Institute of Forensics and ICT Security in partnership with Summit Consulting Ltd is organizing the 1st Annual Cyber Security and Risk Management Conference.What has so far changed in the cyber security landscape?
We are organizing the 1st Annual Cyber Security and Risk Management (CSRM) conference because a lot has changed in the cyber space. We need a conversation with leaders across board on how to proactively anticipate and manage risk which is attendant to automation. We are dealing in an era of artificial intelligence, bigdata and advanced analytics. So if you are not able to go deep into that area as a financial institution, a telecom companyand regardless of any business, you are excessively overexposed because the era of automationis upon us.
As we talk all most every business is powered by technology and computers in the field of operations. You can’t therefore sit back because the risk landscape, things that prevent your business from achieving its objectives have also changed. The leaders must bring the conservation to the level of the Board as well as senior management team to ask what might happen to the systems and cause business failure. And that is the conversation the conference brings on the table.
You have had stories about Equifax and many other businesses whose systems have been hacked.Even organizations that run critical missions have also been attacked. The current case in the United States were over 150 m credit cards and National Social Security Fund numbers of citizens are in the hands of cyber criminals. It means that you are not safe. You do not know when the attack will come but it is better to anticipate it. The landscape and space for cyber attacks have changed significantly and people need to know from a practical point of view by real professionals.
Why must one attend the CSRM conference?
Cyber Security and Risk Management conference is the first of its kind. We are organizing it from the perspective that we have been investigating financial institutions, telecom and insurance companies in the areas of fraud. We want to bring the right discussion to the right people. You should attend because as a policy person concerned about doing the right things, the future of the business from lawyers to accountants, chief executives to board members up to tactical members, you need to understand your role in the journey of automation.
Good corporate governance is being seen as the reason why any businesses succeed, and excessively outperform. But good corporate governance entails that the Board must run two pillars of governance; on one hand is growth (strategy execution) andon the other is sustainability(risk andcompliance).
Now which core risks expose the business?For example if you undertake a business impact analysis of the critical assets, get the company register and analyze it to establish which asset is critical to the business. Meaning if a certain asset failed, can the business remain in operation? In a bank for example, if the core banking application failed, can the bank remain operating? It will remain operating but the chances of succeeding with its customers becomes significantly affected. We want therefore to highlight this kind of risk management to the right people to make sure they strengthen their governance processes and put the right resources to what matters most.
In Uganda, you realize that the Central Bank or Financial Institutions Act has been so clear in terms of managing physical cash. But when it comes to managing ICT resources like digital applications, you find that there is limited management and proactive engagement to save them. You find a given bank spending around US$50m monthly in physical security and armed guards, yet the total exposure amount in a given bank, at any one branch for example is Ugx. 1 billion. What about the amount of money which in the core banking system that is not catered for? We want to make sure that this role is so clear to decision makers and those who execute them so that the right accountability is done. That is the reason you must attend. Come and understand the latest development in cyber security, how you can easily be hacked. What you can do to protect yourself.
Some people think WhatsApp is most secure. WhatsApp is most secure as much as the awareness of the user is concerned. When messages come onto your phone, it comes insecure. Whenanyone gets hold of your phone, they have access to all your messages. The assumption that WhatsApp is secure is false security. However hard a given technology has been set up or encrypted, as a user must have skills to strengthen thetechnical security.
Come and meet young professionals. They will open the computer, close it up but also show you the current attack vectors from cases we have been investigating. We will protect the identity of our clients.We will focus on lessons from Kenya. Uganda has been growing lagging behind in terms of technology. We have investigated cases of the most upcoming attacks especially from South Africa and Kenya. That way, you are ready to get ahead of your park to tighten and strengthen your bolt before the bad guys come.
What are the financial costs in maintaining standards in the cyber security environment?
At the beginning, there is minimum security you have to set up. For example, investing in a firewall. That is old technology but still works. The firewall has to be updated on going because cyber risks keep evolving depending on the technology of the day. What worked yesterday might not be relied upon tomorrow. You must keep up to date. Because technology is always evolving, the bad guys are always thinking and are motivated too. As a financial institution, telecom must strengthen the IT department. But not only relyon the internal team, also have externalprofessionals who are investing significantly in intelligence to make sure you are on top of the cyber exposures of the day.
This calls for investment into minimum technologies but also people. When it becomes to proactive prevention, the cost is small. The problem comes when you are doing reactive. It digs deep into your bottom line. On average regardless of how big you are, if you spend a maximum US$30,000 monthly, that is an adequate investment to protect a bank. You get solution which gives the bank real time monitoring.
As a forensics investigator who has been often called to respond to cyber security exposures both in Uganda and Kenya,recently in Dubai, my experience has shown that if you do not put in place proactive real time monitoring systems, knowing who did what, how, when and where becomes almost impossible. When a bridge does not take place, most of the time such incidents originate within the organization. Internal people internally are part of the problem. They collude with external people to committee the fraud.You find it difficult to recover the most critical data.
When we come as security experts, people try to say forensics is about recovering what has taken place and recreate the story,that is a false alarm used to discredit the work of the professionals. A typical CEO does not understand what is called‘anti-forensics.’There is no bulletproof system anywhere; it is very difficult to recover any evidence in such a circumstance. There are critical systems which protect the networks like the firewall. It captures the logs of logins as they happen. If the firewall has a memory of 350 gigabytes of data, or just 1 gigabyte it can keep at a given moment. They are so many logins. Within an hour, the live backup of logins is lost. The system is always full.
Here is the puzzle: if I want to find out what happened three days back, can I find it in the storage of the live firewalls logs? The answer is no. As a security expert, to protect your financial institutional, we set up a huge backup of your logins in the firewall system. We attain it for the last one year. We give you peace of mind that even if a fraud takes place, the chances of knowing who did it, or where the attack originated from is very high.
Most of the time when we come to investigate, we ask you; “where was the source of data? Is it internal or external originating?” We can only exclude external originating if the firewall logs were captured. If we say any information going/coming from outside, it must be through the firewall. If we establish may be the logs have been deleted and IT did not capture it, we come deflated. That’s what we call anti-forensics. Your IT people understand this kind of weakness in your system. Unless you outsource this work to external professionals who understand and have been investigating the physiology of fraudsters especially in the cyber arena, it becomes very difficult. That is why am inviting you as a top honcho whether you are a manager,IT expert, please come and you share experiences. Learning is the best cure for cyber ignorance.
The bad guys are always evolving, what three recommendations would you give to organizationsto be at the top of cyber security?
Identify your core systems and classify them accordingly. Most of the time, people say you cannot monitor all the systems at the same time. Identify what is critical to the business by undertaking a business impact analysis. Keep a close eye on them.
Make sure you put proper controls; both physical and logic access. Train the users who manage them. For the users who managing such resources, make sure you do a thorough background check up on them including the village from where they are come from. If they steal because they are holding the gold of your business, you are able to follow them up and prosecute. As investigators, that is the best cure for people who are not trust worthy.
For critical assets, get independent assurance which is ongoing. You have external people to audit the work of your internal team. You have a balance of external team doing black box penetration testing on your network. The internal team is kept on their toes not to have completely different reports from those of the external team. This creates assurance and good practice. I also advise CEO’s that IT shouldn’t be recruit people who are going to give third party assurance on the security status of the core systems.