Demystifying Africa's Cyber Security Poverty Line

Demystifying Africa’s Cyber Security Poverty Line

Tanzania Chapter The Africa Cyber Immersion Centre is a state-of-the-art research, innovation and training facility that seeks to address Africa’s ongoing and long-term future needs through unique education, training, research, and practical applications.

For more information Serianu Limited contact: [email protected] http://www.serianu.com Tanzania Cyber Security 3 Report Content

Editor’s Note and Acknowledgement Cost of Cyber Crime

We are excited to finally publish the 2nd edition of Tanzania We estimate that cyber-attacks cost Tanzanian 4 Cyber Security Report 2017. 54 businesses around $99.5 million a year. Foreword Sector Ranking in 2017 2017 has seen a jump in cyberattacks or cybercrimes. Cyber security is no longer a concern fof the Ransomware, DDoS attacks, data breaches were all financial & banking sectors only. 7 synonymous with 2017. 56 Executive Summary Home Security It is in our own best interests to make sure everyone – from the young to the old, on The global landscape of cyber threats is quickly changing. snapchat, facebook and twitter - know and 9 60 practice basic security habits. Top Trends Africa Cyber Security Framework We analysed incidents that occurred in 2017 and compiled Attackers are now launching increasingly a list of top trends that had a huge impact on the economic sophisticated attacks on everything from and social well-being of organisations and Tanzanian citizens. business critical infrastructure to everyday 13 69 devices such as mobile phones.

Top Priorities for 2018 Appendixes 19 We have highlighted key priorities for 2018. 71 Cyber Intelligence Statistics, Analysis, & Trends References We have monitored organisations’ network for malware and cyber threat attacks such as brute-force attacks 25 against the organisation’s servers. 74 2017 Tanzania Cyber Security Survey

This survey identifies current and future Cyber security needs within organisations and the most prominent 38 threats that they face. Tanzania 4 Cyber Security Report

Editor’s Note and Acknowledgement We are extremely pleased to publish the 2nd edition of the Tanzania Cyber Security Report. This report contains content from a variety of sources and covers highly critical topics in Cyber intelligence, Cyber security trends, industry risk ranking as well as home security.

Over the last 5 years, we have consistently strived to demystify the state of Cyber security in Brencil Kaimba Africa. In this edition themed Demystifying Africa’s Cyber Security Poverty Line, we take a deeper look at the financial limitations impacting many Tanzanian organisations. Our research is broken Editor-in-chief down into the following key areas:

Top Trends: We analysed incidents that Sector Risk Ranking: The risk appetite What can our readers look occurred in 2017 and compiled a list of for organisations varies. In this section, forward to in this report? top trends that had a huge impact on we rank different sectors based on their the economic and social well-being of risk appetite, number of previous attacks organisations and Tanzanian citizens. This reported, likelihood and impact of a This report gives section provides an in-depth analysis of successful attack. insightful analysis of these trends. Anatomy of a Cyber Heist: This section cyber security issues, Cyber Intelligence: This section highlights provides a wealth of intelligence about trends and threats various Cyber-attacks, technical how Cybercriminals operate, from in Africa. Its sections reconnaissance, gaining access, attacking methodologies, tools, and tactics that are well researched attackers leverage to compromise and covering their tracks. This section organisations. The compromise statistics is tailored to assist Security managers and structured to and indicators provided in this section identify pain points within the organisation. cater for the needs empower organisations to develop a of all organisational Home Security: In light of the increased proactive Cyber security posture and staff including bolster overall risk. residential internet penetration, smart phone use and cases of Cyber bullying, it Board Directors. has become necessary to raise awareness Survey Analysis: This section analyses on Cyber security matters at a non- The anatomy of a the responses we received from over 700 corporate level. This section highlights key cyber-heist was organisations surveyed across Africa. It challenges in the modern smart home and measures the challenges facing Tanzanian compiled with security sheds light on the growing issue of Cyber organisations, including low Cyber security bullying. implementers and budgets and inadequate security impact forensic investigators awareness that eventually translates to limited capabilities to anticipate, detect, Africa Cyber Security Framework (ACSF): in mind while the top respond and contain threats. In order to assist businesses in Africa, priorities section especially SMEs, we developed the Africa Cyber Security Framework (ACSF). This caters for Directors Cost of Cyber Crime Analysis: Here we section highlights the four (4) key domains closely examine the cost of Cybercrime in and Senior Executives. of ACSF which serves to help businesses Tanzanian organisations and in particular, to identify and prioritize specific risks plus gain a better appreciation of the costs to We have also highlighted other steps that can be taken to address these the local economy. We provide an estimate social issues such as home risks in a cost effective manner. of this cost, which includes direct damage security that plays an important plus post-attack disruption to the normal role away from the corporate course of business. standpoint.

Demystifying Africa’s Cyber Security Poverty Line Tanzania Cyber Security 5 Report

Appreciation Commentaries

In developing the Tanzania Cyber Security Report 2017, the Serianu CyberThreat Aashiq Sharif Intelligence Team received invaluable collaboration and input from key partners as listed below; CEO - Raha - Liquid Telecom Tanzania Ltd Ben Roberts We partnered with Kabolik an IT and Business consulting firm based in Tanzania whose prime focus is enabling clients Chief Technical Officer, to get the best value from their information and IT assets Liquid Telecom Group by developing holistic end-to-end solutions that release customers to focus on their core business and activities. Dr. Carina Wangwe Kabolik provided immense support through research and Head, ICT - SSRA (Social Security provision of statistics, survey responses, local intelligence on Regulatory Authority) top issues and trends highlighted in the report. Dr. Edward Hoseah CEO - Hoseah & Co. Advocates, The USIU’s Centre for Informatics Research and Innovation Former DG-PCCB (Prevention and (CIRI) at the School of Science and Technology has been our Combating of Corruption Bureau) key research partner. They provided the necessary facilities, research analysts and technical resources to carry out the ASP Joshua Mwangasa extensive work that made this report possible. Deputy Head of Cybercrime Unit, TPF (Tanzania Police Force)

The ISACA-Tanzania Chapter provided immense support Eng. Peter Ulanga through its network of members spread across the country. Key statistics, survey responses, local intelligence on top CEO & Fund Manager, issues and trends highlighted in the report were as a result Universal Communications Service Access of our interaction with ISACA-Tanzania chapter members. Fund (UCSAF)

Adv. Josephat Mkizungo Senior State Attorney - The Serianu CyberThreat Attorney General’s Chambers Intelligence Team Joseph Mathenge We would like to single out individuals who worked tirelessly Chief Operating Officer, Serianu Limited and put in long hours to deliver the document. Olabode Olaoke Eric Ochaka Samuel Keige Mark Muema PricewaterhouseCoopers Dadi Masesa George Kiio Nabihah Rishad Barbara Munyendo Margaret Ndungu Dr. Peter Tobin Kevin Kimani Morris Ndungu Privacy and Compliance Expert, BDO Consulting, Mauritius USIU Team Jeff Karanja Ms. Paula Musuva Kigen Kuta Jamilla Uchi Information Security Consultant Folarin Adefemi Isaac

Demystifying Africa’s Cyber Security Poverty Line Tanzania 6 Cyber Security Report

Building Data Partnerships

In an effort to enrich the data we are collecting, Serianu continues to build corporate relationships with like-minded institutions. Recently, we partnered with The Honeynet Project ™ and other global Cyber intelligence organisations that share our vision to strengthen the continental resilience to cyber threats and attacks. As a result, Serianu has a regular pulse feeds on malicious activity into and across the continent. Through these collaborative efforts and using our Intelligent Analysis Engine, we are able to anticipate, detect and identify new and emerging threats. The analysis engine enables us identify new patterns and trends in the Cyber threat sphere that are unique to Tanzania.

Our new Serianu CyberThreat Command Centre (SC3) Initiative serves as an excellent platform in our mission to improve the state of Cyber security in Africa. It opens up collaborative opportunities for Cyber security projects in academia, industrial, commercial and government institutions.

For details on how to become a partner and how your organisation or institution can benefit from this initiative, email us at [email protected]

Design, layout and production: Tonn Kriation

Disclaimer

The views and opinions expressed in this report are those of the authors and do not necessarily reflect the official position of any specific organisation or government.

As new research and experience broaden our understanding, changes in research methods or professional practices, may become necessary. Practitioners and researchers should therefore also rely on their own experience and knowledge in evaluating and using any information described herein.

