Demystifying Africa’s Cyber Security Poverty Line

The Africa Cyber Immersion Centre is a state-of-the-art research, innovation and training facility that seeks to address Africa’s ongoing and long-term future needs through unique education, training, research, and practical applications.

For more information contact Serianu Limited: [email protected] http://www.serianu.com

Content

• Editor’s Note and Acknowledgement: We are excited to finally publish the 5th edition of Africa Cyber Security Report 2017.
• Foreword: The global cyber security landscape is evolving and becoming quite complex.
• Executive Summary: The global landscape of cyber threats is quickly changing.
• Top Trends: We analysed incidents that occurred in 2017 and compiled a list of top trends that had a huge impact on the economic and social well-being of organisations and African citizens.
• Top Priorities for 2018: We have highlighted key priorities for 2018.
• Cyber Intelligence Statistics, Analysis, & Trends: We have monitored organisations’ network for malware and cyber threat attacks such as brute-force attacks against the organisation’s servers.
• 2017 Africa Cyber Security Survey: This survey identifies current and future Cyber security needs within organisations and the most prominent threats that they face.
• Cost of Cyber Crime: We estimate that cyber-attacks cost Africa businesses around $1.048 trillion a year.
• Sector Ranking in 2017: Cyber security is no longer a concern for the financial & banking sectors only.
• Home Security: It is in our own best interests to make sure everyone – from the young to the old, on snapchat, facebook and twitter - know and practice basic security habits.
• Africa Cyber Security Framework: Attackers are now launching increasingly sophisticated attacks on everything from business critical infrastructure to everyday devices such as mobile phones.
• Appendixes
• References

Editor’s Note and Acknowledgement

We are excited to present the 5th edition of Africa Cyber Security Report. Over the last 5 years, we have consistently strived to demystify the state of cyber security in Africa. In this edition themed ‘Demystifying Africa’s Cyber Security Poverty Line’, we take a deeper look at the financial limitations impacting many African organisations. We also provide a comprehensive analysis of the top Cyber security questions for Board members and Executives. This report comes at a time when African organisations are grappling with evolutionary changes in their social, technological, economic and regulatory environments.

The report contains content from a variety of sources and covers highly critical topics in Cyber Intelligence, Cyber Security trends, Industry Risk Ranking and Home Security.

Brencil Kaimba, Editor-in-chief

Our research is broken down into the following key areas:

Top Trends: We analysed incidents that occurred in 2017 and compiled a list of top trends that had a huge impact on the economic and social well-being of organisations and African citizens. This section provides an in-depth analysis of these trends.

Cyber Intelligence: This section highlights various Cyber-attacks, technical methodologies, tools, and tactics that attackers leverage to compromise organisations. The compromise statistics and indicators provided in this section empower organisations to develop a proactive Cyber security posture and bolster overall risk.

Survey Analysis: This section analyses the responses we received from over 700 organisations surveyed across Africa. It measures the challenges facing African organisations, including low Cyber security budgets and inadequate security awareness that eventually translates to limited capabilities to anticipate, detect, respond and contain threats.

Cost of Cyber Crime Analysis: Here we closely examine the cost of Cybercrime in African organisations and in particular, to gain a better appreciation of the costs to the local economy. We provide an estimate of this cost, which includes direct damage plus post-attack disruption to the normal course of business.

Sector Risk Ranking: The risk appetite for organisations varies. In this section, we rank different sectors based on their risk appetite, number of previous attacks reported, likelihood and impact of a successful attack.

Anatomy of a Cyber Heist: This section provides a wealth of intelligence about how Cybercriminals operate, from reconnaissance, gaining access, attacking and covering their tracks. This section is tailored to assist Security managers identify pain points within the organisation.

Home Security: In light of the increased residential internet penetration, smart phone use and cases of Cyber bullying, it has become necessary to raise awareness on Cyber security matters at a non-corporate level. This section highlights key challenges in the modern smart home and sheds light on the growing issue of Cyber bullying.

Africa Cyber Security Framework (ACSF): In order to assist businesses in Africa, especially SMEs, we developed the Africa Cyber Security Framework (ACSF). This section highlights the four (4) key domains of ACSF which serves to help businesses identify and prioritize specific risks plus steps that can be taken to address these risks in a cost effective manner.

What can our readers look forward to in this report?

This report gives insightful analysis of cyber security issues, trends and threats in Africa. Its sections are well researched and structured to cater for the needs of all organisational staff including Board Directors. The anatomy of a cyber-heist was compiled with security implementers and forensic investigators in mind while the top priorities section caters for Directors and Senior Executives.

We have also highlighted other social issues such as home security that plays an important role away from the corporate standpoint.


Appreciation

In developing the Africa Cyber Security Report 2017, the Serianu CyberThreat Intelligence Team received invaluable collaboration and input from key partners as listed below;

The USIU’s Centre for Informatics Research and Innovation (CIRI) at the School of Science and Technology has been our key research partner. They provided the necessary facilities, research analysts and technical resources to carry out the extensive work that made this report possible.

Our key partners in the various countries in scope provided immense support through their network of members spread across Africa. Key statistics, survey responses, local intelligence on top issues and trends highlighted in the report were as a result of our partnership. These are:

The Serianu CyberThreat Intelligence Team

We would like to single out individuals who worked tirelessly and put in long hours to deliver the document.

Joseph Mathenge, Faith Mueni, Morris Ndung’u, Jackie Madowo, Stephen Wanjuki, Margaret Ndung’u, Kevin Kimani, Jeff Karanja, Paul Ingari, Martin Mwangi, Nabihah Rishad, Ayub Mwangi, Barbara Munyendo, Samuel Keige, Samuel Momanyi, Daniel Ndegwa, George Kiio, Bonface Shisakha

USIU Team

Osemeke Onyibe Shalom Lucy Nathan Stephen Maina Kuta, Jamilla Uchi Gitau Polly Mugure

Commentaries

• Eng. Haru Al Hassan, Director, New Media and Information Security Department, Nigerian Communications Commission - Nigeria
• Kaleem Ahmed Usmani, Officer in Charge, Mauritian National Security Incident Response Team, Mauritius
• Aashiq Shariff, CEO, Raha - Liquid Telecom Limited, Tanzania
• Henry Kayiza, Ag. Assistant Commissioner, Cyber Crime Unit, Uganda Police
• Ibrahim Lamorde, Commissioner of Police, Police Special Fraud Unit, Lagos - Nigeria
• John Sergon, Ag. Chief Executive Officer, ICT Authority, Kenya
• Fredric Bobo, IT Audit Manager, African Organisation of English-speaking Supreme Audit Institutions, South Africa
• John Ayora, Director, Information Systems Security, Bank of Africa Group, Botswana Senegal
• Shimelis Gebremedhin Kassa, CISA, MSCS, CEH - General Manager, MASSK Consulting PLC, Ethiopia
• Baidy Sy, Associate Director, Digital Transformation and Cybersecurity Lead of Finetech Groupe, Senegal
• Ben Roberts, Chief Technical Officer, Liquid Telecom Group, Kenya
• Arnold Mangemi, Director Information Security, National Information Technology Authority Uganda (NITA-U) - Uganda
• Kenneth Ogwang, Group Head of IT, East African Breweries Limited (EABL), a subsidiary of Diageo PLC, Kenya
• Dr. Peter Tobin, Privacy and Compliance Expert, BDO Consulting, Mauritius


Building Data Partnerships

In an effort to enrich the data we are collecting, Serianu continues to build corporate relationships with like-minded institutions. Recently, we partnered with The Honeynet Project ™ and other global Cyber intelligence organisations that share our vision to strengthen the continental resilience to cyber threats and attacks. As a result, Serianu has regular pulse feeds on malicious activity into and across the continent. Through these collaborative efforts and using our Intelligent Analysis Engine, we are able to anticipate, detect and identify new and emerging threats. The analysis engine enables us to identify new patterns and trends in the Cyber threat sphere that are unique to Africa.

Our new Serianu CyberThreat Command Centre (SC3) Initiative serves as an excellent platform in our mission to improve the state of Cyber security in Africa. It opens up collaborative opportunities for Cyber security projects in academia, industrial, commercial and government institutions.

For details on how to become a partner and how your organisation or institution can benefit from this initiative, email us at [email protected]

Design, layout and production: Tonn Kriation

Disclaimer

The views and opinions expressed in this report are those of the authors and do not necessarily reflect the official position of any specific organisation or government.

As new research and experience broaden our understanding, changes in research methods or professional practices may become necessary. Practitioners and researchers should therefore also rely on their own experience and knowledge in evaluating and using any information described herein.

For more information contact:

Serianu Limited:

[email protected] | www.serianu.com

Copyright © Serianu Limited, 2017 All rights reserved


Foreword

The global cyber security landscape is evolving and becoming complex. This evolution is largely being driven by the rapid change and quick adoption of technology innovations. Since the launch of our inaugural report in 2012, the Africa Cyber Security Report (ACSR) has focused on unravelling the African Cyber security landscape. We have focused on understanding how African organisations in private and public sector perceive and respond to the cyber security challenge. This approach has enabled us to influence and enhance the quality of discussions around cyber security across the continent.

Through six years of research, we have grappled with a critical question that still puzzles the cyber security industry across the world. What is the right level of cyber security for an organisation? One clear output of our research is that most African organisations perceive Cyber security as a very technical and expensive affair. They are struggling to determine the right level of security and adequate budgets for security initiatives. These questions, coupled with numerous requests from readers of our reports across Africa informed our 2017 cyber security report theme; Demystifying the Africa Cyber Security Poverty Line. The theme borrowed from the term “Security Poverty Line.” The Security Poverty Line means the point below which an organisation cannot effectively protect itself against losses to cyber attackers.

10 countries in Africa | 700 respondents | 12 Industry Sectors

In our quest to answer this question, we surveyed over 700 business professionals from various businesses in 10 countries across Africa. We then cross-examined their annual expenditure on Cyber security. The findings from this survey shockingly point that most businesses, especially SMEs, are struggling to put in place basic cyber security structures. More than 95% of African organisations in private and public sectors are either operating on or below the “Security Poverty Line”. Most of these organisations spend a maximum of USD 1,500 annually on cyber security technologies and services.

In Africa, Small and Medium Enterprises (SMEs) create around 80% of the continent’s employment (World Economic Forum, 2010), which clearly shows the importance of SMEs to African economies. The lack of adequate Cyber security controls in these organisations is an economic threat that the entire SME sector must address. Businesses within the SME sector are continually automating their processes and as a result their continued dependency on technology is driving them deeper into risk. Our research reveals that the most vulnerable SMEs are those in the financial services sector such as cooperatives, Saccos, micro-finance institutions, Fin-tech service providers and mobile money transfer services.

The 2017 Cyber security survey shockingly reveals that over 95% of African businesses are operating below the cyber ‘security poverty line’.

The 2017 Ransomware attack is a good case in point, where many cyber security professionals in Africa were contracted by established organisations. At the height of the crisis, the small Cyber security professionals’ talent pool were snapped up by huge multi-nationals that offered better incentives. This left the vulnerable SME sector completely at the Cyber criminals’ mercy. Considering the skills and technical resource challenge in the continent, who was taking care of the SMEs?

SMEs in Africa are facing several challenges including the prohibitive cost of Cyber security solutions and services, limited budgets, lack of skilled personnel. With these challenges, it’s become prohibitive for these companies to adopt complex Cyber security frameworks, leaving them exposed and vulnerable to attacks.

The 2017 Africa Cyber security report is a call to action. The African Cyber security ecosystem – government, consultants, vendors, academia – need to find cheaper and practical ways to address the continent’s cyber security challenges. The continued reliance on overly expensive and elaborate frameworks is not working for 95% of the key constituents – SMEs. We need to develop new approaches and attitudes towards the problem and build self-reliance and self-sufficiency to adequately address the Cyber security challenge in the continent.

William Makatiani
CEO, Serianu Limited


Executive Summary

The global landscape of cyber threats is quickly changing. The 2017 Cyber Security Report is part of our contribution to this shift as we help customers and the public better understand the nature of the threats in Africa.

Our research is broken down into 8 key areas:

• Top Attacks
• Cyber Intelligence
• Survey Analysis
• Home Security
• Top Trends
• Sector Risk Ranking
• Industry Analysis
• Anatomy of a Cyber Heist

As more business models move away from physical to cyber operations, it’s become evident that the African cyber health is poor. The 2017 Cyber security survey shockingly reveals that over 90% of African businesses are operating below the cyber ‘security poverty line’.

What is the cyber security poverty line?

Many organisations particularly SMEs lack the basic “commodities” that would assure them of the minimum security required and with the same analogy, be considered poor.

In the context of a cyber-security poverty line there are still numerous organisations particularly SMEs that do not have the skills, resources or funding to protect, detect and respond to cyber security threats. Many organisations and individuals fall below this line. We aim to demystify the cyber security poverty line within Africa.

Using the Africa Cyber Security Maturity Framework, we were able to establish the maturity levels of these organisations.

Levels of cyber maturity

• 5, Excellent: A comprehensive IT security program is an integral part of the culture. Status metrics for the IT security program are established and met.
• 4, Intelligent: Has a superior security program and is extremely well positioned to defend its IT assets against advanced threats.
• 3, Engaged: Has a well-developed security program and is well positioned to further improve its effectiveness.
• 2, Informed: Has generally implemented some security best practices and thus making progress in providing sufficient protection for its IT assets.
• 1, Ignorant: Falling well short of baseline security practices and thus neglecting its responsibility to properly protect its IT assets. Many enterprises lack a holistic understanding of their cyber risks and therefore, an effective strategy to address these risks.

What are the characteristics of organisations operating below the poverty line?

Firms rated their own capabilities by responding to 24 questions that covered the four key functions outlined in the Africa Cyber Security Framework: Anticipate, Detect, Respond, and Contain.

What is the impact of operating below the poverty line?

The overall survey results found about 90% of respondents in Africa have significant Cyber security risk exposure (with overall capabilities falling below under Ignorant capability).

General characteristics of organisations operating below the Cyber security poverty line are:

• Lack the minimum requirement for fending off an opportunistic adversary.
• Are essentially waiting to get taken down by an attack.
• There’s also the idea of technical debt as a result of postponing important system updates.
• Lack in-house expertise to maintain a decent level of security controls and monitoring
• Tremendously dependent on third parties hence have less direct control over the security of the systems they use.
• They also end up relinquishing risk decisions to third parties that they ideally should be making themselves.
• Lack resources to implement separate systems for different tasks, or different personnel to achieve segregation of duties.
• They’ll use the cheapest they can find regardless of its quality or security.
• They’ll have all sorts of back doors to make administration easier for whoever they can convince to do it.

What does the future hold for this problem?

As cyber-attacks continue to evolve, it’s paramount that organisations rise above the cyber security poverty line. In a world where buying a tool is considered a silver bullet to solving cyber security issues, it’s critical that we ask ourselves key questions:

• What are my organisations top risks?
• What is the worst that can happen to my business?
• What do I need to do to ensure that I have secured my systems against these threats?

This approach creates room for dialogue between business and IT. Years of experience in the Cyber security field has shown that organisations with little budgets can still maintain reasonable security levels granted they understand the few critical areas that need to be protected the most.


Key Highlights

Breakdown of key statistics for different countries:

| Country | Population (2017 Est.) | GDP (2017) in USD | Penetration % Population (2017) | Estimated Cost of cyber-crime (2017) | Estimated No. of Certified Professionals |
|---|---|---|---|---|---|
| Africa | 1,300,000,000 | $3.3T | 35% | $3.5B | 10,000 |
| Nigeria | 195,875,237 | $405B | 50% | $649M | 1800 |
| Tanzania | 59,091,392 | $47B | 39% | $99M | 300 |
| Kenya | 50,950,879 | $70.5B | 85% | $210M | 1600 |
| Uganda | 44,270,563 | $24B | 43% | $67M | 350 |
| Ghana | 29,463,643 | $43B | 34% | $54M | 500 |
| Namibia | 2,587,801 | $11B | 31% | * | 75 |
| Botswana | 2,333,201 | $15.6B | 40% | * | 60 |
| Lesotho | 2,263,010 | $2.3B | 28% | * | 30 |
| Mauritius | 1,268,315 | $12.2B | 63% | * | 125 |

*Certified Professionals is limited to the following certifications: CISA, CISM, GIAC, SANS, CISSP, CEH, ISO 27001, PCI DSS QA and other relevant courses.

*Economic and internet usage data extracted from respective country Internet regulator reports and World Bank site.

The past year was a particularly tough period for local organisations with respect to cyber security. The number of threats and data breaches increased with clear evidence that home grown cyber criminals are becoming more skilled and targeted.

• Cost of cyber-attacks: over $3.5B annually.
• Fake News has hit Africa’s media streams as we increasingly see unverified and often conjured up news being circulated through various medium.
• Over 90% of African organisations are operating below the security poverty line, significantly exposing themselves to Cyber security risks.
• Banking Sector is still the most targeted industry in Africa.
• Most organisations’ Cyber security programs are Tool Oriented.
• Over 96% of Cyber security incidents either go unreported or unsolved.
• 90% of parents don’t understand what measures to take to protect their children against Cyber bullying.

Industry Players Perspectives

Eng. Haru Al Hassan
Director, New Media and Information Security Department
Nigerian Communications Commission
Nigeria

What is fake news?

Written and published news with the intent to mislead in order to damage an entity or person and/or gain financially.

How did fake news become such a big problem?

People believe what they see in the public domain, especially on popular information sharing sites. Because it was designed to instigate outrage and shock, some readers share it on Facebook, twitter, or other types of social media without questioning it or with the purpose of helping others.

Fake news is a problem because it is aided by speed and large number of audience in the social media domain.

What will ultimately get brands to fight fake news?

Google now work with international fact-checking network, IFCN, in three main ways: increasing the number of verified fact checking in the world, expanding the code of principles into new regions, and offering free fact checking tools. It should be encouraged in other climes too, countries should enter into partnership with content providers to find solutions to this problem.

Should regulators force influential platforms like Google and Facebook to remove fake news and other extreme forms of content from their platforms?

Yes, though both companies already have strict policies for their ad networks, it is also important to reach an agreement with these companies on what to remove as fake news. By removing a potential revenue stream, it makes the business of fake news a bit less lucrative. It’s clear that it’s not just about influencing people’s conviction, they also take advantage of social networks to make money using fake news. If Facebook, Twitter, Google News and other website flagged inappropriate content, then there would be no reason to create fake news sites in the first place.

What happens when fake news spreads? What actions can people take to verify news stories, photographs and of online information?

It is very difficult to verify information on the internet, preventive and proactive measures taken through collaboration with all relevant stakeholders would be the best way to prevent the spread of fake news. Counter narratives using the same media, but indicating authentic or credible sources may help in certain circumstances.

We do everything online - book doctors’ appointments, manage our bank accounts and find dates. Do you think we are ready to vote from our PCs or smartphones? Explain.

No. The stakes are higher in the case of voting as compared to other online endeavors. Moreover, availability of network services in most remote areas will be a challenge to contend with. Even where there are services and people have smart phones, we have to make sure that the people are in control of their own as far as security is concerned.

There are two major concerns when it comes to security: the vulnerabilities of voters’ personal computers, and the vulnerabilities of the servers and back-end systems that would power the online voting infrastructure and host the websites for particular jurisdictions.

The fears on the server side concern hackers. The biggest fears there revolve around users being redirected to fake sites and servers, thus causing a vote to go to the wrong place and leading to inaccurate tallying. But the security of those systems are easier to control than citizens’ computers.

What is the highest risk that we face by moving to electronic voting?

In any elections, verification or validation and anonymity of votes is very important. Voting away from polls also raises the spectra of vote manipulation. The major issue at stake will be ignorance and lack of awareness, which can lead to one internet savvy ‘expert’ voting on behalf of many.

What are some of the pros?

• It will make collation of election results much easier.
• People can vote from anywhere.

Ransomware.

Why is Ransomware so effective?

Ransomware displays intimidating messages that will induce a victim not to ask for help, it is done in such a way that a victim is meant to believe the only option he/she has is to pay the ransom, in order to disinfect your system. The authors of Ransomware tend to instill fear and panic into their victims, causing them to click on a link or pay a ransom, and users systems can become infected with malware. Social engineering concepts are also used in some cases to convince a target to succumb to ransomware attack.

What is the possible impact of Ransomware?

Ransomware not only targets home users; businesses can also become infected with Ransomware, leading to negative consequences, including;

• temporary or permanent loss of sensitive or proprietary information,
• disruption to regular operations,
• financial losses incurred to restore systems and files, and
• potential harm to an organisation’s reputation.

Paying the ransom does not guarantee the encrypted files will be released; it only guarantees that the malicious actors receive the victim’s money, and in some cases, their banking information. In addition, decrypting files does not mean the malware infection itself has been removed.

Have you or know someone you know been affected by Ransomware?

No.

How often do you transact using your mobile phone?

Daily.

Have you ever been a victim of online/mobile scam?

No.

Why does the cyber skills shortage need immediate attention?

• To help in the combat against cyber criminals in the country.
• To enhance security and confidence in the use of cyberspace.

How many unfilled security jobs are estimated to exist today?

The low availability of professionals with specialized cyber skills is one of the biggest issues facing organisations looking to defend their core business systems against cyber-attacks. A recent report from Information Systems Audit and Control Association (ISACA) one of our important stakeholders, titled “The Growing Cyber Security Skill Crisis,” estimated that there are as many as 1 million unfilled security jobs worldwide.

How does collaboration help enrich the students’ learning?

It serves as an avenue for knowledge sharing - learning new concepts, techniques, solutions and services rendered by relevant stakeholders.

In the year 2017, what were the key Cyber security consultancy services that the industry need the most?

• Vulnerability Assessments
• Forensics
• Audit Services
• Risk Management Programs

Based on your experience, approximately how many times do organisations within the country carry out comprehensive Cyber security audits annually?

Once a year, albeit rarely.

Where would you rate the Cyber security maturity levels of the organisations you have interacted with?

• High
• Medium
• Low

In your opinion were there more cyber-attacks in the year 2017 as compared to previous years?

Yes.

Which categories of Cyber security should organisations be most keen on?

• Vulnerability assessment and penetration testing services.
• Cybersecurity risk audit services.
• Forensics and investigations services.
• Managed security services.

Which sector releases the highest number of cyber security tenders within the country?

• Financial sector
• Manufacturing sector
• Hospitality
• Government institutions
• Others

Based on your previous experience, what are the most critical Cyber security challenges being faced by local market?

• Budget or Management buy–in.
• Lack of awareness.


Top Trends

Fake News: Vulnerability of truth

‘A lie can travel half way around the world while the truth is putting on its shoes’, they say.

In 2017 our media platforms were overwhelmed by rogue politics, misinformation and dubious claims. From videos of post-election violence to news about politicians who have defected from their political parties, the real impact of the growing interest in fake news has been the realization that the public might not be well-equipped to separate quality information from false information.

It is paramount that governments and social media owners lay down stringent measures to clamp down on fake news. We however appreciate that fabricated stories are not likely to disappear soon as they have become a means for some writers to push their agendas, manipulate emotions, make money and potentially influence public opinion.

Insider Threat: The enemy within

Insider threats still top our list when it comes to high risks. From the numerous cases reported this year, it’s clear that the group most implicated is administrators and other privileged users, who are in the best position to carry out a malicious breach, and whose mistakes or negligence could have the most severe effects to the organisation. The key contributors to the success of these attacks were inadequate data protection strategies or solutions and a lack of privilege account monitoring.

Top insider threats:

• Administrator accounts
• Privileged users accounts
• Contractors, consultants and temporary workers.


Ransomware: I don’t WannaCry

[Figure: Worldwide attack map. Key: countries affected by WannaCry attack; countries not affected by WannaCry attack.]

Throughout the first half of 2017, one thing still stood: ransomware is here to stay. We have seen an explosion of new variants, new attack tactics.

The level of sophistication in distribution methods and attack vectors have expanded and it’s no longer enough to just rely on signatures and antiviruses, because, unfortunately, the data also shows no one is immune.

The Polymorphic technique with minor changes leads to unknown malware and greater obfuscation. For example, there is a PowerPoint malware that spreads by simply hovering a mouse pointer over a tainted PowerPoint slide, WannaCry which spread itself within corporate networks without user interaction, by exploiting known vulnerabilities in .


Cyber bullying: It takes the It is critical that we develop the right skills for our IT team that will enhance entire Cyber Community to the ability to Anticipate, Detect, raise a child Respond and Contain Cyber threats. From cases of ordinary citizens Mobile and Internet related committing suicide to popular artists services. Battery is low is no claiming to be victims of Cyber bullying, it goes without saying that the longer the only warning uncontrolled liberty to write messages on social media has brought with it As the use of online services has risen social injustices. - with more than half of the banking users using internet banking and three quarters using mobile banking services. Attackers are now leveraging these platforms to steal money from customers.

This year, several attacks reported indicated that hackers used dormant accounts to channel huge sums of money from banks. Majority of the attackers also leveraged the no-limit vulnerability present in most internet banking systems to channel out money.

Mobile banking users have also become victims of social engineering attacks, especially with the increased number of betting and Ponzi schemes.

There is a clear need to bridge the knowledge gap on mobile money operations among security teams and to identify common security, fraud and money laundering challenges confronting mobile money operations across the financial services sector. Mobile money users are also to be educated on identifying and evading phishing scams.

Blue Whale Challenge is an example of an evolved Cyber bullying mechanism targeting vulnerable teenagers. The game assigned daily tasks for 50 days, thereafter encouraged the user to commit suicide. A number of children fell victim to this game, one teenager in Kenya.

It is critical that African organisations formulate laws to criminalize cyber bullying. A number of countries have made strides in this and have criminalized Cyber bullying.

Skill gap: What you do not know will hurt you

The cost of Cybercrime grew by approximately 20% but the skill gap is widening. Very few people know what they’re doing; most IT and security staff are downloading templates from the internet and applying these in their organisations. From our analysis, a key contributor to this is that organisations tend to look for people with traditional technology credentials (IT, Computer Science). But when you look at the matter, we need Technology analysts, Cyber Risk Engineers, data analysts and Risk experts, most of which do not necessarily warrant a technology course. Majority of organisations encourage their IT teams to take up courses that don’t necessarily add value to the security of the organisations.

It is also concerning that companies would rather poach talent from each other and from training providers than develop it themselves.

This points to the sad fact that businesses are thinking in the short term. Rather than cultivating the needed talent, organisations are continuously relying on ready-made talent pool.
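The banking trend above describes money moved through dormant accounts and transfers that escape any limit. The following added example (not from the report) flags both patterns in a transaction ledger; the 180-day dormancy threshold, the daily ceiling, the reading of "no-limit" as a missing per-day outbound cap, and the ledger itself are assumptions constructed for illustration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed policy values (not from the report); set them from the bank's own rules.
DORMANCY_DAYS = 180        # no activity for this long marks an account dormant
DAILY_OUT_LIMIT = 500_000  # ceiling on total outbound value per account per day

# Constructed sample ledger: (ISO timestamp, account, direction, amount, channel)
SAMPLE_TXNS = [
    ("2017-01-10T09:15:00", "ACC-001", "in", 20_000, "branch"),
    ("2017-01-11T10:00:00", "ACC-002", "in", 50_000, "mobile"),
    ("2017-03-02T14:30:00", "ACC-002", "out", 10_000, "mobile"),
    ("2017-06-15T16:45:00", "ACC-002", "out", 8_000, "mobile"),
    ("2017-08-30T08:00:00", "ACC-003", "in", 700_000, "branch"),
    ("2017-09-19T09:00:00", "ACC-003", "out", 300_000, "internet"),
    ("2017-09-19T09:05:00", "ACC-003", "out", 300_000, "internet"),
    ("2017-09-20T01:12:00", "ACC-001", "in", 900_000, "internet"),
    ("2017-09-20T01:20:00", "ACC-001", "out", 450_000, "internet"),
    ("2017-09-20T01:25:00", "ACC-001", "out", 440_000, "internet"),
    ("2017-09-21T11:00:00", "ACC-002", "out", 5_000, "mobile"),
]


def detect(txns, dormancy_days=DORMANCY_DAYS, daily_out_limit=DAILY_OUT_LIMIT):
    """Return alerts for dormant-account reactivation and daily-limit breaches."""
    last_seen = {}                 # account -> time of its previous transaction
    out_by_day = defaultdict(int)  # (account, date) -> outbound total so far
    alerts = []
    # ISO-8601 timestamps in one format sort chronologically as strings.
    for ts, account, direction, amount, channel in sorted(txns):
        when = datetime.fromisoformat(ts)
        previous = last_seen.get(account)
        if previous is not None and when - previous >= timedelta(days=dormancy_days):
            idle = (when - previous).days
            alerts.append({
                "rule": "DORMANT_REACTIVATED", "account": account, "time": ts,
                "detail": f"idle {idle} days, then {direction} {amount} via {channel}",
            })
        if direction == "out":
            key = (account, when.date())
            before = out_by_day[key]
            out_by_day[key] = before + amount
            # Alert once, on the transaction that crosses the ceiling.
            if before <= daily_out_limit < out_by_day[key]:
                alerts.append({
                    "rule": "DAILY_LIMIT_EXCEEDED", "account": account, "time": ts,
                    "detail": f"outbound total {out_by_day[key]} exceeds {daily_out_limit}",
                })
        last_seen[account] = when
    return alerts


def accounts_to_escalate(alerts):
    """Accounts that tripped both rules: woken from dormancy, then drained past the cap."""
    rules = defaultdict(set)
    for alert in alerts:
        rules[alert["account"]].add(alert["rule"])
    both = {"DORMANT_REACTIVATED", "DAILY_LIMIT_EXCEEDED"}
    return sorted(acct for acct, seen in rules.items() if both <= seen)


if __name__ == "__main__":
    found = detect(SAMPLE_TXNS)
    for alert in found:
        print(alert["time"], alert["rule"], alert["account"], "-", alert["detail"])
    print("Escalate for review:", accounts_to_escalate(found))
```

The same daily ceiling belongs in the banking application's server-side transfer checks; this monitoring only catches what enforcement missed.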


Network Architecture: Defense In-depth

The success of most attacks in 2017 were in one way or another linked to one critical issue: Weak Security Architecture. Successful ransomware attacks were mainly due to missing patches. Other cases involved inadequate privilege account monitoring and poor third party risk management.

Yet these organisations have invested heavily in the latest Antivirus programs or SIEM solutions.

High technology solutions installed on top of weak architecture only equals one thing: A WHITE ELEPHANT. Most organisations in 2017 focused a large part of their IT budgets on acquiring high end technologies but forget to set the foundation on which these technologies will effectively operate.

A SIEM tool is a useless investment if auditing is not enabled in network devices and no expertise exists for continuously analyzing and refining the alerts. Defense-in-depth means applying multiple countermeasures in a layered or stepwise manner. Because there are ways around traditional protective systems such as firewall, it is imperative that individual systems be hardened from the Network, Application, Endpoint and Database levels.

This means putting controls in place for Remote Access (see appendix for Remote access tools list), Change and vulnerability management.

Phishing: The weakest Link

Phishing is one of the attacks that leverages the inadequacies of humans and remains worryingly effective. In quarter on 2017, Kaspersky Lab products blocked 51 million attempts to open a phishing page. Over 20% of these attacks targeted banks and other credit and financial organisations. With the evolution of phishing, it has become clear that basic awareness training may not be sufficient to safeguard your organisations. 2017 has proven that we need to leverage technology especially since education programs, awareness campaigns and product innovation on their own have failed.

Cyber Pyramid Schemes: Easy come, Easy go

2017 has seen a fair share of Ponzi schemes. Notable examples are Public likes in Kenya, which cost Kenyans roughly Ksh. 2 trillion, the D9 ponzi scheme in Tanzania, and crypto currency scams in Nigeria. These schemes rely on a constant flow of new investments to continue to provide returns to older investors. When this flow runs out, the scheme falls apart. In recent times, we have seen these schemes evolve to now include crypto currencies.

We have noted a few initiatives from the private sector including the “Nigeria Blockchain Alliance” (NBA) which brings together law enforcement agents, legal practitioners, forensic investigators and government in the fight against crypto currency related crimes, and the CBK in Kenya and the Bank of Tanzania and capital market and Securities Authority issue warning on ponzi scheme. More awareness and initiatives need to be put in place to ensure that citizens are protected from these scams.

System Integrity: Eroding Public Trust

Government systems have become a target for hackers seeking to make news or disrupt service delivery. From Electoral systems to Integrated Financial Management Information System (IFMIS), 2017 registered the highest number of alleged election hacking in Africa, Europe and America. Whether the allegations for hacking are true or not, there is no denying that these systems have become a juicy target for hackers. As such, tighter controls need to be in place to ensure that the confidentiality, integrity and availability of these systems are maintained.

Industry Players Perspectives

Kaleem Ahmed Usmani
Officer in Charge, Mauritian National Computer Security Incident Response Team, Mauritius

In your opinion, what was the key cyber security issue facing your country or Africa, what is being done to address this issue?

Wannacry and petya Ransomware were the biggest.

We took the following steps:

• Advisory: We circulated an advisory to organisations and people in the country 3-4 times.
• We actively monitored key systems within the country for any malicious indicators of compromise
• We engaged with our partners in the country to gather more intelligence on key indicators of compromise, statistics and patching of systems.

Do you think fake news is a major problem in your country or Africa?

Yes it’s a problem, especially on social media. Our internet penetration is well over 50% and majority of these users have access to social media. Social media has been used to spread false information and ignite unrest in the country.

Who should be responsible for controlling the creation and distribution of fake news (government, end users, Telcos or ISPs or content owners)?

This is a collective responsibility. Given that the channels used to transmit fake news are privately owned, Telcos only provide the connectivity and the privacy of users has to be maintained at the end of the day. This needs the combined effort of all involved stakeholders. We need to educate people and have systems in place to detect them. The police in Mauritius have done a good job ensuring that they inform people accordingly.

Should regulators force influential platforms like Google and Facebook to remove fake news and other extreme forms of content from their platforms?

It varies from country to country. For Mauritius, whenever we identify these messages or fake news, we liaise with the relevant platform owners (Google/Facebook) to remove the messages. At times we are successful. For continued effectiveness, we need to enhance the relationship between law enforcement, private sector and government.

What can be done to improve the general user awareness on the detection of fake news in the country?

Education is crucial. We conducted a number of campaigns all year round for parents, senior citizens and children to sensitize them. We also liaise with various vendors such as IBM, Symantec to gather better intelligence and action on these.

Many governments in Africa are investing in e-services (e-government, e-voting, e-tax systems and many other portals.) Do you think the African citizenry is ready to consume and utilize these systems without the worry of privacy, security and fraud?

We are in the digital transformation age where such automation is expected in order to improve efficiency and service delivery. There are a number of e-services that are working properly and some which still need to be secured.

In Mauritius particularly, we have made a number of strides in this regard, we are ranked 6th best in the world rankings, and we have strong legislations and cyber security strategy that we are implementing. E-government strategy addresses the security of systems. Security can never be 100% however, so we are continuously reviewing our strategies to minimize our cyber threat exposure.


In 2017, we had several cases of cyber security attacks including ransomware attacks across the world – were you impacted by these attacks?

Yes, mostly by the ransomware Wannacry and petya.

If yes, how did you (company or country) respond to these cases?

• Advisory: We circulated an advisory to organisations and people in the country 3-4 times.
• We actively monitored key systems within the country for any malicious indicators of compromise
• We engaged with our partners in the country to gather more intelligence on key indicators of compromise, statistics and patching of systems.

Considering the shortage of skilled resources in Africa, how can we limit the impact of ransomware cases?

Education is key. We need to empower people with basic knowledge to understand what to do for example with an email attachment which is a ransomware. We also need to train our cyber security experts to have the capacity and competence to manage such cases.

Do you think organisations are spending enough money on combating cyber-crime?

This is subjective as it depends on the country. The Mauritian government is committed to ensuring that organisations are secure by putting in proper policies in place. Many organisations have different priorities, but over the years they have now started paying attention. Government budget has also increased in recent years.

Based on our research the Africa cyber security market will be worth USD2 billion dollars by 2020. Despite this opportunity, Africa has not produced a single commercially viable cyber security product/solution.

This is true. African universities don’t have specialized courses for cyber security while at the same time, we do not promote the culture of cyber security. As a country, Mauritius is working to address this challenge through its Software development strategy that is currently in draft. This will provide a framework for software development within the country.

In your opinion, what should African countries/universities focus on to encourage innovation in the development of cyber security solutions?

It is important that we develop frameworks that support innovation within our countries and universities. Platforms such as COMESA, SADC should also be leveraged to promote partnerships for innovations in the cyber space.

In your opinion and from an African context, what are the top 2018 cyber security priorities for African countries and organisations?

We are lagging behind in legislation, organisational and national strategies, capacity building of professionals, alignment of our legislations with international standards, international cooperation.

Cyber security attacks are borderless, if we have a harmonized legislation (AU, SADC), it will be easier to contain these threats.


Africa’s

Transitioning from 2017 to 2018, the journey of attaining a secure cyber ecosystem is a long but optimistic one. Cyber-attacks will continue to grow and only the informed and prepared would survive with minimal losses. In 2018, cyber threats and counter measures are likely to take the following dimensions:

Top priorities for 2018 (infographic):

1. Database Security: Secure the vault
2. Privileged User Management: Who has access to the crown jewels
3. Patch Management: To patch or not to patch
4. Unstructured Data Management: There is no one size fits all
5. Endpoint Security: Cyber security front-line
6. Employee Security Awareness: Ignorance is not Bliss
7. Vendor/Third Party Security: Bring Your Own Vulnerability
8. The Board’s Changing Role: Security begins at the top
9. Security Architecture/Engineer skill set: Widen your employee gaze
10. Continuous Monitoring: Askari Vigilance


1. Database Security: Secure the vault

Database (DB) security concerns the protection of data contained within databases from accidental or intentional but unauthorized access, view, modification or deletion. Top priority for security teams is to gain visibility on activities on the databases, particularly direct and remote access to DB by privileged users. Fine grained auditing of these activities is essential to ensure integrity of data. Going to 2018, database security should be a top priority that focuses on ensuring that access to the database is based on a specific role, limited to specific time and that auditing and continuous monitoring is enabled to provide visibility.

2. Privileged User Management: Who has access to the crown jewels

The main obstacle between your organisation’s crown jewels and hackers are privileged accounts.

These accounts are found in every networked device, database, application, server and social media account and as such are a lucrative target for attackers. More often, privileged accounts go unmonitored and unreported and therefore unsecured. We anticipate that in 2018, abuse of privileged accounts will worsen and it’s therefore critical that organisations inventory all their privileged accounts, continuously review the users with these privileges and monitor their activities.

Organisations must adopt a privileged account security strategy that includes proactive protection and monitoring of all privileged credentials, including both passwords and SSH keys.

3. Patch Management: To patch or not to patch

75% of vulnerabilities identified within local organisations were missing patches. In 2017 alone, we have seen vendors such as Microsoft releasing over 300 patches for their windows systems. This presents two obvious lessons:

• The increased number of released patches are choking organisations
• Organisations have not developed comprehensive patch management strategies and procedures.

Now more than ever, organisations need to narrow down to one critical thing: What do we patch?

Not all of the vulnerabilities that exist in products or technologies will affect you. 2018 presents a great opportunity for organisations to strategize and focus more energy on identifying, testing and applying critical patches released. This may require adoption of an automated patch management system.

4. Unstructured Data Management: There is no one size fits all

Unstructured data is information that either does not have a pre-defined data model or is not organized in a pre-defined manner.

Emails, medical records and contracts are a few examples of unstructured data that exist in the organisation. Whereas most institutions have some form of unstructured data, it’s the healthcare and insurance industries that top this list with terabytes of data in file shares and home directories. The security of this data however remains an under-recognized problem as these files and folders are left unsecured. This has resulted in often-unnecessary data exposure and unauthorized access. To help secure against the security risks of unstructured data it’s necessary that we:

• Identify critical unstructured information assets
• Identify which employees possess critical unstructured data
• Implement technology and process controls to protect data assets eg DLP, Email Monitoring

5. Endpoint Security: Cyber security front-line

Often defined as end-user devices – such as mobile devices and laptops, endpoint devices are receiving more attention because of the profound change in the way computer networks are attacked. With so many pluggable devices in the network, this creates new areas of exposure.

• Unsecured USB devices leading to leakage of critical data, spread of malware.
• Missing security agents and patches accounts for 70% of all misconfigurations within the network allowing attackers to exploit well known vulnerabilities.
• Unauthorized remote control software giving attackers full control of the endpoint.
• Unauthorized modems/wireless access points

It is critical that before endpoints are granted network access, they should meet minimum security standards. Beyond this, organisations should invest in endpoint security tools that provide capabilities such as monitoring for and blocking risky or malicious activities. Focus areas:

• DISCOVER all devices that are connected to a company’s network, including new or suspicious connections.
• INVENTORY the OS, firmware and software versions running on each endpoint. This information can also help prioritize patching
• MONITOR endpoints, files and the entire network for changes and indicators of compromise.
• PROTECT the endpoints using technologies such as Antivirus

6. Employee Security Awareness: Ignorance is not Bliss

If infrastructure is the engine, staff awareness is the oil that ensures the life of the engine. Uninformed staff or employees not familiar with basic IT security best practices can become the weak link for hackers to compromise your company’s security. Staff awareness is key.

7. Vendor/Third party security: Bring Your Own Vulnerability

In 2017, several attacks were launched against organisations and these had one thing in common: vendor involvement. Be it directly or indirectly, vendors introduce risks to organisations through their interactions with critical data. We anticipate that in 2018, cases involving rogue vendors will increase; we will see rogue vendors:

• Use privileged accounts to access other network systems,
• Use remote access tools (RDP, Teamviewer, Toad) to access critical applications and databases
• Manipulate source code for critical applications in order to perform malicious activities

Organisations need to evaluate their potential vendor’s risk posture, ability to protect information and provision of service level agreement. At the end of the day, when a breach occurs on your vendor’s watch, regardless of fault, you shoulder the resulting legal obligations and cost.

8. The Board’s Changing Role: Security begins at the top

The traditional role of boards in providing oversight continues to evolve. The impact of Cyber attacks now requires board member level participation. This proactive and resilient approach requires those at the highest level of the organisation or government to prioritize the importance of avoiding and proactively mitigating risks.

Key questions that modern board members should be asking themselves are:

ANTICIPATE: What are our risks and how do we mitigate them?
DETECT: Should these risks materialize, are we able to detect them?
RESPOND: What would we do if we were hacked today?
CONTAIN: What strategies do we have in place to ensure damage issues don’t reoccur?

9. Security Architecture/Engineer Skill Set: Widen your employee gaze

Majority of IT staff are tool analysts focusing on understanding a tool instead of data processed within the tool.

10. Continuous Monitoring: Askari Vigilance

There is need for continuous monitoring. The predicted increased number of attacks in 2018 demand for a mechanism to detect and respond to threats and incidents. Even though most organisations cannot adopt a real-time round the clock monitoring and reporting, it’s necessary that these organisations look for alternate solutions and practices including managed services and day long monitoring.
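The patch management and endpoint security priorities above ask "What do we patch?" and note that an endpoint inventory helps prioritize patching. The following added example (not from the report) matches patch bulletins against an inventory and ranks only the ones that apply; the host names, product names, PATCH-000x identifiers and the scoring weights are constructed assumptions.

```python
# Assumed weighting for this sketch; the report does not prescribe a scoring scheme.
SEVERITY_WEIGHT = {"critical": 4, "high": 3, "medium": 2, "low": 1}

# Constructed endpoint inventory (the INVENTORY focus area): software versions per host.
INVENTORY = [
    {"host": "core-db-01", "internet_facing": False, "critical_asset": True,
     "software": {"ExampleOS": "10.0.5", "ExampleDB": "12.1.0"}},
    {"host": "web-01", "internet_facing": True, "critical_asset": False,
     "software": {"ExampleOS": "10.0.2", "ExampleWeb": "2.4.10"}},
    {"host": "teller-01", "internet_facing": False, "critical_asset": False,
     "software": {"ExampleOS": "10.0.2", "ExampleReader": "11.0.1"}},
    {"host": "teller-02", "internet_facing": False, "critical_asset": False,
     "software": {"ExampleOS": "10.0.5", "ExampleReader": "11.0.3"}},
]

# Constructed vendor bulletins; the ids are placeholders, not real advisories.
BULLETINS = [
    {"id": "PATCH-0001", "product": "ExampleOS", "fixed_in": "10.0.5", "severity": "critical"},
    {"id": "PATCH-0002", "product": "ExampleReader", "fixed_in": "11.0.3", "severity": "high"},
    {"id": "PATCH-0003", "product": "ExampleDB", "fixed_in": "12.1.2", "severity": "high"},
    {"id": "PATCH-0004", "product": "ExampleMail", "fixed_in": "5.2", "severity": "critical"},
    {"id": "PATCH-0005", "product": "ExampleWeb", "fixed_in": "2.4.9", "severity": "medium"},
]


def parse_version(text, width=4):
    """Turn '2.4.10' into (2, 4, 10, 0) so versions compare numerically, not as text."""
    parts = [int(piece) for piece in text.split(".")]
    return tuple(parts + [0] * (width - len(parts)))


def affected_hosts(bulletin, inventory):
    """Hosts that run the product at a version older than the fixed one."""
    fixed = parse_version(bulletin["fixed_in"])
    hits = []
    for host in inventory:
        installed = host["software"].get(bulletin["product"])
        if installed is not None and parse_version(installed) < fixed:
            hits.append(host)
    return hits


def prioritise(bulletins, inventory):
    """Split bulletins into a ranked patch queue and those that affect no host."""
    ranked, not_applicable = [], []
    for bulletin in bulletins:
        hosts = affected_hosts(bulletin, inventory)
        if not hosts:
            not_applicable.append(bulletin["id"])
            continue
        weight = SEVERITY_WEIGHT[bulletin["severity"]]
        # Exposed or business-critical hosts count double.
        score = sum(
            weight * (2 if h["internet_facing"] or h["critical_asset"] else 1)
            for h in hosts
        )
        ranked.append({"id": bulletin["id"], "score": score,
                       "hosts": [h["host"] for h in hosts]})
    ranked.sort(key=lambda item: (-item["score"], item["id"]))
    return ranked, not_applicable


if __name__ == "__main__":
    queue, skipped = prioritise(BULLETINS, INVENTORY)
    for item in queue:
        print(item["id"], "score", item["score"], "hosts", ", ".join(item["hosts"]))
    print("No affected host:", ", ".join(skipped))
```

PATCH-0005 drops out only because versions are compared numerically: as plain strings, "2.4.10" sorts before "2.4.9" and web-01 would be flagged wrongly.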

Industry Players Perspectives

Aashiq Shariff
CEO, Raha - Liquid Telecom Ltd, Tanzania

Kindly highlight some of the top cyber security issues of 2017 and how these issues impacted you personally, your organisation or country.

• Malware with worm capabilities
• Basics – Endpoint security, patching
• Weakness of mobile carriers
• Overwhelming client with alerts
• Adapting firewall to face new threats
• Monitoring | cloud configuration and Security

Do you think fake news is a major problem in your country or Africa?

Yes

If yes, who should be responsible for controlling the creation and distribution of fake news (government, end users, Telcos or ISPs or content owners)?

Initially government, Telco’s, end users – collective efforts.

Should regulators force influential platforms like Google and Facebook to remove fake news and other extreme forms of content from their platforms? What can be done to improve the general user awareness on the detection of fake news in the country?

Platforms that can be confirmed – Government sites,

Many governments in Africa are investing in e-services (e-government, e-voting, e-tax systems and many other portals.) Do you think the African citizenry is ready to consume and utilize these systems without the worry of privacy, security and fraud? What are some of the risks we face with the introduction of government driven e-services and do you have any examples of these cases in your country?

If there is no appropriate firewalls in place the information can be gathered by wrong entity.

In 2017, we had several cases of cyber security attacks including ransomware attacks across the world – were you impacted by these attacks? If yes, how did you (company or country) respond to these cases?

Some ended up paying in order to get the data.

Some who had end point security worked with Antivirus owners to patch and recover the information.

Considering the shortage of skilled resources in Africa, how can we limit the impact of ransomware cases?

Awareness, appropriate firewall that can mitigate such attacks.

Do you think organisations are spending enough money on combating cyber-crime?

No.

What can be done to encourage more spending on cyber security issues?

More awareness and risks involved, and guidance on appropriate systems to suggest comparing on the size of data and risks involved.

Based on our research the Africa cyber security market will be worth USD2 billion dollars by 2020. Despite this opportunity, Africa has not produced a single commercially viable cyber security product/solution. In your opinion, what should African countries or universities focus on to encourage innovation in the development of cyber security solutions? What role can the private sector and consumers of imported cyber security products play to ensure we can encourage local players to start developing African grown cyber security products or solutions or even services?

Conduct the awareness and ready with solutions.

Ready solutions depending on the organisations/entity.

In your opinion and from an African context, what are the top 2018 cyber security priorities for African countries and organisations?

• Technical Trainings
• Awareness & Information Sharing
• Collaboration – Government & Companies (Private)
• Government Policies
• Other collaboration – Universities, Cyber security experts, research institute, media houses.


Engaging Board Members in African Organisations

Top Cyber Security Questions

ANTICIPATE

The first core cyber security function is to identify your organisation’s cyber security risk, which is the amount of risk posed by your institution’s activities, connections, and operational procedures.

Questions Executives should ask:

Does my institution fully understand what information it manages, where the information is stored, how sensitive is the information, and who has access to it?

A leak of confidential data, whether accidental or through thieving, could lead to significant company losses. To identify the risks that your organisation is exposed to, you must first and foremost identify all your assets and prioritize these based on their business need.

What are my institution’s key business assets? Do I have adequate protection for them?

To adequately assess risk to your organisation, you must first identify what your organisation’s “crown jewels” are, their location, and how they are being protected. These can be employees or customers, property (both tangible and intangible), or information (databases, software code, records).

What types of connections does my institution have (VPNs, wireless, LAN, etc.) and how are we managing these connections?

Organisations need to be aware of the kinds of connectivity allowed from both internal and external sources and have management policies and procedures around them.

How are staff at my institution identifying risks, and providing me with accurate and timely information about those risks?

At any given time your institution could be exposed to several different types of information security threats such as internal threats, like malicious or unaware employees; physical threats by a potential intruder; and Internet threats, such as hackers. Consider the threats your organisation is exposed to and the vulnerabilities that may exist surrounding these threats.


What is our ability to mitigate those risks?

60% of all identified vulnerabilities go un-remediated/unmitigated, while 50% of successful attacks are as a result of previously identified vulnerabilities. It’s critical that for every vulnerability identified, the organisation evaluates its ability to mitigate the risks.

How is my institution connecting to third parties and ensuring they are managing cyber security controls?

Third party vendors not only have access to internal network but also sensitive data. There is need for third party vendor assessment and development of a third party management program.

How effective are my organisation’s policies and procedures for monitoring information inventory?

There is need to validate that policies and procedures for information security exist, are up to date and reflect the organisation’s current operating environment.

Do my IT personnel have the appropriate knowledge or skills to protect against a potential cyber-attack?

The IT team needs to be equipped with skills and techniques that they can leverage against cyber attackers.

Are my staff informed about cyber threats?

The people in an organisation are the weakest link when it comes to cyber security. A security awareness program enables organisations to improve their security posture by offering employees the knowledge they need to better protect the organisation’s information through proactive, security-conscious behavior.

Do they have an understanding of risk from their actions?

There is need to conduct organisation wide training on cyber security awareness. Employees need to comprehend the significance of protecting company confidential and client confidential information. They need to be aware of the consequences of their actions as well as the penalties involved.

DETECT

Although prevention is ideal, not all attacks can be prevented, making compromise inevitable. Therefore, a better approach to security is timely detection of the attack, so that the damage can be contained and controlled.

Breaches are often detected after weeks, months or even years. Detecting breaches happening right now would of course be very desirable.

Questions Executives should ask:

How is our executive leadership informed about the current level and business impact of cyber risks to our company?

There is need for executive leaders to be aware of the costs of cyber risks to the business. There should be a defined set of metrics used in reporting and making information security related business decisions.

Are we prepared to prevent or limit the damage caused by these attacks?

There is need for organisations to carry out risk assessments so as to identify critical business assets as well as their associated vulnerabilities. This will help in prioritizing risks as well as resource allocation.

RESPOND

Effective incident response is the backbone of any successful Cyber Security Program. It is important that organisations adequately prepare for a cyber-security incident, and this includes knowing how you will respond once an incident occurs. To do this, organisations must have an incident response plan.

Where to Start in Developing an Incident Response Plan.

Questions Executives should ask:

Have we created an effective cyber incident response plan?

It is crucial that as an executive, you ensure that there is an incident response plan and team to support it. At a minimum, the incident response plan should address the preservation of evidence, step by step guide on handling different incidents and optimum duration for incident handling and escalation.

How often is it tested?

Regular testing of the incident response plan ensures timely containment of security incidents. Testing of the incident response plan ensures that it remains current and useful. Testing may include the following steps:

1. Updating the contact lists for incident response team, vendors
2. Performing table top exercises that are facilitated
3. Carrying out discussion based exercises where employees get to discuss their various roles and responsibilities in case of a disaster.

What would we do if we were hacked today?

The incident response plan should cover steps that provide an answer to this very critical question. The following are three steps that should be addressed within the incident response plan:

1. Evaluation of the Cyber-event; answer critical questions such as: were high value assets compromised? Were any data altered/stolen?
2. Invoke the Incident Response Plan; this step helps to prevent further damage or loss. More often than not, at this point it’s too late to develop the right procedures.

Do we have a plan to inform internal and external stakeholders?

Stakeholders need to be defined and documented. A communication mechanism needs to be established and documented in an incident response plan.

Conduct preparedness training for the incident response team.

There is need for training and resource requirements to be defined. The incident response team needs to be aware of the action plan that is to be executed when a crisis is discovered.

How will we communicate with internal staff, customers, third parties, regulators and law enforcement of a data breach at my organisation?

A good response plan should provide details of how and what to communicate during an incident. This should cover the following:

• Proper Incident notification channels
• Communication to customers, regulators, media, law enforcement, and other stakeholders.
• Evaluation of the event and documentation – Evaluation is done by answering and recording critical questions, such as were high-value assets compromised? Were any data altered?

CONTAIN

Getting to the root cause involves a level of understanding beyond that of simply identifying that a system is infected.

Executives need to understand what specifically enabled or facilitated the infection or compromise. Identifying the root cause allows us to understand why the malicious activity succeeded. This is then followed by precise measures to prevent the reoccurrence of the issue.

Questions Executives should ask:

Does my organisation’s incident response plan include steps for recovering after a cyber-attack?

A good incident response plan will contain a step by step plan for:

• Rebuilding network devices that may have been compromised and restoring baseline configurations.
• Restoring the integrity of data that may have been compromised
• Restoring normal business critical operations

When did we last test our incident response plan?

Testing of the incident response plan should be done at least annually or whenever any major changes occur in the business environment. This ensures that the plan and its users remain updated on the activities that are critical for business process recovery.

Industry Players Perspectives

Henry Kayiza
Assistant Commissioner, Cyber Crime Unit, Uganda Police

In your opinion, what was the key cyber security issue facing your country/Africa, what is being done to address this issue?

Yes, indeed.

If yes, what do you think is the main cause of the Cyber security problem?

• The Laws are relatively new and have been already challenged in the Constitutional court (e.g. the computer misuse act was challenged in UG vs. Dr. Stella Nyanzi among others)
• Limited knowledge about cybercrime / security
• Technological advancement is good but criminals are taking advantage. It’s easier to commit ‘old crimes’ such as fraud

What can be done to improve the situational awareness in the country?

• Public – private partnerships are vital to carry out awareness campaigns.
• Improve on the laws to close the gaps that criminals are taking advantage of.
• Increase expenditure on information systems security.

Do you think the private sector is investing enough in cyber security?

• I don’t think so because most of the cases I have handled, the companies use third vendor system products which can also be accessed by criminals to analyse them and capitalise on their vulnerabilities to commit crime where they are being used.
• Private sector businesses tend to spend less on I.T security so as to minimise costs in the short run but end up losing more in the long run.

In your opinion, what drives criminals to commit cyber crime?

• The financial gain is high and it comes with less physical danger
• The anonymity that comes with the Internet makes criminals feel more secure when committing the crime.
• Cybercrime in its nature is not hampered by physical borders or territorial jurisdictions.
• Malice
• Espionage
• Egoism

Do you think the government has put in place processes and infrastructure to support the private sector in combating cyber security issues?

Yes there are laws in Uganda:-

• Computer Misuse Act
• Electronic Signatures Act
• Lawful Interception Act

There are also government parastatals in place:-

• NITA-U
• UCC

Do you personally know of a company or individual who’s been affected by cyber-crime?

Yes. Several individuals, companies, banks, NGOs, Service Providers and including government ministries have all reported to us cases such as electronic fraud, impersonations, defamations, unlawful access hacking and pyramid scheme fraud.


Were these cases reported to government authorities and prosecuted?

Yes most of the cases are reported and prosecuted; however financial institutions tend to hide their cases preferring ‘the insurance solution’ to reimburse their client victims so as not to alarm their other clients.

What do you think would be the best approach to address the cyber crime issue in Africa?

The best approach is a combined approach, partnerships such as international, regional, governmental, public and private are very vital and should be emphasized to fight this new trend of crime which is increasing at an alarming rate not only in Africa but globally as well. No one can fight Cyber crime as a single entity.

According to you, what is the most affected sector in the country regarding cyber crime?

When you say ‘most affected’, it sounds relative because you have to consider two things:-

• In terms of amounts involved
• In terms of number of cases (quantity)

Therefore according to my experience; I have cases of banks, service providers (mobile money platforms), government ministries, NGOs as having been most affected in terms of the huge sums of money they lose annually. Then individuals and savings groups have lost more in terms of the number of cases reported and when summed up they also make huge amounts of losses.

From an African context, what would be the top priority to address cyber crime across the continent?

• Enact and harmonise laws on cybercrime across the Continent borrowing from more advanced countries in the World but domesticating them to the local situations.
• MOUs for cooperation among countries should be established. This is because cybercrime cuts across borders/territories and jurisdictions.
• Invest more resources on training cyber security and investigation experts.
• Public and Private Organisations to intensify awareness campaigns.
• Investment should be increased in securing I.T systems.


Cyber Intelligence Statistics, Analysis, & Trends

For the purposes of this report, we inspected network traffic inside a representative set of African organisations, reviewed the contents of online network monitoring sites such as Project Honeypot and reviewed information from several sensors deployed in Africa.

The sensors monitor an organisation’s network for malware and for cyber threat attacks such as brute-force attacks against the organisation’s servers. In an effort to enrich the data we collected, we partnered with the Honeynet project and other global cyber intelligence partners to receive regular feeds on malicious activity within the continent.

In this section, we highlight the malicious activity observed in the period under review. This data represents malicious activity captured by our sensors and publicly available intelligence.

Project Honeypot Intelligence Analysis

This section covers data from the honeynet project, a global database of malicious IP addresses.

[Figure: Cyber Attack Timeline, 2017. Axis: months FEB to NOV. Entries are news headlines of reported cyber incidents.]

Industry Players Perspectives

Ibrahim Lamorde
Commissioner of Police, Special Fraud Unit, Lagos, Nigeria

What is fake news?

This in our view is false or distorted information, or stories usually initiated on electronic media mostly to smear targeted individuals or entities, gain financial or political advantage, or influence public opinion. Significant information available on Nigerian social media contains such deliberate, unsubstantiated and often negative content.

How did fake news become such a big problem?

The problem has assumed alarming proportion in Nigeria due to the easy access to smartphones and Internet. There are over 147 million registered GSM phones (mostly Internet capable) to quickly spread any scandalous fake news.

Some print and electronic media do not confirm information before publication, thus falling prey to planted stories, which the undiscerning public, fascinated with melodrama, circulate. Sensational headlines improve numbers of active online visitors to blogs and websites, thus boosting their advertisement income.

Industry regulators do not check the vicious circle of fake news, online followers and advertisement income, as practically no sanction or deterrence has been recorded.

Some online and print journalism are controlled and financed by non-professionals, whose primary goal is to promote personal interests not obliged to follow any ethical standard, such as editing and confirmation of stories.

Anonymity of fake news purveyors is further enhanced by the overseas location of platforms, website owners and domain name providers, while local regulators and law enforcement agencies possess inadequate technical capacity to track origins of fake news posts.

What will ultimately get brands to fight fake news?

Public apathy, consumer resistance and mass platform boycott.

Should regulators force influential platforms like Google and Facebook to remove fake news and other extreme forms of content from their platforms?

This concern is not completely applicable to the Nigerian context, as all level 3 Internet platforms – Google, LinkedIn, Yahoo, Facebook, Twitter, Instagram, WhatsApp etc. are conveniently located outside Nigeria to avoid national oversight by our regulators. There is no available evidence that they have shared direct investigation related information with Nigerian regulators or law enforcement.

They and their users are also greatly averse to any regulation or control, to sustain the concept of freedom of the Internet.

However, victims in other Countries with strong Internet legislation have recourse to civil action against originators of fake news and the platform providers in specific cases. Public apologies, takedown of injurious publications and even damages have been awarded in favor of victims.

What happens when fake news spreads? What actions can people take to verify news stories, photographs and other sources of online information?

Once fake news appears on any medium, it is inevitable that it is swiftly disseminated electronically to millions of people through any of the available mainstream or social media. The story is copied and pasted on other websites, becoming amorphous and uncontrollable. Intellectual property rights or original source becomes opaque. The more scandalous, disastrous or fantastic the story appears; the faster it spreads.


Verification cannot be done through any online platform at this stage, since all search engines will only replicate the same negative story in their top searches. Credible verification, confirmation or corroboration can only be safely done manually through hard copy document reviews and comparison, direct interviews, visitations and physical checks with concerned entities.

We do everything online - book doctors’ appointments, manage our bank accounts and find dates - Do you think we are ready to vote from our PCs or smartphones? Explain

The electronic verification through the digital card readers at the 2015 general elections clearly demonstrates that the Independent National Electoral Commission will be able to conduct online voting through voting machines, PCs and smartphones in the near future.

It is however imperative to improve the technical capacity of the national and state electoral bodies to transmit, secure, authenticate or repudiate digital signatures that electronic voting entails.

Development of indigenous software and servers required for such critical endeavor will prevent remote backdoor access by foreign parties.

Our telecommunication and power infrastructure also needs to be upgraded to support nationwide electronic voting.

Citizens’ education is key towards public acceptability of electronic voting system.

What is the highest risk that we face by moving to electronic voting?

• Hacking
• Rejection of electoral result by skeptical voters
• Disenfranchisement of illiterate voters who are unable to utilize computers, tablets and smart phones to vote
• Technical issue such as disruption, malfunctioning of portal, software, Internet connectivity and servers during voting exercise

What are some of the pros?

Digital bulk data is always easier to store, retrieve, process, analyze and protect against theft or destruction.

Why is ransomware so effective?

Targets sometimes want to pay the money demanded quickly, and avoid contact with law enforcement.

We believe that ransomware attacks in Nigeria are grossly under reported.

What is the possible impact of Ransomware?

Financial and personal data loss.

Have you or someone you know been affected by Ransomware?

No.

How often do you transact using your mobile phone?

Rarely.

Have you ever been a victim of any online or mobile scam?

No.

Why does the cyber skills shortage need immediate attention?

For law enforcement, critical mass is urgently needed to design vital intelligence, investigation and public education strategies, as well as criminal databases archiving.

How many unfilled security jobs are estimated to exist today?

Unknown.

How does collaboration help enrich the students’ learning?

• Practical skill acquisition for successful field operations.
• Focusing on specialized areas of comparative advantage.
• Task de-confliction.

[Figure: Malware timeline, 2017. Axis: months JAN to DEC. Entries are malware and ransomware events reported during the year, including Petya, WannaCry, Bad Rabbit, Locky and BankBot.]

Industry Players Perspectives

John Ayora
Director, Information Systems Security, Bank of Africa Group, Senegal

Kindly highlight some of the top cyber security issues of 2017 and how these issues impacted you personally, your organisation or country?

• Attack on SWIFT Money Transfer System
• Ransomware Attacks
• Fake News

Do you think fake news is a major problem in Africa?

Yes.

Who should be responsible for controlling the creation and distribution of fake news (government, end users, Telcos or ISPs or content owners)?

Should regulators force influential platforms like Google and Facebook to remove fake news and other extreme forms of content from their platforms?

Yes.

What can be done to improve the general user awareness on the detection of fake news in the country?

Users should use traditional methods like Radio and Newspapers for news verification. While online, users can follow news especially on the verified accounts.

Many governments in Africa are investing in e-services (e-government, e-voting, e-tax systems and many other portals.) Do you think the African citizenry is ready to consume and utilize these systems without the worry of privacy, security and fraud?

The e-services have made service delivery quicker. However, many African nations are still not very well covered technologically. Privacy is a major concern especially when the e-systems are hacked. Many governments have not invested in proper security solutions thereby putting the citizenry data at risk of data breaches.

In 2017, we had several cases of cyber security attacks including ransomware attacks across the world – were you impacted by these attacks?

Yes.

If yes, how did you (company or country) respond to these cases?

We had several cases of Ransomware attacks across our subsidiaries. Directors were the main targets. We carried out user awareness programs, upgraded and updated the Windows OS, applied patches issued by Microsoft and issued each director with an external hard drive to back up their data. For the affected ones, we did not recover the data as we didn’t pay the ransomware. We simply issued new computers to the affected individuals.

Considering the shortage of skilled resources in Africa, how can we limit the impact of ransomware cases?

User awareness is key. Organisations and users need to carry out patching as soon as critical vulnerabilities are discovered and patches issued. It is also important that users have effective Anti-malware applications.

Do you think organisations are spending enough money on combating cyber-crime?

No.

What can be done to encourage more spending on cyber security issues?

Organisations view security solutions as an expense with no real return on investment and this is where the problem lies. Security solutions are an investment that is put in place to protect the organisation’s key resources and properties.

Based on our research the Africa cyber security market will be worth USD2 billion dollars by 2020. Despite this opportunity, Africa has not produced a single commercially viable cyber security product or solution.

In your opinion, what should African countries and universities focus on to encourage innovation in the development of cyber security solutions?

• Invest in up to date research centers and labs
• Send students and researchers for exchange programs across various countries.

What role can the private sector and consumers of imported cyber security products play to ensure we can encourage local players to start developing African grown cyber security products and solutions or even services?

The private sector and consumers should give an opportunity to the African Grown Cyber-security products in their sectors.

In your opinion and from an African context, what are the top 2018 cyber security priorities for African countries and organisations?

• Invest in user training and awareness programs
• Update and or upgrade outdated systems, especially the non-supported Microsoft Systems
• Invest in effective Cyber security products and solutions.


Threat Intelligence

The main aim of this phase was to identify active systems easily accessible online and, using this information, identify areas of weakness and attack vectors that can be leveraged by malicious players to cause harm.

We broke down the findings into the following sections:

• Open Ports
• Operating Systems
• Top Vulnerabilities by Application or Services

Open Ports

There are 65,535 TCP ports and another 65,535 UDP ports; we examined risky network ports based on related applications, vulnerabilities, and attacks.

TCP PORTS   Kenya  Tanzania  Ghana  Uganda  Nigeria  Namibia  Mauritius
Port 80     29%    28%       24%    22%     29%      23%      26%
Port 23     19%    13%       6%     16%     10%      6%       9%
Port 443    18%    18%       15%    15%     16%      20%      20%
Port 8080   3%     9%        4%     3%      2%       3%       2%
Port 22     14%    15%       12%    10%     10%      18%      16%
Port 21     6%     7%        10%    4%      6%       11%      12%
Port 53     4%     3%        4%     18%     3%       5%       5%
Port 445    1%     1%        3%     3%      2%       3%       2%
Port 135    1%     2%        3%     3%      2%       3%       4%
Port 25     3%     2%        1%     4%      10%      5%       2%
Port 110    2%     2%        1%     2%      10%      3%       2%


• TCP ports 80, 8080 and 443 support web transmissions via HTTP and HTTPS respectively. HTTP transmits unencrypted data while HTTPS transmits encrypted data. Ports such as 25 and 143 also transmit unencrypted data, therefore requiring the enforcement of encryption. These ports are commonly targeted as a means of gaining access to the application server and the database. Attacks commonly used include SQL injections, cross-site request forgeries, cross-site scripting, buffer overruns and man-in-the-middle attacks.
• TCP/UDP port 53 for DNS offers a good exit strategy for attackers. Since DNS is rarely monitored or filtered, an attacker simply turns data into DNS traffic and sends it through the DNS server.
• TCP ports 23 and 2323 carry Telnet, a legacy service that’s fundamentally unsafe. Telnet sends data in clear text, allowing attackers to listen in, watch for credentials, inject commands via man-in-the-middle attacks, and ultimately perform Remote Code Executions (RCE).
• TCP port 22 is a common target for attackers since its primary function is to manage network devices securely at the command level. Attackers commonly use brute-force and dictionary attacks to obtain the server credentials, thereby gaining remote access to the server, and then deface websites or use the device as part of a botnet - a collection of compromised computers remotely controlled by an attacker.
• TCP port 21 connects FTP servers to the internet. FTP servers carry numerous vulnerabilities such as anonymous authentication capabilities, directory traversals, and cross-site scripting, making port 21 an ideal target.
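The port 53 point above says DNS is rarely monitored. The following sketch is an added example, not part of the report: it reviews a resolver query log for the pattern that data carried in DNS tends to leave, namely many unique, long, high-entropy subdomains under one domain. The log format, the thresholds and every name in the sample are assumptions constructed for illustration.

```python
import math
from collections import Counter, defaultdict

# Constructed resolver query log, one query per line: "<time> <client> <qname> <qtype>".
# All names use reserved TLDs (.example, .test); none of this is data from the report.
SAMPLE_LOG = """\
09:00:01 10.0.0.11 www.corp.example A
09:00:02 10.0.0.11 mail.corp.example A
09:00:04 10.0.0.12 vpn.corp.example A
09:00:05 10.0.0.12 www.corp.example AAAA
09:00:07 10.0.0.13 img1.static.example A
09:00:07 10.0.0.13 img2.static.example A
09:00:07 10.0.0.13 img3.static.example A
09:00:08 10.0.0.13 img4.static.example A
09:00:08 10.0.0.13 img5.static.example A
09:00:08 10.0.0.13 img6.static.example A
09:00:10 10.0.0.14 updates.vendor.example A
09:00:11 10.0.0.14 api.vendor.example A
09:00:12 10.0.0.14 a1b2c3d4e5f6a7b8c9d0e1f2.verify.vendor.example TXT
09:01:00 10.0.0.23 q7x2mf9zk4c1v8b5n3d6h0jw.sync-cache.test TXT
09:01:01 10.0.0.23 h3t8yp1rw6g0sa4le9ub2ci7.sync-cache.test TXT
09:01:02 10.0.0.23 z5n0kd8xq3v7jm2f9tb6rw1y.sync-cache.test TXT
09:01:03 10.0.0.23 c9g4u2oe7la0ph5s8yi3tk6m.sync-cache.test TXT
09:01:04 10.0.0.23 w1b6j3xr8nq5f0zd7vh2mk9t.sync-cache.test TXT
09:01:05 10.0.0.23 e4s9a7il2uo6gc1py8t3hk0b.sync-cache.test TXT
"""


def shannon_entropy(text):
    """Bits per character of `text`; random-looking encoded labels score high."""
    if not text:
        return 0.0
    total = len(text)
    return -sum(n / total * math.log2(n / total) for n in Counter(text).values())


def split_name(qname):
    """Return (registered domain, subdomain part).

    Simplification: the registered domain is taken as the last two labels.
    Production code should consult the Public Suffix List instead.
    """
    labels = qname.rstrip(".").lower().split(".")
    if len(labels) < 3:
        return ".".join(labels), ""
    return ".".join(labels[-2:]), ".".join(labels[:-2])


def domain_stats(log_text):
    """Aggregate the unique subdomains seen under each registered domain."""
    subs, clients = defaultdict(set), defaultdict(set)
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 4:
            continue  # skip malformed lines rather than guessing
        _time, client, qname, _qtype = fields
        domain, sub = split_name(qname)
        if sub:
            subs[domain].add(sub)
            clients[domain].add(client)
    stats = {}
    for domain, names in subs.items():
        stats[domain] = {
            "unique": len(names),
            "mean_len": sum(len(n) for n in names) / len(names),
            "mean_entropy": sum(shannon_entropy(n.replace(".", "")) for n in names)
            / len(names),
            "clients": sorted(clients[domain]),
        }
    return stats


def flag_tunnelling(log_text, min_unique=5, min_len=20, min_entropy=3.5):
    """Domains whose subdomains are numerous AND long AND random-looking.

    Requiring all three keeps busy CDNs (many short names) and one-off
    verification lookups (a single long name) out of the result.
    """
    return {
        domain: s
        for domain, s in domain_stats(log_text).items()
        if s["unique"] >= min_unique
        and s["mean_len"] >= min_len
        and s["mean_entropy"] >= min_entropy
    }


if __name__ == "__main__":
    for domain, s in flag_tunnelling(SAMPLE_LOG).items():
        print(domain, s)
```

The thresholds are starting points to tune against a baseline of the organisation's own DNS traffic; the `clients` field tells the responder which internal host to examine first.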

Heartbleed Vulnerability

The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library. This weakness allows stealing the information protected, under normal conditions, by the SSL/TLS encryption used to secure the Internet.

Nigeria  Kenya  Ghana  Tanzania  Mauritius  Uganda  Namibia
27%      27%    11%    11%       9%         7%      7%

Vulnerable OS

A computer running XP today is a castle with doors flung open. Microsoft first introduced XP in 2001 and hasn’t supported it since 2014. Hackers have targeted XP for years. Its lack of defenses and persistent popularity make it a popular target.

Nigeria  Kenya  Ghana  Mauritius  Tanzania  Uganda  Namibia
26%      25%    18%    13%        11%       6%      1%


Web Defacements in 2016 and 2017

Nigeria was the most affected by web defacement in 2017

Country    2016  2017  % change
Kenya      38%   11%   -28%
Nigeria    11%   23%   12%
Ghana      2%    7%    5%
Tanzania   17%   5%    -12%
Uganda     11%   23%   12%
Mauritius  2%    1%    1%
Namibia    12%   18%   6%
Lesotho    2%    2%    -1%
Ethiopia   2%    2%    4%
Rwanda     2%    3%    1%

Open DNS Resolvers (Port 53/DNS)

Country    Share
Ghana      29%
Kenya      27%
Nigeria    26%
Mauritius  10%
Tanzania   3%
Uganda     3%
Namibia    2%
Lesotho    1%

Why is an Open DNS resolver a bad thing?

An Open DNS Resolver is any DNS resolver that is publicly accessible, and willing to resolve recursive queries for anyone on the internet. While this sounds like the good Samaritan thing to do, the DNS protocol is one of a few that can turn a very small query into a large response (in both size, and required computing power). Because of this, having an open resolver opens your server up to be used in DNS Amplification Attacks.
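To make the open-resolver explanation concrete, here is an added example (not from the report) of the check an administrator can run on replies from their own resolver: read the DNS header, see whether recursion was offered to that client, and compare reply size with query size. The probe name, function names and the two replies are constructed for an offline demonstration.

```python
import struct

RCODE_NOERROR, RCODE_NXDOMAIN, RCODE_REFUSED = 0, 3, 5


def build_query(name, qtype=1, txid=0x04D2):
    """Encode a recursive (RD=1) query for `name`; qtype 1 is an A record."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)
    qname = b"".join(
        bytes([len(label)]) + label.encode("ascii")
        for label in name.rstrip(".").split(".")
    ) + b"\x00"
    return header + qname + struct.pack("!HH", qtype, 1)


def parse_header(message):
    """Decode the fixed 12-byte DNS header."""
    if len(message) < 12:
        raise ValueError("DNS message shorter than the 12-byte header")
    txid, flags, _qd, ancount, _ns, _ar = struct.unpack("!HHHHHH", message[:12])
    return {
        "txid": txid,
        "is_response": bool(flags & 0x8000),          # QR bit
        "truncated": bool(flags & 0x0200),            # TC bit
        "recursion_available": bool(flags & 0x0080),  # RA bit
        "rcode": flags & 0x000F,
        "ancount": ancount,
    }


def assess_resolver(query, response):
    """Decide whether the reply shows recursion being offered to this client."""
    q, r = parse_header(query), parse_header(response)
    if not r["is_response"] or r["txid"] != q["txid"]:
        raise ValueError("response does not match the query")
    # A resolver that recursed answers NOERROR or NXDOMAIN with RA set;
    # a restricted one answers REFUSED (or stays silent).
    recursed = r["recursion_available"] and r["rcode"] in (RCODE_NOERROR, RCODE_NXDOMAIN)
    return {
        "open_to_this_client": recursed,
        "rcode": r["rcode"],
        "answers": r["ancount"],
        "amplification": round(len(response) / len(query), 2),
    }


def sample_response(query, flags, a_records):
    """Constructed reply for the offline demo: echoes the question, adds A records."""
    txid = struct.unpack("!H", query[:2])[0]
    header = struct.pack("!HHHHHH", txid, flags, 1, len(a_records), 0, 0)
    answers = b"".join(
        # name pointer to offset 12, type A, class IN, TTL 300, RDLENGTH 4
        struct.pack("!HHHIH", 0xC00C, 1, 1, 300, 4) + bytes(addr)
        for addr in a_records
    )
    return header + query[12:] + answers


# Constructed sample data (reserved .test name and documentation addresses).
QUERY = build_query("probe.resolver-audit.test")
OPEN_REPLY = sample_response(QUERY, 0x8180, [(192, 0, 2, n) for n in range(1, 9)])
REFUSED_REPLY = sample_response(QUERY, 0x8105, [])

if __name__ == "__main__":
    print("open resolver   :", assess_resolver(QUERY, OPEN_REPLY))
    print("restricted      :", assess_resolver(QUERY, REFUSED_REPLY))
```

The result only means something when the query was sent from outside the networks the resolver is meant to serve; a restricted resolver should still recurse for its own clients.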

Industry Players Perspectives

Shimelis Gebremedhin Kassa
CISA, MSCS, CEH - General Manager, MASSK Consulting PLC, Ethiopia

Kindly highlight some of the top cyber security issues of 2017 and how these issues impacted you personally, your organisation or country?

No formal information or statistics are available. However, based on the informal information that I receive and my personal experience, the impact of cyber security is crippling.

The following are issues that we faced in 2017:

• Compromise or misuse of personal and companies’ files/data due to malware, worms, viruses etc
• Individuals’ personal information theft (like copy of films, music, book etc)
• Insiders attack attempted on some financial institutions of the country in collaboration with outsiders.
• We are aware of the ransomware attacks which happened during May 2017, though did not impact our country.

Do you think fake news is a major problem in your country or Africa?

Yes, to some extent.

If yes, who should be responsible for controlling the creation and distribution of fake news (government, end users, Telcos/ISPs or content owners)?

Actually, depending on the situation, everyone would bear the responsibility. End users are usually responsible for the creation and distribution of fake news, government, Media and ISPs will take second degree responsibility in relation to stopping the distribution.

Should regulators force influential platforms like Google and Facebook to remove fake news and other extreme forms of content from their platforms?

In our case, regulators do not have direct influence on these sites. However, they can report such cases to the platform owners (Google/Facebook) who in turn have the ability to remove the fake news. It is also possible to use filters and different technologies that can assist in fixing this issue.

What can be done to improve the general user awareness on the detection of fake news in the country?

I think the main solution is enhancing awareness using different mechanisms like radio, TVs, journals, magazine, telephone SMS etc both by government and private organisations. In addition, for highly susceptible and sensitive organisations like financial industries, airlines, medical centers etc, the government/regulators should set some enforcement to create regular awareness on how to use their products by customers/end users.

Many governments in Africa are investing in e-services (e-government, e-voting, e-tax systems and many other portals.) Do you think the African citizenry is ready to consume and utilize these systems without the worry of privacy, security and fraud?

Consuming and utilizing these systems without considering the risk of security, fraud and privacy issues is not praiseworthy. Organisations often rush to implement complex technologies without considering the Cyber security risks present. As a result, most of these projects tend to be exploited by Cyber attackers to commit fraud.

What are some of the risks faced with the introduction of government driven e-services and do you have any examples of these cases in your country?

Most of the African countries including Ethiopia are now moving to E-services without considering the security gaps and attack vectors such as denial of service, disruption, loss of critical customers, loss of confidential information and loss of user interest in general. A good example is the dissatisfaction created by school net and woreda net e-service projects.


In 2017, we had several cases of cyber security attacks including ransomware attacks across the world – were you impacted by these attacks?

NO, we were not affected directly. This is because of a number of reasons key being lack of e-commerce, credit card facilities and the strict financial policy that we have.

Also, banks have enforced a number of controls that ensure loss of money is reduced. For example the Limited amount of fund transfer/withdrawal which was enforced. It was made mandatory that users had to inform the central bank to withdraw more than 7,500USD/200,000ETB, lengthening authorization process. Limits were also set such that it’s only possible to withdraw from ATM terminals a maximum of 10,000ETB/370USD.

Considering the shortage of skilled resources in Africa, how can we limit the impact of ransomware cases?

• Need to create strong collaboration between professionals throughout Africa.
• Establish professional security associations to defend security issues together and share experiences
• Create current status security awareness frequently through publications like Serianu’s journal (Africans Cyber Security Report).

Do you think organisations are spending enough money on combating cyber-crime?

No, most organisations invest a lot on technology implementation without considering the security aspect.

Based on our research the Africa cyber security market will be worth USD 2 billion dollars by 2020. Despite this opportunity, Africa has not produced a single commercially viable cyber security product or solution.

In your opinion, what should African countries/universities focus on to encourage innovation in the development of cyber security solutions?

Cyber security is a global issue and no country/continent (Africa, Asia, Europe or America) can manage on their own. We need to collaborate.

Also, Cyber security not only requires knowledge but also skill, talent and interest. So, engaging youngsters and kids will improve our innovation. Further, government should organize different security innovation competition and encourage private investors in the area.

In your opinion and from an African context, what are the top 2018 cyber security priorities for African countries and organisations?

I think Ransomware will get the first attention in Africa, then DDoS, Social engineering, Email phishing attack will take next priority in 2018.


2017 Africa Cyber Security Survey

The goal of the 2017 Africa report was to explore the evolving threat landscape and the thousands of Cyber-attacks that have been perpetrated against individuals, SMEs and large organisations within Africa. Cybercriminals continue to take advantage of the vulnerabilities that exist within systems in Africa and the low awareness levels. This survey identifies current and future Cyber security needs within African organisations and the most prominent threats that they face.

700 respondents, 12 Industry Sectors

About the Survey

This survey was prepared based on data collected from a survey of over 700 respondents across organisations in Africa.

This included companies from the following sectors:

• Academic
• Insurance
• Banking
• Legal Advisory
• Cyber Security
• Professional Services
• Financial Services
• Telecommunication
• Government
• Healthcare Services
• Others

The respondents who participated in this survey included technical respondents (predominantly chief information officers, chief information security officers, IT managers and IT directors) and non-technical respondents (procurement managers, senior executives, board members, finance professionals and office managers). The survey measures the challenges facing African organisations and the security awareness and expectations of their employees.


Summary of Findings

According to the survey findings, 99.4% of respondents have a general understanding of what cybercrime is. With the many advances in information technology and the transition of social and economic interactions from the physical world to cyberspace, it is expected that the majority of individuals have a general idea of what cybercrime is.

Majority of the respondents were from the government sector

Government: 30%
Banking & Financial Services: 29%
Insurance: 15%
Telecommunication: 10%
Others: 9%
Manufacturing: 7%

62% of the organisations allow the use of IoTs

Organisations that allow/utilize Cloud Services or IoTs Tech: 62%
Organisations that lack policies to govern the usage of Cloud Services or IoTs Tech: 58%

It is paramount that organisations which have adopted cloud and IoT services implement policies and procedures to govern the adoption, maintenance and retirement of these technologies.

25% of the respondents are organisations with 1000+ employees

25% of the respondents are employees of organisations with 1000+ employees.

0 - 100 employees: 22%
101 - 500 employees: 25%
501 - 1000 employees: 28%
1000+ employees: 25%

58% of organisations are concerned about cybercrime

58% are extremely concerned about cybercrime in their organisation.

The telecommunications sector experienced a 2% decrease of cybercrime in their organisations

there was a relative increase in cyber crime in 2017

Banking: 55% (2016), 59% (2017)
Government: 63% (2016), 67% (2017)
Telecommunications: 67% (2016), 65% (2017)
Others: 48% (2016), 51% (2017)


this can be attributed to two main issues:
• Internet penetration in Africa is still low
• majority of people do not understand what qualifies as Cyber-crime. As such, a huge percentage of people lack the ability to recognize a Cyber-attack when it occurs.

90% of organisations spend less than US $10000 annually for cyber security. Majority of these organisations came from the Banking and Financial sectors

90% spend less than US $10000 on cyber security.

Don't know their organisation's cyber security expenditure: 43%
Spend US $ 1 - 1000: 22%
Spend US $ 1001 - 5000: 17%
Spend US $ 5001 - 10000: 16%
Spend US $ 10000+: 2%

90% have been impacted by cybercrime

90% of the respondents have had an impact of Cyber crime.

Money Lost: 40%
System Downtime: 32%
All of the above: 18%
Reputation damage: 10%

Financial institutions, Saccos and organisations that deal with transaction processing are the primary targets for the Cyber-attacks.

75% of the organisations manage their entire security functions inhouse

25% of the respondents outsource the entire security function for their organisations.

Manage Cyber Security inhouse: 75%
Outsourced to Internet Service Provider: 14%
Outsourced to Managed Services Provider: 11%

72% did not report cybercrime to the authorities

5% reported cyber crime to the police and followed it through to successful prosecution.

Did not report to the police: 72%
Reported to the police with no further action: 14%
Reported to the police, who contacted me/organisation but no further action: 6%
Reported to the police, who followed it up to successful prosecution: 5%
Reported to the police, who followed it up but no successful prosecution: 4%


75% of the organisations do not carry out a combination of security testing techniques

25% of the respondents carry out security testing techniques in their organisations simultaneously.

Audits: 30%
Penetration testing, Vulnerability Assessments and Audits: 25%
Vulnerability Assessments: 25%
Penetration testing: 20%

72% believe that cyber crime has increased in Africa

28% DO NOT think that cyber crime has increased in Africa.

Has increased in the last year: 72%
Has not changed since last year: 15%
Not much of an issue: 9%
Has reduced in the past year: 4%

66% of the respondents do not believe that cyber crime is rooted in technology

34% of the respondents believed cyber crime is rooted in technology.

Technology: 34%
Security Education: 22%
Economic Interests (Financial gain): 17%
Business Competition Sabotage, IP theft: 15%
Lack of Integrity (Corruption): 12%

15% of the organisations do not train their employees on cyber security issues

50% of organisations do not have an established Cyber security training program on cyber risks.

Staff trained yearly: 35%
Staff trained only if there is a problem: 35%
Staff trained monthly: 15%
Staff never trained: 15%

59% of organisations have a best practice policy for BYOD

41% of organisations allow the use of Bring Your Own Devices while 59% of the respondents have a best practice policy for BYOD in their organisations.

40% of the respondents do not keep up to date with cyber security news

60% of organisations in Africa do not keep up to date with Cyber security trends and attacks.

I do not keep up to date: 22%
Specialised news sources: 18%
Generic newspapers and news broadcasters: 16%
Social media networks contacts: 15%
Outsourced services: 15%
Consulting companies: 14%

Industry Players Perspectives

John Sergon
Ag. Chief Executive Officer, ICT Authority
Kenya

Kindly highlight some of the top cyber security issues of 2017 and how these issues impacted you personally, your organisation or country?

We saw attacks on systems in general, Information theft especially from the financial institutions and hackers going ahead to use this information to further cybercrime.

Do you think fake news is a major problem in your country?

It is an issue in this country. Social media news is very versatile we seem not to be ready for it. It is hard to tell the source a lot of times. The fake news “industry” growing and wanting to be felt.

If yes, who should be responsible for controlling the creation and distribution of fake news (government, end users, Telcos/ISPs or content owners)?

Every organisation should have a responsibility to counter fake news seen on social media that regards them. Fake news is actually a threat to organisations that users need to learn how to identify.

Should regulators force influential platforms like Google and Facebook to remove fake news and other extreme forms of content from their platforms?

Regulators should put responsibility on these platforms for accountability and to ability to follow up on custodians on these platforms who should be accountable for the content they post. Regulators should put in place mechanisms to know from these platforms to know who these people are.

What can be done to improve the general user awareness on the detection of fake news in the country?

All institutions should have general user awareness on issues that impact them through the society. They should be taught how to identify fake news.

Many governments in Africa are investing in e-services (e-government, e-voting, e-tax systems and many other portals.) Do you think the African citizenry is ready to consume and utilize these systems without the worry of privacy, security and fraud?

People have adapted to using these systems. However, the rapid use has been without the thought, is my data safe?

What are some of the risks we face with the introduction of government driven e-services and do you have any examples of these cases in your country?

There are risks but people trust the government with their data.

In 2017, we had several cases of cyber security attacks including ransomware attacks across the world – were you impacted by these attacks?

No. We were not impacted, but there were reports of attacks elsewhere.

Considering the shortage of skilled resources in Africa, how can we limit the impact of ransomware cases?

Awareness and build capacity be able to deal with such incidences.

Do you think organisations are spending enough money on combating cyber-crime?

No. First of all it is very expensive and second they don’t know it is an issue to prioritize on.

What can be done to encourage more spending on cyber security issues?

Create awareness for all involved stakeholders as encourage people to push up the agenda of why investing in cyber security is important.

Based on our research the Africa cyber security market will be worth USD2 billion dollars by 2020. Despite this opportunity, Africa has not produced a single commercially viable cyber security product/solution. In your opinion, what should African countries/universities focus on to encourage innovation in the development of cyber security solutions?

Putting in more effort in research and development and allocating resources for this. Already existing innovation centers should also dedicate resources solely for cyber security research and development, say a lab solely for cyber security practice.

What role can the private sector and consumers of imported cyber security products play to ensure we can encourage local players to start developing African grown cyber security products/solutions or even services?

As local consumers it is our responsibility to “Buy Kenya, Grow Kenya”. The government also needs to encourage local players through policies to ensure there is a capacity to produce local cyber security solutions.

In your opinion and from an African context, what are the top 2018 cyber security priorities for African countries and organisations?

I am not in a position to fully comment on this, but I believe going forward there needs to be frameworks through government to private sector that cut through the cyber security space.

Cyber security is an area we cannot ignore anymore, and since technology is always growing, people need to always catch up cyber security wise.


Summarized Findings Report – What are Cybersecurity Gaps in Africa?

*Reporting approach adopted from cyberroad-project and survey

| Theme | Scenario | Consequence(s) | Mitigation | Identified Gap(s) |
|---|---|---|---|---|
| Database Security | Limited visibility on activities on the databases. | 1. Fraudulent database postings! 2. Loss of sensitive information! | Continuous monitoring of activities within databases. Limit and monitor access to database. Audit and review privileged access to DB. | How can African companies improve visibility on DB activities at a cost effective and resource friendly manner? |
| Privileged User Management | Compromised administrator accounts. | Unauthorized access to critical systems within the organisations! | Audit the activities of privileged users within the network. | How can organisations implement segregation of duties when resources (staff) are limited? |
| Patch Management | Missing patches contribute 70% of vulnerabilities identified. 60% of these are never mitigated. | Exploitation of missing patches to compromise confidentiality, integrity and availability of critical informational assets! | Remediation roadmaps that ensure that critical patches are applied while medium and low risk vulnerabilities are fixed within a stipulated agreed upon period. | How can African organisations maintain a patch management program without exhausting resources? |
| Training and Awareness | Employees are trained only after an incident. | Employees fall victims of social engineering attacks! | Regular employee training programs that have an effectiveness measuring metric. | How can organisations ensure employees understand the concepts taught during awareness workshops and trainings? |
| Training and Awareness | IT Training is done on specific tools. | IT teams lack the expertise for defensive and offensive security! | Regular training on both defensive and offensive cyber security concepts. | How can IT teams transform from being “tool analysts” to network engineers and architects? |
| Training and Awareness | Board members lack cyber security expertise and rely on standard audit reports to understand the security posture of organisations. | Lack of visibility on actual cyber security posture! No standard way of measuring progress and ROI on IT investments! | Board training to involve reporting metrics for enhanced visibility that can provide a basis and guide on future decision making. | How can Board members shift from the traditional “oversight” role into the proactive cyber security role? |
| Network Security Engineering | Limited expertise in the country on Security Architecture/Engineering skill set. | Networks are misconfigured to allow easy manipulation and system sabotage! | Organisations to invest in or outsource security engineers/architects for network design purposes. | Where can organisations get specialized training on security architecture and Engineering? |


| Theme | Scenario | Consequence(s) | Mitigation | Identified Gap(s) |
|---|---|---|---|---|
| Insider Threats | Greedy and Disgruntled employees are being recruited by cartels to launch attacks | Compromise of administrator accounts; Privilege escalation; Malicious transaction posting; Data exfiltration; Sabotage of critical systems | Audit and monitor activities of privileged accounts; Segregation of duties; Develop a user access matrix | How can African organisations share information on malicious insiders? |
| Continuous Monitoring | Multiplicity - Remote Access to critical system after business hours goes undetected | Compromise of confidentiality, Integrity and Availability | Multiplicity as an Indicator of Compromise – Establish a baseline for what is normal. | |
| Continuous Monitoring | Velocity – Multiple failed logins to critical system within a short period of time goes undetected by security teams | Compromise of confidentiality, Integrity and Availability | Velocity as an Indicator of Compromise - Establish a baseline for what frequency is normal for the organisations. | |
| Continuous Monitoring | Volume – Bulk transactions go undetected by security teams | Compromise of confidentiality, Integrity and Availability | Volume as an Indicator of Compromise - Establish a baseline for what number, bandwidth or utilization metric is normal for the organisations. | How can African organisations establish a baseline for what “normal” is. |
| Continuous Monitoring | Limits - Security personnel are unable to determine a baseline for understanding limits as an indicator of compromise. | Malicious postings of transactions | Limits as an Indicator of Compromise - Establish a baseline for what threshold is normal for the organisations | |
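The four Continuous Monitoring indicators above (multiplicity, velocity, volume, limits) all come down to comparing live activity with a learned baseline. The Python below is an added example, not part of the report: the event format, the account name `dba1`, the 5-minute window and the safety margins are assumptions, and every sample event is constructed.

```python
from collections import defaultdict, deque
from datetime import datetime, timedelta
from statistics import mean, pstdev

WINDOW = timedelta(minutes=5)  # assumed meaning of "a short period of time"


def ts(text):
    return datetime.strptime(text, "%Y-%m-%d %H:%M")


def max_in_window(times):
    """Largest number of timestamps seen inside any WINDOW-long interval."""
    best, recent = 0, deque()
    for t in sorted(times):
        recent.append(t)
        while t - recent[0] > WINDOW:
            recent.popleft()
        best = max(best, len(recent))
    return best


def build_baseline(events):
    """Learn what is normal per user from a period believed to be clean."""
    hours, fails, amounts = defaultdict(set), defaultdict(list), defaultdict(list)
    daily = defaultdict(lambda: defaultdict(int))
    for t, user, kind, value in events:
        if kind == "remote_login":
            hours[user].add(t.hour)
        elif kind == "login_fail":
            fails[user].append(t)
        elif kind == "txn":
            daily[user][t.date()] += 1
            amounts[user].append(value)
    baseline = {}
    for user in set(hours) | set(fails) | set(daily):
        counts = list(daily[user].values()) or [0]
        baseline[user] = {
            "hours": hours[user],                                # multiplicity
            "fail_burst": max_in_window(fails[user]) + 2,        # velocity (+2 margin)
            "daily_txn": mean(counts) + 3 * pstdev(counts) + 1,  # volume
            "amount": 1.5 * max(amounts[user], default=0),       # limits
        }
    return baseline


def detect(events, baseline):
    """Return (time, user, indicator) for every deviation from the baseline."""
    alerts, recent_fails = [], defaultdict(deque)
    per_day = defaultdict(int)
    for t, user, kind, value in sorted(events, key=lambda e: e[0]):
        b = baseline.get(user)
        if b is None:  # an account never seen in the clean period
            alerts.append((t, user, "no-baseline"))
        elif kind == "remote_login" and t.hour not in b["hours"]:
            alerts.append((t, user, "multiplicity"))
        elif kind == "login_fail":
            q = recent_fails[user]
            q.append(t)
            while t - q[0] > WINDOW:
                q.popleft()
            if len(q) == b["fail_burst"] + 1:  # fire once as the burst crosses
                alerts.append((t, user, "velocity"))
        elif kind == "txn":
            day = (user, t.date())
            per_day[day] += 1
            if per_day[day] == int(b["daily_txn"]) + 1:  # first posting over baseline
                alerts.append((t, user, "volume"))
            if value > b["amount"]:
                alerts.append((t, user, "limits"))
    return alerts


def sample_baseline():  # constructed clean week, 2017-11-06 to 2017-11-10
    events = []
    for day in range(6, 11):
        d = f"2017-11-{day:02d}"
        events += [(ts(f"{d} 09:00"), "dba1", "remote_login", None),
                   (ts(f"{d} 09:01"), "dba1", "login_fail", None),
                   (ts(f"{d} 14:00"), "dba1", "remote_login", None)]
        for n in range(18 + day % 3):  # 18 to 20 postings a day
            events.append((ts(f"{d} 10:{n:02d}"), "dba1", "txn", 1000 + 100 * n))
    return events


def sample_suspect():  # constructed night that breaks all four baselines
    d = "2017-11-13"
    events = [(ts(f"{d} 02:30"), "dba1", "remote_login", None)]
    events += [(ts(f"{d} 02:{m}"), "dba1", "login_fail", None) for m in range(31, 37)]
    events += [(ts(f"{d} 03:{n:02d}"), "dba1", "txn", 1200) for n in range(30)]
    events.append((ts(f"{d} 03:45"), "dba1", "txn", 9000))
    events.append((ts(f"{d} 09:00"), "dba1", "remote_login", None))  # normal hour
    return events


if __name__ == "__main__":
    for alert in detect(sample_suspect(), build_baseline(sample_baseline())):
        print(*alert)
```

Replaying the clean week through `detect` raises nothing, which is the check to run before trusting a baseline; a noisy baseline period needs wider margins or a longer learning window.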


Inter Industry Analysis - Africa

| Metric | Banking and Financial Services ‘16 | Banking and Financial Services ‘17 | Government ‘16 | Government ‘17 | Telecommunication ‘16 | Telecommunication ‘17 | Other Industries ‘16 | Other Industries ‘17 |
|---|---|---|---|---|---|---|---|---|
| Been victims of any cybercriminal activity in the last 5 years; Through work | 55% | 59% | 63% | 67% | 67% | 65% | 48% | 51% |
| Organisations spending below $1,000 USD annually on cyber security | 33% | 30% | 45% | 45% | 30% | 27% | 48% | 50% |
| Organisations with Cyber Security managed In-house | 63% | 55% | 58% | 58% | 71% | 71% | 40% | 48% |
| Yearly training staff on Cyber Security risks | 39% | 45% | 45% | 47% | 55% | 57% | 38% | 33% |
| Organisations that allow Bring Your Own Devices (BYODs) usage | 20% | 26% | 60% | 61% | 49% | 40% | 60% | 60% |
| Organisations who lack BYOD policy | 30% | 35% | 74% | 74% | 60% | 56% | 57% | 55% |
| Organisations utilizing Cloud Services or Internet of Things Tech (Big Data Analytics) | * | 46% | * | 43% | * | 40% | * | 58% |
| Organisations which lack an IoT and Cloud Policy | * | 35% | * | 71% | * | 54% | * | 54% |

* No statistical analysis done in 2016 on this section.

Industry Players Perspectives

Baidy Sy
Associate Director, Digital Transformation and Cybersecurity Lead of Finetech Groupe
Senegal

Kindly highlight some of the top cyber security issues of 2017 and how these issues impacted you personally, your organisation or country?

Senegalese companies seldom share the Cyber security issues that they face. The rare cases known to the general public are those on whom legal action has been taken and for which media is aware.

Of these cases we can mention the case of a high school student named Assane Lopy charged for fraudulent intrusion into bank accounts.

In early 2017, one of the major banks in Senegal called CBAO GAWB fell victim to a vast network of cyber criminals aided by an insider that resulted in brand erosion and financial loss.

Do you think fake news is a major problem in Africa?

Fake news is currently one of the biggest nuisances of the cyber space, especially in the online press and social networks.

If yes, who should be responsible for controlling the creation and distribution of fake news (government, end users, Telcos or ISPs or content owners)?

First of all there should be a state regulator in-charge of following up and investigating such cases. In Senegal for example, a new press code was voted in the National Assembly this year after eight years of negotiations. One point, in particular, was blocking the discussion: specific measures of deprivation of liberty for press offenders resulting in possible “liberticidal” shift from professionalism. This code also gives rise to better supervision of the online press, as Senegal has more than 200 news sites. Most online sites tend to pick information from other media - without citing them. Others simply broadcast “fake news” and unsubstantiated rumors.

What can be done to improve the general user awareness on the detection of fake news in the country?

We need more campaigns that incorporate Cyber awareness from as early as primary and secondary school. We also need to create a culture and sense of responsibility by the media and information sector actors.

Many governments in Africa are investing in e-services (e-government, e-voting, e-tax systems and many other portals.) Do you think the African citizenry is ready to consume and utilize these systems without the worry of privacy, security and fraud?

African citizens are actually ready to fully digitize their operations. However, limited knowledge and training has provided opportunities for cyber criminals to exploit vulnerabilities and weaknesses in these digitized platforms. Most of the crimes committed against these systems include data leakage, defacement and fraud.

In 2017, we had several cases of cyber security attacks including ransomware attacks across the world– were you impacted by these attacks?

During the WannaCry attack, Senegal was affected 4 hours after the first case was detected. As mentioned earlier, it is possible many more companies were affected but due to the low rate of information sharing, many did not report.

Considering the shortage of skilled resources in Africa, how can we limit the impact of ransomware cases?

Beyond the skills, African countries should invest more in raising awareness and training end-users who are, as always, the weakest link of the chain. Offline backups, Disaster Recovering Plan and Business Continuity Plan are also important.

Do you think organisations are spending enough money on combating cyber-crime?

Not enough unfortunately.

What can be done to encourage more spending on cyber security issues?

Train security managers and directors.

Educate the technical teams on how to communicate to the Board of Directors to show return on investment for Cyber Security spending.

Based on our research the Africa cyber security market will be worth USD2 billion dollars by 2020. Despite this opportunity, Africa has not produced a single commercially viable cyber security product or solution. In your opinion, what should African countries or universities focus on to encourage innovation in the development of Cyber security solutions?

In my opinion, African countries must invest in university training and research centers specializing in Cyber security. They also need to develop national cyber security cultures.

In your opinion and from an African context, what are the top 2018 cyber security priorities for African countries and organisations?

The top 2018 cyber security priorities for African countries are to:
• define a national cyber security plan.
• create a national cyber security agency.
• set up a national CERT (Computer Emergency Response Team).
• identify and protect national critical infrastructure.
• awareness and training.

Inter Country Analysis - Africa

| Metric | Kenya | Uganda | Tanzania | Nigeria | Ghana |
|---|---|---|---|---|---|
| % of organisations who Conduct Regular Training of Employees | 64% | 60% | 55% | 50% | 55% |
| % of organisations who allow Bring Your Own Devices (BYODs) usage | 73% | 62% | 67% | 65% | 67% |
| % of organisations who lack BYOD policy | 48% | 58% | 60% | 50% | 58% |
| % of people who have experienced cyber crime | 72% | 40% | 32% | 80% | 30% |
| % of successful prosecutions per country | 11% | 4% | 6% | 4% | 4% |
| % of organisations who have Zero (0) budget allocation for cyber security products | 10% | 15% | 13% | 43% | 43% |


Trend Analysis - Africa

| Metric | Kenya ‘16 | Kenya ‘17 | Nigeria ‘16 | Nigeria ‘17 | Ghana ‘16 | Ghana ‘17 | Tanzania ‘16 | Tanzania ‘17 | Uganda ‘16 | Uganda ‘17 |
|---|---|---|---|---|---|---|---|---|---|---|
| % of organisations who Conduct Regular Training of Employees | 58% | 64% | 40% | 50% | 48% | 55% | 45% | 55% | * | 60% |
| % of organisations who allow Bring Your Own Devices (BYODs) usage | 62% | 73% | 56% | 65% | 61% | 67% | 56% | 67% | * | 62% |
| % of organisations who lack BYOD policy | 49% | 48% | 53% | 50% | 59% | 58% | 61% | 60% | * | 58% |
| % of people who have experienced cyber crime | 71% | 72% | 37% | 80% | 20% | 30% | 64% | 32% | * | 40% |
| % of successful prosecutions per country | 3% | 11% | 7% | 4% | 1% | 4% | 9% | 6% | * | 4% |
| % of organisations who have Zero (0) budget allocation for cyber security products | 6% | 10% | 41% | 43% | 42% | 43% | 11% | 13% | * | 15% |

* No statistical analysis done in 2016 on this section.

Industry Players Perspectives

Ben Roberts
Chief Technical Officer, Liquid Telecom Group
Kenya

Kindly highlight some of the top cyber security issues of 2017 and how these issues impacted you personally, your organisation or country.

Ransomware and particularly Wannacry have made the most noise in cyber security in 2017. But from our own experience, it is social engineering, very sophisticated ‘spear fishing’ or ‘whaling’ (like phishing but aimed at bigger fish- senior execs) that has bothered us the most. This constant barrage of emails, instant messages, phone calls, to get people to give up their passwords voluntarily, is there all the time and is often good enough to fool very savvy smart people. An IT manager can secure his own company systems, only to find that people in the organisation are using personal Gmail, or Skype, they get hacked and causing damage within the corporate organisation. The motive for this kind of phishing is normally to conduct direct monetary theft.

Do you think fake news is a major problem in your country or Africa?

Yes.

If yes, who should be responsible for controlling the creation and distribution of fake news (government, end users, Telcos/ISPs or content owners)?

Fake news has made headlines globally. But we need to distinguish between what’s fake and what is not, and global leaders need to communicate responsibly. But yes, fake news in East Africa, particularly Kenya (where I live) has been terrible this year, with the election season that has taken place. WhatsApp was the worst platform for circulating of completely fake news, but the traditional media did a poor job on responsible election coverage.

Should regulators force influential platforms like Google and Facebook to remove fake news and other extreme forms of content from their platforms?

Regulators may not be well positioned to force takedowns on platforms that they do not regulate. Communication regulatory bodies in Africa regulate traditional media, but have no jurisdiction to regulate Facebook, a foreign company. So they can force local media houses to take down a fake story from their websites, but they cannot ask Facebook to take down a fake story. Communication service providers in East Africa are regulated by the Communication Authority (CA) of course, but the service providers are completely technically unable in any way to selectively block content, web pages, hashtags on any of the social media or international news sites. So the CA would be unable to force service providers to block content, since it is totally impossible to do so.

What can be done to improve the general user awareness on the detection of fake news in the country?

All of us are responsible to assess information before passing it on; think about the source and whether we trust it, and whether the information seems feasible. It’s easy to blame media, or social media platforms for fake news, but in fact society is to blame. Just before the Kenyan elections, I came across really good campaign from Facebook about how to spot Fake news. It had 10 points of indicators that something might be fake news. It was a really good campaign from Facebook, and its targeting towards Kenyan audience was well meaning. I republished the campaign on Twitter under hashtag #dontfwdfakenews, the important message was, if it looks like fake news, it’s probably fake news, and don’t forward fake news.

Many governments in Africa are investing in e-services (e-government, e-voting, e-tax systems and many other portals.) Do you think the African citizenry is ready to consume and utilize these systems without the worry of privacy, security and fraud?

African society may not yet have gained full trust in e-services, from e-government to e-commerce. As they get used to using such services and noticing improved service delivery, then the trust will grow. E-government services are almost certain to be more accurate, more transparent and more efficient than existing manual systems which are often flawed with loopholes leading to inefficiency, corruption and financial loss.

What are some of the risks we face with the introduction of government driven e-services and do you have any examples of these cases in your country?

The main risk in implementing e-government is having pushback from cartels that are benefitting from corruption networks. If we look at the technologies, E-government, IoT, Blockchain and big data, they have the ability to totally transform and eradicate most forms of corruption, if implemented properly. But those cartels that profit right now may do their best to frustrate the implementation of technology that will cut off their income.

In 2017, we had several cases of cyber security attacks including ransomware attacks across the world–were you impacted by these attacks?

If yes, how did you (company or country) respond to these cases?

Considering the shortage of skilled resources in Africa, how can we limit the impact of ransomware cases?

We were not impacted by ransomware at Liquid Telecom in 2017. But let us not pinpoint. I would consider myself a highly skilled experienced ICT professional, with long experience of leadership in technology. Yet in 2013 I picked up a ransomware from a downloaded Trojan and totally got my hard drive wiped. Just from my own carelessness, and lack of up to date antivirus tools employed by my highly skilled IT department in London.

Do you think organisations are spending enough money on combating cyber-crime and what can be done to encourage more spending on cyber security issues?

Organisations are yet to understand what they should be spending on combatting cyber-crime, and even where to spend it. Cyber Security and associated risks need to be understood at board level, since the average cost of the impact of a cyber breach (estimated 1.3M$ per breach in US in 2017), is enough to bankrupt many companies. But there are ways to be smart about Cyber security spending. Deploying systems in trusted public cloud, may likely be more cost effective than managing the risks of deploying your own security on your premises. Cyber breach insurance will be a growing product that companies should consider.

Based on our research the Africa cyber security market will be worth USD2 billion dollars by 2020. Despite this opportunity, Africa has not produced a single commercially viable cyber security product/solution.

In your opinion, what should African countries and universities focus on to encourage innovation in the development of cyber security solutions?

What role can the private sector and consumers of imported cyber security products play to ensure we can encourage local players to start developing African grown cyber security products and solutions or even services?

I would refute that statement.

Thawte, a security certificate company founded by South African Mark Shuttleworth in South Africa was a security company specializing in certificates for secure communications. Thawte was sold to Verisign for $575 million in 1999 making Thawte the first African tech Unicorn. African innovators should be inspired by Mark, and look to create cyber security solutions that are well placed to deal with cyber security issues in Africa at a price and service level that is good for the local market. What about a WhatsApp bot that you can add to your groups that will spot and delete fake news? African innovators need to start with a problem then go out and solve it.

In your opinion and from an African context, what are the top 2018 cyber security priorities for African countries and organisations?

My top 3 priorities are, education, education and, education. All companies need to do their best to make sure the whole organisation understand and are aware of cyber security, both at home and at work. IT departments and Infosec officers need to be educated to the highest level, but Cybersecurity, just like physical security, is the responsibility of every member of an organisation.


Cost of Cyber Crime

Estimating the Cost of Cyber Crime for the Countries in Scope

As internet and device penetration in Africa rises, so does the rate of cybercrime. Individuals, groups and countries with malicious intent are now targeting sensitive information generated by different organisations/entities. Past estimates of the cost of cybercrime have failed to address the breadth of the problem and have not been able to provide a justifiable estimate of economic impact. In this section, we look more closely at the cost of cybercrime in Africa and try to gain better insights of the costs to the African economy.

Cost of cyber-attacks: $3.5B annually

From our research and analysis, we estimate that Cyber-attacks cost African businesses $3.5 Billion. Further analysis put the cost of Cybercrime for Nigeria, Kenya, Ghana, Uganda and Tanzania at $1.078 Billion a year, which includes direct damage and loss, post-attack disruption to the normal course of business and reputational loss.

Analysis Methodology

Our analysis is based on information in the public domain, law enforcement and economics experts from a range of public and private-sector organisations and our tremendous knowledge of numerous cyber security attacks in the region.

With this said, the boundary between traditional crime and cybercrime remains fluid. Therefore for our research, the term cyber-crime refers to:

The traditional forms of crime committed over electronic communication networks and information systems and crimes unique to electronic networks, e.g. attacks against information systems, denial of service and hacking.

A significant proportion of the $ 1.08 Billion losses is attributed to insider threats, which we estimate at $216 Million (50% of all direct costs) and $352 Million (33% of overall costs) per annum. In all probability, and in line with our worst-case scenarios, the real impact of cybercrime is likely to be much greater.

As for measuring costs, this report decomposes the cost based on these 4 categories:
• Costs in anticipation of cybercrime, such as antivirus software, insurance and compliance.
• Costs as a consequence of cybercrime, such as direct losses and indirect costs such as weakened competitiveness as a result of intellectual property compromise.
• Costs in response to cybercrime, such as compensation payments to victims and fines paid to regulatory bodies.
• Indirect costs such as reputational damage to firms, loss of confidence in cyber transactions by individuals and businesses, reduced public-sector revenues and the growth of the underground economy.


Total Cost of cyber attacks

Cost of cyber-attacks: $1.078B annually
Direct Cost: $431 Million (40%)
Indirect Cost: $647 Million (60%)

Breakdown of Direct Cost of cyber attacks ($431 Million)

Compensations to Victims of Breaches: 43%, $185M
Money withdrawn from victim accounts: 43%, $185M
Investigation and Remediation Costs: 14%, $61M

Breakdown of Indirect Cost of cyber attacks ($647 Million)

Technical Controls: 46%, $304M
Security Consulting Services: 22%, $142M
Loss of trust in e-services: 16%, $103M
Training: 11%, $71M
Reputational Damage: 3%, $19M
Insurance and Compliance Costs: 1%, $6M

Types of Cyber Crime by Cost

| Type of Cyber Crime | Direct Loss | Indirect Loss | Total Loss |
|---|---|---|---|
| Insider Threat | $216M - 50% | $136M - 21% | $352M - 33% |
| Attacks on Computer Systems (Unauthorized Access and Malware) | $95M - 22% | $201M - 31% | $295M - 27% |
| Social Engineering and Identity Theft | $43M - 10% | $123M - 19% | $166M - 15% |
| Email Spam & Phishing | $30M - 7% | $78M - 12% | $108M - 10% |
| Data Exfiltration | $30M - 7% | $45M - 7% | $75M - 7% |
| Online Fraud Scams | $17M - 4% | $65M - 10% | $82M - 8% |


Cyber crime cost for Industry Analysis

• Banking & Financial Services: 23%, $248M
• Government: 19%, $204M
• E-Commerce: 16%, $173M
• Mobile based transactions/e-commerce/e-payment: 13%, $140M
• Telecommunications: 11%, $119M
• Other Sectors/Industries: 18%, $194M
• TOTAL: 100%, $1B

Breakdown of the Statistical Analysis per Industry

For our statistical analysis, we computed the number of reported incidents * the average cost of an incident * estimate number of under-reporting (we estimated that only one in 15 incidents are reported i.e. 7%).

Cost of Cyber crime to Banking Sector

Banking & Financial Services: 23%, $248M

Type of cost: Direct/indirect costs.
1. Insider threat
2. Investments in technologies to detect and prevent cybercrimes such as Antivirus, SIEM Tools, IDS/IPS.
3. Banking malware (Keyloggers and other malware)
4. ATM Skimming
5. Audit and compliance with regulators

Cost of Cyber crime to African Governments

Government: 19%, $205M

Source: Reported losses resulting from:
1. Tax fraud
2. Benefits fraud
3. Local-government fraud
4. Website defacements and
5. Ransom demands

Although we have used the most up-to-date information available, we believe that this is an underestimation of the total level of cybercrime against government systems. With many cases of tax evasion being reported such as the panama papers scandal, we believe that African governments are losing much more.

Cost of Cyber crime to E-commerce

E-commerce: 16%, $173M

Type of cost: Direct cost
1. Online fraud
2. Credit card fraud
3. Social Engineering


Cost of Cyber crime to mobile based transactions

Mobile based transactions/e-commerce/e-payment: 13%, $140M

Type of cost: Direct consequence of cybercrime. These were:
1. SIM Card Swiping
2. Social Engineering
3. Insider Fraud

Cost of Cyber crime to Telecommunication Sector

Telecommunication: 11%, $119M

Type of cost: Direct/Indirect cost
1. Advanced Persistent threats
2. Spam
3. DoS

Cost of Cyber crime to other sectors

Other Sectors/Industries: 18%, $194M

Source: Information from budget declarations, investments analysis and interviews with aviation experts.

Type of Cost: Costs in anticipation of cybercrime, such as:
1. Antivirus software and endpoint protection
2. Cyber insurance,
3. Adoption of NED (network extension device) solutions
4. Applying encryption standards
5. Securing communication technologies such as the flight management system (FMS).

Industry Players Perspectives

Arnold Mangeni
Director, Information Security
National Information Technology Authority Uganda (NITA-U)
Uganda

Do you think Cyber security is a major problem in Uganda/Africa?

Yes.

If yes, what do you think is the main cause of the Cyber security problem?

Yes, Cyber security is a major problem in Africa in general and Uganda in particular.

The main causes of the cyber security problem are:

• Governance. In Uganda’s public sector cyber security is still not on the agenda of top management. There is lack of accountability for and treatment of cyber security as a corporate-level risk. There are no personnel with cyber security responsibilities and majority of end users lack adequate awareness, education as well as training.
• Institutions lack cyber security strategies and policies to guide matters cyber security. Security incidents are not reported both internally and externally. Cybersecurity is more reactive than proactive.
• There are inadequate skilled cyber security professionals to continually meet the cyber security needs in the country
• Inadequate risk assessment and compliance of organisations

What can be done to improve the situational awareness in the country?

4. First and foremost at the heart of improving the situational awareness in the country has been the National Information Security Framework (NISF). A framework that places cyber security at the top of the agenda of top management. Organisations must assume accountability for and treat information security as a corporate-level risk.

Ultimately the NISF seeks to achieve the following amongst others:

i. Provide a conceptual structure for guiding information security activities
ii. Provide a common risk based approach for addressing information security issues
iii. Secure Government of Uganda information and other assets
iv. Improve understanding of information security risk, roles and responsibilities
v. Guarantee information security compliance by critical national information infrastructure operators
vi. Improve information security governance and the environment

The framework encompasses the domains of Governance, Information security, Physical security and personnel security. Below is a brief on what each domain addresses:

i. Governance; Structures must be created to enable people perform specified roles and responsibilities. The first step, thus, is to ensure that organisations create clear structures to enable staff at all levels to perform information security & risk roles effectively.

ii. Information Security; Organisations must protect both the information they handle internally and that which they share with external partners. Assuring the confidentiality, integrity and availability of information is a corporate-level concern because security incidents threaten organisational reputations, legal positions and the ability to conduct business operations.


iii. Personnel Security; Employees are the most important asset for any organisation. However, staff could also be potent threat sources and actors. Indeed, changes in national information security policies worldwide have roots in high-profile accidental and deliberate disclosures of sensitive national security and personal information. Therefore, it is vital to reduce the likelihood of staff exploiting legitimate access to critical infrastructure facilities, sites, information and staff for unauthorised use. Personnel security is important in the context of defending the cyber supply chain against State and industrial espionage threats.

iv. Physical Security; Managing unauthorised physical access, damage, and interference to information, premises and resources by a range of physical security threats including crime, espionage, natural disasters and acts of terrorism, must be of paramount importance to organisations. Physical security also protects personnel against violence and other sorts of harm.

5. Education, training and awareness sessions are routinely being carried out. Plans are underway to carry out massive nationwide awareness and training for the Financial Year 17/18.

6. Adoption of the National Cyber Security Strategy (NCSS) which has been drafted following the revision of the National Information Security Strategy (NISS). The NISS was implemented in 2011, to address matters of Information Security. Currently the NISS has been revised to establish the NCSS. The guiding principles for the National Cyber Security Strategy include but are not limited to the following:

i. Enhancing private public partnership in development of cyber security capacity;
ii. Ensuring trust and confidence of citizens in the use of Information Technology enabled services;
iii. Taking into consideration international collaboration due to the borderless nature of cyber space;
iv. Promoting a culture of cyber security across all levels of society;
v. Promoting continuous improvement in cyber security and;
vi. Promoting responsibility and action amongst CII operators as regards Cyber Security readiness.

7. Utilize the national Computer Emergency Response Team / Co-ordination Center (CERT / CC) (established in 2014) to:

i. Ensure the protection of the nation’s Critical Information Infrastructures through incident management amongst other measures;
ii. Assist in drafting the overall plan on the country’s approach to cyber security related issues; and
iii. Serve as a focal point for further building and implementing the National Culture of Cyber security.

The National CERT/CC is complemented with sub sector CERTs to cater for constituents that have unique requirements for example, the communications and telecom sector.

8. Make the most out of our international and regional collaboration on cyber security with a number of like-minded organisations and governments. These include; Korea Internet Security Agency (KISA), the Government of Estonia, International Security Forum (ISF), Global Forum on Cyber Expertise (GFCE), amongst others. Out of these collaborations is skilling of our information security professionals, technical support, information sharing, amongst other benefits.

9. Maximize the benefits from the National Information Security Advisory Group (NISAG), whose mandate is to advise, protect and respond to the nation’s critical infrastructure, we are achieving collaboration with the private sector who run majority of the nation’s critical infrastructure. This ensures robust Cybersecurity implementations.

Do you think the private sector is investing enough in cyber security?

Naturally, the private sector investment is guided by amongst others, the principle of return on Investment (ROI). In the private sector, security professionals are still struggling to demonstrate business value of investment in security to senior management. Management would be more willing to deal with consequences than mitigations. This is heavily affecting private sector investment in cyber security.

In your opinion, what drives criminals to commit cyber-crime?

i. Monetary gain; like is the case with many crimes committed outside the internet, financial gain is a big motivator for many cyber criminals. Case in point; the


Ransomware attackers that were asking for payment in Bitcoin, banking systems that are hacked into.

ii. Hacktivism; activists have increasingly taken to breaking into computer systems to demonstrate political or social causes.

iii. Industrial Espionage; illegally and unethically obtaining confidential information from competitors with the intention of using the said information to gain a competitive edge.

iv. State Espionage; State sponsored cyber espionage is becoming a common occurrence and is being used as a form of intelligence gathering.

Do you think the government has put in place processes and infrastructure to support the private sector in combating cyber security issues?

Yes, included among the initiatives is:

1. An Enabling legal and Regulatory environment. Included are the cyber laws:

a. The Electronic Transactions Act (2011) to make provision for and to regulate the use of electronic signatures, to provide for the use, security, facilitation and regulation of electronic communications and transactions;
b. The Electronic Signatures Act (2011) to encourage the use of e-Government and to make provision for the safety and security of electronic transactions and information systems; and
c. The Computer Misuse Act (2011) to prevent unlawful access, abuse or misuse of information systems including computers and to make provision for securing the conduct of electronic transactions in a trustworthy electronic environment.

2. National Information Security Advisory Group (NISAG). This NISAG encourages collaboration between public and private stakeholders to ensure robust Cybersecurity is implemented.

3. The National Information Security Framework (NISF) with its 6 security standards:

a. SS1 - Technical Risk Assessment
b. SS2 - Risk Management & Accreditation
c. SS3 - Security Classification
d. SS4 - Personnel Security
e. SS5 - Physical Security
f. SS6 - Incident Management

The NISF incorporates risk management as a delivery area within the executive management (both public and private enterprises) provides a strong foundation for cyber security implementation covering the areas of people, process and technology.

4. Capacity development on the application of the cyber laws for both investigating and prosecuting officers. Application of these cyber laws should be guided by adhering to principles of digital forensics as well as chain of custody.

5. Through the CERT/CC Identification and prioritization of key resources is being done. This is aimed at improving the country’s security, resilience, operational capacities to effectively manage and respond to cyber incidents as well as protect against ever persistent threats.

6. Establishment of the Uganda Police Cyber Crime Unit, whose is to:

a. provide enforcement of cyber security related laws
b. provide efficient cybercrime investigation
c. ensure collaboration with similar international institutions

Do you personally know of a company or individual who’s been affected by cybercrime?

Yes

Were these cases reported to government authorities and prosecuted?

Yes.

The Computer Misuse Act (2011) has so far been used to prosecute a number of cybercrime cases.

A notable case is below:

Uganda v. Sentongo & 4 others (criminal session case 123 of 2012) [2017] UGHCACD 1 (14 February 2017)

Electronic fraud C/S 19 of the Computer Misuse Act, 2011

Unauthorized disclosure of access codes C/S 17 of the Computer Misuse Act, 2011.

Court ruled that “For an offence to be committed, the disclosure must be unauthorized and likely to cause loss.”

What do you think would be the best approach to address the cyber-crime issue in Africa?

• Enabling environment. Enact laws and regulations to comprehensively address Cyber issues. This should be reinforced with awareness and


support through initiatives like capacity building for investigating, prosecuting and judicial officers.
• Actively support institutions with a role and mandate to play in the cyber-crime prevention ecosystem. For example, Police, Judiciary, sector regulators. This support can be in form of financial resources or other forms of resources, collaboration, and capacity development.
• Promotion of a culture of good practices like responsible sharing, reporting of incidents, education and awareness, amongst others.
• Encourage and focus on cooperation and collaboration (domestic, regional, and international) amongst the various stakeholders.

According to you, what is the most affected sector in the country regarding cybercrime?

• Banking and Financial Services
• Telecommunication
• Government

From an African context, what would be the top priority to address cybercrime across the continent?

• African states need to work closely and directly through the African Union and other regional frameworks to implement enhanced measures for cooperation, mutual assistance and coordination among security agencies, prosecutors and judges.
• A positive step was made during the development of the AU convention on Cyber Security and Data Protection (the Convention) adopted in July 2014. Unfortunately only Senegal has ratified the convention out of the required 15. If ratified this convention will go a long way in the harmonization of the African Cybersecurity policies.
• Harmonization of the cybercrime laws at regional and continental level.
• Establishment of missions to strengthen police and law enforcement capacities in handling, investigating and prosecuting cybercrime.
• Provision of mutual Legal Assistance
»» Collaboration during amongst others:
»» Investigations
»» Prosecutions
»» Capacity building
»» Bench marking
»» Formulation of laws
»» Incident response
• Establishment of regional cyber security centres to address the escalating cyber threats


Sector Ranking

Cyber security is no longer a concern for the financial & banking sector only. As the adoption of Internet use and automated services increases across various industries, Cyber security comes along as part of the package. In Africa, as in the rest of the world, there have been instances of Cyber compromise, attacks and attempts that have raised Cyber security to a critical level. Cyber security keeps metamorphosing across a wide range of fields. Here is the most current ranking of the sectors facing different Cyber risks.

Banking

Banks are top on our list of risk by sector. These institutions face two main issues: on one hand, they are increasingly being targeted by attackers and on the other, those who are attempting to stay ahead of the attackers are pulled back by malicious insiders and too many “false positives”, meaning issues being flagged that aren’t actually fraudulent activities, taking up valuable analyst time. This year more attacks targeting banks, ranging from insider threats to spear phishing and ransomware attacks, were noted. Banks are getting hit through their web applications, Internet and Mobile banking platforms. While the attack vectors may differ, the execution of the attacks is often the same. It is paramount that local banks continue to sharpen their Cyber resilience capabilities in order to Anticipate, Detect, Recover and contain Cybercrime.

Government

African governments have automated most of their systems: IFMIS in Kenya, online visa applications, e-government platforms. This shift has made the government a prime target for Cyber-attacks. These systems hold vast amounts of personal data and process vast amounts of transactions, making them a lucrative attack point for attackers. Although the government has heightened Cyber monitoring and surveillance mechanisms, there is still need for security awareness, hardening of systems and implementation of policies and laws around Cybercrime.

Financial Services

In 2017, the number of successful attacks launched against financial services doubled. Saccos, Cooperatives and microfinance institutions have seen rapid growth in Africa; however, these institutions, for the longest time, have not prioritized Cyber security. This has made them a popular target for Cybercriminals. Larger institutions have invested more in Cyber security in comparison to smaller institutions, making the smaller institutions an easier attack target.

Mobile Money

The revolution of Mobile Money in Africa comes with unprecedented levels of fraud. Of the top twenty (20) countries in the world that are leading in mobile money usage, fifteen (15) are in Africa. These services have been integrated fully into numerous platforms such as banking, insurance and e-commerce, among others. Unfortunately, the adoption of these technologies has not been supplemented by secure controls, with most mobile money applications lacking basic security controls such as encryption of data.

Hospitality & Retail

The hospitality industry is primarily client facing and as such deals with a great deal of sensitive customer information. Processes ranging from reservation details, payment, travel and personal information are now automated and we are seeing introduction of services such as digital conference facilities, smart room keys and mobile applications which enable the client to perform a wide range of otherwise manual processes. However, information security aspects tend to be neglected as most of the focus is on automation. This leads to a myriad of risks ranging from information theft and data breaches to credit card theft. Malware targeting these businesses is now being seen in POS (point-of-sale) terminals to steal credit card data, alongside targeted attacks against hotel systems to steal confidential data. This has both financial and reputational impact on these organisations as customers quickly lose trust in them.

Industry Players Perspectives

Kenneth Ogwang
CIO
East African Breweries Ltd
Kenya

In your opinion, what are the key cyber security issues facing Kenya/Africa, what is being done to address these issues and what is the best way forward?

I regard the following as the significant risks with respect to Cyber Security: Denial of Service, Supplier Compromise due to inherent weaknesses with our partners, Securing our assets in the era of digital explosion, theft/loss of information, IP or corporate data and lastly system or data manipulation.

It is not helpful to look at these in isolation. Firstly, an organisation needs to have a broad Cyber Security strategy that then informs the execution of the plans. Overall, the ownership of Cyber Security and her inherent risks need to lie at the highest level either at the board level or within the Senior Executive Leadership Team. This is to ensure that the funding and drive is made at the right level with the right agility in terms of execution.

All this is in the context that Cyber Security is not an IT responsibility but since it is an enterprise wide risk, then the appropriate ownership within the business must be established. IT though remains a significant partner in terms of driving the agenda as the expertise on such matters usually rests with IT. It is important for the IT teams to demystify Cyber Security and break it down in the simplest of terms.

One cannot take ownership of something one may not comprehend and therefore cannot measure.

Kindly highlight some of the top cyber security issues of 2017 and how these issues impacted you personally, your organisation or country?

There has been a great focus on end user and end user technology such as emails, computers and mobile devices as the point of security weakness. Based on this, ransomware was a big issue. The increase in number and nature of attacks was a cause of worry to many organisations. Two technologies have emerged in recent years to mitigate the risks of malware and other malicious behavior on PCs and mobile devices. Endpoint Detection & Response (EDR) software complements antivirus software on PCs and uses machine learning to identify and stop malicious behavior (e.g., ransomware). And with the growth of “mobile first” strategies, organisations need to respond to growing mobile threats. Mobile Threat Defense (MTD) software also uses machine learning to identify and stop malicious behavior.

In addition, with all the automation happening in Industries, a major area of concern is on Operational Technology (OT) which encompasses industrial control systems. This is at the heart of the Supply Chain Operations of any organisation and more focus is needed to address the growing number of cybersecurity breaches in OT. I will refer to an article where a petro chemical company was hit by a Cyber-attack. The aim of the attack was to trigger an explosion. The implications of this are huge. To address this growing threat, we are seeing that information cyber-security is beginning to merge with OT security to ensure the availability and integrity of manufacturing processes.

On a personal front, I still meet several people with default WiFi passwords at their homes. If you consider that you connect your TV (some with camera), Mobile devices, CCTV equipment on that, you can imagine how much information can be stolen if it is hacked. Home automation technologies make it easy to control a number of home functions such as home entertainment systems, heating, lighting, and even exterior door locks. Home owners need to follow best practices to secure these devices and manufacturers of home automation systems need to ensure their devices can provide security or they will not survive.


Do you think fake news is a major problem in Your Country? If yes, who should be responsible for controlling the creation and distribution of fake news (government, end users, Telcos/ISPs or content owners)?

In my opinion, definitely. The concept of fake news is nothing new. Pre-digital era and even now, it was manifest in society through rumors carried orally from one person to the other. During the print era, it could be used as a propaganda tool against certain persons/organisations. More credible print institutions though confirm accuracy before printing. However with digitization and proliferation of social media, there are hardly any safeguards. The ease of creating an account and the pseudo-anonymity of social media makes it easy for lots of people to engage in this.

Fake news will never be ended but each of us should have the responsibility of fact checking before sharing any fake content. It is easy to verify facts even through a simple google check. Social Media platforms should make it possible for users to quickly indicate whether content is fake or not similar to the concept of ‘likes’. A robust Social media PR mechanism should be in place to react to any fake news affecting a government institution or an organisation. These are some of the ideas I could share to control fake news.

Should regulators force influential platforms like Google and Facebook to remove fake news and other extreme forms of content from their platforms?

For extreme forms of content such as terrorism, I do agree. On fake news, my opinion is to let the users identify this, get marked as fake and for everyone to move on.

What can be done to improve the general user awareness on the detection of fake news in the country?

Same as above. Social Media platforms should make it possible for users to quickly indicate whether content is fake or not similar to the concept of ‘likes’. A robust Social media PR mechanism should be in place to tackle fake news affecting a government institution or an organisation.

Many governments in Africa are investing in e-services (e-government, e-voting, e-tax systems and many other portals). Do you think the African citizenry is ready to consume and utilize these systems without the worry of privacy, security and fraud?

I do believe the citizens are ready, however, more awareness is needed. Blind trust could mean laxity by government and her agencies in establishing the right controls. Citizens need to understand what to look out for in terms of data privacy and demand for such if the standards don’t match up. For example, your address and ID should not be shared with any external parties without consent of the owner. Do citizens know this?

What are some of the risks we face with the introduction of government driven e-services and do you have any examples of these cases in your country?

Breach in data privacy as mentioned above.

In 2017, we had several cases of cyber security attacks including ransomware attacks across the world. Were you impacted by these attacks? If yes, how did you (company or country) respond to these cases? Considering the shortage of skilled resources in Africa, how can we limit the impact of ransomware cases?

• Have a broad Cyber Security Strategy
• Assign the rightful ownership and accountability
• Assess your organisation and mitigate the risks both from legal and technical side.
• Continuous User Awareness including simulated phishing attacks. I cannot emphasize this enough. It starts with the user.
• Have an IT DRP and BCP in place and routinely test these so that in the event of an attack, you are aware of what to do.

Do you think organisations are spending enough money on combating cyber-crime?

Organisations are beginning to wake up to the reality of Cybercrime. This trend needs to be upped to match with the rapid evolution of the nature of cyber security threats. Cybercrime is not only growing rapidly, it is also becoming organized, sophisticated, well-funded, and focused on profit making attacks. Although cybersecurity budgets are growing, it will be a challenge to keep up with the growth of cybercrime.

What can be done to encourage more spending on cyber security issues?

Ensuring you have a Cyber Security Strategy and assigning the right ownership and accountabilities.


This makes it easier to apportion budgets where needed.

Remember it is not an IT department accountability. It could be the responsibility of IT to execute the approved technical plans but the overall accountability lies within the business leadership. The business needs to understand the growing cybersecurity threats to their information security and operational technology. Security professionals need to present the real risks to their organisation and the potential consequences and financial impacts if appropriate security controls are not implemented.

Based on our research the Africa cyber security market will be worth USD2 billion dollars by 2020. Despite this opportunity, Africa has not produced a single commercially viable cyber security product/solution. In your opinion, what should African countries/universities focus on to encourage innovation in the development of cyber security solutions?

I would differ on this with the majority. The nature of Cyber Security threat is a global one; the assets targeted that are of the highest risk are global in nature hence I would not encourage an African centric solution to drive this on a separate path and re-invent the wheel but rather a consolidated effort. Cyber Security attacks are evolving fast and collaboration with all players.

The real focus in Africa should be on legal and regulatory fronts. Putting in place laws, policies, regulations that help drive the National Cyber Security awareness, prevention and control. It should be mandatory for example for organisations to report a significant breach and for institutions to enforce data privacy. Also, heavy punishment for those caught in the act of Cyber-attacks should be inflicted to discourage the vice. Bilateral agreements should be in place to ensure even those remotely culpable are brought to book.

What role can the private sector and consumers of imported cyber security products play to ensure we can encourage local players to start developing African grown cyber security products/solutions or even services?

In your opinion and from an African context, what are the top 2018 cyber security priorities for African countries and organisations?

Implementing a robust Cyber Security Strategy with clearly defined vision, goals and objectives both at the national and organisational level.

To those African countries that have done so, enforcing what is on paper and that will need ensuring the agencies responsible are well skilled and funded to handle the increasing threat.

For enterprises, continuously assessing the environment for additional threats and fine tuning internal plans to adapt to those threats. As mentioned earlier, this could extend to the manufacturing sites. Lastly, it all begins with the individual person. Keep them informed!

[Figure: Indicators of compromise and attack stages.

Indicators of compromise, by category:
• Multiplicity: scanning from external IP; traffic to core VLAN from external IP; dormant account activity; logs deleted
• Velocity: bruteforce attempts; multiple posting on DB; bulk transaction; system unavailable
• Volume: excessive DNS queries; Remote Access tool detected; AV disabled
• Limits: IP conflicts; Auditry disabled; transaction over limit

Key systems: Firewall, Antivirus, Active Directory.

Attack stages (Stage 1 to Stage 4): Reconnaissance, Gaining Access, Attack, Hide Tracks.

Diagram labels: Cyber Criminal; Social Engineering and Identity Theft; Gaining DB Server Access; Attack Users; Data Exfiltration; Malicious DB Manipulation (admin credentials, customer account); File, Document Management, Admin and Email Servers; ATM/POS/MPESA Systems; Malware; Web Defacement; Erasing logs to remove evidence; Using TOR/Proxy Server to hide actual IP; Sending money to multiple recipients; Clean PC.]

Home Security

Security Begins at Home

Home-owners and essentially anyone with property in Africa lock their doors without thinking twice. African parents are well known for monitoring who their children are associating with, the language they use around other people and so on. But millions of users around Africa still don’t have the same mentality about their digital presence.

Our culture, Pan Africanism, emphasises the need to be mindful of fellow Africans. We’re all connected via the shared network we call the Internet. It is in our own best interests to make sure everyone – from the young to the old, on Snapchat, Facebook and Twitter – knows and practises basic security habits.

This section highlights top trends and security issues and corrective measures for security in our homes.

IP Cameras/Nanny Cams

For young parents, a baby monitor is an essential device to check on the baby’s welfare. The majority of these devices are misconfigured and have default passwords. This means a hacker or a pervert could potentially gain access and monitor your child or play eerie music. This calls for home owners to be vigilant in securing their electronic devices.

Smart Homes

IoT is changing our traditional approach to how we live and interact with our homes. A number of houses, apartments and estates in Kampala have CCTV surveillance, Smart TVs, DVRs and connected thermostats that you can monitor and handle from any part of the world. These gadgets add convenience like locking your door or shutting off the lights all from a smartphone app, but they come with certain risks. In October, hackers took over 100,000 IoT devices and used them to block traffic to well-known websites, including Twitter and Netflix.

Home Routers

When buying a home router, no consideration is put on the security of these devices. Recent research has shown that your home routers can be used by malicious outsiders to launch attacks against websites belonging to other organisations without your direct involvement.

As a home owner, you run the risk of being blocked by certain sites, your internet speed may be slow due to the excessive bandwidth utilization and you will incur higher costs.

Security Tips

• Buy from trusted brands
• Connect to a guest network
• Change default passwords right away
• Install updates
• Disable unused features
• Use all included security features


Securing the Child

Children in particular have unprecedented access to computers and mobile technologies, and have in recent decades tended to adopt these from an early age, resulting in ICTs becoming thoroughly embedded in their lives. To ensure security of the child online, it is necessary for parents to position and equip themselves with the right tools as follows:

Teach Yourself

Educate yourself about the apps they’re using in order to make informed decisions about what they’re able to do on those apps.

Check Privacy Settings

Take advantage of built-in parental controls. Major apps and services – like Facebook or your DSTV box – have ways of restricting access for young people, so check through the settings thoroughly before letting your child onto a device.

Parents can also leverage technologies meant to secure kids online such as Google’s Kiddle, which presents a colorful space-themed page with a filtered search bar to ensure only kid friendly content is displayed.

Get them offline

It’s key to remind children that there’s a whole world offline too. This is important in a number of ways, most important being to help dampen the impact of potential cyberbullying. It’s important to remind children to have fun in other ways off mobile phones.

Cyber Bullying

With the statistics and games such as blue whale piling up, it has become increasingly clear that the cruelties inflicted by cyberbullying have become a devastating reality for many teens. This can cause damaging self-esteem issues, depression, self-harm, feelings of isolation that hinder performance in school, social skills, and general well-being.

Parents should educate themselves on detecting when their child is being bullied and ways of helping them through this. Here are some other examples of behavior that could cross the line into cyberbullying:

• Sending or posting mean things to or about someone
• Creating a hostile environment in an online world or game

Parents can

• Talk about bullying with their kids and have other family members share their experiences.
• Remove the bait. If it’s lunch money or gadgets that the school bully is after.
• Don’t try to fight the battle yourself.

Industry Players Perspectives

Love it or hate it, the GDPR is here to stay!

Dr. Peter Tobin
Privacy and Compliance Expert
BDO IT Consulting Ltd
Mauritius

Historical context for the GDPR

Global recognition of the importance of data privacy can be traced back to the United Nations (UN) which has a long history of promoting the right to privacy through its Human Rights treaties. This includes article 12 of the Universal Declaration of Human Rights in 1948 and article 17 of the International Covenant on Civil and Political Rights in 1966. More recently in July 2015 the UN appointed a “Special Rapporteur on the right to privacy” to bring additional focus to the importance of data privacy. Supporting the UN is the Organisation for Economic Co-operation and Development (OECD) which in 1980 issued its “Guidelines on the Protection of Privacy and Transborder Flows of Personal Data” which were revised and re-issued in 2013, just as the POPI Act (POPIA) was gazetted in South Africa, allowing that country to join the growing list of those forming part of the African community of nations that have embraced personal data protection legislation. Following the UN and OECD initiatives, nearly one hundred countries and territories have established or are developing data protection laws.

African personal data privacy and protection developments

In Africa, the African Union (AU) Commission and the Economic Commission for Africa have spearheaded the development of the AU Convention on Cybersecurity and Personal Data Protection, which was adopted by the AU Heads of States and Governments Summit in June 2014 in Malabo, Equatorial Guinea. Eight Countries had already signed the convention by July 2016 according to AU Commission: Benin, Chad, Congo, Guinea Bissau, Mauritania, Sierra Leone, Sao Tome & Principe and Zambia. At a regional level in Africa there are also several initiatives, notably the ECOWAS Cybersecurity guidelines and the SADC Model Law on data protection, e-transactions and cybercrime. There is also the HIPSSA initiative (Harmonization of the ICT Policies in Sub-Saharan Africa) which covers 30 countries across the continent. Latest estimates show that 16 African countries have data privacy legislation, with an additional 14 countries working on legislation, leaving a balance of 24 currently having taken no action so far. There are some leading examples in Africa, such as Mauritius which passed the Mauritius Data Protection Act (MDPA) in late 2017, swiftly brought the MDPA into full force in January 2018 and thus positioned itself as a leading nation in Africa and the Indian ocean island states in terms of alignment with the European Union and its General Data Protection Regulation (GDPR).

So what is the European Union GDPR?

During 2016 the General Data Protection Regulation – commonly known as the GDPR – was finalised, with a transition period to full compliance required by those organisations impacted - those processing directly (controllers) or indirectly (processors) the personal data of EU residents - by May 2018.


The GDPR has potentially wide-ranging implications for companies based outside the EU (increasingly often in Africa) trading with the EU member states. Of particular interest is the following extract from the GDPR document: “The [European] Commission may decide with effect for the entire Union that a third country, a territory or specified sector within a third country, or an international organisation, offers an adequate level of data protection, thus providing legal certainty and uniformity throughout the Union as regards the third country or international organisation which is considered to provide such level of protection. In such cases, transfers of personal data to that third country or international organisation may take place without the need to obtain any further authorisation. The Commission may also decide, having given notice and a full statement setting out the reasons to the third country or international organisation, to revoke such a decision.” This opens the door to leading practice nations and sectors stealing a march over their competitors in the global marketplace for information services provision where personal data is processed.

So what, briefly, is the GDPR (www.eugdpr.org)?

The GDPR is a single regulation that automatically applies to all current and future European Union member states from May 2018.

In the case of the United Kingdom (UK), there were strong indications at the time of writing this article that the UK would fully align itself with the GDPR even post “BREXIT” (the exit of the UK from the EU). The GDPR has 173 introductory clauses (sometimes referred to as the recitals, a form of explanatory pre-amble), with the main regulation body comprising 11 chapters made up of 99 Articles which come to over 400 numbered paragraphs. It is important to remember that the GDPR works in conjunction with other EU directives and regulations at an EU level, and may be complemented by local legislation, whether in EU member states or in African countries that are seeking to align themselves to the GDPR.

After chapter 1 which contains a series of general provisions and definitions, chapter 2 covers the principles of data processing, which have been refined since the previous EU personal data protection directive of 1995. Chapter 3 addresses the “Rights of the Data Subject”, those EU-resident individuals whose personal data may be processed by one or more of the main parties who need to comply with the GDPR: the Controller (typically an organisation such as a business or arm of government) that determines and controls the processing of the personal data and the Processor, a service provider which renders personal data processing services to one or more Controllers. There are other Third Parties that may be involved, such as those organisations where the Controller shares personal data for a variety of legitimate reasons. Chapter 4 looks at the duties of the Controller and Processor.

Chapter 5 addresses the Transfer of Personal Data to 3rd Countries or International Organisations, an important consideration when dealing with countries in Africa that, for example, host outsourced personal data processing services for EU-based Controllers. Some of the chapters of the GDPR are really only of interest to the supervisory and regulatory authorities (such as chapters 6, 7, 10 and 11), whilst others discuss important issues such as remedies, liability and penalties (Chapter 8) which can have serious consequences for Controllers or Processors who do not meet the requirements of the GDPR.

Key changes in the GDPR

Compared to the earlier EU-wide directive of 1995, the GDPR contains a number of key changes. These include the increased territorial scope of the GDPR (extra-territorial or non-EU member state applicability); significant increases in potential penalties (rising to up to 2% to 4% of global turnover of either or both of the Controller or Processor found at fault by the supervisory authorities). There have also been changes to the nature of consent which can be used as a justification of lawful processing, including expanded requirements in terms of the record keeping for consent given, refused or withdrawn. Whilst some countries have already implemented strict rules around data breach notification, the GDPR emphasises the requirement to normally notify the supervisory authorities within 72 hours of a data breach being confirmed (perhaps after an initial check that the data breach is real and not imagined or only suspected). Data subject rights have also been clarified and expanded to include the much-discussed “right to be forgotten” (erasure of personal data) as well as the right to data portability, such as when moving between service providers. “Privacy by design and default” also represents not only a new requirement but one which addresses the approach to personal data privacy as “built-in” not just “added-on”. The last major change highlighted by the EU is the enhanced and expanded (broader and deeper) role of the Data Protection Officer (DPO).


Beyond the vanilla GDPR

It is important to be aware that the GDPR in its basic format has already been complemented by a number of publications by the group that will over time become the collective body for supervisory authorities in the EU (European Data Protection Board, established under Article 68 of the GDPR), although operating at the time of writing under the “Article 29 DPWP” branding (perhaps somewhat confusingly, that’s Article 29 under the 1995 directive and not under the GDPR). Further guidance is already planned in areas such as consent, transparency, profiling, high risk processing, certification, administrative fines, breach notification and data transfers.

So how is your compliance status?

Here’s a quick review of some of the key considerations when preparing for (or maintaining) compliance with the GDPR. Can you prove that:

1. You comply with the 6 principles relating to personal data processing? (Article 5: Principles relating to personal data processing)

2. You comply with the lawfulness of processing rules? (Article 6: Lawfulness of processing)

3. You have records of consent that meet the required conditions? (Article 7: Conditions for consent)

4. You have provided all necessary information at point of collection? (Article 13: Information to be provided)

5. You have a policy, process and procedures to ensure a) right of access; b) to rectification; c) to erasure; d) to restriction of processing; by the data subject? (Article 15 - 18: Right of access; to rectification; to erasure; to restriction of processing)

6. You are meeting all the responsibilities of the controller? (Article 24: Responsibility of the controller)

7. You have data protection by design and by default? (Article 25: Data protection by design and by default)

8. You have a representative in the EU? (Article 27: Representatives of controllers not established in the Union)

9. You have adequate records of processing? (Article 30: Records of processing activities)

10. You have adequate security of processing? (Article 32: Security of processing)

11. You have a policy, process and procedures for data breach notification to the supervisory authority? (Article 33: Notification of a personal data breach to the supervisory authority)

12. You have a policy, process and procedures for data breach notification to the data subject? (Article 34: Communication of a personal data breach to the data subject)

13. You have conducted data protection impact assessments where necessary according to the screening rules? (Article 35: Data protection impact assessment)

14. You have, where necessary, appointed an appropriate data protection officer following the EU requirements? (Article 39: Tasks of the data protection officer)

15. You have appropriate safeguards for cross-border transfers? (Article 46: Transfers subject to appropriate safeguards)

16. You have trained your staff in all of the above aspects and more (Article 39: Tasks of the data protection officer)

So maybe you didn’t score full marks and are beginning to hate the idea of all the effort it might take to climb the GDPR mountain if you need to. But perhaps it’s also time to look on the bright side, and learn to love the GDPR. It might just be that the next big contract you land with a client in Europe or service work you perform for an organisation outside the EU but with clients in the EU, provides the bonus you have been promising yourself all year. One way or the other, love it or hate it, the GDPR is here to stay!


Africa Cyber Security Framework

Cybercrime in the African continent particularly within the Small Medium Enterprises (SMEs) setting is a growing concern. SMEs are especially expanding the use of cloud, mobile devices, smart technologies and work force mobility techniques. This reliance has however unlocked the doors to vulnerabilities and cybercrime. Attackers are now launching increasingly sophisticated attacks on everything from business critical infrastructure to everyday devices such as mobile phones. Malware threats, Insider threats, data breaches resulting from poor access controls and system misconfigurations are some of the ways that attackers are now using to deploy coordinated attacks against these organisations.

With the increasing business requirements of the 21st century businesses and the inadequate budget allocated to IT, it has become expensive especially for small and medium sized companies to adopt complex and international cyber security frameworks. As such, cybercrime prevention is often neglected within SMEs. This has resulted in a situation whereby SMEs are now one of the popular targets of cyber criminals. While at the same time, the SMEs lack a comprehensive framework that will help them determine their risk exposure and provide visibility to their security landscape without necessarily adding to the strained costs.

Solution

In order to assist businesses in Africa particularly SMEs, we developed the Serianu Cyber Security Framework. The Framework serves to help businesses in Africa particularly SMEs to identify and prioritize specific risks and steps that can be taken to address them in a cost effective manner. The baseline controls developed within the framework, when implemented, will help to significantly reduce cyber related security incidences, enable IT security to proactively monitor activities on their key ICT infrastructure and provide assurance that business operations will resume in the appropriate time in case of an attack or disruption.

Functions of the Africa Cyber Security Framework

Function 1: Cybersecurity Risk Management
Anticipate Risks - Assess Risks and Implement Controls

This requires an organisation to know exactly what it needs to protect (the ‘crown jewels’) and rehearse appropriate responses to likely attack/incident scenarios (including accidents). This provides confidence in an organisation’s ability to handle more predictable threats and unexpected attacks; i.e., ‘anticipate’ cyber-attacks.

Function 2: Cybersecurity Vulnerability Management
Detect Vulnerabilities – Track and Correct Vulnerabilities

The average lag time before a breach is detected is between 205 – 265 days. Early detection of vulnerabilities can prevent escalation to an incident.

Function 3: Cybersecurity Vulnerability Management
Respond to Incidents – Identify and Mitigate Incidents

Continuous management of risks, remediation and root cause analysis is what enables organisations to effectively manage threats within the network.

Function 4: Cybersecurity Incident Management
Contain – Communicate and Enhance Cyber Resilience

Detection cannot fully protect an organisation from malicious threat actors. This must be complemented by a resilient response capability. Quick response to cyber threat minimizes the cost of breach.


Fredrick M. Bobo
IT Audit Manager
African Organisation of English-speaking Supreme Audit Institutions
South Africa

Kindly highlight some of the top cyber security issues of 2017 and how these issues impacted you personally, your organisation or country?

One of the major cyber issues related to leaking personal information of millions of people. This raises the question of whether there are adequate systems and laws to safeguard personal data.

WannaCry ransomware was another top issue in the year. Luckily my organisation or myself were not hit by it but numerous organisations in South Africa were hit.

From an overall perspective, the top cyber security issue anywhere probably remains human gullibility. Very few attacks are based on technological weakness but social engineering. What is needed, is education, training and awareness of cyber security.

Do you think fake news is a major problem in Your Country/Africa?

If yes, who should be responsible for controlling the creation and distribution of fake news (government, end users, Telcos/ISPs or content owners)?

Should regulators force influential platforms like Google and Facebook to remove fake news and other extreme forms of content from their platforms?

What can be done to improve the general user awareness on the detection of fake news in the country?

Certainly, fake news is a problem everywhere. What even makes it worse is that corrected positions are never publicized as much as the fake news. What is required, is for people to understand that news is not beyond reasonable doubt just because it is online.

Fake news really is something that does not have an immediate solution. With the advent of social media and increased internet penetration year on year I only see fake news increasing.

Any entity should be free to create and distribute news, but not fake news. Regulators should not force influential platforms only, but all platforms to remove fake news. But to do that, the regulators must first define what fake news is in their jurisdictions, according to their laws.

We need the mainstream media houses and journalists to rise to the occasion and be a true north when it comes to news reporting. It is disheartening when fake news is disseminated by an established news house.

Many governments in Africa are investing in e-services (e-government, e-voting, e-tax systems and many other portals.) Do you think the African citizenry is ready to consume and utilize these systems without the worry of privacy, security and fraud?

What are some of the risks we face with the introduction of government driven e-services and do you have any examples of these cases in your country?

I believe the citizenry is ready to consume these systems owing to the efficiency brought about by them. Additionally, I think going that direction is inevitable. What I think needs to be importantly worked on is matching legal frameworks and fundamentals to support e-service provision. These fundamentals include such things as internet access, computing devices etc.

The threat of privacy security and fraud will always be there, and the level will differ on the platform as well as services provided, e.g. e-voting with our current African politics will be a serious challenge. The right thing to do is implement it properly and ensuring feasibility before the projects are implemented.


In 2017, we had several cases of cyber security attacks including ransomware attacks across the world – were you impacted by these attacks?

If yes, how did you (company or country) respond to these cases?

Considering the shortage of skilled resources in Africa, how can we limit the impact of ransomware cases?

Not affected by it

A good way that we can limit impact is going back to basics, awareness and training. This is so often underrated but very cardinal in limiting ransomware cases. As ransomware is based on cryptography algorithms, stopping it in advance like a basic virus is not possible.

Do you think organisations are spending enough money on combating cyber-crime?

What can be done to encourage more spending on cyber security issues?

Working in a public space across Africa, it is clear the public sector is not treating Cyber crime with the seriousness it deserves. We have seen a few countries change legislation and put in structures, but I think most governments are waiting to be hit hard before they put in mitigating measures.

One way we can encourage appropriate spending on cyber security issues is to increase awareness. There is currently very little focus on cyber security in governments of Africa. We lack proper public statistics on cybercrimes and losses. I suspect a good number may be going unnoticed and it pains me to think of how much money our poor governments may have lost.

Based on our research the Africa cyber security market will be worth USD2 billion dollars by 2020. Despite this opportunity, Africa has not produced a single commercially viable cyber security product/solution.

In your opinion, what should African countries/universities focus on to encourage innovation in the development of cyber security solutions?

I am biased to think that a lot of work needs to be done on cyber security in public sector

What role can the private sector and consumers of imported cyber security products play to ensure we can encourage local players to start developing African grown cyber security products/solutions or even services?

In your opinion and from an African context, what are the top 2018 cyber security priorities for African countries and organisations?

• Legislative reform
• Structures & processes to combat cyber crimes

Appendix

List of Remote Access Tools for Database

Product | License | Windows, Mac OS X, Linux, Oracle, MySQL, PostgreSQL, MS SQL Server, ODBC, JDBC, SQLite

Adminer | Apache License or GPL | Yes Yes Yes Yes Yes Yes Yes Yes
Advanced Query Tool (AQT) | Proprietary | Yes No No Yes Yes Yes Yes Yes
DaDaBIK | Proprietary | Yes Yes Yes Yes Yes Yes Yes No No Yes
Database Deployment Manager | LGPL | Yes No Yes Yes
DatabaseSpy | Proprietary | Yes No No Yes Yes Yes Yes Yes Yes
Database Tour Pro[4] | Proprietary | Yes No No Yes Yes Yes Yes Yes No Yes
Database Workbench | Proprietary | Yes Yes Yes Yes Yes
DataGrip | Proprietary | Yes Yes Yes Yes Yes Yes Yes No Yes Yes
DBeaver | Apache License | Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
DBEdit | GPL | Yes Yes Yes Yes Yes Yes Yes No Yes Yes
Epictetus | Proprietary | Yes Yes Yes Yes Yes Yes
HeidiSQL | GPL | Yes Yes Yes Yes
Jailer Relational Data Browser[5] | Apache License | Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
Maatkit | GPL | Yes Yes Yes Yes
Microsoft SQL Server Management Studio | Proprietary | Yes No No Yes
ModelRight | Proprietary | Yes No No Yes Yes Yes Yes
MySQL Workbench | Community Ed: GPL; Standard Ed: Commercial Proprietary | Yes Yes Yes Yes
Navicat | Proprietary | Yes Yes Yes Yes Yes Yes Yes Yes
Navicat Data Modeler | Proprietary | Yes Yes Yes Yes Yes Yes Yes Yes Yes
Oracle Enterprise Manager | Proprietary | Yes No Yes Yes Yes Yes
Oracle SQL Developer | Proprietary | Yes Yes Yes Yes Yes No Yes Yes Yes
Orbada | GPL | Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
pgAdmin III | PostgreSQL License | Yes Yes Yes
pgAdmin4 | PostgreSQL License | Yes
phpLiteAdmin | GPL | Yes Yes Yes No No No No No No Yes
phpMyAdmin | GPL | Yes Yes Yes Yes
SQL Database Studio | Proprietary | Yes No No No No No Yes
SQLyog | GPLv2 | Yes Yes
SQuirreL SQL | GPLv2 & LGPLv2 | Yes Yes Yes Yes Yes Yes Yes Yes Yes Yes
TablePlus | Proprietary | No Yes No No Yes Yes Yes No No Yes
Toad | Proprietary | Yes No No Yes Yes Yes Yes
Toad Data Modeler | Proprietary | Yes No No Yes Yes Yes Yes
TOra | GPL | Yes Yes Yes Yes Yes Yes

Remote Access tools for Endpoints

Software | Protocols | License | Free for personal use | Free for commercial use

AetherPal | Proprietary | Proprietary | No | No
Ammyy Admin | Proprietary | Proprietary | Yes | No
AnyDesk | Proprietary | Proprietary | Yes | No
Anyplace Control | Proprietary | Proprietary | No | No
AnywhereTS | RDP, ICA | Proprietary | Yes | Yes
Apple Remote Desktop | RFB (VNC) | Proprietary | No | No
Apple Screen Sharing (iChat) | Proprietary, RFB (VNC) | Proprietary | Yes | Yes
AppliDis | RDP | Proprietary | No | No
BeAnywhere Support Express | Proprietary | Proprietary | No | No
Bomgar | Proprietary | Proprietary | No | No
Cendio ThinLinc | RFB (VNC) | Proprietary | Yes[a] | Yes[a]
Chicken of the VNC | RFB (VNC) | GPL | Yes | Yes
Chrome Remote Desktop | Chromoting | BSD Client, Proprietary Server | Yes | Yes
CloudBerry Lab (CloudBerry Remote Assistant) | Proprietary | Proprietary | Yes | Yes
Citrix XenApp/Presentation Server/MetaFrame/WinFrame | RDP, ICA | Proprietary | No | No
Fog Creek Copilot | RFB (VNC) | Proprietary | No | No
GO-Global | Proprietary | Proprietary | No | No
GoToMyPC | Proprietary | Proprietary | No | No
HP Remote Graphics Software (RGS) | HP RGS | Proprietary | Yes[b] | Yes[b]
HOB HOBLink JWT | RDP | Proprietary | No | No
HOB HOB MacGate | RDP | Proprietary | No | No
IBM Director Remote Control | Proprietary | Proprietary | No | No
I'm InTouch | Proprietary | Proprietary | No | No
iTALC | RFB (VNC) | GPL | Yes | Yes
KDE | RFB (VNC), RDP | GPL | Yes | Yes
LiteManager | Proprietary | Proprietary | Yes[d] | Yes[d]
LogMeIn | Proprietary | Proprietary | No | No
Mikogo | Proprietary | Proprietary | Yes | No
Netop Remote Control | Proprietary | Proprietary | No | No
NetSupport Manager | Proprietary | Proprietary | No | No
Netviewer | Proprietary | Proprietary | No | No
NoMachine | NX | Proprietary | Yes | Yes[e]
OpenText Exceed onDemand | Proprietary | Proprietary | No | No
Open Virtual Desktop | RDP | GPL Client, Proprietary Server | No | No
Oracle Secure Global Desktop Software/Sun VDI | AIP | Proprietary | No | No
Proxy Networks | Proprietary | Proprietary | No | No
Pilixo Remote Access | Proprietary | Proprietary | No | No
QVD | NX and HTTP | GPL | Yes | Yes
rdesktop | RDP | GPL | Yes | Yes
RealVNC Open | RFB (VNC) | GPL | Yes | Yes
RealVNC | RFB (VNC) | Proprietary | Yes[e] | No
Remmina | RDP, RFB (VNC), SPICE, XDMCP, SSH | GPL | Yes | Yes
/Terminal Services | RDP | Proprietary | Yes | Yes[g]
ScreenConnect | Proprietary | Proprietary | No | No
Splashtop Remote | Proprietary | Proprietary | Yes | No
SSH with X forwarding | X11 | BSD | Yes | Yes
Sun Ray/SRSS | ALP | Proprietary | ? | ?
Symantec pcAnywhere | Proprietary | Proprietary | No | No
TeamViewer | Proprietary | Proprietary | Yes | No
Techinline | RDP | Proprietary | No | No
Teradici | PCoIP | Proprietary | No | No
Thinc | Thinc | GPL | Yes | Yes
TigerVNC | RFB (VNC) | GPL | Yes | Yes
TightVNC | RFB (VNC) | GPL | Yes | Yes
Timbuktu | Proprietary | Proprietary | ? | ?
TurboVNC | RFB (VNC) | GPL | Yes | Yes
Ulterius | RFB (VNC) | GPL | Yes | Yes
UltraVNC | RFB (VNC) | GPL | Yes | Yes
Vinagre | RFB (VNC), SPICE, RDP, SSH | GPL | Yes | Yes
XDMCP | X11 | MIT | Yes | Yes
xpra | Bencode-based, rencode-based, YAML-based, RFB (VNC) for desktop mode | GPL | Yes | Yes
X11vnc | RFB (VNC) | GPL | Yes | Yes
X2Go | NX | GPL | Yes | Yes
x2vnc | RFB (VNC) | BSD | Yes | Yes
x2vnc | Ulterius (VNC) | BSD | Yes | Yes
x2x | X11 | BSD | Yes | Yes

List of Open Source Tools

Vulnerability Scanners

1. OpenVAS

OpenVAS isn’t the easiest and quickest scanner to install and use, but it’s one of the most feature-rich, broad IT security scanners that you can find for free. It scans for thousands of vulnerabilities, supports concurrent scan tasks, and scheduled scans. It also offers note and false positive management of the scan results. However, it does require Linux at least for the main component.

2. Retina CS Community

Retina CS Community provides vulnerability scanning and patching for Microsoft and common third-party applications, such as Adobe and Firefox, for up to 256 IPs free.

3. Microsoft Baseline Security Analyzer (MBSA)

Microsoft Baseline Security Analyzer (MBSA) can perform local or remote scans on Windows desktops and servers, identifying any missing service packs, security patches, and common security misconfigurations.

4. Nexpose Community Edition

Nexpose Community Edition can scan networks, operating systems, web applications, databases, and virtual environments. The Community Edition, however, limits you to scanning up to 32 IPs at a time.

5. SecureCheq

SecureCheq can perform local scans on Windows desktops and servers, identifying various insecure advanced Windows settings as defined by CIS, ISO or COBIT standards.

6. Qualys FreeScan

Qualys FreeScan provides up to 10 free scans of URLs or IPs of Internet-facing or local servers or machines.


Hands on Cyber Security Training for Professionals

Cyber Immersion is Serianu’s premier training program that aims to arm private and public organisations with the necessary know-how to counter cyber threats in a holistic manner, helping them mitigate the risks and costs associated with cyber disruptions. [email protected] | www.serianu.com

© Serianu Ltd © Cyber Immersion Botswana