About ICT systems security and the recent ZSE website hacking

By Francis Kaitano

The past few weeks have seen news like the following hit the internet and traditional media platforms alike:

“Our current assessment is that this is a result of a malicious attack by outside hacking.” Charles Li, chief executive of Hong Kong Exchanges & Clearing

“Details of the ZSE hacking. It happened twice and it was through Joomla”, Techzim

“Hackers attacked the Zimbabwe stock exchange website on Friday, forcing a shutdown of the site and hampering traders monitoring performance on the 79-company bourse.” Bangkok Post

In the past few years we have seen major developments in the availability and growth of high speed internet services in Zimbabwe. Such developments are a characteristic of the modern information and global economic age. At the same time they have led to the massive development and production of all kinds of software (web apps, mobile apps, etc.) to support and enable organisations to carry out business over the internet.

Even though a lot of effort goes into designing, developing and deploying such software, there is little done to make it secure. And this is a fatal mistake.

In the past weeks, our own Zimbabwe Stock Exchange (ZSE) was hacked, mainly due to a lack of software security and a failure to enforce third party/service provider security assurance practices. Other examples include the breaches of Econet’s and the Parliament of Zimbabwe’s sites several months ago. All of the aforementioned are big organisations which we would expect to have implemented robust security principles.

Independent security consultant James Arlen says that banks and financial services organisations are ignoring the threat of attacks on the systems they use to conduct high frequency trading – sometimes referred to as “algorithmic trading.” The absence of both security and oversight of security for the trading systems could pose a systemic risk to the U.S. – and global financial system, Arlen warns.

Statistics already show that the software application layer is where most hackers are accessing critical data. As far as is apparent at the moment, this is the case in Zimbabwe’s ZSE website.

In a report released by the European information technology analysis group Quocirca, all of the organisations that admitted to being frequently hacked outsource at least some of their coding, with 90 per cent outsourcing more than 40 per cent of it!

The Blame Game

Who do we blame when insecure software is breached or exploited? The developers, or management (represented by either the CIO or the IT Manager)? Security is only as strong as its weakest link, and that link is the humans. As humans we thrive on blaming each other. However, organisations should stop the blame game and accept the fact that “Information Security is everyone’s responsibility.” Security should be treated as a responsibility of all stakeholders involved in the development life cycle.

Therefore, the ZSE, Econet and other Zimbabwean organisations including other software industry experts should stop the blame game and adopt security principles that include all the stakeholders and clearly outline their roles and responsibilities across the SDLC.

Don’t underestimate the value of Secure Development Practices

I wrote an article on Techzim on secure software development some time back which outlined some of the most critical things to consider in developing and implementing secure software. I also think that our local developers should understand the current threat landscape. There is a sharp increase in Advanced Persistent Threats (APT) and attacks currently going on across the world.

These attacks are sophisticated and well calculated, making it very hard for an organisation to protect itself against them. However, the attack surface grows when no form of security is implemented at all, which is exactly what happens when Zimbabwean organisations deploy insecure applications on the internet. Hence Zimbabwean organisations should invest in training and equipping their developers with the appropriate knowledge and skills. Without the appropriate training, developers are bound to make avoidable mistakes such as deploying applications vulnerable to SQL injection or XSS attacks, or apps with default settings, hardcoded passwords, etc.
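The two coding mistakes named above, SQL injection and XSS, are easiest to recognise side by side with their fixes. The following is an added example written for this article, not code from the ZSE site or from any of the organisations mentioned; the in-memory SQLite "listings" table and the sample inputs are constructed for the demonstration.

```python
"""Added example: a vulnerable database lookup and HTML renderer beside
their hardened forms. Uses an in-memory SQLite database with constructed
sample rows; nothing here is taken from any real application."""
import html
import sqlite3


def make_db() -> sqlite3.Connection:
    """Constructed sample data: a tiny listings table for a bourse website."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE listings (symbol TEXT, company TEXT, price REAL)")
    conn.executemany(
        "INSERT INTO listings VALUES (?, ?, ?)",
        [("ABC", "Alpha Breweries", 1.25), ("XYZ", "Xylo Mining", 0.40)],
    )
    return conn


def lookup_vulnerable(conn: sqlite3.Connection, symbol: str) -> list:
    # Defect (SQL injection): the user's text is pasted into the SQL
    # statement, so the input can change the meaning of the query.
    sql = f"SELECT symbol, company, price FROM listings WHERE symbol = '{symbol}'"
    return conn.execute(sql).fetchall()


def lookup_fixed(conn: sqlite3.Connection, symbol: str) -> list:
    # Fix: a bound parameter. The driver passes the value separately from
    # the statement text, so it is only ever compared, never parsed as SQL.
    sql = "SELECT symbol, company, price FROM listings WHERE symbol = ?"
    return conn.execute(sql, (symbol,)).fetchall()


def render_vulnerable(company: str) -> str:
    # Defect (XSS): untrusted text is placed straight into the HTML output.
    return f"<h1>{company}</h1>"


def render_fixed(company: str) -> str:
    # Fix: encode for the HTML context before output, so markup characters
    # in the input are shown as text rather than interpreted by the browser.
    return f"<h1>{html.escape(company)}</h1>"


def demo() -> dict:
    """Run both pairs on constructed inputs and return what each produced."""
    conn = make_db()
    # Constructed input: a quote that turns the WHERE clause into a tautology.
    crafted_symbol = "' OR '1'='1"
    # Constructed input: a script tag in what should be a company name.
    crafted_name = "<script>alert(1)</script>"
    return {
        "vulnerable_rows": len(lookup_vulnerable(conn, crafted_symbol)),  # every row
        "fixed_rows": len(lookup_fixed(conn, crafted_symbol)),            # no rows
        "vulnerable_html": render_vulnerable(crafted_name),
        "fixed_html": render_fixed(crafted_name),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The point of the pairing is that neither fix requires a security library: parameterised queries and context-aware output encoding are features of every mainstream web stack, and a developer who has been trained to use them by default closes both of these classes of bug.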

At the same time organisations need to tighten their policies when working with third party software developers. Ensure that the service providers understand your security policies and requirements for software development. All third party developed software should be rigorously tested and should never be deployed into production if it does not meet your security baselines. Never cut corners when it comes to outsourcing, else you will pay the cost.

It’s time also for Zimbabwean organisations to adopt some of the following secure software development principles:

  • Build an application security program (policies, standards and procedures)
  • Software architecture risk/threat modelling
  • Defence in depth (secure and monitor all layers or zones where your application will exist)
  • Software security certification and accreditation, especially for third party developed software
  • Security testing (pen testing and vulnerability management)
  • Foster effective project management processes in the SDLC
  • Incident identification and response (develop applications with the ability to detect breaches quickly)
  • Implement encryption in applications that handle critical data
  • Etc.
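The incident identification item in the list above is the one most often left as an afterthought. As an added illustration (not the article's own code, and not taken from any of the sites mentioned), here is a small detection routine of the kind an application should ship with: it reads login events from its own log, counts failed logins per source address inside a sliding time window, and raises an alert when one address crosses a threshold. The log line format, the addresses and the timestamps are all constructed for this example.

```python
"""Added example: brute-force login detection over constructed application
log lines. The log format below is an assumption made for this example."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample log; the format is an assumption for this example only.
SAMPLE_LOG = """\
2001-01-01T09:00:01 INFO  login ok     user=editor  src=10.0.0.5
2001-01-01T09:00:04 WARN  login failed user=admin   src=203.0.113.7
2001-01-01T09:00:05 WARN  login failed user=admin   src=203.0.113.7
2001-01-01T09:00:06 WARN  login failed user=admin   src=203.0.113.7
2001-01-01T09:00:07 WARN  login failed user=admin   src=203.0.113.7
2001-01-01T09:00:09 WARN  login failed user=admin   src=203.0.113.7
2001-01-01T09:00:40 WARN  login failed user=editor  src=10.0.0.5
2001-01-01T09:12:10 WARN  login failed user=admin   src=203.0.113.7
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+\w+\s+login (?P<result>ok|failed)"
    r"\s+user=(?P<user>\S+)\s+src=(?P<src>\S+)$"
)


def parse_line(line: str):
    """Return a dict for a recognised login event, or None for any other line."""
    match = LINE_RE.match(line)
    if not match:
        return None
    return {
        "ts": datetime.fromisoformat(match.group("ts")),
        "result": match.group("result"),
        "user": match.group("user"),
        "src": match.group("src"),
    }


def find_bruteforce(log_text: str, threshold: int = 5,
                    window: timedelta = timedelta(seconds=60)) -> list:
    """Alert once per source address whose failed logins reach `threshold`
    within `window`. Returns (src, time of alert, failures in window) tuples."""
    recent = defaultdict(deque)   # src -> timestamps of recent failures
    flagged = set()
    alerts = []
    for line in log_text.splitlines():
        event = parse_line(line)
        if event is None or event["result"] != "failed":
            continue
        queue = recent[event["src"]]
        queue.append(event["ts"])
        # Drop failures that have fallen outside the sliding window.
        while queue and event["ts"] - queue[0] > window:
            queue.popleft()
        if len(queue) >= threshold and event["src"] not in flagged:
            flagged.add(event["src"])
            alerts.append((event["src"], event["ts"], len(queue)))
    return alerts


if __name__ == "__main__":
    for src, when, count in find_bruteforce(SAMPLE_LOG):
        print(f"ALERT {when.isoformat()} {src}: {count} failed logins in 60s")
```

Running it on the sample flags 203.0.113.7 at the fifth failure within a minute; the single failed login from 10.0.0.5 and the isolated failure twelve minutes later do not trip the threshold. In a real deployment the alert would go to whoever owns incident response, and the threshold and window would be tuned to the site's normal traffic.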

Finally, organisations should note that the cost of building and fostering security into the development life cycle is lower than the cost of being breached or hacked and remedying the effects of the breach. Globally, organisations whose ICT systems have been breached or hacked have lost millions, and some billions, of dollars in revenue, with the added effect of losing their reputation.


3 comments

  1. Anonymous

    Well said Kaitano. In addition, our organisations need to adopt internationally recognised standards like ITIL when they are deploying their corporate needs. This should give them operational guidelines.

  2. Robasta

    A popular CMS in the wrong hands == Disaster!!! The easiest hack is the default password. The webmaster (or whoever) using Joomla/Drupal/DDN/WordPress etc. should understand that hackers/devs out there have the source code, default settings, everything, so it’s easy to hack their site.

    You need to go the extra mile to ensure you remove/modify the default settings, and also subscribe to the CMS developer’s Twitter/site/Fb feed so that when they release a patch, you apply it.