For more information contact:

Kabolik Company Limited, Plot 11, Kishapu Street, Kijitonyama, P. O. Box 31956, Dar es Salaam, Tanzania [email protected] | www.kabolik.com Tel: +255 623 000 850

Demystifying Africa’s Cyber Security Poverty Line Tanzania Cyber Security 7 Report

Foreword 2017, Quite a year in Cybersecurity

2017 has seen a jump in cyberattacks share information on cyber attacks or cybercrimes. Ransomware, and the solutions implemented. We DDoS attacks, data breaches were understand by now that the biggest all synonymous with 2017. From role we need to focus on is awareness. negligence by system administrators Kabolik believes in the fact that sharing to oversight by hardware of information is one step towards manufacturers, 2017 was a year of solving the root cause of the problem. Robert Matafu Cybersecurity incidents that have For example, if one institution gets stretched industry professionals and hit by Wannacry ransomware, that CEO this is predicted to rise in the coming information can help rescue the next Kabolik Company Limited, years. It is predicted globally that by institution or ensure the damage is Tanzania 2021, there will be a gap of over 3.5 managed before it is too late. At the million Cybersecurity professionals end of the day, it boils down to being (zero percent unemployment for the ahead of the attacker. cybersecurity industry). This means that every IT professional needs to be The culture of fearing judgement equipped in Cybersecurity skills. or stigmatization from the public or stakeholders needs to be managed information and have a response In 2017, we witnessed defacement of in order to effectively deal with Cyber and recovery framework to restore public institutions’ websites by some attacks. There is a common swahili stakeholders’ trust. disgruntled graduates in Tanzania. saying that goes like this: These may seem like incidents to We have to keep in mind that take for granted compared to mega the attackers are taking their job data breaches globally, but they are “Whoever hides seriously, a lot of money and valuable not. This is just the beginning as it is a disease or information is at stake here. According an indicator of things to come as our to Forbes.com’s 60 Cybersecurity country gets more digitized and young sickness, death Predictions for 2018, Artificial people get various cyber skills and lack Intelligence will be used by both areas to apply them. If we don’t start will expose him” attackers and defenders. Attackers preparing now, it is going to be a long will use Machine Learning to speed up which by then it will be too late. In journey fixing damages in the near the process of finding vulnerabilities this case, we need to apply the future. in commercial products, with the same caution in Cybersecurity, we end result being that attackers will need to understand that once we One of the major challenges we are use ever more new exploits without are compromised, it is no longer facing as cybersecurity professionals signaling that AI was involved in their a secret as someone else outside is lack of collaboration. Institutions creation. your organization knows. To shift the and individuals are not willing to advantage, find a way to share this

Demystifying Africa’s Cyber Security Poverty Line Tanzania 8 Cyber Security Report

On the defense side, AI will also increase the number The investment includes collaborating effectively through of qualified cybersecurity professionals as it lowers the the different platforms such as this report, the TCRA barriers of entry into the profession and allows less platform and other technology groups so as to anticipate trained individuals to still be effective on the front lines of attacks; analyzing the data and reports to identify focus the cybersecurity battle points and priority areas that have to be addressed given the limited resources; Developing strategies, tools, skills Back to Tanzania, everyone needs to understand that and expertise in addressing the identified challenges; and cyberattacks are getting more complex and there is no lastly creating cyber resilience across the nation. time to hide information when they happen to us. From an individual level all the way to the corporate level, As we finish 2017 and going into 2018 information sharing is one of the most critical ways to get advantage over the attackers. All the the attacks we and beyond, we need and have to invest witness today are founded on the basics as we know more resources into cybersecurity. Focus them: confidentiality, integrity and availability (CIA) of information systems. To sustain the CIA, we need skilled must be on skills, abilities, and knowledge. and prepared people, optimized processes and technology The rest will follow. Its high time that will be effectively utilized and dynamic enough to handle sophistication of attacks as they come. cybersecurity becomes one of the core strategy of any organization or nation. In order to move to the next level in ensuring a cybersecure future, we have to invest in Cybersecurity.

Demystifying Africa’s Cyber Security Poverty Line Tanzania Cyber Security 9 Report

Executive Summary The global landscape of Cyber threats is quickly changing. The 2017 Cyber Security Report is part of our contribution to this shift as we help customers and the public better understand the nature of the threats in Tanzania. Our research is broken down into 8 key areas: Using the Africa Cyber Security Maturity Framework, we were able to establish the maturity levels of these organisations. • Top Attacks • Cyber Intelligence • Survey Analysis Levels of cyber maturity

• Home Security A comprehensive IT security program Excellent is an integral part of the culture. Status • Top Trends metrics for the IT security program are • Sector Risk Ranking 5 established and met. • Industry Analysis • Anatomy of a Cyber Heist Has a superior security program and is Intelligent extremely well positioned to defend its IT assets against advanced threats. As more business models move away from physical to 4 cyber operations, it’s become evident that the African cyber health is poor. The 2017 Cyber security survey shockingly reveals that over 90% of African businesses Has a well-developed security program are operating below the cyber ‘security poverty line’. Engaged and is well positioned to further improve its effectiveness. What is the Cyber security poverty line? 3

Many organisations particularly SMEs lack the basic Has generally implemented some security best “commodities” that would assure them of the minimum Informed practices and thus making progress in security required and with the same analogy, be providing sufficient protection for its IT assets. considered poor. 2

Falling well short of baseline security practices and In the context of a cyber-security poverty line there thus neglecting its responsibility to properly protect its are still numerous organisations particularly SMEs that Ignorant IT assets. Many enterprises lack a holistic do not have the skills, resources or funding to protect, understanding of their cyber risks and therefore, an detect and respond to cyber security threats. Many 1 effective strategy to address these risks. organisations and individuals fall below this line. We aim to demystify the cyber security poverty line within What is the impact of operating below the poverty line? Tanzania.

What are the characteristics of organisations The overall survey results found about 90% of respondents in operating below the poverty line? Tanzania have significant Cyber security risk exposure (with overall capabilities falling below under Ignorant capability). Firms rated their own capabilities by responding to 24 questions that covered the five key functions outlined in the Africa Cyber Security Framework: Anticipate, Detect, Respond, and Contain.

Demystifying Africa’s Cyber Security Poverty Line Tanzania 10 Cyber Security Report

General characteristics of organisations operating This approach creates below the Cyber security poverty line are: room for dialogue between business and IT. Years of • Lack the minimum requirement for fending off an experience in the Cyber opportunistic adversary. security field has shown • Are essentially waiting to get taken down by an that organisations with little attack. budgets can still maintain reasonable security levels • There’s also the idea of technical debt as a result of granted they understand the postponing important system updates. few critical areas that need to • Lack in-house expertise to maintain a decent level be protected the most. of security controls and monitoring • Tremendously dependent on third parties hence have less direct control over the security of the systems they use. What can our readers look forward to in this report? • They also end up relinquishing risk decisions to third parties that they ideally should be making This report gives insightful themselves. analysis of Cyber security • Lack resources to implement separate systems for threats, trends and issues different tasks, or different personnel to achieve in Tanzania. The report segregation of duties. sections are well researched to cater to the needs of all • They’ll use the cheapest software they can find organisational staff from the regardless of its quality or security. board to the general staff. • They’ll have all sorts of back doors to make The anatomy of a Cyber- administration easier for whoever they can convince heist is a section that was to do it. researched with security implementers and forensic What does the future hold for this problem? investigators in mind while the top priorities section caters for As Cyber-attacks continue to evolve, it is paramount boards and Executives within that organisations rise above the Cyber security poverty the organisations. We have line. In a world where buying a tool is considered a silver also highlighted other social bullet to solving Cyber security issues, its critical that we issues such as home security ask ourselves key questions: that plays an important role away from the corporate • What are my organisations top risks? standpoint. • What is the worst that can happen to my business? • What do I need to do to ensure that I have secured my systems against these threats?

Demystifying Africa’s Cyber Security Poverty Line Tanzania Cyber Security 11 Report

Key Highlights

Breakdown of key statistics for different countries:

Penetration Estimated Population GDP (2017) Estimated Cost of % Population No. of Certified (2017 Est.) in USD cyber-crime (2017) (2017) Professionals

1,300,000,000 $3.3T 35% $3.5B 10,000 Africa

Nigeria 195,875,237 $405B 50% $649M 1800

Tanzania 59,091,392 $47B 39% $99.5M 300

Kenya 50,950,879 $70.5B 85% $210M 1600

Uganda 44,270,563 $24B 43% $67M 350

Ghana 29,463,643 $43B 34% $54M 500

Namibia 2,587,801 $11B 31% * 75

Botswana 2,333,201 $15.6B 40% * 60

Lesotho 2,263,010 $2.3B 28% * 30

Mauritius 1,268,315 $12.2B 63% * 125

*Certified Professionals is limited to the following certifications: CISA, CISM, GIAC, SANS, CISSP, CEH, ISO 27001, PCI DSS QA and other relevant courses. *Economic and internet usage data extracted from respective country Internet regulator reports and World Bank site.

The past year was a particularly tough period for local organisations with respect to cyber security. The number of threats and data breaches increased with clear evidence that home grown cyber criminals are becoming more skilled and targeted.

Cost of cyber-attacks Fake News has hit Tanzania’s over are operating below media streams as we the security poverty $99.5M increasingly see unverified 90% line significantly and often conjured up news of Tanzanian exposing themselves annually being circulated through organisations to Cyber security risks various medium.

over Banking Sector is Most organisations’ Cyber security programs are 94.4% 90% still the most Cyber security of parents don’t understand what targeted industry incidents either go measures to take to protect their in Tanzania Tool Oriented unreported or children against in Cyber bullying unsolved

Demystifying Africa’s Cyber Security Poverty Line Tanzania

12 Industry Players Perspectives Cyber Security Report

Kindly highlight some of the top cyber Some who had end point security worked with security issues of 2017 and how these issues Antivirus owners to patch and recover the impacted you personally, your organisation information. or country. Considering the shortage of skilled • Malware with worm capabilities resources in Africa, how can we limit the • Basics – Endpoint security, patching impact of ransomware cases? • Weakness of mobile carriers • Overwhelming client with alerts Awareness, appropriate firewall that can • Adapting firewall to face new threats mitigate such attacks. • Monitoring |cloud configuration and Security Do you think organisations are spending enough Do you think fake news is a major problem in money on combating cyber-crime? your country or Africa? No. Yes. What can be done to encourage more If yes, who should be responsible for spending on cyber security issues? controlling the creation and distribution of fake More awareness and risks involved, and Aashiq Shariff news (government, end users, Telcos or ISPs or guidance on appropriate systems to suggest content owners)? comparing on the size of data and risks involved. CEO Initially government, Telco’s, end users – Based on our research the Africa cyber security collective efforts. market will be worth USD2 billion dollars by raha - Liquid Telecom Ltd 2020. Despite this opportunity, Africa has not Should regulators force influential produced a single commercially viable cyber platforms like Google and Facebook to security product or solution. remove fake news and other extreme forms of content from their platforms? In your opinion, what should African countries or universities focus on to What can be done to improve the general user encourage innovation in the development of awareness on the detection of fake news in the cyber security solutions? country? What role can the private sector and consumers of imported cyber security Platforms that can be confirmed – Government products play to ensure we can encourage sites, local players to start developing African Many governments in Africa are investing in grown cyber security products or solutions e-services (e-government, e-voting, e-tax or even services? systems and many other portals.) Conduct the awareness and ready with Do you think the African citizenry is ready to solutions. consume and utilize these systems without Ready solutions depending on the organisations the worry of privacy, security and fraud? or entity. What are some of the risks we face with the In your opinion and from an African introduction of government driven e-services context, what are the top 2018 cyber and do you have any examples of these cases security priorities for African countries and in your country? organisations?

