As a big fan of the HBO series “Silicon Valley” I have enjoyed the antics this past season whereby Richard Hendricks, CEO of fictional start-up Pied Piper, and his band of misfits worked tirelessly to bring about their take on a new kind of internet, PiperNet, to market. As the product itself is fictitious, Pied Pipers website appears real, and in a twist of life imitating art; a number of players are making progress making this futuristic internet, one that is decentralized so users don’t have to rely on intermediaries like Microsoft, Amazon, Google or Facebook.

Solid (derived from "social linked data"), Holochain, Blockstack, the InterPlanetary File System, MaidSafe and Storj are some of the real-life Pied Pipers working on such a decentralized future of the internet.

Watch this space folks; and with all of this in mind, enjoy our roundup of stories for this week…

Weak hashing leads to Police phone tracking firm being hacked

Securus, which tracks phones for police, was using the MD5 algorithm to hash stored passwords.

After breaching Securus, an unnamed hacker gave Motherboard a spreadsheet titled "Police" that included 2,800 "usernames, email addresses, phone numbers, and hashed passwords and security questions of Securus users," spanning 2011-2018, the report said. Data on Securus staff members was present in the sheet, along with data on law enforcement and government users from cities including Minneapolis, Phoenix, and Indianapolis.

Police phone tracking firm hacked, passwords leaked thanks to weak hashing |  Conner Forrest

Social Engineering your next job using Open Source INTelligence (OSINT)

Many years ago, before the internet existed, a person would use the local newspaper to perform a job search. The usual protocols were often followed, including the sending of a resume, an introductory phone call (if the recipient liked the resume), and then a subsequent job interview. Back then, a job candidate was always advised to “learn something about the company” to which they applied. This was good advice, particularly when the interviewer would inevitably ask the candidate “do you have any questions for me”.

Gather Your OSINT Before the Interview for Your InfoSec Stint | Bob Covello

IT, Security and Buy-in from Business, how do you get it?

The past week or so, I have been reviewing a number of strategies for large enterprises and my take on the state of security risk management is dire, especially when it comes to ratio of Security or even IT to total staff.

The “right” ratio of IT staff to users varies widely, depending on the type of business, the industry’s reliance on technology, etc., and for the most part, if you are looking to find out how many total IT staff your company needs, you can find decent data to start with.

The task becomes a lot harder, however, when you start looking for staffing ratios for information security staff.

You could also look at budgets - consider total cost for all of IT compared to total cost overall - numbers I have researched indicate that your IT spending should be 6-15% of the total spend.

The above numbers are probably already useless, and they apply to all of IT. So how about InfoSec?

Should there be 1 security person per 4 IT? 1 per 10?

Should there be 1% security of total cost?

Much depends on the daily security operations performed by IT. Alternatively if your IT department  manages patching, vulnerability scanning, system hardening, incident management, ticketing and Log retention then maybe only 1 security person for the first 100 employees makes sense, and then add 1 more atop that and scale up to 3-4 for the first 1000.

The ratio should reduce once you get above 300-400 employees, and justifying the scaling of InfoSec in a linear manner with number of employees is virtually an impossibility, and as the number of endpoints goes up, the number of servers does not increase at the same rate after your first 100 employees.

Certainly, my recommended range of 1.5 per 100 to 8.5 per 100 of IT staff. Interestingly, the budget ratios cover a similar spread, just moved slightly higher: 3% to 11% of IT budget.is based on a combination of much research and pondering and more research and mostly past experience;

I think the decision comes down to risk. If you can express to management the risks of something not being done with the desired scope consistently over time, and you can justify that this is not possible with current staffing levels, then it becomes a risk appetite choice for management - they will need to accept the risks and if they cannot, then you should be allowed to hire right then and there.

Or you could just outsource - Talk to us we can help!

This week in the J2 CSC, What can be worse than a false sense of security? Bad Hygiene, the Zuckerbot Privacy Malfunction Protocol and Precision Agriculture.

What a week we have had, and as a scholar and a humble consumer of wisdom and knowledge some days I become a bit overwhelmed by the sheer scale of destruction that I observe on a daily basis. Which brings me back to the now infamous quote by Robert Oppenheimer, after he witnessed the first detonation of a nuclear weapon during the Trinity nuclear tests on July 16, 1945. He was famously quoted from the sacred Hindu text the Bhagavat-Gita: “Now I am become Death, the destroyer of worlds”. It is, perhaps, the most well-known line from the Bhagavad-Gita, and to my mind also the most misunderstood.

