Half the population of America, over 143 million people may have had their Social Security numbers and other data stolen, in the massive data breach at Equifax, the credit bureau. The breach that took place in May 2017 is considered the biggest so far.
www.equifax.com (website is currently not available), is the Uganda’s equivalent of three entities – National Information Registration Authority (NIRA), National Social Security Fund (NSSF) and Credit Reference Bureau (CRB). These entities hold a lot of data about Ugandans. The NIRA contains the NIN which identifies all registered Ugandans by their birth, sex, place of residence, village of origin and family relationships. The NSSF has information about the working class incomes, places of work, employment history, and company information. And the CRB contains records of all bank customers’ financial history, including personal profiles.
According to the Federal Trade Commission (FTC) of the United States of America, the data security breach lasted from mid-May through July 2017. The hackers accessed people’s names, Social Security numbers, birth dates, addresses and, in some instances, driver’s license numbers. They also stole credit card numbers for about 209,000 people and dispute documents with personal identifying information for about 182,000 people. And they grabbed personal information of some people in the UK and Canada too.
Five lessons for Government and private companies
As a policy leader or chief executive of the business, you cannot afford to undertake cyber security risks. Security risks should be a top priority agenda for the board and top management team. The cost of a single breach could lead to business failure. It is much more expensive to recover from a breach than to proactively invest in breach prevention and detection. Below are the steps you must take to prevent such risks from occurring.
1.Conduct a business impact analysis (BIA) to identify your mission critical systems
One of the challenges we have is the tendency of the companies to undertake business impact analysis theoretically. They have a document of BIA, but it is not implemented. To conduct a business impact analysis, you must get a copy of all your assets – IT, software and all key business assets. Thereafter, analyze the criticality of each asset to the business. For example, your core banking application e.g. Flexicube or Equinox, etc holds critical customer information. Its failure could lead to the inability of the bank to operation. Since the ability to know customer balances at any time and enable client transaction on their accounts is a mission critical process in a bank, such a system handling that function is assessed as mission critical. As a bank top honcho, you must secure such a resource. Identify all such resources and get independent assurance of their security, on an on-going basis.
Note: have a list of all mission critical systems and make sure they are safe at all times from threats of internal and external attacks and damage. That is one of your primary roles. You cannot delegate such a role to IT or risk or internal audit departments. It is the business of the Board and CEO.
2. Undertake data classification and implement appropriate data security
Not all data is of equal importance and value. Some data is more sensitive than others. The Uganda constitutions provides for personal privacy. Every business that collects personal data has a constitutional responsibility to protect it from unauthorized access and disclosure.
To comply with such a requirement, you must implement effective data classification and categorization in terms of the degree of sensitivity. Personal data about ones health, age, income, place of residence, children and family relationship is considered very sensitive and private. In fact, Equifax is currently facing a lot of legal challenges due to exposure of confidential personal information. This is a huge challenge and if the company lacks appropriate insurance cover for such a risk, it could file for insolvency.
Once your data is classified, implement proper access mechanism and approvals over the data. You need mechanisms to know who accessed which data, when and how for effective accountability and audit. Since your data is always evolving, technology changing, it is recommended you undertake your data classification audit frequently.
3. Invest in threat intelligence and modelling that your business may be exposed to
As a CEO or leader, you must understand what kind of threats your business is exposed to? If you have a lot of staff turnover in your IT department, the risks of privileged access and abuse of user rights is high. If you have a properly implemented threat intelligence platform, you will receive timely alerts on the attempts to access critical systems by user IDs that are disabled or were assigned to former staff. That way, you are able to act on the risk including cautioning the users in question. This could save your organisation a lot of money that otherwise would have been through a breach.
As a CEO of a bank or any organisation, how confident are you that your network is secured from threats of your most trusted staff in IT? Over the past 10 years, we have undertaken forensic investigations of fraud incidents in banks. And in over 80% of the cases where the bank made a loss, they involved an insider especially some staff in IT department abusing their privileges.
Such abuse include sharing a super administrator password such that no single staff is held accountable. You find the network manager, the database manager, and other IT support staff all have knowledge of the ‘sa’ password as it is written somewhere. In such an environment, it is difficult to hold a particular staff accountable yet the fraudster is among them.
In such a case, even your state of art or next generation firewall or anti-virus cannot detect the threat. However, with threat intelligence, such vulnerabilities and weaknesses would be identified and acted upon in near real time saving you a lot of money.
4. Create incidence response and forensic capabilities for real time monitoring (so that you can identify incidents and also keep evidence of any breach before hackers delete everything to support investigations and prosecution)
One of the big challenges of cybercrime is the failure to know who did what, where, when and how. This occurs where the organisation fails to implement effective data retention and incident response capabilities within and without the organisation. Most of the time attacks leave foot print. However, with involvement of insiders with privileged access, these often clear the tracks in a way to fail and foil a forensic investigation.
For example, at one insurance company which experienced a fraud incident, the firewall logs were not set to automatically backup to an external offsite drive which is not accessible to staff in IT. Immediately after the incident and before the forensic investigation team of Summit Consulting Ltd was called in, the IT staff cleared the network access logs that were very critical in the investigation. The setup of a firewall is such that logs are held in small memory in real time. In absence of external and extended back up of the logs, it is impossible to retrieve and solve such a crime.
In another case, where the company was backing up firewall logs, the IT team which had access to the backup server reported it as being lost. They provided a different server with logs that upon thorough analysis were found not to be relevant for the case at hand. This left the case unsolved.
As a CEO, you must have independent assurance of the security posture in order to support, and not to replace your internal cyber security team. Incident response and forensic capabilities would help provide independent data collection and analysis in real time. And in case of a fraud incident, all critical information and logs would be backed up by a third party and should be reviewed by authorized personnel. This will not only provide independent assurance, but keep your IT team on alert as their failure to do their job would easily be identified and exposed.
5. Implement basic cyber hygiene and don’t tire training your users about cyber security awareness.
Post incident report reveals that the security practices at Equifax were below average. There were use of weak credentials to access critical systems over the cloud. No evidence of offensive external (black box) pen tests had been done. A report by an external audit firm was leaked and published on Equifax’s website thereby giving hackers insight into the security posture – including all weaknesses, systems versions, etc making it easy for exploit.
You are recommended to restrict the circulation of your security audit report. Implement practices of security alert across the board especially all staff on the network must be highly trained in data security.
Written by Mustapha B Mugisa, CEH, CHFI, CFE and Daniel Kirabo, CEH, CHFI. Summit Consulting Ltd is pioneer cyber security and forensic company providing security assurance to both private and public company.
Regulatory notice
On July 13th, 2017 the Bank of Uganda issued a circular number EDS.306.2 to all chief executives of commercial banks, credit institutions, and all microfinance deposit taking institutions in respect to external audit of information and communication technology systems of supervised financial institutions. The BOU circular DIRECTS all Supervised Financial Institutions (SFIs) to engage their appointed External Auditors to audit the IT systems of the respective SFIs starting this financial year and subsequently at least once every two years, in accordance with Section 69(4) of the Financial Institutions Act, 2004.
At Summit Consulting Ltd (www.summitcl.com), we understand that it may be very expensive for some financial institutions to pay for the services as per the regulatory notice. We have come up with a package that meets all the minimum IT governance and security assurance as per BOU regulatory notice. Since such a cost is borne by the Supervised Financial Institution (SFI), you are advised to recommend your external auditors to work with us to deliver to you a seamless solutions that meets the regulatory requirements at an affordable price.
Contact us on pentest@summitcl.com or premium@summitcl.com.
Call +256 031 2517 236