If there is no appropriate firewalls in place the • Technical Trainings information can be gathered by wrong entity. • Awareness & Information Sharing • Collaboration – Government & Companies In 2017, we had several cases of cyber (Private) security attacks including ransomware • Government Policies attacks across the world–were you • Other collaboration – Universities, Cyber impacted by these attacks? security experts, research institute, media houses. If yes, how did you (company or country) respond to these cases?

Some ended up paying in order to get the data.

Demystifying Africa’s Cyber Security Poverty Line 13

Top Trends

Fake News: Insider Threat: The enemy within

Vulnerability of truth Insider threats still top our list when it comes In 2015/16 more than 7,000 to high risks. From the numerous cases cases of fake accounts reported this year, it’s clear that the group and false information were most implicated is administrators and other reported according to Tanzania privileged users, who are in the best position Communications Regulatory to carry out a malicious breach, and whose Authority. mistakes or negligence could have the most severe effects to the organisation. The key From January to June 2017, contributors to the success of these attacks 3,340 cases were reported were inadequate data protection strategies to the police stations. The real or solutions and a lack of privilege account impact of the growing interest monitoring. in fake news however has been the realization that the public Top insider threats: might not be well-equipped to • Administrator accounts separate true information from false information. • Privileged users accounts • Contractors, consultants and temporary It is paramount that workers. governments and social media platform owners lay down stringent measures to clamp down on fake news, none the less, we do appreciate that fabricated stories are not likely to go away as they have become a means for some writers to push their narrow agendas, manipulate emotions, make money and potentially influence public opinion.

Demystifying Africa’s Cyber Security Poverty Line Tanzania 14 Cyber Security Report

Ransomware: I don’t WannaCry

Key: Countries affected by Wannacry attack

Countries not affected by Wannacry attack

Worldwide attack map

Throughout the first half of 2017, one thing still The Polymorphic technique with minor stands: ransomware is here to stay. We have changes leads to unknown malware and seen an explosion of new variants, new attack greater obfuscation. For example, there tactics. is a PowerPoint malware that spreads by simply hovering a mouse pointer over a The level of sophistication in distribution tainted PowerPoint slide, WannaCry which methods and attack vectors have expanded spread itself within corporate networks and it’s no longer enough to just rely on without user interaction, by exploiting signatures and antiviruses, because, known vulnerabilities in Microsoft Windows. unfortunately, the data also shows no one is immune.

Demystifying Africa’s Cyber Security Poverty Line Tanzania Cyber Security 15 Report

Skill Gap: What you don’t know will hurt you

The cost of Cybercrime grew by approximately 17% but the skill gap is widening. No one knows what they’re doing, majority of IT and security staff are downloading templates from the internet and applying these in their organisations. From our analysis, a key contributor to this is that organisations tend to look for people with traditional technology Mobile and Internet Related credentials — IT, Computer Science. But when you look Services. Battery is low is no at the matter, we need longer the only warning Technology analysts, Cyber Risk Engineers, data analysts, As the use of online services has risen - Risk experts most of which with more than half of the banking users do not necessarily warrant a using internet banking and three quarters technology course. Majority of using mobile banking services. Attackers organisations encourage their are now leveraging these platforms to IT teams to take up courses steal money from customers. that don’t necessarily add value to the security of the This year, several attacks reported organisations. indicated that hackers used dormant accounts to channel huge sums of money It is also concerning that from banks. Majority of the attackers companies would rather also leveraged the no-limit vulnerability poach talent from each other present in most internet banking systems and from training providers to channel out money. than develop it themselves. Mobile banking users have also become This points to the sad fact victims of social engineering attacks that businesses are thinking especially with the increased number of in the short term. Rather than betting and Ponzi schemes. cultivating the needed talent, organisations are continuously There is a clear need to bridge the relying on ready-made talent knowledge gap on mobile money pool. operations among security teams and to identify common security, fraud and It is critical that we develop money laundering challenges confronting the right skills for our IT team mobile money operations across the that will enhance the ability to financial services sector. Mobile money Anticipate, Detect, Respond users are also to be educated on and Contain Cyber threats. identifying and evading phishing scams.

Demystifying Africa’s Cyber Security Poverty Line Tanzania

16 Industry Players Perspectives Cyber Security Report

Kindly highlight some of the top Cyber Regulators may not be well positioned to security issues of 2017 and how these force takedowns on platforms that they issues impacted you personally, your do not regulate. Communication regulatory bodies in Africa regulate traditional organisation or country. media, but have no jurisdiction to regulate Facebook, a foreign company. So they can Ransomware and particularly Wannacry force local media houses to take down a have made the most noise in Cyber security fake story from their websites, but they in 2017. But from our own experience, it is cannot ask Facebook to take down a fake social engineering, very sophisticated ‘spear story. Communication service providers fishing’ or ‘whaling’ (like phishing but aimed at in East Africa are regulated by the bigger fish- senior execs) that has bothered Communication Authority (CA) of course, us the most. This constant barrage of Ben Roberts but the service providers are completely emails, instant messages, phone calls, to technically unable in any way to selectively Chief Technical Officer get people to give up their passwords block content, web pages, hashtags on any Liquid Telecom Group voluntarily, is there all the time and is often of the social media or international news good enough to fool very savvy smart sites. So the CA would be unable to force people. An IT manager can secure his own service providers to block content, since it is company systems, only to find that people in totally impossible to do so. the organisation are using personal Gmail, or Skype, they get hacked and causing damage What can be done to improve the within the corporate organisation. The general user awareness on the motive for this kind of phishing is normally to conduct direct monetary theft. detection of fake news in the country?

Do you think fake news is a major All of us are responsible to assess problem in your country or Africa? information before passing it on; think about the source and whether we trust it, and whether the information seems feasible. Yes. It is easy to blame media, or social media platforms for fake news, but in fact society If yes, who should be responsible is to blame. I came across a really good for controlling the creation and campaign from Facebook about how to spot distribution of fake news (government, Fake news. It had 10 points of indicators end users, Telcos or ISPs or content that something might be fake news. It owners)? was a really good campaign, I republished the campaign on Twitter under hashtag Fake news has made headlines globally. #dontfwdfakenews,the important message But we need to distinguish between what’s was, if it looks like fake news, it is probably fake and what is not, and global leaders fake news, and don’t forward fake news. need to communicate responsibly. But yes, fake news in East Africa, particularly Nairobi Many governments in Africa are (where I live) has been terrible this year, investing in e-services (e-government, with the election season that has taken e-voting, e-tax systems and many place. WhatsApp was the worst platform other portals.) Do you think the African for circulating of completely fake news, citizenry is ready to consume and but the traditional media did a poor job on utilize these systems without the worry responsible election coverage. of privacy, security and fraud? Should regulators force influential platforms like Google and Facebook to remove fake news and other extreme forms of content from their platforms?

