Page 1: Understanding and preventing cyber crime and its impact on your organisation

Understanding and preventing cyber crime and its impact on your organisation

Adv Jacqueline Fick, PwC

16 November 2010

www.pwc.com

Page 2

Contents

1. Understanding the origins and characteristics of South Africa’s most prevalent cyber crime categories.

2. Exploring the five pillars of information assurance and the Electronic Communications and Transactions Act, 2002.

3. Defining and implementing a defence-in-depth strategy in your organisation.

4. The layered defence approach for dealing with cyber crime in your organisation.

5. The value of good information governance.

Understanding and preventing cybercrime and its impact on your organisation

2

16 November 2010

Page 3

Understanding the origins and characteristics of South Africa’s most prevalent cyber crime categories

Cyber crime defined

• “…computer crime encompasses the use of a computer as a tool in the perpetration of a crime, as well as situations in which there has been unauthorised access to the victim’s computer, or data. Computer crime also extends to physical attacks on the computer and/or related equipment as well as illegal use of credit cards and violations of automated teller machines, including electronic fund transfer thefts and the counterfeit of hardware and software.” (Credo and Michels)

• “…computer crime covers all sets of circumstances where electronic data processing forms the means for the commission and/or the object of an offence and represents the basis for the suspicion that an offence has been committed.” (Van der Merwe)


Page 4

Cyber crime defined (cont.)

• Move in South African law to the use of the term cyber crime, which is wide enough to encompass all illegal activities in respect of computers, information networks and cyberspace.

• Watney uses the term cyber crime and defines it as all illegal activities pertaining to a computer system, irrespective of whether the computer is the object of the crime or the instrument with which the crime is committed.

• Can be described as crimes that are related to a computer and crimes committed using a computer, e.g. hacking, or where information about a crime was stored on a computer.

• ‘Access’ includes the actions of a person who, after taking note of any data, becomes aware of the fact that he or she is not authorised to access that data and still continues to access that data (ECT Act).


Page 5

Types of cyber crime in South Africa

• Unauthorised access (s86(1))

• Unauthorised modification of data and various forms of malicious code (s86(2))

• Denial of service attacks (s86(5))

• Devices used to gain unauthorised access to data (s86(4))

• Computer-related extortion, fraud and forgery (s87)

• Child pornography, cyber obscenity and cyber stalking

• Copyright infringement

• Industrial espionage

• Piracy

• Online gambling

Page 6

What statistics show

RSA Online Fraud Reports show that South Africa does not fall within the top ten countries hosting phishing attacks, but features high on the list of top ten countries by attack volume:

• In August 2010 South Africa endured 9 % of the world’s phishing attacks by volume.

• In September 2010 attacks by volume increased to 20 %.

• In October 2010 attacks increased to 21 %.


Page 7

What statistics show: Phishing attacks

[Chart: phishing attacks by country and attack volume, three panels for August 2010, September 2010 and October 2010. Source: RSA Anti-Fraud Command Centre, RSA Online Fraud Reports for August, September and October 2010.]

Page 8

The world of cyber crime

• An underground cybercrime economy and cyber black market exists where the cybercriminal can buy, sell, barter or trade criminal skills, tools and your private information; you can buy IDs, credit cards and botnet kits.

• Cybercriminals are now less hackers and more like offline crime syndicates, such as the Mafia or urban gangs.

• One can buy a keystroke logger for about $23 or pay $10 to have someone host a phishing scam, pick up a botnet for just $225, or get a tool that exploits a vulnerability on a banking site for $740 to $3 000. (Cybercrime Exposed, Marian Merritt)

• What happened in South Africa…

• “It’s grown to become a flourishing industry with international syndicates, just like the Mafia” (Pres Jacob Zuma)


Page 9

Information Assurance


Page 10

Definitions

• The practice of managing information-related risks.

• Seeks to protect and defend information and information systems by ensuring confidentiality, integrity, authentication, availability and non-repudiation (the five pillars of Information Assurance) (Wikipedia).

• The process of ensuring that the right users have access to the right information at the right time.

• An umbrella concept bringing together issues of information security and dependability. It must always be borne in mind that “absolute security” is an unachievable goal.

• Information Assurance proposes providing organisations with an acceptable level of assurance that even when there are attempts to interfere with the security, availability and reliability of networks and systems, there will still be an acceptable level of functionality.


Page 11

Five pillars make up a specific information assurance strategy that ensures the highest level of success for organisations that apply it to their daily operations. Information Assurance focuses on:

• Access controls (physical and logical)

• Individual Accountability

• Audit trails

[Diagram: Information Assurance at the centre, surrounded by its five pillars: Authenticity, Non-repudiation, Confidentiality, Availability and Integrity.]

