproving a legal issue. As a discipline, it combines elements of computer science, digital engineering, mathematics, statistics, investigation and criminalistics, and the law. It is for all intents and purposes a very distinct profession.

However, in the absence of professional regulatory bodies requiring the registration of digital forensic practitioners, how does one determine whether or not a digital forensics practitioner is competent and capable?

The problem is that many people are not in a position to realistically and objectively determine whether or not a digital forensic practitioner is competent and qualified to perform a digital forensics task, or even exactly what skills and knowledge a digital forensics practitioner should have, or even what their typical duties are.


THE CYBERSECURITY WORKFORCE FRAMEWORK

In the United States of America, the National Initiative for Cybersecurity Education is an initiative of the National Institute of Standards and Technology (NIST), and has developed a cybersecurity workforce framework, which includes skills and competencies which are required for various cybersecurity occupations and functions, one of which is digital forensics. The cybersecurity workforce framework can be found at http://csrc.nist.gov/nice/framework/

This framework is fairly comprehensive and well researched, and describes the typical tasks that a digital forensics practitioner would engage in, as well as the typical skills and knowledge that a digital forensic practitioner should have.

SOME OF THE KNOWLEDGE AND SKILLS THAT A DIGITAL FORENSIC PRACTITIONER SHOULD HAVE ARE

• Knowledge of concepts and practices of processing digital information

• Knowledge of critical protocols (e.g., IPSEC, AES, GRE, IKE, MD5, SHA, 3DES)

• Knowledge of cybercrime response and handling methodologies

• Knowledge of network architecture concepts including topology, protocols, and components

• Knowledge of data backup, types of backups (e.g., full, incremental), and recovery concepts and tools

• Knowledge of legal governance related to information security, computer monitoring, and collection

• Knowledge of server diagnostic tools and fault identification techniques

• Knowledge of system administration concepts for Unix/Linux and/or Windows operating systems

• Knowledge of basic physical computer components and architectures, including the functions of various components and peripherals (e.g., CPUs, Network Interface Cards, data storage)

• Knowledge of binary analysis

• Knowledge of file system implementations

• Knowledge of Forensic Chain of Evidence

• Knowledge of hacking methodologies in Windows or Unix/Linux environment

• Knowledge of substantive and procedural law dealing with cyber crime and digital evidence

• Knowledge of processes for packaging, transporting, and storage of electronic evidence to avoid alteration, loss, physical damage, or destruction of data

• Knowledge of types and collection of persistent data

• Knowledge of web mail collection, searching/analysing techniques, and cookies

• Knowledge of which system files (e.g., log files, registry files, configuration files) contain relevant information and where to find those system files

• Knowledge of types of digital forensics data and how to recognise them

• Knowledge of deployable forensics

• Knowledge of forensics in multiple operating system environments

• Knowledge of security event correlation tools

• Knowledge of legal governance related to admissibility (Criminal Procedure Act, Civil Proceedings and Evidence Act, Electronic Communications and Related Matters Act)

• Knowledge of electronic devices such as computer systems and their components, access control devices, digital cameras, handheld devices, electronic organisers, hard drives, memory cards, modems, network components, connectors, pagers, printers, removable storage devices, scanners, telephones, copiers, credit card skimmers, facsimile machines, global positioning systems, and other miscellaneous electronic items

• Knowledge of social dynamics of computer attackers in a global context

• Skill in analysing memory dumps to extract information

• Skill in identifying, modifying, and manipulating applicable system components (Windows and/or Unix/Linux) (e.g., passwords, user accounts, files)

• Skill in processing, packaging, transporting and storing electronic evidence to avoid alteration, loss, physical damage, or destruction of data

• Skill in setting up a forensic workstation

• Skill in using digital forensic tools (hardware and software)

• Skill in using virtual machines

• Skill in disassembling PCs

• Ability to decrypt digital data collections

• Skill in seizing and preserving digital evidence

• Skill in finding and extracting information of evidentiary value

• Skill in using scientific rules and methods to solve problems
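As an added example for the chain-of-evidence and evidence-preservation items in the list above (not code from the framework, SANS or the author; the image is a constructed byte string and names such as CustodyLog, hash_image and record are hypothetical), the Python below hashes an acquired image and keeps a custody log whose entries commit to one another, so that a later verification detects both an altered image and an edited or removed log entry.

```python
"""Hash an acquired evidence image and keep a chain-of-custody record whose
entries can be re-verified later.

Added example for the 'Forensic Chain of Evidence' and 'preserving digital
evidence' skills listed in the article; not code from the NICE framework,
SANS or the author. The image is a constructed byte string standing in for
a disk image, and the class and function names are hypothetical.
"""
import hashlib
import json
from datetime import datetime, timezone

GENESIS = "0" * 64  # prev-hash recorded by the first custody entry


def hash_image(data):
    """MD5 and SHA-256 of the image. Both are recorded because many legacy
    tools and older reports quote MD5, while a report going to court should
    rest on SHA-256 (MD5 collisions are practical)."""
    return {"md5": hashlib.md5(data).hexdigest(),
            "sha256": hashlib.sha256(data).hexdigest()}


def _entry_digest(entry):
    """Digest of an entry's fields over a canonical JSON encoding, so the
    same fields always hash the same way regardless of dict order."""
    body = {k: v for k, v in entry.items() if k != "entry_sha256"}
    return hashlib.sha256(json.dumps(body, sort_keys=True).encode()).hexdigest()


class CustodyLog:
    """Append-only custody record for one evidence item."""

    def __init__(self, case_id, item_id):
        self.case_id = case_id
        self.item_id = item_id
        self.entries = []

    def record(self, action, examiner, data, when=None):
        """Log who did what, when, and the item's hashes at that moment.
        `when` is an ISO-8601 string (defaults to now, UTC). Each entry also
        commits to the previous entry's digest, so editing or removing an
        earlier entry is detectable."""
        entry = {
            "case_id": self.case_id,
            "item_id": self.item_id,
            "action": action,
            "examiner": examiner,
            "when": when if when is not None else datetime.now(timezone.utc).isoformat(),
            "hashes": hash_image(data),
            "prev_entry_sha256": self.entries[-1]["entry_sha256"] if self.entries else GENESIS,
        }
        entry["entry_sha256"] = _entry_digest(entry)
        self.entries.append(entry)
        return entry

    def verify(self, data):
        """Check that (1) every entry still hashes to its recorded digest,
        (2) the entries chain together, and (3) the item in hand still
        matches the hashes taken at acquisition. Returns (ok, problems)."""
        problems = []
        prev = GENESIS
        for i, e in enumerate(self.entries):
            if _entry_digest(e) != e["entry_sha256"]:
                problems.append(f"entry {i} altered")
            if e["prev_entry_sha256"] != prev:
                problems.append(f"entry {i} does not chain to entry {i - 1}")
            prev = e["entry_sha256"]
        if self.entries and hash_image(data) != self.entries[0]["hashes"]:
            problems.append("item hashes differ from acquisition hashes")
        return (not problems, problems)


if __name__ == "__main__":
    image = bytes(4096) + b"constructed evidence image"  # stands in for a disk image
    log = CustodyLog("CASE-0001", "HDD-01")
    log.record("acquired", "examiner A", image, when="2013-03-01T09:00:00+00:00")
    log.record("transferred to lab", "examiner B", image, when="2013-03-01T12:30:00+00:00")
    print(log.verify(image))
    print(log.verify(image + b"\x01"))  # a changed image fails verification
```

The acquisition hashes are what the examiner quotes in the report and what opposing counsel can recompute from the exhibit; the linked entries are the part that a paper custody form cannot give you.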


If a digital forensic practitioner possesses the knowledge and skills contained within the digital forensics domain of the framework, then they could be said to be a competent digital forensic examiner. The problem is how one can objectively determine whether or not a digital forensic examiner is actually competent.

CERTIFICATIONS AS A MEANS OF DEMONSTRATING COMPETENCY IN DIGITAL FORENSICS

Certifications have become a common method within the field of computer science and information technology to demonstrate competency in various information technology domains. Within the field of digital forensics a number of certification programs are available.

Two of these certification programs are of particular interest, as together they are aligned to the digital forensics domain of the Cybersecurity Workforce Framework. These are the Global Information Assurance Certification (GIAC) Certified Forensic Examiner (GCFE) and Certified Forensic Analyst (GCFA) certifications, offered through the SANS Institute.

THE GCFE CERTIFICATION TESTS COMPETENCY IN THE FOLLOWING AREAS OF DIGITAL FORENSIC PRACTICE

• Digital forensics fundamentals

• Digital evidence acquisition

• Computer system and device profiling and analysis

• File and program activity analysis

• Log file analysis

• E-mail and communication analysis

• Internet browser forensic analysis

THE GCFA CERTIFICATION TESTS COMPETENCY IN THE FOLLOWING AREAS OF DIGITAL FORENSIC PRACTICE

• Digital forensics investigation methodologies

• Digital forensics and incident response

• Acquiring and analysing volatile data

• Intrusion analysis

• Operating systems and file system analysis

• Data layer examination and analysis

• Metadata and file name layer examination and analysis

• Timeline analysis

A digital forensics practitioner that has earned both the GCFE and GCFA certification has demonstrated that they satisfy the requirements of the digital forensics domain of the Cybersecurity Workforce Framework. In other words, a digital forensics practitioner that has achieved both the GCFE and GCFA can objectively be considered to be competent as a digital forensics practitioner.

This is not to say that a digital forensics practitioner who lacks both the GCFE and GCFA is not competent, merely that it is more difficult for a person who is not an experienced digital forensics practitioner to determine whether or not they are competent examiners against objective criteria.


THE WAY FORWARD

With digital forensics being “sexy” at the moment, and with no formal regulation of the profession, there is a real risk of engaging the services of a person who is not really competent in this field.


Jason Jordaan - Head at Cyber Forensic Laboratory Special Investigating Unit


This carries several risks, the least of which is losing a case in court, and the worst of which is facing potential criminal or civil action as a result of the digital forensic practitioner's actions.

The best way to mitigate these risks going forward is to make use of an objective measure of competency, such as the Cybersecurity Workforce Framework and the certifications that are aligned to it.

ABOUT THE AUTHOR

• Jason Jordaan is head of the Cyber Forensic Laboratory of the Special Investigating Unit in South Africa
• He is a practicing digital forensic scientist, academic, and researcher
• He has earned MTech (Forensic Investigation), BComHons (Information Systems), BSc (CJ Computer Science) and BTech (Policing) degrees
• He is a Certified Forensic Computer Examiner, a Certified Fraud Examiner and a Professional Member of the Computer Society of South Africa


AWARENESS

SOCIAL NETWORKING SAFELY

Social networking sites such as Facebook, Twitter, Google+, Pinterest and LinkedIn are powerful, allowing you to meet, interact and share with people around the world. However, with all these capabilities come risks; not just to you, but to your family, friends and employer. In this article we will discuss what these dangers are and how to use these sites more safely.

PRIVACY

A common concern about social networking sites is privacy: protecting your personal information and the sensitive information of others.

POTENTIAL DANGERS INCLUDE:

Impacting Your Future
Many organisations search social networking sites as part of background checks. Embarrassing or incriminating posts, no matter how old, can prevent you from getting hired or promoted. In addition, many universities conduct similar checks for new student applications. Privacy options may not protect you, as these organisations can ask you to “Like” or join their pages prior to the application process.

Attacks Against You
Cyber criminals can harvest your personal information and use it for attacks against you. For example, they can use your information to guess the answers to your “secret questions” to reset your online passwords, create targeted email attacks called spear phishing, or apply for a credit card using your name. In addition, these attacks can spill into the physical world, such as identifying where you work or live.

Harming Your Employer
Criminals or competitors can use any sensitive information you post about your organisation against your employer. In addition, your posts can potentially cause reputational harm for your organisation. Be sure to check your organisation’s policies before posting anything about your employer.

SOUND ADVICE

The best protection is to limit the information you post. Yes, privacy options can provide some protection; however, keep in mind that privacy options are often confusing and can change frequently without you knowing.

What you thought was private could become public for a variety of reasons. In addition, the privacy of your information is only as secure as the people you share it with. The more friends or contacts you share private information with, the more likely that information will become public.

Ultimately, the best way to protect your privacy is to follow this rule: if you do not want your mother or boss to see your post, you most likely should not post it.

Also be aware of what information friends are posting about you. It can be just as damaging if they post private information or embarrassing photos of you. Make sure your friends understand what they can or cannot post about you. If they post something you are not comfortable with, ask them to take it down. At the same time, be respectful of what you post about others.

SECURITY

In addition to privacy concerns, social networking sites can be used by cyber criminals to attack you or your devices. Here are some steps to protect yourself:

Login
Protect your social networking account with a strong password and do not share this password with anyone or re-use it for other sites. In addition, some social networking sites support stronger authentication, such as two-step verification. Enable stronger authentication methods whenever possible.

Encryption
Many social networking sites allow you to use encryption called HTTPS to secure your connection to the site. Some sites like Twitter and Google+ have this enabled by default, while other sites require you to manually enable HTTPS via account settings. Whenever possible, use HTTPS.

Email
Be suspicious of emails that claim to come from a social networking site; these can easily be spoofed attacks sent by cyber criminals. The safest way to respond to such messages is to log in to the website directly, perhaps from a saved bookmark, and check any messages or notifications using the website.

“Social networking sites are powerful and fun, but be careful what you post and whom you trust.”

[Source: OUCH Awareness Newsletter http://www.securingthuman.org]

Ted Demopoulos - SANS Certified Instructor


HOW TO MEASURE DEVELOPER SECURITY KNOWLEDGE

Aspect Security launches free analytics tool to determine strengths and weaknesses

Aspect Security has launched a free baseline knowledge tool that claims to produce an accurate assessment of a development team’s knowledge of application security. Secure Coder Analytics can be accessed online to determine the skill set and level of a group of developers or individuals.

“How do you know what you don’t know? That’s the challenge facing development teams that want to develop secure code. There’s no shame in not knowing all of the tricky aspects of application security, and now you can find out where your gaps are,” said Jeff Williams, CEO of Aspect Security.

Williams is also co-founder of the Open Web Application Security Project (OWASP), and he contends his firm’s Secure Coder Analytics takes a developer approximately 20 minutes to complete and tests knowledge in various security areas via a multiple-choice assessment.

Questions are randomised from what is said to be an “extensive” pool of questions. Managers of development teams can set up their own tests and invite developers to participate anonymously. After participating, each developer sees their own grade and managers can see aggregate scores that reveal the strengths and weaknesses of the team as a whole.

Aspect Security’s eLearning curriculum features 53 learning modules at three different levels of technical depth. The company says that its eLearning solution is in use by developers worldwide at many corporate entities, including giants in the financial, shipping and logistics, and airline industries, as well as government agencies.


LOCAL TRAINING AND EVENTS

As the frequency and ferocity of cyber attacks increase worldwide, most African businesses are significantly unprepared to effectively detect, prevent or respond to a major cyber breach.

Training from the SANS Institute equips your teams with the necessary skills to fight back. We are pleased to return to Johannesburg from May 9th to the 25th to bring you SANS South Africa 2013. We are introducing three new bootcamp courses in forensics, information security and audit, in addition to a new two-day course on mobile security.

Don’t miss this opportunity to upgrade your skills, work toward your GIAC Certification, and network with other top information security professionals.

JOIN US IN MAY IN JOHANNESBURG, SOUTH AFRICA FOR THE LARGEST SANS INFORMATION SECURITY AND FORENSICS TRAINING EVENT EVER HELD ON THE AFRICAN CONTINENT!

9-10 May (run in partnership with the ITWeb Security Summit 2013 conference, http://www.securitysummit.co.za/):
• SEC440: 20 Critical Security Controls - Planning, Implementing and Auditing, taught by Ted Demopoulos
• SEC571 (NEW): Mobile Device Security

13-18 May (http://www.sans.org/event/south-africa-may-2013):
• FOR408: Computer Forensic Investigations - Windows In-Depth, taught by Jess Garcia
• SEC401: Security Essentials Bootcamp Style, taught by Ted Demopoulos

20-25 May (http://www.sans.org/event/south-africa-may-2013):
• FOR508 (NEW): Advanced Computer Forensic Analysis and Incident Response, taught by Jess Garcia

For information on government or team discount eligibility please contact our African Director Craig Rosewarne at [email protected]

BOOK NOW


Attend the eighth annual ITWeb Security Summit, where you will be briefed on how to improve your infosec strategy and tactics.

REASONS WHY THIS IS A MUST-ATTEND EVENT:
1. Must-hear keynotes by Misha Glenny, investigative journalist and leading expert on cyber crime, and Richard Bejtlich, chief security officer, MANDIANT
2. Sought-after SANS training: 20 Critical Security Controls: Planning, Implementing and Auditing, and Mobile Device Security
3. Thirty-four conference sessions with key insights from leading international and local infosec experts
4. Three practical workshops to equip you for the challenges you face
5. An extensive expo area with leading solutions providers
6. Unparalleled networking opportunities with business matchmaking

Make sure you attend the annual gathering of information security experts and professionals.

Contact Maggie Pienaar on 011 807 3294 or [email protected].

www.securitysummit.co.za #ITWebSec

Thanks to our sponsors.

ARE YOU PREPARED FOR ONGOING INFOSEC THREATS?

BOOK YOUR SEAT TODAY!


OF INTEREST: PRIVACY PROTECTION GLASSES

It’s no secret that facial recognition technologies are becoming increasingly common, with applications ranging from security to targeted marketing. For those uncomfortable with the idea of a world without anonymity, however, two Japanese professors have invented privacy-protecting glasses designed specifically to thwart such facial recognition attempts.

Developed by Isao Echizen of Japan’s National Institute of Informatics and Seiichi Gohshi of Kogakuin University, the new glasses incorporate a near-infrared light source that affects only the camera and not people’s vision.

So, to people nearby the glasses look like a simple pair of goggles; to cameras, however, the rays emitted by the built-in near-infrared LEDs appear as visual “noise” in the camera’s imaging device.

“Because this noise appended to the facial image causes a considerable change in the amount of features that is referenced at facial detection, facial detection is misjudged and recognition of people’s faces is prevented,” explain the inventors, who also anticipate applications for their technology in preventing similar invasions of privacy via augmented reality apps.

Style improvements are currently in the works for these privacy-protecting goggles, which are still in prototype form. Ultimately, pricing is expected to be about USD 1 per pair, according to a Slate report. Tech-minded entrepreneurs: one to help commercialise?

[Website: www.nii.ac.jp/userimg/press_details_20121212.pdf]