Demystifying Africa’s Cyber Security Poverty Line Tanzania

Cyber Security Industry Players Perspectives 17 Report

African society may not yet have We were not impacted by ransomware What role can the private sector gained full trust in e-services, from at Liquid Telecom in 2017. But let us not and consumers of imported Cyber e-government to e-commerce. As pinpoint. I would consider myself a highly security products play to ensure they get used to using such services skilled experienced ICT professional, we can encourage local players and noticing improved service delivery, with long experience of leadership then the trust will grow. E-government in technology. Yet in 2013 I picked up to start developing African grown services are almost certain to be more a ransomware from a downloaded Cyber security products and accurate, more transparent and more Trojan and totally got my hard drive solutions or even services? efficient than existing manual systems wiped. Just from my own carelessness, which are often flawed with loopholes and lack of up to date antivirus tools I would refute that statement. leading to inefficiency, corruption and employed by my highly skilled IT financial loss. department in London. Thawte, a security certificate company founded by South African Mark What are some of the risks we Do you think organisations are Shuttleworth in South Africa was face with the introduction of spending enough money on a security company specializing in government driven e-services and combating Cyber-crime and what certificates for secure communications. do you have any examples of these can be done to encourage more Thawte was sold to Verisign for $575 cases in your country? spending on Cyber security issues? million in 1999 making Thawte the first African tech Unicorn. African innovators should be inspired by Mark, and look The main risk in implementing Organisations are yet to understand to create Cyber security solutions that e-government is having pushback what they should be spending on are well placed to deal with Cyber from cartels that are benefitting from combatting Cyber-crime, and even security issues in Africa at a price and corruption networks. If we look at where to spend it. Cyber Security and service level that is good for the local the technologies, E-government, IoT, associated risks need to be understood market. What about a WhatsApp bot Blockchain and big data, they have at board level, since the average that you can add to your groups that the ability to totally transform and cost of the impact of a Cyber breach will spot and delete fake news? African eradicate most forms of corruption, if (estimated 1.3M$ per breach in US innovators need to start with a problem implemented properly. But those cartels in 2017), is enough to bankrupt many then go out and solve it. that profit right now may do their best companies. But there are ways to be to frustrate the implementation of smart about Cyber security spending. In your opinion and from an African technology that will cut off their income. Deploying systems in trusted public cloud, may likely be more cost effective context, what are the top 2018 In 2017, we had several cases of than managing the risks of deploying Cyber security priorities for African Cyber security attacks including your own security on your premises. countries and organisations? ransomware attacks across the Cyber breach insurance will be a growing product that companies should world–were you impacted by these My top 3 priorities are, education, consider. education and, education. All attacks? companies need to do their best to Based on our research the Africa Cyber make sure the whole organisation If yes, how did you (company or security market will be worth USD2 understand and are aware of Cyber country) respond to these cases? billion dollars by 2020. Despite this security, both at home and at work. IT opportunity, Africa has not produced departments and Infosec officers need Considering the shortage of skilled a single commercially viable Cyber to be educated to the highest level, but resources in Africa, how can we security product/solution. Cybersecurity, just like physical security, limit the impact of ransomware is the responsibility of every member of cases? In your opinion, what should an organisation. African countries and universities focus on to encourage innovation in the development of Cyber security solutions?

Demystifying Africa’s Cyber Security Poverty Line Tanzania 18 Cyber Security Report

Network Architecture: Defense since education programs, awareness campaigns and In-depth product innovation on their The success of most attacks in 2017 own have failed. were in one way or another linked to one critical issue: Weak Security Architecture. Cyber Pyramid Successful ransomware attacks were Schemes: Easy mainly due to missing patches. For come, Easy go example In an economy where Wannacry exploited a vulnerability by A SIEM tool is a useless investment it’s so difficult to earn a not applying a patch) and for most cases, if auditing is not enabled in network living, many Tanzanians try out inadequate privilege account monitoring devices, no expertise exists pyramid schemes with the hope and third party risk management. Yet these for continuously analyzing and of making huge profit. 2017 saw organisations have invested heavily in the refining the alerts. Defense-in- the Bank of Tanzania and capital latest Antivirus programs or SIEM solutions. depth means, applying multiple market and Securities Authority countermeasures in a layered issue warning on ponzi scheme. or stepwise manner. Because there are ways around traditional We noted that these schemes protective systems such as firewall, rely on a constant flow of it is imperative that individual new investments to continue systems be hardened from the to provide returns to older Network, investors. When this flow runs out, the scheme falls apart. In Application, Endpoint and Database recent times, we have seen levels. This means, putting controls these schemes evolve to now in place for Remote Access (see include crypto currencies. appendix for Remote access tools list), Change and vulnerability System Integrity: management. Eroding Public Trust Phishing: The Weakest Link Government systems have become a target for hackers Phishing is one of the attacks that seeking to make news or disrupt leverages the inadequacies of service delivery. 2017 registered humans and remains worryingly the highest number of alleged effective. In quarter on 2017, election hacking in Africa, Europe Kaspersky Lab products blocked and America. Whether the 51million attempts to open a allegations for hacking are true phishing page. Over 20% of these or not, there is no denying that attacks targeted banks and other these systems have become High technology solutions installed on top credit and financial organisations. a juicy target for hackers. As of weak architecture only equals one thing With the evolution of phishing, it has such tighter controls need to A WHITE ELEPHANT. Most organisations become clear that basic awareness be in place to ensure that the in 2017 focused a large part of their IT training may not be sufficient to confidentiality, integrity and budgets on acquiring high end technologies safeguard your organisations. availability of these systems is but forget to set the foundation on which 2017 has proven that we need maintained. these technologies will effectively operate. to leverage technology especially

Demystifying Africa’s Cyber Security Poverty Line Tanzania Cyber Security 19 Report

Tanzania’s

Transitioning from 2017 to 2018, the journey of attaining a secure Cyber ecosystem is a long but optimistic one. Cyber- attacks will continue to grow and only the informed and prepared would survive with minimal losses. In 2018, Cyber threats and countermeasures are likely to take the following dimensions:

Continuous Monitoring: Askari Vigilance Database Security: 10 1 Secure the vault

Security Privileged User Architecture/ 9 2 Management: Engineer skill set: Who has access to Widen your the crown jewels employee gaze

Tanzania’s

The Board’s 8 3 Patch Changing Role: Management: Security begins at To patch or the top not to patch

Vendor/Third Party Unstructured Data Security: 7 4 Management: Bring Your Own There is no one Vulnerability size fits all

Employee Security Awareness: 6 Endpoint Security: Ignorance is not Bliss 5 Cyber security front-line

Demystifying Africa’s Cyber Security Poverty Line Tanzania 20 Cyber Security Report

Organisations must adopt a privileged Emails, medical records and contracts 1 account security strategy that includes are a few examples of unstructured data Database Security: proactive protection and monitoring of that exist in the organisation. Whereas Secure the vault all privileged credentials, including both most institutions have some form of passwords and SSH keys. unstructured data, it is the healthcare Database (DB) security concerns and insurance industries that top this the protection of data contained list with terabytes of data in file shares within databases from accidental or 3 Patch Management: and home directories. The security of intentional but unauthorized access, this data however remains an under- view, modification or deletion.Top priority To patch or not to patch recognized problem as these files and for security teams is to gain visibility on 75% of vulnerabilities identified within folders are left unsecured. This has activities on the databases particularly, local organisations were missing patches. resulted in often-unnecessary data direct and remote access to DB by In 2017 alone, we have seen vendors such exposure and unauthorized access. To privileged users. Fine grained auditing as Microsoft releasing over 300 patches help secure against the security risks of of these activities is essential to ensure for their windows systems. This presents unstructured data it is necessary that integrity of data. Going to 2018, database two obvious lessons: we; security should be a top priority that focuses on ensuring that access to the • The increased number of released • Identify critical unstructured database is based on a specific role, patches are choking organisations information assets limited to specific time and that auditing • Organisations have not developed • Identify which employees possess and continuous monitoring is enabled to comprehensive patch management critical unstructured data provide visibility. strategies and procedures. • Implement technology and process controls to protect data assets eg Now more than ever, organisations need DLP, Email Monitoring 2 Privileged User to narrow down to one critical thing: What Management: Who has do we patch? 5 access to the crown jewels Endpoint Security: Not all of the vulnerabilities that exist in Cyber security front-line products or technologies will affect you, The main obstacle between your 2018 presents a great opportunity for organisation’s crown jewels and hackers Often defined as end-user devices – organisations to strategize, focus more are privileged accounts. such as mobile devices and laptops, energy on identifying testing and applying endpoint devices are receiving more critical patches released. This may These accounts are found in every attention because of the profound require adoption of an automated patch networked device, database, application, change in the way computer networks management system. server and social media account and as are attacked. With so many pluggable such are a lucrative target for attackers. devices in the network, this creates new More often, privileged accounts go 4 areas of exposure. unmonitored and unreported and Unstructured Data • Unsecured USB devices leading to therefore unsecured. We anticipate that Management: There is no leakage of critical data, spread of in 2018, abuse of privileged accounts will one size fits all malware. worsen and it is therefore critical that • Missing security agents and organisations inventory all their privileged Unstructured data is information that patches accounts for 70% of all accounts, continuously review the users either does not have a pre-defined data misconfigurations within the network with these privileges and monitor their model or is not organized in a pre- allowing attackers to exploit well activities. defined manner. known vulnerabilities.

Demystifying Africa’s Cyber Security Poverty Line Tanzania Cyber Security 21 Report

• Unauthorized remote control Key questions that modern board software giving attackers full control 7 members should be asking themselves of the endpoint. Vendor/Third party are: • Unauthorized modems/wireless security: Bring Your Own access points Vulnerability ANTICIPATE What are our risks and how do we It is critical that before endpoints are In 2017, several attacks were launched mitigate them? granted network access, they should meet against organisations and these had one DETECT minimum security standards. Beyond this, thing in common; vendor involvement. Should these risks materialize, are we organisations should invest in endpoint Be it directly or indirectly, vendors able to detect them? security tools that provide capabilities introduce risks to organisations through RESPOND such as monitoring for and blocking risky or their interactions with critical data. We What would we do if we were hacked malicious activities. Focus areas: anticipate that in 2018, cases involving today? rogue vendors will increase; we will see CONTAIN • DISCOVER all devices that are rogue vendors: What strategies do we have in place to connected to a company’s network. ensure damage issues don’t reoccur? Including new or suspicious • Use privileged accounts to access connections, other network systems, • INVENTORY the OS, firmware and • Use remote access tools (RDP, 9 Security software versions running on each Teamviewer, Toad) to access critical endpoint. This information can also applications and databases Architecture/Engineer Skill help prioritize patching • Manipulate source code for critical Set: Widen your employee • MONITOR endpoints, files and the applications in order to perform gaze entire network for changes and malicious activities Majority of IT staff are tool analysts indicators of compromise. Organisations need to evaluate their focusing on understanding a tool instead • PROTECT the endpoints using potential vendor’s risk posture, ability of data processed within the tool. technologies such as Antivirus to protect information and provision of service level agreement. At the end of the day, when a breach occurs on your 10 Continuous 6 Employee Security vendor’s watch, regardless of fault, you Monitoring: Askari Vigilance shoulder the resulting legal obligations and Awareness: Ignorance is cost. There is need for continuous monitoring. not Bliss The predicted increased number of attacks in 2018 demand for a If infrastructure is the engine, staff 8 The Board’s Changing mechanism to detect and respond to awareness is the oil that ensures the threats and incidents. Even though most life of the engine. Uninformed staff or Role: Security begins at the organisations cannot adopt a real-time employees not familiar with basic IT top round the clock monitoring and reporting security best practices can become the The traditional role of boards in providing it is necessary that these organisations weak link for hackers to compromise your oversight continues to evolve. The impact look for alternate solutions and practices company’s security. Staff awareness is of Cyber attacks now requires board including managed services and day long key. member level participation. This proactive monitoring. and resilient approach requires those at the highest level of the organisation or government to prioritize the importance of avoiding and proactively mitigating risks.

