Every moment of every day, we remain connected to the digital world through multiple devices and the sharing of our transactional and personal information across multitudes of applications, connected networks, online businesses and all manners of service providers. Please take a moment and let that sink in, take a moment to think about the sheer volume of your personally identifiable information is actually outside of your control and where and how much might be analysed continuously by hordes of Bots, AI and good and evil Research Analyst types? What is known about you and your activities and what safeguards are followed throughout? Like your daily tracking of your banking payments and incomes, no-one I know is completely aware or recalls every time their digital persona such as Current Address, Physical location, Username, E-mail and associated passwords, ID numbers or payment mechanisms like PayPal, bitcoin or credit card details are accessed or used in order to secure a payment or verify access or authorisation to one of their many accounts. In the world that we find ourselves ,we are the digital subject of much digital foot printing and the digital trail in every activity we do. As we are the owners of this digital fingerprint, the question: for what purpose is this data collected, shared and used, and do we have solid understanding of this usage and most importantly have we provided ongoing consent based of this ongoing usage. Do you know what your recourse is if you feel violated or “knock on wood”, you are a victim or source of another massive data breach?

Insider threat visibility and detailed linkage to external threat detection and response is key – chat to us we can help; with this in mind, enjoy our roundup of stories for this week…

Your legal rights when your personal data gets leaked in South Africa

In a developing story iAfrikan.com will be updating us as new information and responses are available. they have already alerted South Africa's Hawks (cybercrime unit) as well as South Africa's Information Regulator on your behalf, if you are part of the breach.

In a recent article published on iAfrikan.com, another breach has occurred, this time South African traffic fines online payments website, ViewFines. In this breach, the personal records of 934,000 South African licensed drivers has been disclosed. Enter Troy Hunt, an Australian security consultant and founder of haveibeenpwned who worked with iAfrikan.com in researching the data leak, and has also been able to positively identify the leaked database as belonging to ViewFines.

Your legal rights when your personal data gets leaked in South Africa |  BusinessTech
South Africa's ViewFines suffered major data leak |  Tefo Mohapi

The Dream of A More Secure Organization

There’s no way of completely ridding your enterprise of all risk. This realization can be an effective motivation to take appropriate measures to dramatically reduce your chances of a leak.
Use this motivation to provide focus and direction and address your risky behaviours and areas of current incidents as priority that may buy you valuable credibility and organisational currency by integrating these recommendations into your security strategy, you just might be able to add a few more hours of peaceful sleep to your nightly routine. The key is to take proactive steps before it’s too late. Sleep Well.

• Assume the Worst
  When it comes to storing credentials, assume that your user database will be accessed and copied by criminals. It’s better to go into this with your eyes wide open.
• Store Credentials the Right Way
  Recommend all credentials be stored by your corporate and customer facing applications using a strong cryptographic hashing algorithm like bcrypt, Argon2 or scrypt. If you mandate this across the board, you will make potentially leaked credentials nearly useless to criminals. The computational requirement make it infeasible to crack these algorithms (today), therefore any of these hashed passwords that are stolen cannot easily be decrypted and used against your customers, limiting your overall liability.
• Don’t Store Credentials the Wrong Way
  The worst way to store credentials is to use SHA1 or MD5, even with salts. Don’t be fooled by their commonality. They are easily cracked and your customers’ passwords will be revealed in plaintext. Once in plaintext, the criminals have free reign to use and sell them at will, opening up risk to both your organization and your customers.
• Transform Bad to Good
  Do a thorough scan of your credential stores. If you find any that use SHA1 or MD5, begin to migrate users to one of the stronger hashing algorithms we mentioned earlier. It’s worth the exercise to ensure all of your organization’s credentials are being stored securely and cannot be cracked.
• Enable Multi-Factor Authentication
  Multi-factor Authentication (MFA) adds another layer of security between your customers’ credentials and the criminals, often squeezing out the less sophisticated and more numerous criminals. While this extra step boosts protection, it could also be perceived as friction for users to log in. Therefore, incentivize customers to implement MFA.
• Use An Exact Match Solution
  The majority of criminals looking to find vulnerable accounts are relatively inexperienced and make use of simple ATO techniques that can be easily recognized by a variety of solutions. The more sophisticated criminals, however, know how to bypass MFA and other detection solutions. To block both kinds of criminals, use an exact match solution that compares your customers’ passwords to a comprehensive and current database of compromised accounts to see if there’s a match. When there is a match, a password reset is automatically enforced.
• Promote The Use of a Password Manager
  Take the hassle out of remembering multiple passwords by championing password managers. Password Managers are effective tools to reduce the threat of employees or customers reusing passwords. They make it much easier to select unique strong passwords for every account. While password managers greatly reduce the potential for ATO via password reuse, they should be implemented in conjunction with the other recommendations above.

