Integrating the prevention of cybercrime into the overall anti-crime strategies of your organisation. Broad overview of the South African law that applies to cyber. Value of information governance and a hands-on approach to the detection and prevention of cyber crime in your organisation.
1. www.pwc.com
Integrating the prevention of cybercrime into the overall anti-crime strategies of your organisation
Africa Cybercrime Security Conference
31 March 2011
Adv Jacqueline Fick
2. Agenda
• Common cybercrimes in South Africa
• Getting to grips with the Electronic Communications and Transactions Act
• The value of information governance
• Implementing a pro-active strategy in your organisation: a hands-on approach to dealing with cybercrime
Integrating the prevention of cyber crime into the overall anti-crime strategies of your organisation March 2011
PwC 2
3. Common cybercrimes in South Africa
• Unauthorised access (s86(1))
• Unauthorised modification of data and various forms of malicious code (s86(2))
• Denial of Service Attacks (s86(5))
• Devices used to gain unauthorised access to data (s86(4))
• Child pornography
• Computer-related fraud
• Copyright infringement
• Industrial espionage
• Piracy
• Online gambling (leave to appeal pending)
• Phishing/identity theft
4. Phishing attacks
RSA Online Fraud Reports show that South Africa does not fall within the top ten countries hosting phishing attacks, but features high on the list of top ten countries by attack volume. For thirteen (13) consecutive months the US, UK and South Africa have been the top three targets for mass phishing.
(RSA Online Fraud Report – March 2011)
[Chart: RSA statistics for February 2011]
5. Getting to grips with the Electronic Communications and Transactions Act, No. 25 of 2002 (ECT Act)
6. The ECT ACT
'data message' means data generated, sent, received or stored by electronic means and includes-
(a) voice, where the voice is used in an automated transaction; and
(b) a stored record;
15 Admissibility and evidential weight of data messages
(1) In any legal proceedings, the rules of evidence must not be applied so as to deny the admissibility of a data message, in evidence-
(a) on the mere grounds that it is constituted by a data message; or
(b) if it is the best evidence that the person adducing it could reasonably be expected to obtain, on the grounds that it is not in its original form.
(2) Information in the form of a data message must be given due evidential weight.
7. The ECT ACT
(3) In assessing the evidential weight of a data message, regard must be had to-
(a) the reliability of the manner in which the data message was generated, stored or communicated;
(b) the reliability of the manner in which the integrity of the data message was maintained;
(c) the manner in which its originator was identified; and
(d) any other relevant factor.
8. CHAPTER XIII: ECT ACT
'access' includes the actions of a person who, after taking note of any data, becomes aware of the fact that he or she is not authorised to access that data and still continues to access that data.
86 Unauthorised access to, interception of or interference with data
(1) Subject to the Interception and Monitoring Prohibition Act, 1992, (Act 129 of 1992) a person who intentionally accesses or intercepts any data without authority or permission to do so, is guilty of an offence.
(2) A person who intentionally and without authority to do so, interferes with data in a way which causes such data to be modified, destroyed or otherwise rendered ineffective, is guilty of an offence.
9. CHAPTER XIII: ECT ACT
(3) A person who unlawfully produces, sells, offers to sell, procures for use, designs, adapts for use, distributes or possesses any device, including a computer program or a component, which is designed primarily to overcome security measures for the protection of data, or performs any of those acts with regard to a password, access code or any other similar kind of data with the intent to unlawfully utilise such item to contravene this section, is guilty of an offence.
(4) A person who utilises any device or computer program mentioned in subsection (3) in order to unlawfully overcome security measures designed to protect such data or access thereto, is guilty of an offence.
(5) A person who commits any act described in this section with the intent to interfere with access to an information system so as to constitute a denial, including a partial denial, of service to legitimate users is guilty of an offence.
10. CHAPTER XIII: ECT ACT
87 Computer-related extortion, fraud and forgery
(1) A person who performs or threatens to perform any of the acts described in section 86, for the purpose of obtaining any unlawful proprietary advantage by undertaking to cease or desist from such action, or by undertaking to restore any damage caused as a result of those actions, is guilty of an offence.
(2) A person who performs any of the acts described in section 86 for the purpose of obtaining any unlawful advantage by causing fake data to be produced with the intent that it be considered or acted upon as if it were authentic, is guilty of an offence.
11. The value of good information governance
12. The value of good information governance
• IT is the foundation on which we operate our businesses, and information is fast becoming the most valuable asset an organisation has.
• The value of information has also led to businesses focusing more on the information or data they host, process or use than on the technology employed to perform these functions.
• Need for risk management.