Demystifying Africa’s Cyber Security Poverty Line Tanzania

22 Industry Players Perspectives Cyber Security Report

Of the three triangle components in What has to be done in-order to cybersecurity, which one do you think ensure balance in the cybersecurity has the biggest impact or weight in triangle in Tanzania? Tanzania cybersecurity scene? More awareness, more training and I believe the component with the biggest encouraging discussions around the impact is people. End-users of technology effective management of cyber risks. need to continually be aware of the This can be done by not just highlighting risks and how they impact on them. IT horror stories about cybercrime – but also professionals need to use their talents encouraging the sharing of best practices professionally, and not be lazy when it within the country of effective cybersecurity comes to implementing the necessary management. Dr. Carina Wangwe security mechanisms in their roles. With the increasing incidences of cybercrime, every We have seen a substantial number Head, ICT person in an organization that is using IT of cyber crimes are conducted via systems cannot afford to be lax keeping mobile communication means; In Social Security Regulatory aware of the risks and in implementing the your opinion what drives criminals to necessary controls. Authority, Dar es Salaam commit cybercrime or cyber offenses? Which aspect of the cyber triangle I believe that easy gains with very little can be termed as the weakest link in investment and perceived low risk, are what Tanzania? drive cybercriminals. In addition, the ubiquity of mobile phones in Tanzania means that In Tanzania, there is still room for the population of potential targets is very improvement on all three components: high. people, process and technology. With people – the uptake of security What initiatives does the government certifications is still low. I do not see have in place to support the private sufficient interest from young university sector in combating cybersecurity graduates in enhancing their technical skills be sitting for certifications such as CSX, issues in the communication arena? CISSP, CISA and CISM. Within organizations, many processes are still carried out with a The government has put in place mentality of the manual processes of old, several pieces of legislation that and sufficient controls to deal with cyber address cybersecurity issues including risk are lacking. With regards to technology, the CyberCrime Act and the Electronic again uptake of any new technologies Transactions Act. Section 18 of the should be done with a consciousness of the Electronic Transactions Act lays out the attendant risks, and an articulation of what admissibility of electronic evidence, which is controls are being put in place to manage key in prosecuting cyber crimes. these risks. What do you think would be the best Do you think the private sector is approach to address the cybercrime investing enough in the cybersecurity issue in Tanzania focusing on the triangle: People, Process and cybersecurity triangle? Technology? My opinion is the best approach to One area where private sector could invest cybercrime in Tanzania, is to focus on more is on people. Training of employees is people, that is, both end users of the key to effective Cybersecurity. technology and on professionals who should be developing, and maintaining secure

Demystifying Africa’s Cyber Security Poverty Line Tanzania

Cyber Security Industry Players Perspectives 23 Report

systems. People need to be aware of of course on the affected parties, Fake news, I believe relates to ethical the risks, and also the consequences of and also in the rising cost of cyber considerations and general laxity when Cybercrime. protection. using anonymous media platforms. This can tackled by awareness on the From an African context, what Unsophisticated Cybercrime is that kind penalties that are in laws relating to would be the top priority to perpetuated through mobile phones or Cybercrime. address cybersecurity across the social media for purposes of defrauding continent? individuals. There have been increased Many governments in Africa are incidents of such crime in the Tanzanian investing in e-services (e-government, media. e-voting, e-tax systems and many The priority for the African Continent other portals.) Do you think the African should be enhancing professional skills citizenry is ready to consume and utilize of all professionals, IT or otherwise, so Do you think fake news is a major these systems without the worry of that they can design and deliver secure problem in your country or Africa? privacy, security and fraud? systems, and keep these systems secure. In addition – deliberate efforts Fake news is a big a problem in Africa as African Citizenry is ready to consume need to be taken to align skills with it is for the rest to the world. Africa is just these systems; and are consuming ethics, such that professionals act with beginning to make progress with regards the systems especially those offered integrity and do not misuse the cyber to local or localized content on the web through familiar technologies like USSD skills that they may have. and social media, and this progress is going to be seriously threatened, if based services. The worry of privacy, security and fraud remains but I do not What is your prediction of the African content consumers now need to worry about veracity of the content. believe that it has an impact on uptake future in terms of cybersecurity? especially if the service is cheap and quick, thus the advantages outweighing If yes, who should be responsible I believe that it is going to get worse the perceived risks. before it gets better. The rise in for controlling the creation cybercrime I believe is set to continue, and distribution of fake news What are some of the risks we and thus it is imperative for all current (government, end users, Telcos or face with the introduction of security professionals to keep pushing ISPs or content owners)? government driven e-services and for more awareness and more risk management. do you have any examples of these The Government and the Content cases in your country? owners. End users should be able to Kindly highlight some of the top trust in news generated, or published cyber security issues of 2017 and through government sites and reputable One risk is the consistency of service. There are some Government agencies how these issues impacted you content owners such as media companies. where the e-services offered are personally, your organization or backed by a robust back office with all country? the necessary infrastructure to provide Should regulators force influential a seamless service, while in other cases Top Cyber Security Issues of 2017 platforms like Google and – the service level is inconsistent due to are rise in both sophisticated Facebook to remove fake news and inadequate backend processes and or and unsophisticated Cybercrime.. other extreme forms of content infrastructure. Sophisticated Cybercrime would be from their platforms? incidents such as the ransomware Another risk is the possibility of attacks that rocked the cyber landscape Definitely – if its is proven fake news – it persistent exclusion of certain segments in 2017. These have had both a positive should be removed. of the population who happen to be and negative impact. Positive in the disadvantaged because of their location, sense that, in my personal opinion, they What can be done to improve income levels or literacy level. have resulted in an unprecedented level the general user awareness on of awareness amongst Boards and CEOs who hitherto did not have much the detection of fake news in the interest in Cyber Issues. Negative Impact country?

Demystifying Africa’s Cyber Security Poverty Line Tanzania

24 Industry Players Perspectives Cyber Security Report

In 2017, we had several cases of cyber security Based on our research the Africa cyber security market will be attacks including ransomware attacks across the worth USD2 billion dollars by 2020. Despite this opportunity, world– were you impacted by these attacks? Africa has not produced a single commercially viable cyber security product or solution. No, we were not impacted. In your opinion, what should African countries or universities focus on to encourage innovation in the If yes, how did you (company or country) respond to development of cyber security solutions? these cases?

Innovation can be fostered by supporting the existing Considering the shortage of skilled resources in hubs, and by governments supporting the products from Africa, how can we limit the impact of ransomware these hubs. Both at a policy level, with stringent controls on cases? Intellectual Property, but also paying a fair fee for software products and services. A locally developed solution or service, There is a multitude of resources on online, that even with should be seen as being as valuable as those sourced out limited resources, we can utilize more effectively. Simple abroad, and especially since the local solution is likely to be actions like ensuring patches are done as required go a long better customized. way in offering protection. We need to subscribe to and follow technological news and updates, and share the limited What role can the private sector and consumers of resources and knowledge. This way we work within our means imported cyber security products play to ensure and still achieve some level of protection. we can encourage local players to start developing African grown cyber security products or solutions or Do you think organisations are spending enough even services? money on combating cyber-crime?

For my personal experience – No. Pay fair value.

What can be done to encourage more spending on In your opinion and from an African context, what cyber security issues? are the top 2018 cyber security priorities for African countries and organisations? Pushing for IT and Cyber Issues to form part of national and corporate agendas. Collaborating with professional and • Raise Awareness research organisations to put tangible figures to the losses • Cost, document and publish impact arising from cybersecurity issues. Publishing such statistics in • Encourage secure practices for all segments of the forums that have their audiences as CEOs and Policy makers population

Demystifying Africa’s Cyber Security Poverty Line Tanzania Cyber Security 25 Report

Cyber Intelligence Statistics, Analysis, & Trends

For the purposes of this report, we inspected network traffic THREAT CO R- MM BE A inside a representative of Tanzanian organisations, reviewed Y N C D

U C contents of online network monitoring sites such as Project E N N A I T honeyNet and reviewed information from several sensors deployed

R R

E E

S in Tanzania. The sensors perform the function of monitoring an

N N organisation’s network for malware and Cyber threat attacks I T I A C T such as brute-force attacks against the organisation’s servers. In IP N A O T C E • an effort to enrich the data we collected, we partnered with the • D ND ETE PO CT • RES Honeynet project and other global Cyber intelligence partners to receive regular feeds on malicious activity within the continent.

