Hack attacks are on the rise. And even if you’re not the immediate target, you could still end up a victim; it’s just a matter of time. This is generally true for big organisations. Targeted hacking is becoming a multibillion-dollar industry, and the more profitable it becomes, the more skilled and talented hackers will join the bandwagon and hack for monetary gain. Another growing concern is hacktivism, i.e. hacking driven by a particular motive: religious, hatred-driven, or a group of people who are unhappy with an organisation or the way it conducts its business at the expense of its customers.
Most, if not all, Zimbabwean blue chip companies underestimate the value of information security. You’d be amazed that most of these organisations’ websites can be hacked by rudimentary methods. Maybe the main reason is that nobody cares about security, or worse, that they just haven’t heard about it.
I am sad to say it, but all organisations in Zimbabwe are still operating on this notion: “Security through obscurity; what we don’t know doesn’t hurt.”
The tides have changed and the playing field is calling for a complete overhaul in the way organisations perceive enterprise information security.
I was saddened to read about the hacking incident that happened at Econet… A real shame. What is wrong with our blue chip companies? If they can be hacked through such basic methods, just how insecure are their other public-facing systems? What image are they sending to customers who entrust them with their information?
As the availability of super-fast, ubiquitous broadband grows in Zimbabwe, and e-commerce starts to become more than just a buzzword, all organisations must without fail understand that the risk of being attacked or hacked also increases. Organisations need to understand what this whole playing field called the Internet is about. Contrary to common use in Zimbabwe (and therefore common perception), the Internet is not limited to Facebook, YouTube and email alone. The Internet is an open playing field full of business benefits, but also full of security risks and threats.
Now back to the hacking incident that happened at Econet. I will not comment on why or the reason it happened, but as a security expert it’s pretty much clear that this was a targeted hacking activity which exploited very poor security controls. To me it felt like the fall of Goliath. He was a giant but didn’t know how to defend himself. I’m not mocking Econet here. This applies to all big organisations in Zimbabwe; they should not only have giant balance sheets but should also implement giant, secure IT infrastructures. I believe this calms the air.
Moving forward, I would recommend that organisations implement at least the following controls in order to mitigate the risk of being hacked or suffering any other type of security breach:
- Put in place formal information security governance structures and invest in security.
- Develop a functional information security programme using repeatable standards such as ISO 27002, SABSA, etc.
- Treat security as a business process and not as a cost.
- Implement a viable Information Security Architecture reference programme.
- Adopt Secure Software Development Lifecycle standards and ensure that all software developed goes through rigorous testing and attestation (SAFECode, OWASP, BSIMM).
- Design and implement secure infrastructure. This applies to web servers, firewalls, routers, switches, IDS/IPS, SIEM, databases, load balancers, web application firewalls, application servers, etc. Also know your trust boundaries.
- Apply security patches regularly.
- Avoid using or adopting insecure code or scripts. Any third-party code should undergo rigorous trust testing.
- Train all IT staff to understand the basics of security risk. This should include all the programmers, sysadmins, business analysts, network chaps and managers.
- Implement security monitoring on all ends of the network; if possible, adopt a Security Information and Event Management (SIEM) system. Without monitoring you will not pick up any suspicious activity on your network.
- Periodically perform vulnerability and threat assessments on your e-commerce and IT infrastructure. If possible, hire external consultants to perform penetration testing. Any weaknesses found during the assessments must be reported to senior management and fixed within a reasonable time frame.
- Form an information security Incident Response and Management Team. This team will act as the point of reference in identifying, managing and responding to security incidents or attacks.
Finally, it’s now up to the organisations and IT professionals in Zimbabwe to adopt the step-by-step basics of security and start acting and thinking outside the box, especially when it comes to protecting critical information assets. In other countries it is a costly thing to get hacked, because the organisation will lose its reputation or share value. So I hope our local blue chips will improve and get prepared, because sooner or later the standards and regulations governing internet security, such as PCI DSS and others, will catch up with Zim.