• The IT risk environment is influenced by both internal and external factors, and measures must be put in place to ensure the protection, confidentiality, availability and authenticity of information; to govern the use of external service providers to host or process data; to regulate access to company networks from remote locations; and, of course, to be sensitive to the threat of cyber attacks such as hacking, identity theft, cyber espionage, denial of service attacks, computer-related fraud and extortion.
13. Definitions
Information Governance
• King III: … an emerging discipline with an evolving definition.
• Wikipedia: … a set of multi-disciplinary structures, policies, procedures, processes and controls implemented to manage information on all media in such a way that it supports the organisation's immediate and future regulatory, legal, risk, environmental and operational requirements.
• … an enterprise-wide strategy and framework that establishes the policies, responsibilities and decision-making processes controlling the use of information owned or accessed by a business. The goal should be to balance risk avoidance, cost reduction and increased business value. Information Governance should also be structured in such a way as to adapt easily to organisational demands and changes in technology, and be flexible enough to provide for new information.
14. The value of good information governance
• Information governance involves a balanced approach designed to meet the needs of the organisation and all of its stakeholders, including its customers, shareholders and regulators. Furthermore, information governance is one component of an organisation's wider enterprise information management strategy, which itself should be directly aligned with the overall business strategy. (SAS White Paper, http://www.eurim.org.uk/activities/ig/SAS_WhitePaper.pdf)
15. Implementing a pro-active strategy in your organisation: A hands-on approach to dealing with cybercrime
16. Implementing a pro-active strategy in your organisation: A hands-on approach to dealing with cybercrime
• Cyber security is just as important as physical security.
• Relationship between physical and network security.
• Know and understand your organisation:
  • This includes an understanding of the external environment and the threats facing the organisation. It also refers to a thorough understanding of the internal environment and the way the organisation operates – its employees, levels of staff morale, business partners of the organisation, service providers, etc.
17. Implementing a pro-active strategy in your organisation: A hands-on approach to dealing with cybercrime
• Define security roles and responsibilities:
  • Although security should be the concern of everyone within an organisation, ownership of information security should be assigned to specific individuals, coupled with the necessary levels of authority and accountability. To assist with the process it is recommended that security roles and responsibilities be incorporated into job descriptions and that performance in these areas be measured accordingly.
• Ensure that you have proper policies and procedures in place for the use of IT.
• Establish clear processes to enable end-users to report suspected cybercrimes.
18. Implementing a pro-active strategy in your organisation: A hands-on approach to dealing with cybercrime
• Effective public-private partnerships:
  • The effective control of cybercrime requires more than just cooperation between public and private security agencies. The role of the communications and IT industries in designing products that are resistant to crime and that facilitate detection and investigation is also of critical importance. Effectively addressing cybercrime also calls for a less re-active and more pro-active approach to the prevention, detection, investigation and prosecution of these crimes.
  • Value of intelligence: Exchange information with law enforcement agencies. Know your opponent and use the information to develop and update security policies. Think like a hacker.
19. Implementing a pro-active strategy in your organisation: A hands-on approach to dealing with cybercrime
• Stay up to date:
  • Maintain awareness of new developments in both technology and services. Use a risk-based approach to determine when it would be necessary to upgrade or adapt current systems and processes to accommodate new developments.
• Continuous auditing and assessment of process:
  • It is recommended that a process of continuous auditing be implemented to ensure that the strategy remains aligned to business objectives, adapts to changes in technology or identified threats, and allows for the analysis of information gathered from the different implemented controls.
20. Practical Guidelines and Tips
• Email is more than messages. It contains personal information, contact lists, sensitive company information, etc. Email policies:
  • Do not open suspicious emails.
  • Use spam filters.
• Encrypt important files or records.
• Choose complex passwords and change your password regularly. The Post-it problem.
• Back up regularly.
• Install powerful anti-virus and firewall software and keep it up to date. Regularly update security patches.
21. Practical Guidelines and Tips
• Create good habits such as deleting your temporary internet files and cookies. This protects against hackers who can access your accounts from where you have been on the internet.
• Turn off your computer and modem, or disconnect from the internet, when not in use.
• Know what information you have, where it is stored and who has access to it.
• Be wary of providing personal information via a website you are not familiar with.
• Never allow strange or unfamiliar individuals to use your computer, not even if they say they are from the IT department!
22. Practical Guidelines and Tips
• Educate users:
  • Teach IT users how to identify cyber threats and how to respond.
  • Share security information with all users of IT in the organisation.
  • Read up on the latest ways hackers create phishing scams to gain access to your personal information.
23. In summary
• Organisations need to realise the true value of information.
• Cyber criminals steal information.
• We can only effectively combat cybercrime if we share information and collaborate.
• Know your opponent.
• Be pro-active and not re-active.
• Implement good information governance principles in your organisation.
• Educate all IT users.
• Protect your information with the same vigour as you protect physical property, brand names, money, etc!