cyber crime 101

Cyber Crime 101: The Impact of Cyber Crime on Higher Education in South Africa

Higher Education Conference 2011, 5 September 2011

Adv Jacqueline Fick

www.pwc.com

Agenda

Meet Jack le Hack

Cyber crime defined

The online entrepreneur

How to protect data

Implementing a pro-active strategy in your organisation

Practical guidelines and tips

Closing remarks

Meet Jack le Hack

Third year student: University of Cyberfucious

Putting knowledge into practice

It is Monday afternoon after a rough weekend for Jack. He is sure he failed the test he wrote that morning, as the beers he consumed made him suffer from memory loss and he forgot to study. His finances are also shot, as he had to sponsor some of his friends for their social activities. To boot, his professor also made some comments about the quality of his work which Jack felt were not appropriate. Jack also assists with some classes for first-year students and realises that he still has to prepare a lecture for the next day.

He goes to the office that was assigned to him. He shares the office with one of the admin clerks of the faculty. When he walks past her desk, he notices that she did not log off her computer. Jack decides that it is time to put his master plan into action...

Jack has a fair knowledge of computers and has long since been toying with the idea of putting this knowledge to good use.

Firstly, he uses the admin clerk’s mailbox to send the offending professor a message, stating that his day will come and that he knows where he lives and has intimate knowledge of the professor’s family. He also states that a bomb will go off within the next week in the professor’s classroom.

Secondly, he logs into the shared folders of the faculty where he knows the results of the test he wrote are kept. Jack decides that he certainly deserves a better mark than he received that morning.

When studying the test results, he sees that he was not the only one that failed. Jack realises that this could present an opportunity to deal with his financial difficulties. He phones some of the other students and offers a deal to them to change their marks for a small donation.

A few days pass and Jack’s business kicks off beyond his own expectations. He is also approached by students who have financial difficulties and cannot pay their class fees. With a little research and questions posed in chat rooms, he acquires the necessary information to hack into the financial system of the university. He installs a key logger on the computer of one of the financial clerks and so gains access to his password. He once again accesses the system from the admin clerk’s computer.

Jack is so impressed with his own efforts that he posts this information on Facebook and Twitter and also uses Skype to tell his friends in the UK about his endeavours. Because his data bundle expired, he posts this information from a computer connected to the university network and also installs Skype on the computer. He does, however, remove Skype from the computer later.

Life is good for our Jack le Hack.

Cyber crime defined

• Move in South African law to the use of the term cyber crime, which is wide enough to encompass all illegal activities in respect of computers, information networks and cyberspace.

• Most important legislation is the Electronic Communications and Transactions Act 25 of 2002.

• 'access' includes the actions of a person who, after taking note of any data, becomes aware of the fact that he or she is not authorised to access that data and still continues to access that data.

• 'data message' means data generated, sent, received or stored by electronic means and includes-

(a) voice, where the voice is used in an automated transaction; and

(b) a stored record;

Common types of cyber crime

• Unauthorised access (s86(1))

• Unauthorised modification of data and various forms of malicious code (s86(2))

• Denial of Service Attacks (s86(5))

• Devices used to gain unauthorised access to data (s86(4))

• Child pornography, cyber obscenity and cyber stalking

• Computer-related fraud

• Copyright infringement

• Industrial espionage

• Piracy

• Online gambling

• For 15 consecutive months South Africa has been amongst the top three target countries in the world for mass phishing attacks.

• Identity theft remains the most common type of cyber crime in South Africa.

• “Identity theft is a serious crime. It occurs when your personal information (name, social security number, date of birth, credit card number, or bank account number) is stolen and used without your knowledge to commit fraud or other crimes. Identity theft can cost you time and money. It can destroy your credit and ruin your good name.” (USA Federal Trade Commission)

The online entrepreneur

Possible cyber crimes identified from Jack le Hack

• Unauthorised access to data

• Unauthorised modification of data

• Computer-related fraud

• False bomb threat, intimidation

• Using a device to gain unauthorised access to data

• Furthermore:

- Exposing network to vulnerabilities – chat rooms, Skype.

- Reputational risk to university and publicity about what Jack had done.

- Possible loss of investors.

How to protect your data

• Protecting data starts with each user of a computer on your campus and is not only related to the functions and responsibilities of the IT department.

• Your responsibilities include:

- Protecting the university property stored on your computer, including information about staff, faculty, students, and alumni.