What we do in the shadows - Dark Networks?

Not all dark web data is the same. There are three distinct communities of actors and special-access sites: low-tier underground forums, higher-tier dark web forums, and dark web markets. These three clusters line up with expert intuition of the dark web, appearing almost as if no other sensible organisation is feasible. Notable discovery of cross-posting between low-tier and higher-tier forums and the results of this Recorded Future research are directly reflected in their product and ontology. This new approach to categorization assists security teams in obtaining targeted, relevant dark web intelligence, facilitates their understanding of threats, and opens a window into the methods, tactics, and motivations of threat actors.

Dark networks : Social network analysis of dark web communities| Adrian Tirados

This past week, has been quite an interesting one, While reviewing our weekly Cyberthreat reports, what continues to strike me; again and again; is the infinite depths to which people will go to prove that there is no such thing a common sense and that Stupidity Reigns Supreme:

Case in point, unauthorised or personal cloud sharing services is a great way to ‘enable’ customer personal information with third parties to process claims, without any kind of limitation on the access, duration and whom the access is provisioned for; so here we go again, doing all the technical stuff preventing the scary hacker guys from destroying reputations only to undone by users that are trying to get their jobs done and being innovate in the process.

Visibility, awareness with positive behaviour nurturing, is the only way to keep out of this dangerous maelstrom, take it from me.

With this in mind, enjoy our roundup of stories for this week…

World Password Day?

Every First Thursday of May is World Password Day. Mark Burnett, Security researcher, whom first encouraged people to have a “password day,” where they’d update important passwords in his 2005 book Perfect Passwords. Inspired by this, Intel Security built upon this idea and to declare the first Thursday in May World Password Day in May 2013.
Password Day is meant to create awareness of the need for good password security.

Fast Forward to Last week when twitter decided to upstage all by notifying all 300 million twitter users to change passwords after the plaintext password debacle.

Twitter CTO: “We didn’t have to” tell users about the password debacle |  Fast Company

Opportunity for Managed Services: InfoSec

Trying to implement a security program that focusses purely on controls, invariably, fails. Focus purely given to point solutions like firewalls and antivirus just aren’t enough to protect a company from a devastating hack. While it’s usually the big companies that make the headlines, the reality is every organization is a target, regardless of size. In fact, cyber-attacks are on the rise for small and midsize businesses, which is logical since most lack the essential security resources or controls necessary to mitigate risk - in fact, 61% of data breach victims were small & mid-size companies in 2016 (2017 Verizon Data Breach Report). The most disturbing fact is that the majority of small businesses that are breached are forced to close their doors within six months later (US National Cyber Security Alliance).

We have been in consultation with many industry players and the most common issues that customers face are:

1. Where and How to Start
2. What to Fix First and why
3. Insufficient personal
4. Insufficient budget
5. Lack of understanding how to defend against cyber-attacks
6. Insufficient enabling security technologies
7. Lack of in-house expertise

Opportunity for Managed Services: InfoSec | Mke Lapeters
The Need for Greater Focus on the Cybersecurity Challenges Facing Small and Midsize Businesses | Commissioner Luis A. Aguilar

POPIA and GDPR (My attempt and Take)

Recently a good friend of mine and a customer asked me to give advice on whether they were on the right track in terms of POPIA and GDPR; this is the long version response I had for them:

As Regulations continue to change, there are principles; that you should adopt as you may or may not be a listed Company, some are but not limited to:
Follow the KING adopt the KING Code of Practice III / IV, look and understand the Laws of the land of South Africa; e.g. POPIA, The Electronic Communications and Transactions Act and the Consumer Protection Act etc. etc. etc.

For Example: Section 19 of POPIA places an obligation on a responsible party to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss, damage to, or unauthorised destruction of; and unlawful access to, personal information.

To comply with this obligation, the responsible party must take reasonable measures to:

Identify all reasonably foreseeable internal and external risks to personal information under its control;

• establish and maintain appropriate safeguards against the risks identified;
• regularly verify that the safeguards are effectively implemented; and
• ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

In a nutshell GDPR vs. POPIA:

The good news is that the GDPR and POPIA are simply different flavours of data protection laws. They are actually quite similar to each other. Obviously, when South African enacted POPIA, South Africa did not know what the GDPR would look like. The concern was that the GDPR would be radically different from POPIA and it would mean that Parliament would need to change POPIA significantly.
The GDPR is more an update to data protection law, rather than a complete overhaul. There is much debate whether this is a good thing and whether the GDPR protects data privacy in the world we live in.

But for those who have already done much to comply with POPIA, it is good news. You won’t need to start again. But you will need to tweak what you have been doing. And in some cases, the GDPR will even help you by providing answers to questions we have been asking.