In this section, we highlight the malicious activity observed in the period under review. This data represents malicious activity captured by our sensors and publicly available intelligence.

Project Honeypot Intelligence Analysis

This section covers data from the honeynet project, a global database of malicious IP addresses.

Demystifying Africa’s Cyber Security Poverty Line Tanzania

26 Industry Players Perspectives Cyber Security Report

Looking at the cyber security in Tanzania; Technology is existent to make the technology, people and processes way we do things more efficient, are integral, if we further magnify the contrary to the initial purpose; people three; people are the most key players modify processes through the use of in cyber security. Come to think of technology for personal gains. These best security measure (amounting to actions ultimately translate into cyber processes) and the best technology offenses (cybercrimes). Cybercriminals in the world combined, without skilled, are on the rise with an expectation to developed and committed people to secure finances illegally (major motive to thwart cyber security challenges we may commit cybercrimes), to gain fame from succumb to a cyber offense tragedies. professional peers, and the need for Just like San Tzu once said, “Victory revenge among many others. usually goes to the army that has better Dr. Edward Hoseah trained soldiers” summing it up in my Given that there are many variants of point of view; People, Processes and cybercrime and that they are on the CEO Technology are inseparable but having rise day in day out, there is a great need the last two without better trained set to increase efforts in the fight against Hoseah & Co. Advocates of personnel both in private and public cyber crime that include: training people, sector, the investment in the last two is having standardized best practices, and Former DG-PCCB worthless hence making people the most acquiring best technologies that target to (Prevention and vital component of the triad (People, solve the challenges at hand efficiently. Combating of Corruption Processes, and Technology). Bureau) With the rise of cybercrimes, there is As said above, people being the vital a great need to thwart these crimes component of the triad, they pose a great efficiently through the proper use of the amount of threat to the processes, and triad (entails having honest and skilled technologies that are meant to support people on deck, best technology and businesses and organizational endeavors well-defined and understood processes). should they (People) be compromised. Success in fighting conventional Furthermore, from the triad the later two cybercrimes will dictate how can one fight can be easily patched up and fixed but the contemporary cyber crimes now that people are hard to contain due to honesty the internet of things is booming. variation, skillset variation and industrial response variation. It is therefore very important to invest more in the people as much as it is important to do on the remaining two.

Kindly highlight some of the top cyber credentials. The identities of the persons who security issues of 2017 and how these cashed the cheques are normally fictitious. issues impacted you personally, your The person’s details can be retrieved online organisation or country? using social media or other sources such as the The key security issues are financial crimes. phase 1 ID cards that had all the details of the These include cheque, card fraud; and identity person on easy to read QR code. theft/fraud to mention just a few. This is based We need to invest in people. on the clients experiences I encountered. We need to give them knowledge, give them Pensioners for example have been a victim awareness, to give them the understanding of of such fraud. Especially those that travel what is happening because of Cybercrime. It from up-country to process their pension in is a border-less crime – it can be committed Dar es Salaam. Some of them end up finding from anywhere as long as someone has the someone has already cashed their cheques knowledge. using either forged or stolen identities and

Demystifying Africa’s Cyber Security Poverty Line Tanzania

Cyber Security Industry Players Perspectives 27 Report

Do you think fake news is a major according to the recent data, is where everyday. Its difficult to fight the battle problem in your Country or Africa? big corruption happens; so in order to where you use the same old wine in new limit human contact, it is a good idea to bottle. If yes, who should be responsible for use e-services. However in every ideal controlling the creation and distribution situation, there are risks; one of the risks Based on our research the Africa cyber of fake news (government, end users, is fraud, Cyber fraud and not forgetting security market will be worth USD2 Telcos or ISPs or content owners)? counterfeits. billion dollars by 2020. Despite this opportunity, Africa has not produced Should regulators force influential Criminal gangs in the world use counterfeit a single commercially viable cyber platforms like Google and Facebook to goods to finance their operations by selling security product or solution. remove fake news and other extreme counterfeit goods online. forms of content from their platforms? In your opinion, what should African In Tanzania we need a lot of education, countries or universities focus on especially the private sector to disseminate What can be done to improve the to encourage innovation in the preventive measures, and techniques in general user awareness on the development of cyber security order to identify these threats in light of detection of fake news in the country? the unprecedented use of mobile phones solutions? On one hand, the constitution of by Tanzanians for different activities What role can the private sector Tanzania provides freedom of speech including purchasing goods. and consumers of imported and freedom of expression. These are In 2017, we had several cases of Cyber fundamental freedoms in any democratic cyber security products play to security attacks including ransomware state. In order to control fake news, one attacks across the world– were you ensure we can encourage local has to strike a balance between the impacted by these attacks? players to start developing African fundamental freedoms (freedom of grown cyber security products or speech, freedom of expression,...) that the If yes, how did you (company or solutions or even services? constitution guarantees. However, these country) respond to these cases? freedoms have limitations; that is they are accommodated within the democratic Considering the shortage of skilled At the continental level, the African Union principles (freedom not to offend others, resources in Africa, how can we limit has a specific organ for scientific innovation and scientific data should fund this initiative freedom not to injury another persons…) the impact of ransomware cases? therefore in that context, regulators may in order to come up with innovative play their roles by identifying those that I have not been impacted directly. However solutions. Its high time for Africa to spend have infringed the permissible limits of we should invest in public awareness more resources on scientific innovation those freedoms. There is always a delicate through the use of different media to and technology especially data. In Tanzania balance. It is the court that determines create awareness. we have a number of institutions and the the permissible limits. There is need to Commission for Science and Technology. Classification of information is also crucial They also need to invest in scientific raise awareness on these fundamental so that the needed security measures can freedoms and democratic principles. research and scientific data gathering on be utilized based on the importance of the the impact of Cybercrime in Tanzania. It Many governments in Africa are information. is not an easy task but it is high time we investing in e-services (e-government, Do you think organisations are invest on research on the current trends e-voting, e-tax systems and many spending enough money on combating that are happening on the Cyber world. other portals.) Do you think the African cyber-crime? In your opinion and from an African citizenry is ready to consume and context, what are the top 2018 cyber utilize these systems without the worry What can be done to encourage more security priorities for African countries of privacy, security and fraud? spending on cyber security issues? and organizations? What are some of the risks we face Big NO! with the introduction of government Cybercrime posses a great threat not driven e-services and do you have They have to accept to receive specialized only to the security and defense but any examples of these cases in your training both private and public also in social and economic spheres. country? organizations. They have to open doors Its an area we need to give priority for this knowledge. I recommend most because the world has been shrunk into E-services are fundamental facilities in our of the public institutions especially law a small minute that criminals can take modern age, without which bureaucratic enforcement should cooperate with private advantage. As we move to science and red-tape will continue to hinder smooth sector experts to exchange knowledge technology country, we should also take flow of business between private and and experience on impact of cybercafe, cognizance of the impact of Cybercrime. public sector. In the area of procurement, because criminals invent new techniques

Demystifying Africa’s Cyber Security Poverty Line Malware Petya Attacks Ransomware has spread BankBot Trojan internationally, Targeting Over 420 wreaking havoc. Banking Apps A new variant of Hackers Steal Marcher Android Payment Card Data sophisticated From Over 1,150 Inter banking malware Continental Hotels disguised as

New Malware strain Major Malware Backdoor Gazer TeamSpy Malware Bad Rabbit targeting Linux-based ‘Xavier’ hits play transforms Ransomware systems store infecting Ransom Lukitus Teamviewer into a 800 Android Spying software IoT Reaper CoinMiner False Guide malware apps. IKARUS dilapidated

2017 JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC

PDF file containing New Variant Macro Malware for ZeuS/ZbotPCRat/Gh0st Ransomware down- GhostCtrl of KillDisk is MacOS users loader Android-information Ransomware Stealer Malware with Gh0st Torrent Locker PowerPoint Malicious Ransomware Ransomware Hover Vulnerability capabilities CCleaner Malware: DNSMessenger Wannacry Ransomware FruitFly malware Locky Ransomware malware affects more than variant. Variants 200,000 computers in New Ransom- 150 countries Android.Bankbot.211.o Gazer Backdoor- ware-as-a-service rigin targeting Program, Dot Ransom- Fireball Malware infects governments ware 250 million computers SambaCry Variant- CowerShell OakBot banking Trojan harvests financial information Malware Petya Attacks Ransomware has spread BankBot Trojan internationally, Targeting Over 420 wreaking havoc. Banking Apps A new variant of Hackers Steal Marcher Android Payment Card Data sophisticated From Over 1,150 Inter banking malware Continental Hotels disguised as

