Dr Frederick Wamala - BarCampAfricaUK 09 FINAL

  • 8/8/2019 Dr Frederick Wamala - BarCampAfricaUK 09 FINAL

    Dr. Frederick Wamala (Ph.D.), CISSP

    Securing Africa's speedy Internet for development

    07 November 2009

    One for the Lawyers

    Opinions expressed here do not reflect those of any past, present, or future employers.

    All trademarks are the properties of their respective owners.

    Source: Charlie Kaufman, IETF

    Agenda

    We never imagined it this good.

    The Cables

    Impact on Internet Access

    Potential benefits

    Hackers and espionage paradise?

    Information Assurance

    Discussion

    We never imagined it this good

    "As African Internet service providers connect to Seacom, how can we size up what this really means? For me, this is easy. Thirteen years ago we had our fantasies about what the Internet and telecoms paradise in East Africa would look like. We never imagined that it would be this good, that we would turn potential into reality in such a big way so fast,"

    Adam Messer, Telecom Advisor, Tanzania/Germany

    The East African Newspaper, 03 August 2009

    The Cables!

    Source: Steve Song

    Coverage of the cables

                 Seacom     EASSy      TEAMs             WACS      MainOne    GLO-1     ACE
    Length (km)  13,700     10,000     4,500             14,000    7,000      9,500     14,000
    Capacity     1.28Tb/s   1.4Tb/s    120Gb/s 1.28Tb/s  3.84Tb/s  1.92Tb/s   640Gb/s?  1.92Tb/s
    Completion   July 2009  June 2010  Sept 2009         Q2 2011   June 2010  Nov 2009  2011

    Source: Steve Song

    * EASSy - Eastern African Submarine Cable System
    * TEAMS - The East African Marine System
    * WACS - West African Cable System
    * ACE - Africa Coast to Europe

    Impact of new connectivity

    Stanford University Project:

    Cables to reduce the cost of bandwidth per Mbps;

    Cut Round Trip Times (RTT) from >~480 ms for a geostationary satellite to 200-350 ms by using shorter distance terrestrial routes;

    Increase in capacity reduces congestion. Thus, more stable RTT and reduced packet loss;

    Example, Uganda (August 09): RTT on Starcom link to Italy reduced from 600 ms to 200 ms.

    Potential Benefits

    Cheaper and more reliable connectivity

    Data Entry Services;

    Business Process Outsourcing;

    Call Centre Services and business support;

    Data warehousing;

    Storage Area Networks; and

    Software Development

    A hacker's Paradise?

    ANC Website hacked July 2009

    Points to note: ANC attack

    Vendor designed and managed website;

    Custom built web-application;

    The Web Infrastructure not patched;

    No incident management process;

    System owners unaware - ANC Spokesperson, Brian Sokutu said that he would look into the matter, but could not do anything until Monday.

    Embarrassing: ANC site linked to sleazy sites!

    North Africa attacks: 2007-2009

    Political websites hacked

    Notes: North Africa attacks

    Hacking of political opposition websites in North African countries: Tunisia, Libya and Mauritania;

    Opposition and dissident websites defaced;

    Who is behind these attacks?

    As Carl Philipp Gottlieb von Clausewitz opined, is there a reason not to say that this CyberWar is a continuation of politics by other means?

    Ministry of Defence Uganda: 2009

    Notes: Ministry of Defence Uganda

    Ayyildiz Team hackers defaced the Ministry of Defence website with pro-Palestinian messages;

    No incident detection process - apparently site defaced for weeks without anybody noticing;

    Web design company asked to remove offending messages but did not respond for about a week;

    Foreign Affairs had to make clear the posts did not represent the views of [Uganda] government;

    Were other systems hacked during this attack?

    Foreign Affairs Uganda: 2008

    Notes: Foreign Affairs Uganda

    Ministry charged with promoting Uganda's image abroad - encourage investors, tourism etc;

    Site vital tool despite typos e.g. "investiment";

    Website a risk (zombie), thus Google blacklisted it;

    No incident detection process as Ministry was unaware of the Google blacklisting;

    Vendor did not fix problem in time; and

    No evaluation of information loss or whether other systems were affected by the incident.

    From President to Cartoon: 2004

    Notes: Zambian Attack

    Young hacker broke into State House website and replaced the picture of then president Frederick Chiluba with a cartoon;

    Web server likely poorly configured;

    Hacker arrested and charged with defaming the Head of State but the case dropped as there was no law to deal with cyber crimes;

    Zambia's parliament unanimously passed a tough law to curb cyber crime with convicted computer hackers jailed for between 15 to 25 years.