Follow these principles and you should be fine:

EXECUTIVE AWARENESS

GDPR/POPIA affects your business. It’s not simply a security issue. If your organization wants to keep up with global competitors and do business with EU citizens this is everyone’s issue. You have to get your entire executive team and the board on the same page, and in order to mitigate and continuously manage this, you need to name a Data Protection Officer (DPO).

PRIVACY OFFICE

Once you have the executive team on board—with funding and full commitment—it’s time to organize your privacy office. This should really be a full network; your entire organization should be looped in and everyone should be accurately updated on regulations and rules. Your DPO needs to align a privacy counsel and program manager to help roll out GDPR/POPIA compliance all the way from the CEO to sales and marketing and support to IT ops, and so forth.

MAP PROTECTED DATA

Everyone’s on board? Great. Now it’s time to take a look at what personally identifiable information (PII) is collected and why. Where is it stored and how is it classified? Take an in-depth audit now. Is PII transferred across borders? Why and who is it shared with?

OPERATIONAL IMPLEMENTATION

It’s time to build and customize your company’s processes and Incident Response Process (which has to happen within 72 hours under GDPR/POPIA will probably align to this). Your DPO should also assess your third party vendor risks at this time. Be thorough.

AWARENESS AND TRAINING (REPEAT)

Build new specifics into your new-hire training, but don’t forget about ongoing technical training for senior staff. Make annual security training mandatory and brief your executive leadership on new GDPR/POPIA readiness.

Continuous compliance, detailed mapping and auditing of the “why” and “how” of your customer’s PII and data, and setting up a strong privacy team with a Data Protection Officer who knows the importance of getting buy-in from the board will keep your company compliant.

Talk to us we can help!

As a big fan of the HBO series “Silicon Valley” I have enjoyed the antics this past season whereby Richard Hendricks, CEO of fictional start-up Pied Piper, and his band of misfits worked tirelessly to bring about their take on a new kind of internet, PiperNet, to market. As the product itself is fictitious, Pied Pipers website appears real, and in a twist of life imitating art; a number of players are making progress making this futuristic internet, one that is decentralized so users don’t have to rely on intermediaries like Microsoft, Amazon, Google or Facebook.

Solid (derived from "social linked data"), Holochain, Blockstack, the InterPlanetary File System, MaidSafe and Storj are some of the real-life Pied Pipers working on such a decentralized future of the internet.

Watch this space folks; and with all of this in mind, enjoy our roundup of stories for this week…

Weak hashing leads to Police phone tracking firm being hacked

Securus, which tracks phones for police, was using the MD5 algorithm to hash stored passwords.

After breaching Securus, an unnamed hacker gave Motherboard a spreadsheet titled "Police" that included 2,800 "usernames, email addresses, phone numbers, and hashed passwords and security questions of Securus users," spanning 2011-2018, the report said. Data on Securus staff members was present in the sheet, along with data on law enforcement and government users from cities including Minneapolis, Phoenix, and Indianapolis.

Police phone tracking firm hacked, passwords leaked thanks to weak hashing |  Conner Forrest

Social Engineering your next job using Open Source INTelligence (OSINT)

Many years ago, before the internet existed, a person would use the local newspaper to perform a job search. The usual protocols were often followed, including the sending of a resume, an introductory phone call (if the recipient liked the resume), and then a subsequent job interview. Back then, a job candidate was always advised to “learn something about the company” to which they applied. This was good advice, particularly when the interviewer would inevitably ask the candidate “do you have any questions for me”.

Gather Your OSINT Before the Interview for Your InfoSec Stint | Bob Covello

IT, Security and Buy-in from Business, how do you get it?

The past week or so, I have been reviewing a number of strategies for large enterprises and my take on the state of security risk management is dire, especially when it comes to ratio of Security or even IT to total staff.

The “right” ratio of IT staff to users varies widely, depending on the type of business, the industry’s reliance on technology, etc., and for the most part, if you are looking to find out how many total IT staff your company needs, you can find decent data to start with.

The task becomes a lot harder, however, when you start looking for staffing ratios for information security staff.

You could also look at budgets - consider total cost for all of IT compared to total cost overall - numbers I have researched indicate that your IT spending should be 6-15% of the total spend.

The above numbers are probably already useless, and they apply to all of IT. So how about InfoSec?

Should there be 1 security person per 4 IT? 1 per 10?

Should there be 1% security of total cost?

Much depends on the daily security operations performed by IT. Alternatively if your IT department  manages patching, vulnerability scanning, system hardening, incident management, ticketing and Log retention then maybe only 1 security person for the first 100 employees makes sense, and then add 1 more atop that and scale up to 3-4 for the first 1000.

The ratio should reduce once you get above 300-400 employees, and justifying the scaling of InfoSec in a linear manner with number of employees is virtually an impossibility, and as the number of endpoints goes up, the number of servers does not increase at the same rate after your first 100 employees.