2017 JAN FEB MAR APR MAY JUN JUL AUG SEP OCT NOV DEC

30 Industry Players Perspectives Cyber Security Report

Highlight some of the top cyber security in the government and private sector, issues of 2017 and how these issues campaigns be initiated to drive awareness impacted you personally, your organisation on the detection of fake news in the country or country? including online platforms, television and radio shows and regular tests to check the Irresponsible sharing of personal information effectiveness of the awareness campaigns. on social which has led to successful criminal activities. Many governments in Africa are investing in e-services (e-government, e-voting, Password sharing which has led to misuse of e-tax systems and many other portals.) Do other people’s information or profiles. you think the African citizenry is ready to consume and utilize these systems without the worry of privacy, security and fraud? Use of personal devices for official matters ASP Joshua which has exposed official matters to What are some of the risks we face with Mwangasa unauthorized people. the introduction of government driven e-services and do you have any examples Deputy Head of Lack of confidentiality in the work place of these cases in your country? Cybercrime Unit, which has led to breach of trust between TPF (Tanzania Police Force) employer and employees. Yes, they are ready. The most important step is to create awareness among the Leakage of top secret documents or citizens on how they can securely use these information with unauthorized people or systems and on how to protect themselves public which has caused mistrust between and their devices. the related parties as a result of the information leaked. Fraud of by some opportunists who take advantage of citizens with little knowledge Do you think fake news is a major problem on how to use the government e-driven in your country or Africa? services making it seem like the government has given them the mandate to render the If yes, who should be responsible service. for controlling the creation and distribution of fake news (government, In 2017, we had several cases of cyber end users, Telcos or ISPs or content security attacks including ransomware attacks across the world–were you owners)? impacted by these attacks? Should regulators force influential If yes, how did you (company or country) platforms like Google and Facebook to respond to these cases? remove fake news and other extreme forms of content from their platforms? Considering the shortage of skilled resources in Africa, how can we limit the What can be done to improve the general impact of ransomware cases? user awareness on the detection of fake news in the country? Yes, we experience such an attack. Through collaboration with other government Yes, the responsibility rests with the owner institutions and also consulting experts, we of the content. were able to effectively respond to these cases. Yes, the regulator should force influential platforms like Google and Facebook to We can limit the impact of ransomware by remove fake news and other extreme forms ensuring there is frequent offline backup of content from their platforms that is tested appropriately in case of any attack, we’re able to get back online soonest With collaboration among stake holders possible.

Demystifying Africa’s Cyber Security Poverty Line Tanzania

Cyber Security Industry Players Perspectives 31 Report

Do you think organisations are They can also encourage the local In your opinion what drives criminals to spending enough money on combating developers by clearly communicating commit cybercrime or cyber offenses? cybercrime? the quality of solutions they are looking for. Opportunities. What can be done to encourage more spending on cyber security issues? In your opinion and from an African What initiatives does the government context, what are the top 2018 cyber have in place to support the private This depends on the nature of the security priorities for African countries sector in combating cybersecurity business and the level of automation in and organisations? issues? organisations. Develop Cybersecurity skills through Ongoing of drafting National We should create awareness to the creation of awareness and setting Cybersecurity strategy. top management to understand the up research and security operations importance of cyber security. centers with modern equipment. What do you think would be the best approach to address the cybercrime Based on our research the Africa cyber Creation of awareness to the end user. issue in Tanzania focusing on the security market will be worth USD2 cybersecurity triangle? billion dollars by 2020. Despite this One of our key theme is opportunity, Africa has not produced “Understanding the cybersecurity Creation of awareness on the different a single commercially viable cyber triangle: People, Process, and kinds of technology available to combat security product or solution. Technology.” Which do you think cybercrime. has the biggest impact or weight in In your opinion, what should African From an African context, what Tanzania cybersecurity scene? countries or universities focus on would be the top priority to address to encourage innovation in the Technology. cybersecurity across the continent? development of cyber security solutions? Which aspect of the cyber triangle To understand different technologies available and how they can be What role can the private sector can be termed as the weakest link in effectively customized and used to and consumers of imported cyber Tanzania? combat the various cybersecurity issues security products play to ensure we People. can encourage local players to start What is your prediction of the future in developing African grown cyber Do you think the private sector is terms of cybersecurity? security products or solutions or even investing enough in the cybersecurity services? triangle: People, Process and The future is looking promising as more Technology? people are talking about it and there To invest much on cyber security are more opportunities to learn and in terms of skills and equipment by No as we continue to see the existing implement what we are learning. There first understanding our landscape gap in people’s capability, processes is a lot of room for growth and that is a considering what is happening through and technology. great thing. research. What has to be done in-order to ensure The private sector and consumers of balance in the cybersecurity triangle in imported cyber security products can Tanzania? encourage local players by starting to buy the solutions after making sure To put clear policy and create that they are effective and they are awareness. addressing the cybersecurity problems.

Demystifying Africa’s Cyber Security Poverty Line Demystifying Africa’s Cyber Security Poverty Line Tanzania 32 Cyber Security Report

Threat Intelligence The main aim of this phase was to identify active systems easily accessible online and using this information identify areas of weaknesses and attack vectors that can be leveraged by malicious players to cause harm.

We broke down the findings into the following sections:

• Open Ports • Operating Systems • Top Vulnerabilities by Application or Services

Open Ports

There is a total of 65,535 TCP ports and another 65,535 • commonly targeted as a means of gaining access to the UDP ports, we examined risky network ports based on application server and the database. Attacks commonly related applications, vulnerabilities, and attacks. used include SQL injections, cross-site request forgeries, cross-site scripting, buffer overruns and Man-in-the- 65,535 65,535 Middle attacks. TCP ports UDP ports • TCP/UDP port 53 for DNS offers a good exit strategy Top Open Ports for attackers. Since DNS is rarely monitored or filtered, an attacker simply turns data into DNS traffic and Port 80 HTTP 28% sends it through the DNS server

Port 23 TELNET 13% • TCP port 23 and 2323 is a legacy service that’s fundamentally unsafe. Telnet sends data in clear text Port 443 HTTPS 18% allowing attackers to listen in, watch for credentials, inject commands via [man-in-the-middle] attacks, and Port 22 SSH 15% ultimately perform Remote Code Executions (RCE). Port 21 FTP 7% • UDP port 22 is a common target by attackers since its primary function is to manage network Port 53 DNS 3% devices securely at the command level. Attackers Port 25 SMTP 2% commonly used brute-force and dictionary attacks to obtain the server credentials therefore Port 110 POP3 2% gaining remote access to the server and deface websites or use the device as a botnet - a Port 143 IMAP 2% collection of compromised computers remotely controlled by an attacker. Port 993 IMAP 1% • TCP port 21 connects FTP servers to the internet. Port 995 POP3s 1% FTP servers carry numerous vulnerabilities such as anonymous authentication capabilities, directory Port 7547 CWMP 7% traversals, and cross-site scripting, making port 21 an ideal target. • TCP port 80, 8080 and 443 support web transmissions via HTTP and HTTPS respectively. HTTP transmits unencrypted data while HTTPS transmits encrypted data. Ports 25 and 143 also transmit unencrypted data therefore requiring the enforcement of encryption. These ports are

Demystifying Africa’s Cyber Security Poverty Line Tanzania Cyber Security 33 Report

Heartbleed Vulnerability Top Content Management System

The Heartbleed Bug is a serious vulnerability in the Vulnerabilities popular OpenSSL cryptographic software library. Many of the vulnerabilities of web content management This weakness allows stealing the information such as systems are not specific to web content management user names and passwords, instant messages, emails but inherent to web technologies, server environments, and business critical documents and communication and protocols as a whole. protected that under normal conditions, is encrypted by the SSL or TLS encryption. As long as the vulnerable 1. Privilege escalation exploits version of OpenSSL is in use it can be abused. Fixed OpenSSL has been released and now it has to be 2. Social engineering attacks deployed. 3. Cross-site scripting (XSS), combines weaknesses in the client side execution environment creatively with backend flaws of eg. lack of verification of parameters and content.

Nigeria 27% Top Content Management System Vulnerabilities Kenya 27%

WordPress 40% Ghana 11% Xampp 45%

Phpmyadmin Tanzania 11% 14% Wamp 1% Mauritius 9%

Uganda 7% Hacker puts malicious code Script is sent to server which XSS forces browser to into vulnerable website via cashes malicious page for run script whenever entry fields other users visiting the page any user accesses page Namibia 7%

When user sees infected Bad script infects visitor’s page, web browser runs bad profile, allows retrieval of code from infected website information from user’s profile

Demystifying Africa’s Cyber Security Poverty Line Tanzania 34 Cyber Security Report

Top Web Servers with Vulnerabilities Top Spam Servers Top Web Servers with

Vulnerabilities Spam Servers IPs

Vulnerable Upto Date 196.46.108.187 7% Apache http server 36% 3% 41.221.61.186 1% Microsoft IIS 1% 64% 196.46.108.248 14% Nginx 22% 1% 196.46.108.237 16% Lighttpd 41% 31% 196.46.109.97 14% Apache is the most commonly used web server. Key vulnerabilities associated with web servers include remote 196.43.64.167 16% code execution, SQL injection, format string vulnerabilities, cross site scripting (XSS). Majority of these are as a result 196.46.108.184 21% of not applying patches. There is need for constantly 196.46.109.18 11% upgrading to the updated web server patches. *Spam - Electronic junk mail Top Routers *A spam server- The computer used by a spam- mer in order to send messages

35% Top Dictionary 60% Attackers

Dictionary Attacker IPs 196.46.108.187 7% 3% 41.221.61.186 1% 196.46.108.248 14% Thttpd 2% 196.46.108.237 16% 196.46.109.97 14% Mini web server F660 196.43.64.167 16% 1% 1% 196.46.108.184 21%

In 2017, we witnessed a number of bugs and hacks such 196.46.109.18 11% as MikroTik routers hacked to infect Windows PCs and *Dictionary Attack - A dictionary attack involves making up a MikroTik Routers defaced due to default passwords. Cisco number of email addresses, sending mail to them, and and Huawei also recorded a number of security issues. Its seeing what is delivered. paramount that users, regardless of the router, keep up Dictionary attackers typically send to common usernames to date with security patches.