    Espionage/hacking in action

    A global paradise for hackers/spies

    Tracking GhostNet (29 March 2009):

    Documented evidence of a cyber espionage network GhostNet infecting at least 1,295 computers in 103 countries, of which close to 30% can be considered as high value diplomatic, political, economic and military targets.

    A covert, difficult-to-detect and elaborate cyber espionage system capable of taking full control of affected systems.

    GhostNet ...

    The GhostNet Trojan is capable of taking full control of infected computers, including searching and downloading specific files, and covertly operating attached devices, including microphones and web cameras. Once compromised, files located on infected computers may be mined for contact information and used to spread malware.

    Notes about GhostNet

    GhostNet uses low key surveillance to get data;

    Trojan spread in seemingly genuine e-mail messages and attachments;

    Limited user awareness of cyber vulnerabilities;

    Indeed, many users barely computer literate;

    Users do not adhere to even basic security rules;

    No vulnerability management or patching policies;

    Besides, patching difficult on pirated software.

    Lessons from hacked Africa sites

    Confidentiality, Integrity and Availability affected;

    Websites largely run by Third Party companies;

    Security not in Service Contracts/No penalties;

    Websites not patched or poorly configured;

    Incident Management processes not defined;

    No business continuity and recovery plans;

    Real Impact e.g. Diplomatic incident with Israel;

    No evidence breach investigated/lessons learned.

    Information Assurance (IA) Value and Process

    What is Information Assurance (IA)?

    The solution to the issues is IA. It is defined as:

    The confidence that Information Systems will protect the information they handle and will function as they need to, when they need to, under control of legitimate users.

    Or: The confidence that risks to information systems are being properly managed.

    - HMG Information Assurance Standard No. 2

    Why is IA vital for Africa?

    Without IA, Africa's newly acquired fast Internet links will fail to spur development because:

    Confidentiality - Limited confidence that access to data is restricted to authorised parties only;

    Integrity - Low trust in the accuracy, completeness and hence reliability of information;

    Availability - Limited confidence that information, systems or physical assets will be available to authorised users in a timely manner if required.

    Thus, with EU, SEC, FSA etc rules, no IA means limited outsourcing business from the West.

    Lack of IA institutional memory.

    Silicon Valley - A product of work in the fields of radio, television and military electronics;

    Generous funding from an assured client - DoD;

    Companies and universities had to follow DoD rules;

    CESG is the UK Technical Authority for IA;

    Africa - Computing business/private sector driven;

    IA a nuisance in face of poor infrastructure/profit;

    Governments relying on private firms to supply IT. Thus, inheriting a similar/reactive security view.

    IA Institutional Infrastructure

    National Security Strategy - recognising the critical role of IT in economic and military security;

    Cyber Security Strategy;

    Laws of Evidence - Legal admissibility and evidential weight for electronic information;

    Risk Management - Identify Critical National IT infrastructure and protect it accordingly

    Information Assurance controls

    Procedural Controls

        Incident Management - detect, analyse and resolve

        Backup and disaster recovery - fallback position

        Audit and Monitoring - help detect and analyse

    Personnel Controls

        Managing Third Party staff i.e. Enemy in the Gate!!

        Security Vetting and Clearance regime - Who are they?

        User Education and Awareness training - Best defence

    IA controls

    Physical Controls

        Site security - Control access to computer facilities

        Backup storage to facilitate recovery from disasters.

    Technical Controls

        Robust infrastructure - is your network bugged?

        Adoption of security principles e.g. zoning

        Service minimisation - turn off services by default!

    Focus on security house keeping

    As GhostNet shows, educate your users!

    Stop poor security practices e.g. ban use of Hotmail etc for government or corporate communication;

    Insist on validated network equipment even if it is more expensive at the start - cheaper long term;

    Note: Authorised insiders, not hackers, pose the greatest threat to your IT systems;

    Stringently vet vendor staff - no spies may apply.

    Make security breaches costly!

    US - ChoicePoint fined $15m for failing to protect customer information; losing it to criminals;

    UK - HSBC Bank fined over £3m for not having adequate controls to protect customers' data;

    UK - PA Consulting's £1.5m contract cancelled for losing memory stick with 84,000 prisoner records;

    UK - Nationwide fined £1m over theft of employee laptop containing sensitive customer data.

    Dr. Frederick Wamala (Ph.D.), CISSP

    Cybersecurity Specialist, UK

    London, United Kingdom