Page 12

Defence in Depth strategy

Strategy that can be implemented to achieve Information Assurance in today’s highly networked environments (NSA). Also defined as systematic security management of people, processes and technologies in a holistic risk-management approach (TISN):

• “Best practices” strategy in that it relies on the intelligent application of techniques and technologies.

• Based on balancing protection capability and cost, performance and operational considerations.

• Delivers:

- Effective risk-based decisions;

- Enhanced operational effectiveness;

- Reduced overall cost and risk; and

- Improved information security.

Page 13

Threats

To protect an organisation’s information and information systems against cyber attacks, it is necessary to determine who the enemy is, why they would want to launch an attack and how they would attack the organisation. Threats can be internal or external and can result from intentional or unintentional actions.


People

• Disgruntled employees

• Financially troubled employees

• Corporate espionage

• Uneducated/uninformed users

Trading Partners

• Business partners with poor data security

• Physical access to shared systems

• Misunderstanding of allowed access

• Competitive environment

External Threats

• Hackers

• Organised crime

• Changes in regulatory framework

Technological Innovation

• Faster networks

• More storage in smaller devices

• Technological convergence

• Increasingly mobile workforce

Page 14

Achieving Information Assurance requires a balanced focus on:

• People

• Processes

• Technology

• Governance

[Diagram: Information Assurance supported by People, Processes/Operations, Technology and Governance, bound together by the Defence in Depth Strategy.]

Page 15

Implementing a Defence in Depth strategy

• Requires a shift in paradigm: IT security/Information Assurance cannot be viewed as stand-alone issues, but must become part of business planning, overall strategy, governance and operations.

• Reasons for implementing strategy:

- Expanding organisational boundaries.

- Mobile workforce.

- Decentralisation of services.

- Increasing value of information.


Page 16

Layered defence/controls

• The most effective way to secure information within modern-day parameters is to implement different layers of control as part of a Defence in Depth strategy (Murali 2007). Controls include both technical and process control mechanisms.

[Diagram: concentric layers of control around Information, from the outside in: Physical Security, OS Security, Network Security, Database Security, Application Security, User Security.]

Page 17

Practical guidelines for maintaining and improving on the strategy

• Know and understand your organisation.

• Define security roles and responsibilities: security is everyone’s concern but assign ownership to specific individuals with the necessary levels of authority and accountability.

• Adopt appropriate policies and procedures and update regularly.

• Continuous auditing and assessment of processes.

• Stay up to date.

• Effective public-private partnerships.


Page 18

Information Governance


Page 19

Information Governance defined

• King III: … an emerging discipline with an evolving definition.

• Wikipedia: … a set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information on all media in such a way that it supports the organisation’s immediate and future regulatory, legal, risk, environmental and operational requirements.

• …an enterprise-wide strategy and framework that establishes the policies, responsibilities and decision-making processes controlling the use of information owned, or accessed, by a business. The goal should be to balance risk avoidance, cost reduction and increased business value. Information Governance should also be structured in such a way as to adapt easily to organisational demands and changes in technology, and be flexible enough to provide for new information.


Page 20

Importance of Information Governance

• IT is the foundation on which we operate our businesses.

• Information is fast becoming the most valuable asset an organisation has.

• The value of information has also led to businesses focusing more on the information or data they host, process or use than on the technology employed to perform these functions.

• Need for risk management.

• The IT risk environment is influenced by both internal and external factors, and measures must be put in place to ensure the protection, confidentiality, availability and authenticity of information, to govern the use of external service providers to host/process data, to regulate access to company networks from remote locations and to be sensitive to the threat of cyber attacks.


Page 21

Closing remarks

• Effectively and efficiently addressing cyber crime requires a shift in paradigm.

• Protect information as a valuable asset.

• Pro-active vs re-active approach: prevention is better than prosecution.

• Don’t just throw money at IT.

• Understand your organisation, your data and the value of IT.

• Have appropriate policies and enforcement monitoring in place.

• The value of intelligence and integrated systems in the prevention of cyber crime.

• Commitment from senior management (Board).


Page 22

It is widely accepted that in today’s technology-driven environment, information is worth a king’s ransom; successful businesses know how to protect and capitalise on it. Information is fast becoming the biggest contributor to the bottom line and an asset that should be jealously guarded with the same vigour as financial assets. The best of the best employ information technology (IT) and information resources to create competitive advantage and ensure the good governance thereof.

Thank you

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PricewaterhouseCoopers Inc, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2010 PricewaterhouseCoopers (“PwC”), a South African firm. PwC is part of the PricewaterhouseCoopers International Limited (“PwCIL”) network that consists of separate and independent legal entities that do not act as agents of PwCIL or any other member firm, nor is PwCIL or the separate firms responsible or liable for the acts or omissions of each other in any way. No portion of this document may be reproduced by any process without the written permission of PwC.