From my very humble and limited understanding; Krishna is stating that you have to simply do your duty as a warrior. Considering the two pole opposites, Peace and War. Within peace time you wouldn't have to do this, but when you are at war you have to. In the larger scheme of things, we are at War (under assault) and have been for quite some time; We are witnessing destruction on a massive scale and have a choice to make: either be on the side-lines or get into the fight! So within Destruction there is renewal, Information Security and Cybersecurity / Defence, whatever you want to call it, for the most part has failed, and the logical conclusion is to break it down (Destroy) and start again, reset you prejudices so that the renewal can begin!

With this in mind, enjoy our roundup of stories for this week…

What is Worse than security?

What are account takeovers (ATOs) and why do we care? How can you decipher between fact or fiction? With Security Vendors and Service Partners promising solutions. Getting it right matters. So here they are, plain and simple, so you can make the best decisions for your company, employees and customers, the six most popular ATO approaches on the market and reasons why ATOs are successful even with them in place.

1. Multi-Factor Authentication
   Usability -
   It’s about how many people would we drive out if we force them to use additional security.
2. Password Managers
   Password Reuse -
   It doesn’t take a mathematician to figure out that passwords are widely re-used among multiple sites and applications and guess your current version of your password.
3. 90-Day Password Rotations
   Password Compromise -
   Frequent password changes only inconvenience attackers, probably not enough to offset the inconvenience to users.
4. Behavior or Heuristics-Based Solutions
   Compromised Detection -
   Detection of Compromised accounts and action upon the compromise without delay.
5. Deep & Dark Web Scanners, Crawlers and Scrapers
   For Our Eyes Only -
   Scanners, therefore, only pick up redacted samples of what threat actors use to advertise their products publicly.
6. Corporate Policy
   General Policy Statements expected to solve Specific Requirements -
   Implementing policies, it becomes clear that threat lurk between the lines for companies to monitor their employees’ exposure due to password reuse between personal and employee accounts.

Six Reasons for a False Sense of Security - ATOs |  SpyCloud

To err is Human to make the same mistakes is just bad Hygiene

My frustration has no bounds while questing to update home routers, trying to find the right firmware is probably the major reason my hair is not a thick and lush as it once was, so without delay, here are the five commonly-forgotten security best practices.

The Biggest “Small” Personal Digital Security Mistakes | Lesley Carhart, Full Spectrum Cyber-Warrior Princess (hacks4pancakes)

The Zuckerbot Malfunction Protocol and WhatsApp with privacy at Facebook?

With the ongoing Zuckerbot privacy malfunctions, the co-founder of WhatsApp, Jan Koum, is leaving Facebook; and trust me this is a loss of one of the strongest advocates for privacy inside Facebook.
Apparently this is due to the ongoing Rock'em Sock'em Robots Clash within the parent company over WhatApp’s strategy and Facebook’s attempts to use its personal data and weaken its encryption.

WhatsApp co-founder to quit in loss of privacy advocate at Facebook | David Ingram

Precision Agriculture and AI

While looking at emerging application of the Digital Transformation Paradigm, I found this really interesting perspective and though you might enjoy this huge opportunity in a cause that is very close to my heart: “Food Waste”.
As human populations increase, utilizing every centimetre of arable land and conserving resources is paramount to meet demand and for sustainable agriculture systems and as automation isn’t new to the agriculture industry, the use of drones to make farm production more precise is still in its infancy.

Why Precision Agriculture Will Change How Food Is Produced | Jennifer Kite-Powell

This past week, has been quite an interesting one, While reviewing our weekly Cyberthreat reports, what continues to strike me; again and again; is the infinite depths to which people will go to prove that there is no such thing a common sense and that Stupidity Reigns Supreme:

Case in point, unauthorised or personal cloud sharing services is a great way to ‘enable’ customer personal information with third parties to process claims, without any kind of limitation on the access, duration and whom the access is provisioned for; so here we go again, doing all the technical stuff preventing the scary hacker guys from destroying reputations only to undone by users that are trying to get their jobs done and being innovate in the process.

Visibility, awareness with positive behaviour nurturing, is the only way to keep out of this dangerous maelstrom, take it from me.

With this in mind, enjoy our roundup of stories for this week…

World Password Day?

Every First Thursday of May is World Password Day. Mark Burnett, Security researcher, whom first encouraged people to have a “password day,” where they’d update important passwords in his 2005 book Perfect Passwords. Inspired by this, Intel Security built upon this idea and to declare the first Thursday in May World Password Day in May 2013.
Password Day is meant to create awareness of the need for good password security.

Fast Forward to Last week when twitter decided to upstage all by notifying all 300 million twitter users to change passwords after the plaintext password debacle.

