Africa, generally, is to be counted among the lucky lot when it comes to cyber-attacks. You cannot falsify that statement, for most African cyber-attacks leap through the Internet from more attack-prone countries like the U.S. In addition, Africa isn’t that well educated when it comes to hacking, hence most attacks are secondary, with the primary ones being the acts of script kiddies, like defacing websites. However lucky we are, having escaped an attack by a hungry tiger doesn’t mean that you will never die someday. You will, eventually. How I wish most African organizations knew this. The reason for my painful plea is that cyber, to most African organizations, is an alien world with its own occupant species. Dare mention the term ‘cyber-attack’ to a well-groomed, high-profile employee in some organizations; trust me, their imagination goes beyond that of Einstein’s E=mc². Some may be imagining ‘a cybercafé raining down upon them (attacking)’. Truth forever on the scaffold, wrong forever on the throne, yet the scaffold controls thy future. A day ago, I took my time and skimmed through the employee code of conduct of one of Kenya’s high-profile banks. Truth in the nude, not a single rule targeted cyberspace. It is as if I, the customer, am allowed to give the receptionist or the secretary a flash drive so that my documents can be modified or viewed from her computer. If you are my other eye, then you know how dangerous this is.
Cyberspace is like the heavenly space: infinite, yet it continues to expand. Africa, you should worry more. Performing a successful hack into Los Angeles’ Metro subway is, as of now, kind of difficult. What of an African metro subway? It is extremely cheap, easy, and not risky at all. Where are the established laws that will be used against you? Better still, where are the white hat hackers or the cyber security experts that will detect your malicious activities? Very few, indeed. Imagine this kind of a world. The point is, Africa is the gold mine of hackers: only the identity (not even the lives) of the miners is risked, but the product is invaluable. As of now, the tank projectiles (loaded with cyber-attack mechanisms) are facing other continents. When they face the defenceless Africa, I pray for your survival. Never forget the coming, even larger, IoT cyberspace. Africa is voted best for loving ‘cool products’. IoT products will ensnare you like a staged, trapped rat ensnares a foolish snake.
The need for cyber code of ethics
Security starts with you and not your machine. Your organization might have deployed cutting-edge intrusion detection systems, unbreakable public key cryptosystems, and hashing algorithms for information integrity; but still, I would be able to bring down all these by just being me. I would social engineer you into giving up your account credentials, or else I would just need to hack your personally-owned machine. The latter would work since your organization allows you to Bring Your Own Device (BYOD).
The best weapon to beat an enemy is to possess foreknowledge. This is knowledge about a likely future event. Consider ‘dumpster diving’: only if an organization knew that an enemy is likely to search through the organizational trash, collect some info, and use it to hurt the organization in a particular way would the organization have rules governing the nature of documents to be trashed.
Documented and enforced security policies and security awareness programs are the most critical component of any information security program. Good policies and procedures aren’t effective if they aren’t taught and reinforced to employees. The policies need to be communicated to employees to emphasize their importance and then enforced by management. After receiving security awareness training, employees will be committed to supporting the security policies of the organization.
The following are my heartfelt issues that need to be addressed in the cyber security policies.
An organization (or just a department) without a help desk is worth being renamed a ‘disorganization.’ Without a help desk, a hacker could just act confused and then walk up to a high-profile employee, loaded with his attack weapons and ready to deliver a virus. The wise ones would walk straight to their targets, even a manager (‘since he was never directed’, he will use this to his advantage). Help desks also help the organization to have at least a few records about the current ‘activities’ going on. Even if the receptionist at the help desk doesn’t record anything (they ought to), at least they are aware that the manager has a visitor by the name Hack Me. It is also a visitor screening stage, and the receptionist should be able to smell the danger and, at least, sound an alarm.
Reports have it that hackers have pretended to be employees and, in doing so, reported earlier than the real employees in order to perform their malicious activities. A pretend garbage collector or janitor may report earlier and collect or clean out your useless (often useful in some way or the other) trash. What if it were clearly established that an employee must report their arrival, presence, and departure at established stations? Pretenders’ paradise would be doomed.
