Nigerian organisations have been asked to treat hackers and other perpetrators of cybercrime activities with similar seriousness they will handle fire under their roof.
”Cyber security exploitation hackers are like a fire. The problem is, if we don’t treat cyber security the same way we treat fire prevention, then there is going to be scenarios where we will be caught unaware”, Mr. Muyiwa Olufon, Manager Advisory Services at Ernst & Young (EY) Nigeria, told attendees at the August meeting of the Information Security Society of Africa-Nigeria (ISSAN) held in Lagos
The Ernst & Young Manager told the ISSAN meeting that organisations should henceforth checkmate every would-be cyber-attack with every technical support at their disposal.
“I keep saying it, a cyber-security strategy and incident response plan is as simple as a Google search in most instances, predefined document templates. But the actual interpretation and response becomes an issue in the instance or scenario of a real attack, which is why simulating these scenarios becomes very necessary in preventing future incidents,” Olufon adds.
[quote font=”georgia” font_size=”22″ font_style=”italic” align=”left” arrow=”yes”]“But this is not to talk about doom. It is just to talk about reality. Those that have been breached and know it, and those that have been breached and have no idea. Unfortunately in this part of the world most people have been breached but they actually have no idea. We have conducted forensic reviews for certain organisations and we find them to be oblivious of the fact that they had been breached at one time or the other.”[/quote]The expert says every organisation is prone to hacking activities regardless of defenses they might have put in place, but the important thing is knowing that you have been breached and finding a solution to it.
According to him, “I have always tried to intimate my clients on something: everybody can be hacked regardless of defences that have been put in place. The right motivation, the right resources, the right target and the right end result will make every organization susceptible to a possible exploitation.
“But this is not to talk about doom. It is just to talk about reality. Those that have been breached and know it, and those that have been breached and have no idea. Unfortunately in this part of the world most people have been breached but they actually have no idea. We have conducted forensic reviews for certain organisations and we find them to be oblivious of the fact that they had been breached at one time or the other.”
According to Olufon, there are several reasons why an organization or individual might be a target of malicious act including the stealing of intellectual properties. But the major objective of malicious actors in Nigeria is ”to steal money.”
According to him, “in a scenario where a malicious actor breaks into an email account, he has only one objective to either send a transfer instruction or reset a critical credential just to steal money in this part of the world. Outside the country you have hacktivists seeking for intellectual properties. It happens here but the majority of malicious activity you find in this part of the world is centered on financial gain, which is why security in Nigeria have been focused and geared more towards the financial services organisations”, Olufon added.
The Ernst & Young Manager believes that much improvement has not been seen in terms of cyber security in Nigeria and emphasized the need to always examine the vulnerabilities that are peculiar to Nigeria.
“In 2010, 2011 and 2012, Structured Query Language (SQL), a special-purpose programming language injection was a major issue on certain Internet banking platforms. Unfortunately in 2016, there is still SQL injection issue.”
According to Olufon, “the same vulnerabilities that were found in 2010 are still being found in 2016. Protecting the organisation is not just enough anymore, it is also preparing for a breach. But I think the most important part really is looking at the kind of vulnerabilities in Nigeria within banks, and non-bank organisations, within oil and gas servicing companies.”
Organisations fail to perform a post attack review after a DDOS attack that will still leave such organisations vulnerable to such attack in the future have been seen within most Nigerian firms, he added.
“Over the last one year, there have been quite a number of events. Some of us are victims of the distributed denial-of-service (DDOS) attack that happened not long ago. Now, this was the first time and the question is, why did it take so long? It is because the Internet penetration in Nigeria has really matured, so there is enough bandwidth to launch a DDOS attack,” he said.
[quote font=”georgia” font_size=”22″ font_style=”italic” align=”left” arrow=”yes”]According to Olufon, there are several reasons why an organization or individual might be a target of malicious act including the stealing of intellectual properties. But the major objective of malicious actors in Nigeria is ”to steal money.”[/quote]In Olufon’s opinion, “the response to the DDOS attack was even more surprising as usually most organisations throw money at problems. They bought everything. But that is not the solution to the problem. No matter what you buy, a motivated DDOS attack is still going to take down your platforms, now most of the victims of these DDOS attacks did not perform a post attack review. There is no forensic analysis of critical servers that were affected by this attack.”
Olufon shared some of the things being done today in the cyber security space in Nigeria, which include: Annual VAPT Exercises, Quarterly ASV Scans and Internal VA, PCI-DSS Recommended Solutions (SIEM, DAM, FIM etc), 8×5 passive monitoring and online cyber security awareness training.
In addition to what is being done, he also suggested that the following should be done as well for advanced protection: Vulnerability Management Framework, Threat Intelligence Strategy, Effective Cyber Security Strategy, Continuous Security Monitoring Cyber Security and Threat Awareness –Organisational wide, Advanced Malware Management and Improved Manpower and War Games.