Twitter CTO: “We didn’t have to” tell users about the password debacle |  Fast Company

Opportunity for Managed Services: InfoSec

Trying to implement a security program that focusses purely on controls, invariably, fails. Focus purely given to point solutions like firewalls and antivirus just aren’t enough to protect a company from a devastating hack. While it’s usually the big companies that make the headlines, the reality is every organization is a target, regardless of size. In fact, cyber-attacks are on the rise for small and midsize businesses, which is logical since most lack the essential security resources or controls necessary to mitigate risk - in fact, 61% of data breach victims were small & mid-size companies in 2016 (2017 Verizon Data Breach Report). The most disturbing fact is that the majority of small businesses that are breached are forced to close their doors within six months later (US National Cyber Security Alliance).

We have been in consultation with many industry players and the most common issues that customers face are:

1. Where and How to Start
2. What to Fix First and why
3. Insufficient personal
4. Insufficient budget
5. Lack of understanding how to defend against cyber-attacks
6. Insufficient enabling security technologies
7. Lack of in-house expertise

Opportunity for Managed Services: InfoSec | Mke Lapeters
The Need for Greater Focus on the Cybersecurity Challenges Facing Small and Midsize Businesses | Commissioner Luis A. Aguilar

POPIA and GDPR (My attempt and Take)

Recently a good friend of mine and a customer asked me to give advice on whether they were on the right track in terms of POPIA and GDPR; this is the long version response I had for them:

As Regulations continue to change, there are principles; that you should adopt as you may or may not be a listed Company, some are but not limited to:
Follow the KING adopt the KING Code of Practice III / IV, look and understand the Laws of the land of South Africa; e.g. POPIA, The Electronic Communications and Transactions Act and the Consumer Protection Act etc. etc. etc.

For Example: Section 19 of POPIA places an obligation on a responsible party to secure the integrity and confidentiality of personal information in its possession or under its control by taking appropriate, reasonable technical and organisational measures to prevent loss, damage to, or unauthorised destruction of; and unlawful access to, personal information.

To comply with this obligation, the responsible party must take reasonable measures to:

Identify all reasonably foreseeable internal and external risks to personal information under its control;

• establish and maintain appropriate safeguards against the risks identified;
• regularly verify that the safeguards are effectively implemented; and
• ensure that the safeguards are continually updated in response to new risks or deficiencies in previously implemented safeguards.

In a nutshell GDPR vs. POPIA:

The good news is that the GDPR and POPIA are simply different flavours of data protection laws. They are actually quite similar to each other. Obviously, when South African enacted POPIA, South Africa did not know what the GDPR would look like. The concern was that the GDPR would be radically different from POPIA and it would mean that Parliament would need to change POPIA significantly.
The GDPR is more an update to data protection law, rather than a complete overhaul. There is much debate whether this is a good thing and whether the GDPR protects data privacy in the world we live in.

But for those who have already done much to comply with POPIA, it is good news. You won’t need to start again. But you will need to tweak what you have been doing. And in some cases, the GDPR will even help you by providing answers to questions we have been asking.

Follow these principles and you should be fine:

EXECUTIVE AWARENESS

GDPR/POPIA affects your business. It’s not simply a security issue. If your organization wants to keep up with global competitors and do business with EU citizens this is everyone’s issue. You have to get your entire executive team and the board on the same page, and in order to mitigate and continuously manage this, you need to name a Data Protection Officer (DPO).

PRIVACY OFFICE

Once you have the executive team on board—with funding and full commitment—it’s time to organize your privacy office. This should really be a full network; your entire organization should be looped in and everyone should be accurately updated on regulations and rules. Your DPO needs to align a privacy counsel and program manager to help roll out GDPR/POPIA compliance all the way from the CEO to sales and marketing and support to IT ops, and so forth.

MAP PROTECTED DATA

Everyone’s on board? Great. Now it’s time to take a look at what personally identifiable information (PII) is collected and why. Where is it stored and how is it classified? Take an in-depth audit now. Is PII transferred across borders? Why and who is it shared with?

OPERATIONAL IMPLEMENTATION

It’s time to build and customize your company’s processes and Incident Response Process (which has to happen within 72 hours under GDPR/POPIA will probably align to this). Your DPO should also assess your third party vendor risks at this time. Be thorough.

AWARENESS AND TRAINING (REPEAT)

Build new specifics into your new-hire training, but don’t forget about ongoing technical training for senior staff. Make annual security training mandatory and brief your executive leadership on new GDPR/POPIA readiness.

Continuous compliance, detailed mapping and auditing of the “why” and “how” of your customer’s PII and data, and setting up a strong privacy team with a Data Protection Officer who knows the importance of getting buy-in from the board will keep your company compliant.