DoDs and physical accesses
The destruction of paper documents and physical access restrictions are additional areas the security policy should address. In a nutshell, the organization should be keen on identifying the right types of document shredders. This would avoid the disposal of readable sections of documents. What kinds of shredded documents are to be disposed of should also be addressed. Documents relating to key infrastructure, such as server configurations, should be properly shredded. Lastly, who has access to what rooms and sections, and who doesn’t, should be clearly outlined. If the company has deployed radio frequency ID (RFID) tags to be used to access rooms and facilities, then rules should also be outlined that govern their use. Is an employee allowed to offer a fellow employee their tag if the latter misplaces theirs? Are they allowed to hold doors open for fellow employees without tags to pass? Reports have it that this is how hackers obtained physical access to facilities.
Bring Your Own Device (BYOD)
If you bring your WannaCry-vulnerable Windows 8 PC (with its Samba/SMB protocols unpatched) to your office and connect it to the corporate network, which happens to be connected to the Internet, then all of the corporate devices would be vulnerable to the WannaCry ransomware attack. Better still, your computer might have malware (like a virus or Trojan horse), and if it is connected to other devices in the corporate network, office files (digital only, please) might be infected. So what do we do? It should be clear to what extent an employee-owned device may get close to an organization’s devices. The organization should also deploy more than one network: one for the organization alone, maybe an intranet, and another for the employees, maybe the Internet. It should be clear what devices and/or personnel can get access to what network.
If presented, reject, else, stay cautious
Technology has gone so far that I’m able to hide a video inside another video, an executable (.exe) inside another executable, an audio file inside another audio file, video or executable, an executable inside an image, etc. This is basically OK; the only problem is that, on opening or just clicking the visible file, the invisible file may have been programmed to run, sometimes without your knowledge. How unfortunate. So, how can you be sure that the resume Word document presented to you by a self-proclaimed interviewee, so that you can edit it on your desk machine, doesn’t contain a hidden executable? The answer is that you can’t; you can never be sure. The following gadgets should, with immediate effect, be rejected if presented: flash drives, compact disks, and other storage media like hard disk drives (HDDs) and memory cards. These files share the same destiny of rejection: image files, audio, video, and graphics files, whether handed to you through the previously mentioned conventional storage media or sent via file transfer technologies, e.g. Wireless Fidelity (Wi-Fi) hotspots (like flashare), Bluetooth tech, ZigBee, emails, etc.
Just to be sure you keep your human nature, as God prescribes it, you cannot just refuse to help a genuine stranger in need on the pretext that he may be loaded with a virus. As with the Ebola virus, there should be a quarantine for handling the allegedly virus-loaded gadgets and files. I would recommend that the organization have a quarantine centre for any third-party servicing like printing, document editing, and the like. This quarantine zone is, of course, isolated from the corporate network. It should be for validating the security of gadgets and files before they are plugged into a corporate system. Better still, the quarantine staff should be able to handle everything and just forward the documents to the appropriate recipients, if necessary. Security comes at a price, indeed.
The corporate security policy should address how and when accounts are set up and terminated, how often passwords are changed, who can access what information, and how policy violations are to be handled. Also, the policy should spell out help desk procedures for the previous tasks as well as a process for identifying employees—for example, using an employee number or other information to validate a password change.
Above all, employee education is paramount. All employees should be trained on how to keep confidential data safe. Management teams are involved in the creation and implementation of the security policy so that they fully understand it and support it throughout the organization. The company security awareness policy should require all new employees to go through a security orientation. Annual classes should be required to provide refreshers and updated information for employees. Another way to increase involvement is through a monthly newsletter with security awareness articles.
One of the advantages of a strong security policy is that it removes the responsibility of employees to make judgment calls regarding a hacker’s request. These decisions are always a big burden to whoever is to make them. If the requested action is prohibited by the policy, the employee has guidelines for denying it. This is a difficult task simplified, which is at the core of strategy. It would melt my heart to see African organizations implement these recommendations to further their claim as the motherland. The mother ought to be more strategic than the child.