
Security on the Spot Series: (ISC)2

By Staff Writer, ITWeb
Johannesburg, 19 Apr 2013
Simphiwe Mayisela

Simphiwe Mayisela, CISSP, CISM, TOGAF, SCF, founder and president of the (ISC)2 Gauteng Chapter, is an information security manager at Sun International.

What do you see as the single biggest information security risk this year?

The biggest information security risk this year is information: information that leaves the corporate boundaries through mobile devices certainly doesn't come without some degree of risk, and with the proliferation of mobile devices, this risk has become paramount. The survey conducted by Check Point in partnership with ITWeb late last year determined, among other things, the large percentage of corporate-liable and personal devices present in the enterprise, as well as the fact that many enterprises (77.48%) allow personal mobile devices to access information stored in the corporate infrastructure. Along with the proliferation of mobile devices comes the proliferation of cloud-based file sharing services such as Egnyte, iCloud, SugarSync, SkyDrive and Dropbox, allowing employees to share corporate information from any mobile device platform. While these services have the benefit of replacing on-premise file servers and reducing the costs associated with remote virtual private network (VPN) access, they expose organisations to severe information breaches.

What is the one key risk mitigation step enterprises need to take this year?

This year, especially with the enactment of the POPI Bill, enterprises will be required to craft security approaches to mitigate the risks of unauthorised disclosure of personal and/or confidential information, unauthorised access to sensitive corporate applications, or malicious code that steals information from mobile devices. According to research conducted by Kaspersky Lab, the volume of malicious software infecting Android devices grew threefold in the second quarter of 2012, with more than 14 900 malware samples targeting information on mobile devices.

Likewise, this risk mitigation step will need to cater for big data problems. The large amount of digital data (big data) that organisations need to share and process on a daily basis results in organisations not always being able to keep track of where confidential information is situated, and consequently not always being able to protect information that cannot be located and controlled. Information contained in these massive data stores could be detrimental to an enterprise if it leaves the enterprise's control, as some of the information includes personal data and sensitive intellectual property.

What, in your view, was the biggest security breach of the past year?

That prize will definitely have to go to the LinkedIn security breach that took place in June of 2012, where about 6.4 million passwords got stolen. This breach in itself signifies that cloud-based applications and file sharing systems that I have previously mentioned still hinge only on username and password to provide protection for information stored in the cloud.

What is the biggest information security weak spot in the enterprise?

The weakest link in the enterprise security chain is people. The sooner organisations start realising that information security is more a people and process discipline, rather than a technology discipline, the better. To quote Bruce Schneier: "If you think technology can solve your security problems, then you don't understand the problems and you don't understand the technology."

In most organisations, employees still exhibit non-compliant behaviour and tend to use weak passwords and click on phishing links with malicious payloads, allowing arbitrary code to execute on their machines and thereby bringing hackers (through botnets or otherwise) into the corporate network.

In a nutshell, how has cyber crime changed in the past year?


Cyber criminals have expanded their operations to the growing ecosystem of mobile devices and social networks, so much so that the well-known cyber crime toolkits such as "Zeus Banking Trojan" have jumped the bridge to the mobile device space.

What are cyber criminals targeting now, and what will they target in future?

Cyber criminals are now targeting the mobile device platform, and will continue to do so in the foreseeable future. For instance, a new variant of 'botnet' that uses Twitter as the command and control (C&C) entity was reported in the second quarter of 2012. This new 'botnet' (Android/Twikabot.A) requests commands from other attacker-controlled Twitter accounts running on Android OS, instead of connecting to a dedicated C&C Web server, thereby leveraging the resources of other victims. The majority of threats targeting mobile devices are looking at stealing consumer and business information that resides on mobile devices, primarily targeting Android devices due to the openness of the platform and its dominance in the marketplace. The Zeus variant dubbed "Zitmo", which runs on Android phones with the ability to intercept one-time pass codes sent to mobile phones, download authentication credentials and complete the login process to the victim's banking Web site, is another good indication that fraudsters and cyber criminals are tightening their ropes on the mobile and social media platforms.

Simphiwe Mayisela, CISSP, CISM, TOGAF, SCF, founder and president of the (ISC)2 Gauteng Chapter, is an information security manager at Sun International, a leading resort, hotel and casino group in South Africa. He has more than 10 years' experience in security, gained working across various industry verticals, ranging from government and banking to multinational outsourcing and consulting organisations. He holds a Master's degree in Computer Science, specialising in information security, from Rhodes University, SA.

Mayisela will participate in this year's ITWeb Security Summit, taking place from 7 to 9 May 2013 at the Sandton Convention Centre.