Certainly, my recommended range of 1.5 per 100 to 8.5 per 100 of IT staff. Interestingly, the budget ratios cover a similar spread, just moved slightly higher: 3% to 11% of IT budget.is based on a combination of much research and pondering and more research and mostly past experience;

I think the decision comes down to risk. If you can express to management the risks of something not being done with the desired scope consistently over time, and you can justify that this is not possible with current staffing levels, then it becomes a risk appetite choice for management - they will need to accept the risks and if they cannot, then you should be allowed to hire right then and there.

Or you could just outsource - Talk to us we can help!

This week in the J2 CSC, What can be worse than a false sense of security? Bad Hygiene, the Zuckerbot Privacy Malfunction Protocol and Precision Agriculture.

What a week we have had, and as a scholar and a humble consumer of wisdom and knowledge some days I become a bit overwhelmed by the sheer scale of destruction that I observe on a daily basis. Which brings me back to the now infamous quote by Robert Oppenheimer, after he witnessed the first detonation of a nuclear weapon during the Trinity nuclear tests on July 16, 1945. He was famously quoted from the sacred Hindu text the Bhagavat-Gita: “Now I am become Death, the destroyer of worlds”. It is, perhaps, the most well-known line from the Bhagavad-Gita, and to my mind also the most misunderstood.

From my very humble and limited understanding; Krishna is stating that you have to simply do your duty as a warrior. Considering the two pole opposites, Peace and War. Within peace time you wouldn't have to do this, but when you are at war you have to. In the larger scheme of things, we are at War (under assault) and have been for quite some time; We are witnessing destruction on a massive scale and have a choice to make: either be on the side-lines or get into the fight! So within Destruction there is renewal, Information Security and Cybersecurity / Defence, whatever you want to call it, for the most part has failed, and the logical conclusion is to break it down (Destroy) and start again, reset you prejudices so that the renewal can begin!

With this in mind, enjoy our roundup of stories for this week…

What is Worse than security?

What are account takeovers (ATOs) and why do we care? How can you decipher between fact or fiction? With Security Vendors and Service Partners promising solutions. Getting it right matters. So here they are, plain and simple, so you can make the best decisions for your company, employees and customers, the six most popular ATO approaches on the market and reasons why ATOs are successful even with them in place.

1. Multi-Factor Authentication
   Usability -
   It’s about how many people would we drive out if we force them to use additional security.
2. Password Managers
   Password Reuse -
   It doesn’t take a mathematician to figure out that passwords are widely re-used among multiple sites and applications and guess your current version of your password.
3. 90-Day Password Rotations
   Password Compromise -
   Frequent password changes only inconvenience attackers, probably not enough to offset the inconvenience to users.
4. Behavior or Heuristics-Based Solutions
   Compromised Detection -
   Detection of Compromised accounts and action upon the compromise without delay.
5. Deep & Dark Web Scanners, Crawlers and Scrapers
   For Our Eyes Only -
   Scanners, therefore, only pick up redacted samples of what threat actors use to advertise their products publicly.
6. Corporate Policy
   General Policy Statements expected to solve Specific Requirements -
   Implementing policies, it becomes clear that threat lurk between the lines for companies to monitor their employees’ exposure due to password reuse between personal and employee accounts.

Six Reasons for a False Sense of Security - ATOs |  SpyCloud

To err is Human to make the same mistakes is just bad Hygiene

My frustration has no bounds while questing to update home routers, trying to find the right firmware is probably the major reason my hair is not a thick and lush as it once was, so without delay, here are the five commonly-forgotten security best practices.

The Biggest “Small” Personal Digital Security Mistakes | Lesley Carhart, Full Spectrum Cyber-Warrior Princess (hacks4pancakes)

The Zuckerbot Malfunction Protocol and WhatsApp with privacy at Facebook?

With the ongoing Zuckerbot privacy malfunctions, the co-founder of WhatsApp, Jan Koum, is leaving Facebook; and trust me this is a loss of one of the strongest advocates for privacy inside Facebook.
Apparently this is due to the ongoing Rock'em Sock'em Robots Clash within the parent company over WhatApp’s strategy and Facebook’s attempts to use its personal data and weaken its encryption.

WhatsApp co-founder to quit in loss of privacy advocate at Facebook | David Ingram

Precision Agriculture and AI

While looking at emerging application of the Digital Transformation Paradigm, I found this really interesting perspective and though you might enjoy this huge opportunity in a cause that is very close to my heart: “Food Waste”.
As human populations increase, utilizing every centimetre of arable land and conserving resources is paramount to meet demand and for sustainable agriculture systems and as automation isn’t new to the agriculture industry, the use of drones to make farm production more precise is still in its infancy.

Why Precision Agriculture Will Change How Food Is Produced | Jennifer Kite-Powell