
Integrating the prevention of cybercrime into the overall anti-crime strategies of your organisation

Africa Cybercrime Security Conference

31 March 2011

Adv Jacqueline Fick

www.pwc.com

PwC

Agenda

• Common cybercrimes in South Africa

• Getting to grips with the Electronic Communications and Transactions Act

• The value of information governance

• Implementing a pro-active strategy in your organisation: a hands-on approach to dealing with cybercrime

2

March 2011

Integrating the prevention of cyber crime into the overall anti-crime strategies of your organisation

PwC

Common cybercrimes in South Africa

• Unauthorised access to or interception of data (s86(1))

• Unauthorised modification of data, including by malicious code (s86(2))

• Denial of service attacks (s86(5))

• Devices or programs used to overcome security measures and gain unauthorised access to data (s86(3) and (4))

• Child pornography

• Computer-related fraud

• Copyright infringement

• Industrial espionage

• Piracy

• Online gambling (leave to appeal pending)

• Phishing/identity theft


Phishing attacks


RSA statistics for February 2011

RSA Online Fraud Reports show that South Africa does not fall within the top ten countries hosting phishing attacks, but features high on the list of top ten countries by attack volume.

For thirteen (13) consecutive months the US, UK and South Africa have been the top three targets for mass phishing.

(RSA Online Fraud Report – March 2011)


Getting to grips with the Electronic Communications and Transactions Act, No. 25 of 2002 (ECT Act)


The ECT ACT

'data message' means data generated, sent, received or stored by electronic means and includes-

(a) voice, where the voice is used in an automated transaction; and

(b) a stored record;

15 Admissibility and evidential weight of data messages

(1) In any legal proceedings, the rules of evidence must not be applied so as to deny the admissibility of a data message, in evidence-

(a) on the mere grounds that it is constituted by a data message; or

(b) if it is the best evidence that the person adducing it could reasonably be expected to obtain, on the grounds that it is not in its original form.

(2) Information in the form of a data message must be given due evidential weight.


(3) In assessing the evidential weight of a data message, regard must be had to-

(a) the reliability of the manner in which the data message was generated, stored or communicated;

(b) the reliability of the manner in which the integrity of the data message was maintained;

(c) the manner in which its originator was identified; and

(d) any other relevant factor.
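The factors in s15(3) are questions for the court, but the second of them, whether the integrity of the data message was maintained, is one an organisation can answer with a technical control put in place at the moment of collection. The following is an added example, not part of the original presentation, of the usual practitioner approach: hash every collected item, record who collected it and when in a manifest, authenticate the manifest itself so a later edit to a recorded hash is also detectable, and re-verify before the items are relied on. The file names, the custodian identifier and the custodian key are constructed for illustration; how that key is generated, stored and kept away from the evidence is assumed to be handled outside this script.

```python
import hashlib
import hmac
import json
import os
import tempfile
from datetime import datetime, timezone


def sha256_file(path, chunk_size=1 << 20):
    """SHA-256 of a file, read in chunks so large exports do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()


def _canonical(body):
    # Deterministic serialisation so the same manifest always authenticates the same way.
    return json.dumps(body, sort_keys=True, separators=(",", ":")).encode()


def build_manifest(paths, collector, key):
    """Record a hash, size and collection metadata for every collected item.

    The manifest is authenticated with an HMAC under the custodian's key, so someone
    who alters an item cannot hide it by editing the recorded hash as well.
    """
    items = [
        {"name": os.path.basename(p), "sha256": sha256_file(p), "size": os.path.getsize(p)}
        for p in sorted(paths)
    ]
    body = {
        "collected_by": collector,
        "collected_at": datetime.now(timezone.utc).isoformat(),
        "items": items,
    }
    return {"body": body, "hmac_sha256": hmac.new(key, _canonical(body), hashlib.sha256).hexdigest()}


def verify_manifest(manifest, directory, key):
    """Re-hash each item and check the manifest's own HMAC.

    Returns {"manifest_intact": bool, "items": {name: "ok" | "modified" | "missing"}}.
    """
    expected = hmac.new(key, _canonical(manifest["body"]), hashlib.sha256).hexdigest()
    intact = hmac.compare_digest(expected, manifest["hmac_sha256"])
    verdicts = {}
    for item in manifest["body"]["items"]:
        path = os.path.join(directory, item["name"])
        if not os.path.exists(path):
            verdicts[item["name"]] = "missing"
        elif sha256_file(path) != item["sha256"]:
            verdicts[item["name"]] = "modified"
        else:
            verdicts[item["name"]] = "ok"
    return {"manifest_intact": intact, "items": verdicts}


def demo():
    """Constructed scenario: two exported e-mails, one altered after collection."""
    key = b"custodian-key-held-offline"  # constructed; a real key comes from the custodian's KMS/HSM
    with tempfile.TemporaryDirectory() as d:
        paths = []
        for name, text in [
            ("msg1.eml", "From: a@example.com\nSubject: invoice\n\nPlease pay.\n"),
            ("msg2.eml", "From: b@example.com\nSubject: meeting\n\nSee you at 10.\n"),
        ]:
            p = os.path.join(d, name)
            with open(p, "w") as f:
                f.write(text)
            paths.append(p)
        manifest = build_manifest(paths, "analyst-01", key)
        at_collection = verify_manifest(manifest, d, key)

        # Someone edits the second message after collection.
        with open(paths[1], "a") as f:
            f.write("P.S. added later\n")
        after_edit = verify_manifest(manifest, d, key)

        # They also rewrite the recorded hash to match; the manifest HMAC now fails instead.
        manifest["body"]["items"][1]["sha256"] = sha256_file(paths[1])
        after_cover_up = verify_manifest(manifest, d, key)
    return at_collection, after_edit, after_cover_up


if __name__ == "__main__":
    for label, result in zip(("at collection", "after edit", "after cover-up"), demo()):
        print(label, result)
```

The HMAC is what makes the manifest worth more than a list of hashes: without it, anyone who can change an item can change the recorded hash too. In practice the manifest is also stored separately from the items and the collection is witnessed, which goes to the first and third s15(3) factors.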


CHAPTER XIII: ECT ACT

'access' includes the actions of a person who, after taking note of any data, becomes aware of the fact that he or she is not authorised to access that data and still continues to access that data.

86 Unauthorised access to, interception of or interference with data

(1) Subject to the Interception and Monitoring Prohibition Act, 1992, (Act 129 of 1992) a person who intentionally accesses or intercepts any data without authority or permission to do so, is guilty of an offence.

(2) A person who intentionally and without authority to do so, interferes with data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective, is guilty of an offence.


(3) A person who unlawfully produces, sells, offers to sell, procures for use, designs, adapts for use, distributes or possesses any device, including a computer program or a component, which is designed primarily to overcome security measures for the protection of data, or performs any of those acts with regard to a password, access code or any other similar kind of data with the intent to unlawfully utilise such item to contravene this section, is guilty of an offence.

(4) A person who utilises any device or computer program mentioned in subsection (3) in order to unlawfully overcome security measures designed to protect such data or access thereto, is guilty of an offence.

(5) A person who commits any act described in this section with the intent to interfere with access to an information system so as to constitute a denial, including a partial denial, of service to legitimate users is guilty of an offence.


87 Computer-related extortion, fraud and forgery

(1) A person who performs or threatens to perform any of the acts described in section 86, for the purpose of obtaining any unlawful proprietary advantage by undertaking to cease or desist from such action, or by undertaking to restore any damage caused as a result of those actions, is guilty of an offence.

(2) A person who performs any of the acts described in section 86 for the purpose of obtaining any unlawful advantage by causing fake data to be produced with the intent that it be considered or acted upon as if it were authentic, is guilty of an offence.


The value of good information governance


• IT is the foundation on which we operate our businesses and information is fast becoming the most valuable asset an organisation has.

• The value of information has also led to businesses focusing more on the information or data they host, process or use than on the technology employed to perform these functions.

• Hence the need for risk management.

• The IT risk environment is influenced by both internal and external factors and measures must be put in place to ensure the protection, confidentiality, availability and authenticity of information, to govern the use of external service providers to host/process data, to regulate the access to company networks from remote locations and, of course, to be sensitive to the threat of cyber attacks such as hacking, identity theft, cyber espionage, denial of service attacks, computer-related fraud and extortion.


Definitions

Information Governance

• King III: … an emerging discipline with an evolving definition.

• Wikipedia: … a set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information on all media in such a way that it supports the organisation's immediate and future regulatory, legal, risk, environmental and operational requirements.

• … an enterprise-wide strategy and framework that establishes the policies, responsibilities and decision-making processes controlling the use of information owned, or accessed by a business. The goal should be to balance risk avoidance, cost reduction and increased business value. Information Governance should also be structured in such a way as to easily adapt to organisational demands and changes in technology, and be flexible enough to provide for new information.


The value of good information governance

• Information governance involves a balanced approach designed to meet the needs of the organisation and all of its stakeholders, including its customers, shareholders and regulators. Furthermore, information governance is one component of an organisation’s wider enterprise information management strategy, which itself should be directly aligned with the overall business strategy. (SAS White Paper http://www.eurim.org.uk/activities/ig/SAS_WhitePaper.pdf)


Implementing a pro-active strategy in your organisation: A hands-on approach to dealing with cybercrime


• Cyber security is just as important as physical security.

• Physical and network security depend on each other: an attacker with physical access to a machine or a network port can usually bypass network-level controls, so the two must be planned together.

• Know and understand your organisation:

• This includes an understanding of the external environment and the threats facing the organisation. It also refers to a thorough understanding of the internal environment and the way the organisation operates – its employees, levels of staff morale, business partners of the organisation, service providers, etc.


• Define security roles and responsibilities:

• Although security should be the concern of everyone within an organisation, ownership of information security should be assigned to specific individuals, coupled with the necessary levels of authority and accountability. To assist with the process it is recommended that security roles and responsibilities be incorporated into job descriptions and that performance in terms of these areas be measured accordingly.

• Ensure that you have proper policies and procedures in place for the use of IT.

• Establish clear processes to enable end-users to report suspected cybercrimes.


• Effective public private partnerships:

• The effective control of cybercrime requires more than just cooperation between public and private security agencies. The role of the communications and IT industries in designing products that are resistant to crime and that facilitate detection and investigation is also of critical importance. To effectively address cyber crime also calls for a less re-active and more pro-active approach to the prevention, detection, investigation and prosecution of these crimes.

• Value of intelligence: Exchange information with law enforcement agencies. Know your opponent and use the information to develop and update security policies. Think like a hacker.


• Stay up to date:

• Maintain awareness of new developments in both technology and services. Use a risk-based approach to determine when it would be necessary to upgrade or adapt current systems and processes to accommodate new developments.

• Continuous auditing and assessment of process:

• It is recommended that a process of continuous auditing be implemented to ensure that the strategy remains aligned to business objectives, adapts to changes in technology or identified threats, and to allow for the analysis of information that is gathered from the different implemented controls.


Practical Guidelines and Tips

• Email is more than messages. It contains personal information, contact lists, sensitive company information, etc. Email policies:

• Do not open suspicious emails.

• Use spam filters.

• Encrypt important files or records.

• Choose complex passwords and change your password regularly. Beware the Post-it problem: password rules that users cannot remember end up written on notes stuck to the monitor.

• Back up regularly.

• Install powerful anti-virus and firewall software and keep it up to date. Apply security patches regularly.
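"Do not open suspicious emails" and "use spam filters" are only actionable if people and filters can recognise the traits that phishing messages share. The following added example, which is not from the original presentation, runs a handful of common indicator checks over a raw e-mail: a Return-Path domain that disagrees with the From domain, a display name claiming a brand that the sender domain does not belong to, link text that shows one host while the href points at another, look-alike domains, and urgency phrasing. The brand list, the two sample messages and the phrase list are constructed for illustration and use reserved domain names; a production filter would add SPF/DKIM/DMARC results, a public-suffix list and reputation data, none of which this script uses.

```python
import email
import email.utils
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed brand list: keyword expected in a display name -> the domain that brand really sends from.
TRUSTED_BRANDS = {"examplebank": "examplebank.co.za"}
URGENCY = re.compile(r"\b(urgent|immediately|suspended|verify your account|within 24 hours)\b", re.I)
LOOKS_LIKE_URL = re.compile(r"(https?://)?[\w.-]+\.[a-z]{2,}(/\S*)?", re.I)


class LinkParser(HTMLParser):
    """Collect (href, visible text) pairs from <a> tags."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def host_of(addr_or_url):
    """Lower-cased host from an e-mail address, a URL, or bare link text such as www.example.com."""
    if "@" in addr_or_url and "://" not in addr_or_url:
        return email.utils.parseaddr(addr_or_url)[1].rsplit("@", 1)[-1].lower()
    url = addr_or_url if "://" in addr_or_url else "http://" + addr_or_url
    return (urlparse(url).hostname or "").lower()


def same_site(a, b):
    """True if one host equals or is a subdomain of the other (crude; no public-suffix list)."""
    return a == b or a.endswith("." + b) or b.endswith("." + a)


def phishing_indicators(raw):
    """Return a list of human-readable findings; an empty list means no indicator fired."""
    msg = email.message_from_string(raw, policy=policy.default)
    findings = []
    from_name, _ = email.utils.parseaddr(str(msg.get("From", "")))
    from_dom = host_of(str(msg.get("From", "")))
    ret_path = msg.get("Return-Path")
    if ret_path and not same_site(host_of(str(ret_path)), from_dom):
        findings.append(f"Return-Path domain {host_of(str(ret_path))} differs from From domain {from_dom}")
    for brand, real in TRUSTED_BRANDS.items():
        if brand in from_name.lower().replace(" ", "") and not same_site(from_dom, real):
            findings.append(f"display name claims {brand} but sender domain is {from_dom}")
    body = msg.get_body(preferencelist=("html", "plain"))
    text = body.get_content() if body else ""
    if body and body.get_content_type() == "text/html":
        parser = LinkParser()
        parser.feed(text)
        for href, visible in parser.links:
            target = host_of(href)
            shown = host_of(visible) if LOOKS_LIKE_URL.fullmatch(visible) else ""
            if shown and not same_site(shown, target):
                findings.append(f"link text shows {shown} but href goes to {target}")
            for real in TRUSTED_BRANDS.values():
                if real.split(".")[0] in target and not same_site(target, real):
                    findings.append(f"look-alike domain {target} imitates {real}")
    if URGENCY.search(re.sub(r"<[^>]+>", " ", text)):
        findings.append("urgency language in body")
    return findings


# Constructed samples; the domains use reserved names and do not exist.
SAMPLE_PHISH = """\
Return-Path: <bounce@mail-relay.example.net>
From: "Example Bank" <alerts@examplebank-secure.example>
To: victim@example.co.za
Subject: Urgent: account suspended
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your account has been suspended. Verify your account
within 24 hours: <a href="http://examplebank-secure.example/login">https://www.examplebank.co.za/</a></p></body></html>
"""

SAMPLE_LEGIT = """\
Return-Path: <bounce@examplebank.co.za>
From: "Example Bank" <alerts@examplebank.co.za>
To: customer@example.co.za
Subject: Your monthly statement
MIME-Version: 1.0
Content-Type: text/html; charset="utf-8"

<html><body><p>Your statement is available at
<a href="https://www.examplebank.co.za/statements">www.examplebank.co.za</a>.</p></body></html>
"""

if __name__ == "__main__":
    for name, sample in (("phish", SAMPLE_PHISH), ("legit", SAMPLE_LEGIT)):
        print(name, phishing_indicators(sample) or ["no indicators"])
```

Each finding on its own is weak (legitimate bulk mail often has a Return-Path on a different domain), so a filter scores them together rather than blocking on any one. The link-text check is the one worth teaching users: hovering over a link to compare the shown address with the real destination catches the sample above without any tooling.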


• Create good habits such as deleting your temporary internet files and cookies. Cached pages and saved session cookies let anyone who gets hold of the machine, or malware running on it, get back into accounts you have recently used without knowing the password.

• Turn off your computer and modem/disconnect from the internet when not in use.

• Know what information you have, where it is stored and who has access to it.

• Be wary of providing personal information via a website you are not familiar with.

• Never allow strange or unfamiliar individuals to use your computer, not even if they say they are from the IT department!


• Educate users:

• Teach IT users how to identify cyber threats and how to respond.

• Share security information with all users of IT in the organisation.

• Read up on the latest ways hackers create phishing scams to gain access to your personal information.


In summary

• Organisations need to realise the true value of information.

• Cyber criminals steal information.

• We can only effectively combat cybercrime if we share information and collaborate.

• Know your opponent.

• Be pro-active and not re-active.

• Implement good information governance principles in your organisation.

• Educate all IT users.

• Protect your information with the same vigour as you protect physical property, brand names, money, etc!


“Success in preventing cyber attacks depends as much on knowing what to look for as it does on rolling out the right security.” (Howard Schmidt, ComputerWeekly.com 27 March 2009)

This publication has been prepared for general guidance on matters of interest only, and does not constitute professional advice. You should not act upon the information contained in this publication without obtaining specific professional advice. No representation or warranty (express or implied) is given as to the accuracy or completeness of the information contained in this publication, and, to the extent permitted by law, PwC, its members, employees and agents do not accept or assume any liability, responsibility or duty of care for any consequences of you or anyone else acting, or refraining to act, in reliance on the information contained in this publication or for any decision based on it.

© 2011 PricewaterhouseCoopers (“PwC”), the South African firm. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers in South Africa, which is a member firm of PricewaterhouseCoopers International Limited (PwCIL), each member firm of which is a separate legal entity and does not act as an agent of PwCIL.