Talk to us we can help!

My 18 year old son recently decided to become a scuba-diver. Not a hobbyist scuba-diver, a full-blown professional. His journey starts here at the south western tip of Africa where the wild and unforgiving Indian and Atlantic oceans meet. Not only that, his want is to be the best scuba-diver in the world - Ever! Astronaut good. He dives every day, and every week-end to the point where he complains about the aches and pains that goes with frequent diving activities. There are a few home truths about scuba-diving, you cannot do it by yourself, you need a buddy. Every day he learns and improves his techniques and goes out as crew on boats from Simons Town, Kommetjie or Hout Bay harbours. Yes, I know what you’re thinking, some of the biggest and “bitiest” sea creatures and sharks existing within this part of the ocean. This does not deter him, he is fearless in his quest, and relentless in perusing his passion.

This made me reflect on my peers and the cybersecurity industry; can we say the same for our tenacity and passion? Do we hold ourselves up to the same high standards. To achieve high standards for ourselves or as part of a team, we must proactively communicate realistic beliefs within ourselves about how hard things are and are going to be – something that I believe each of us face each and every day. Some of us more successfully than others.

Learn from my son.
With this in mind, enjoy our roundup of stories for this week…

How Lucrative is Cybercrime, anyway?

The volume boggles the mind, I found this intriguing perspective. If cybercrime was a country, it would have the 13th highest GDP in the world.
Attackers generate $1.5 trillion in annual profit, which is about equal to the GDP of Russia, according to a new study on the interconnected economy of cybercrime.

Cybercrime Economy Generates $1.5 Trillion a Year |  Kelly Sheridan

SPY V. SPY

Spy vs. Spy is a wordless meme before memes were memes Published in Mad magazine. As a kid, I was always fascinated by their antics. Basically the cartoon features two agents involved in stereotypical and comical espionage activities. One is dressed in white, and the other in black, but they are otherwise identical, and are particularly known for their long, beaklike heads. The pair are constantly at war with each other, using a variety of booby-traps to inflict harm on another. The spies usually alternate between victory and defeat with each new strip.
This brings me to an NSA leak that revealed the agency's list of enemy hackers.

Spy v. Spy: an NSA leak reveals the agency's list of enemy hackers | Andy Greenberg

The InfoSec Marshmallow

The marshmallow experiment, is based on a delayed gratification test conducted back in the 1970s at Stanford University.  It was designed to see if children who exercised delayed gratification would end up (many years later) performing better on aptitude tests as well as other positive life outcomes. I wonder how some of us in the InfoSec community would have fared if we were subjects of that experiment.  Given the various InfoSec personality types, here are some of Bob’s comical thoughts about how we would potentially measure up.

The InfoSec Marshmallow | Bob Covello

Cyber protection for SMEs

According to the South African Banking Risk Information Centre (SABRIC), SA ranks third highest in the world for cyber-attacks. Whilst there do not appear to be stats on the local SME sector, internationally a report by Deloitte reveals that in Holland, cybercrime costs the Dutch SME sector 1 billion Euro each year. At today’s exchange rate, that equates to R16704 250 000,00. The figure for the Dutch economy as a whole is put at around €10 billion, or 1,3% of that country’s GDP.

Cyber protection for SMEs | Technews
SA Ranks World’s Third Highest Cybercrime Victims | Business Media MAGS
Cybercrime costs Dutch SME sector €1 billion each year | Deloitte NL

Worm Resurfaces

(Guest Post by my friend and colleague Jarred Reid-Robertson)
Over the past week, I have seen an upsurge in alerts across the customer base; whereby a worm has been seen surfacing introduced by removable media devices.

Let me give a short boring description of what a computer worm is “A computer worm is a form of malware computer program that replicates itself in order to spread to other computers with the ability to change itself to avoid being detected by signature based anti-viruses”.

This worm is doing the rounds and seems to exploit the windows autorun.ini feature which automatically execute the worm. It spreads to the computer which in turn could infect files such as “google chrome.ink” and if left unchecked your entire environment.

I have two pieces of advice:

The First One, check your antivirus solutions and confirm with your managed service providers and teams that they are aware and ensuring the latest antivirus detection rules and latest patching levels.  As my team and I continuously monitor these types of threats, please contact me for advice and support. 

The Second piece of advice I can give is to review the autorun feature within your IT environments and enforce centralised policy. I always, as a rule, disable them within managed IT environments and as a policy we block this feature.

Does your Anti-Virus still only do signature-based Detection? | Rakesh Sharma
Worm:Win32/Autorun.gen!inf | Microsoft