- Accessing only that information which you are authorised to access in the course of your duties. Your ability to access other information does not imply any right to view, change, or share information.

- Not establishing access privileges for yourself or others outside of formal approval processes.

- Adhering to procedures and business rules governing access and changes to the data for which you are a custodian.

- Expect all stewards and custodians of administrative data to manage, access, and utilise this data in a manner that is consistent with the need for security and confidentiality.

• Correlation between physical and network security.

(Computer Security at Cornell: Secure your Computer on and off Campus 2009 (http://www.cit.cornell.edu))

Implementing a pro-active strategy in your organisation

• Cyber security is just as important as physical security.

• Relationship between physical and network security.

• Know and understand your organisation:

• This includes an understanding of the external environment and the threats facing the organisation. It also refers to a thorough understanding of the internal environment and the way the organisation operates – its employees, levels of staff morale, business partners of the organisation, service providers, etc.

• Define security roles and responsibilities:

• Although security should be the concern of everyone within an organisation, ownership of information security should be assigned to specific individuals, coupled with the necessary levels of authority and accountability. To assist with the process, it is recommended that security roles and responsibilities be incorporated into job descriptions and that performance in terms of these areas be measured accordingly.

• Ensure that you have proper policies and procedures in place for the use of IT.

• Establish clear processes to enable end-users to report suspected cyber crimes.

• Effective public private partnerships.

• Value of intelligence: Exchange information with law enforcement agencies and other organisations. Know your opponent and use the information to develop and update security policies. Think like a hacker.

• Stay up to date:

• Maintain awareness of new developments in both technology and services. Use a risk-based approach to determine when it would be necessary to upgrade or adapt current systems and processes to accommodate new developments.

• Continuous auditing and assessment of process:

• It is recommended that a process of continuous auditing be implemented to ensure that the strategy remains aligned to business objectives, adapts to changes in technology or identified threats, and to allow for the analysis of information that is gathered from the different implemented controls.

Practical guidelines and tips

“The vast majority of computer breaches that we have investigated over the past few years have been the result of poor personal choices, weak computer practices, and less-than-satisfactory data-handling procedures.”

Steve Shuster, director of IT Security at Cornell

• Email is more than messages. It contains personal information, contact lists, sensitive company information, etc. Email policies:

• Do not open suspicious emails.

• Use spam filters.

• Encrypt important files or records.

• Choose complex passwords and change your password regularly. The Post-it problem.

• Back up regularly.

• Install powerful anti-virus and firewall software and keep it up to date. Regularly update security patches.

• Create good habits such as deleting your temporary internet files and cookies. This protects against hackers who can access your accounts from where you have been on the internet.

• Turn off your computer and modem/disconnect from the internet when not in use.

• Know what information you have, where it is stored and who has access thereto.

• Be wary of providing personal information via a website you are not familiar with.

• Never allow strange or unfamiliar individuals to use your computer, not even if they say they are from the IT department!

• Where practicable, do not grant administrative or root/super user privileges to end-users.

• Educate users:

• Teach IT users how to identify cyber threats and how to respond.

• Share security information with all users of IT in the organisation.

• Read up on the latest ways hackers create phishing scams to gain access to your personal information.

• Campus executives and data stewards should know:

- What/where is my data?

- How sensitive is it?

- Who is responsible for it?

- Who has access to it?

- Do I need to keep it?

- What if it gets into the wrong hands?

Closing remarks

• Need to realise the true value of information.

• Cyber criminals steal INFORMATION.

• We can only effectively combat cyber crime if we share information and collaborate.

• Know your opponent.

• Be pro-active and not re-active.

• Implement good information governance principles in your organisation.

• Educate all IT users.

• Protect your information with the same vigour as you protect physical property, brand names, money, etc!

“It takes more than anti-virus software to safeguard your computing resources and data. It takes you. Taking steps to secure your computer not only helps keep your data safe, it demonstrates your commitment to protecting the university network and all data created, stored, and shared over the network by the campus community.”

© 2011 PricewaterhouseCoopers (“PwC”), the South African firm. All rights reserved. In this document, “PwC” refers to PricewaterhouseCoopers in South Africa, which is a member firm of PricewaterhouseCoopers International Limited (PwCIL), each member firm of which is a separate legal entity and does not act as an agent of PwCIL.