Post-millennium bug era (Early 2000 – 2006), Cyber-Security had just become a relatively new concept, but had come to stay. Infact, there was only a handful of experts speaking on Security issues as at then. Today, we now hear of topics like Advanced Persistent Threats (APT), a term that was first coined by the United States Airforce. The US Airforce had used the word in 2006 to describe specific types of adversaries, exploits, and targets used for explicit strategic intelligence gathering goals. APT, however is no longer a term whose effects are limited to the US Airforce, neither does it connote attacks only emanating from China (considering the fact that our world is now a global village).
Recently, a South African news media outfit: fin24 reported a research carried out by IBM (read here). This report indicated that one billion pieces of personal data was lost in SA in 2014, leading to a cost of R432 256 000. But cyber thieves have escalated their activities in 2015, already costing local businesses R465 412 000, or an increase of 7.67%.
Considering the fact that 2015 has not ended yet, this statistic clearly indicates that the enemies are not just good at what they do, but, they keep getting better. From a security research perspective, it again further validates two common incorrect bias displayed by most security leaders, even in most organizations:
- That Host Behavior Baselines that look for scans on the network or invalid TCP flag patterns is sufficient to catch an Advanced Persistent Threat
- That Packet Signature systems that watch for bit patterns usually is an effective panacea at detecting an APT
One of the greatest challenges we see is that the most dangerous security holes in corporate IT infrastructure isn’t based on worms or viruses, it usually not also based on known vulnerabilities in application servers, but rather on vulnerabilities in the applications themselves (e.g. SAP/Oracle) either as a result of the way the application came from the OEM or resulting from the way the application was configured and/or implemented to suit the final end customer. One can only agree that once a vulnerability is exposed/published, it is an opportunity for the “bad guys” to plan a definite attack. As long as there is a successful attack on a subject company, it will only be re-used again and again until it is fixed.
South Africa like most African countries (Nigeria, Kenya, Zimbabwe, Angola) have become the next frontier for businesses (with a projection of having a larger workforce than china by 2040). With African businesses deploying applications like SAP and Oracle to help automate and introduce best practice into their business process challenges, A huge number continue to operate in strong denial of the potential Cyber-attacks that could go on via these business critical applications. Simply put, businesses exhibit and follow a trend of not adopting a layeres approach in their security initiative; refusing to embrace a “wholistic” culture on Cyber Risk. Infact, some only perform vulnerability assessments to fulfill the compliance “rituals” either because they do not have the necessary skill, tool and knowledge to do so or perhaps they just do not care enough.
Note that this staggering sum (almost 470 million ZAR) may perhaps increase on an upward trajectory to about 10.2% before the end of 2015.
Until organizations take a proactive approach to inculcate a framework and deploy tools that help combat APT on the business critical application space (SAP and/or Oracle), the attack surface will only continue to remain on the high, leaving most organizations with the possible risk and eventuality of successful security hacks/attacks which only further causes more damage to stakeholder value and at large: the economy of Africa at large.
It must also be noted however that there is absolutely no proven single technique to detecting APTs. A mix of Layered Security approach and defense-in-depth approach may be the best defense options.
In order to know more about protecting your Business Critical Application (SAP/Oracle) in Africa, be sure to write to us on firstname.lastname@example.org