Demystifying Africa’s Cyber Security Poverty Line Tanzania

Cyber Security Industry Players Perspectives 35 Report

Kindly highlight some of the top cyber not demand it from the developers. For the security issues of 2017 and how these normal user it is very complex. And we are issues impacted you personally, your victims of complexity already. Complexity is our biggest enemy in 2017 and if you follow organisation or country? the comments of hacking victims they did not even know they could be hacked since 2017 brings out a very interesting complexity the system become too complex. At times of technologies making someone vulnerable. until the hacker informs them that they were The more complex the technology is, the hacked. more difficult to cope with the development in technology and to secure it. On an Do you think fake news is a major average week, each and every device one problem in your country or Africa? owns has an update and these updates Eng. Peter Ulanga have many things and one has a fuzzy knowledge of them and you have to make a If yes, who should be responsible CEO & Fund Manager decision should I update or not. Most of us for controlling the creation and take the default position of just updating. distribution of fake news (government, Universal In my humble opinion, with increasing end users, Telcos or ISPs or content Communications complexity, there willl be a time where our owners)? Service Access Fund very own user, it will be difficult to confirm (UCSAF) that they have an informed consent in most To begin with, fake news did not start on of the things they do. the internet. Let us get the context right, fake news is a big problem now but it did How? On a security point of view, your not start today. According to history, fake device gives you your digital life or existence news affected us from the start of the with your personal information. Installing a first printing press to present. The internet software in your device is like inviting a guest brought two aspects. It brought tools to into your house. If there is any vulnerabilities check the authencity and unprecedented in any of the softwares, somebody can take opportunity to push the news to the ends of advantage of that. I am not even talking the world. about apps that are spyware or malware; I am talking about legit apps but due to the The internet gives a person the opportunity complexity in development of technology, to publish whatever they want; be it true or these apps can be compromised by fake or a variation of the two. On the other someone who knows how they work. A good hand, information posted on different media ancient example is the misuse of Microsoft can have its authencity (facts) checked Word Macros. throught the internet. The dual nature of the internet, it gives you the opportunity if The philosophy behind updates includes you have the time to check the facts and it adding features and that is how the thing also an opporutnity to feed people with fake breaks. If you update too many times there news. will be a day you will forget and something will break. Taking for instance Linux, one is Before the internet, we had “media required to disable and remove everything houses” that are by structure bustiones that doesnt belong to the machine they are of information (they control what they tell using. This is to ensure security since the people). Media houses had open editorial hanging, unused handles can be the source policy to inform people. They also had closed of vulnerability to be compromised by editorial policies for a certain purpose and hackers. But people rarely do this anymore people consumed what was given to them. due to complexity. With the internet its completely different. One puts up information on their social Complexity is affecting security, and account and friends go through a very because we do not even talk about it; we do elaborate and exquiste voting process, they

Demystifying Africa’s Cyber Security Poverty Line Tanzania 36 Cyber Security Report

read thorugh the post; if they like it, they forward (otherwise This is the mistake that we in the technology sector make. We they reject the post) ultimately it goes viral. want to think on the behalf of other people and we patronize them in a very bad way. This is when we are faced with a The underlying thing is these people vote on the quality, challenge and take the end user as not ready. By doing so authencity and emotional aspect of the post, thus they we are abdicating our duty. Our duty is to make it simple. We become their own editorial policies. We have democratized remove the technology from the equation and we look at the editorial policies by being the ones who choose what we send service delivery. to our friends. People still work on the traditional sense. They do not do fact checking on fake news and if they do then they If we really want to bridge the ICT literacy gap, we should look do not trust their own intuition on fact checking. at ourselves. What have we done to make ICT simple? If cars were that complicated we would have very few drivers. Should regulators force influential platforms like Google and Facebook to remove fake news and other Ultimately we all lose since in the knowledge economy extreme forms of content from their platforms? everyone who joins brings in new knowledge.

Thinking traditionally, this will suffice. This is because the How do we ensure security of these services? information is now on an individual level. In 2017, we had several cases of cyber security What can be done to improve the general user attacks including ransomware attacks across the awareness on the detection of fake news in the world– were you impacted by these attacks? country? If yes, how did your company or country respond to The solution is training people on what they need to know these cases? about technological development. We live in an informational society with a highly uninformed society. Considering the shortage of skilled resources in Africa, how can we limit the impact of ransomware The use of the acronym people, process and technology is cases? very nice but at what point do you separate them? We live in a world of emerged reality where these can be in one person No. or device. We need homegrown techinical experts who will take a look We have the knowledge worker and knowledge economy in at this new and fast evolving landscape and formulate ways 2017. Processes as we know them are out of the roof. to take advantage of the development and at the same time use the information acquired by our experts and use Right now we have VUCA – Volatility; Uncertainiity; Complexity; the information acquired by our experts to protect all of the Ambiguity. society.

Lets leverage AI to atleast help in solving and addressing the Due to the lack of informed consent, we need experts that will challenges in complexity. look into this and advice people.

Many governments in Africa are investing in e-services Do you think organisations are spending enough (e-government, e-voting, e-tax systems and many money on combating cybercrime? other portals.) Do you think the African citizenry is ready to consume and utilize these systems without What can be done to encourage more spending on the worry of privacy, security and fraud? cyber security issues?

What are some of the risks we face with the That is not the right question. It looks more or less a sales introduction of government driven e-services and pitch. For research lets put money aside. The IT officers do you have any examples of these cases in your always complain of lacking enough funding but in my opinion country? they are not doing enough.

Demystifying Africa’s Cyber Security Poverty Line Tanzania Cyber Security 37 Report

There are enough free tools for someone to use. If one You are putting the cart before the horse. Let us focus on can develop their own security measures that are not training the experts. They should be very versatile in using standardized, they are more secure since the tools are not the tools and testing them. This can happen in universities known. that are doing cutting edge research in cybersecurity matters otherwise we are wasting time. In the private sector we have There is no correlation between the amount of money used vendors and not software companies. E-Governement has to fight cybercrime with the outcome. programmers, but there is lack of a sharing and collaboration ecosystem thus are crippled. Based on our research the Africa cyber security market will be worth USD2 billion dollars by 2020. In your opinion and from an African context, what Despite this opportunity, Africa has not produced a are the top 2018 cyber security priorities for African single commercially viable cyber security product or countries and organisations? solution. Training. We need passionate experts in the field. In your opinion, what should African countries or universities focus on to encourage innovation in the development of cyber security solutions?

What role can the private sector and consumers of imported cyber security products play to ensure we can encourage local players to start developing African grown cyber security products or solutions or even services?

Demystifying Africa’s Cyber Security Poverty Line Tanzania 38 Cyber Security Report

2017 Tanzania Cyber Security Survey

The goal of the 2017 Tanzanian report was to explore the evolving threat landscape and the thousands of Cyber-attacks that have been forged against individuals, SMEs and large organisations within Tanzania. Cybercriminals continue to take advantage of the vulnerabilities that exist within systems in Tanzania and the low awareness levels. Tanzania 150 12 This survey identifies current and future Cyber respondents Industry Sectors security needs within organisations and the most prominent threats that they face.

About the Survey The respondents who participated in This survey was this survey included Academic prepared based on data Insurance technical respondents collected from over 150 (predominantly chief respondents across information officers, organisations in Tanzania. chief information security They included companies Banking officers, IT managers and IT from the following sectors: directors) and non-technical Legal Advisory respondents (procurement managers, senior Financial executives, board members, Services finance professionals Professional and office managers). Services The survey measures the challenges facing Tanzanian organisations Government and the security awareness and expectations of their employees. Healthcare Telecommunications Services

Others

Demystifying Africa’s Cyber Security Poverty Line Tanzania Cyber Security 39 Report

Summary of Findings

According to the survey findings, 99.4% of respondents have a general understanding of what Cybercrime is. With the many advances in information technology and the transition of social and economic interactions from the physical world to Cyberspace, it is expected that majority of individuals have a general idea of what Cybercrime is.

1. Nature Of The Survey Group The Mirai botnet exploited poorly secured IoT devices to perform the largest ever distributed denial-of-service 54% of the respondents of this research worked for attack. companies with 500 or more employees, and worked However, a large percentage of the respondents who within the government and banking sectors. The rest of utilize these services, 60%, indicated that they do not the respondents were scattered across various sectors have policies in place to govern the usage of these of the economy. technologies. How many employees are you in your organisation? Security concerns involving these emerging of the respondents technologies are rapidly evolving – with our are employees of cybersecurity research this year indicating a marked 54% organisations with 500+ growth in the number of attacks and malware targeting employees. These were cloud infrastructures and IoTs. mostly from the Banking and Government sectors. Does your organization allow or utilize Cloud Services or Internet of Things Tech (Big Data Analytics)?

0 - 100 18% Organisations that allow or utilize Cloud Services or IoTs Tech 67% 101 - 500 28% Does your organization have a best practice policy for IoT and Cloud Services? 501 - 1000 15% lack policies to govern the usage 1000+ 39% of Cloud Services 60% or IoTs Tech

2. Cloud and IoT 3. Cybercrime

Respondents were asked about Cloud Services Cybercriminal related activity affected about 32% of and Internet of Things Tech (Big Data Analytics) our respondents, majority of whom were affected at and whether or not they utilize these services in a personal capacity. This suggests that attackers are their organizations. Of the organizations surveyed, preying on individuals personally and also directing their 32.9%, utilize these services. This is an increase in the efforts towards organizations by targeting individuals adoption of cloud and IoT usage within the country with within these organizations. It is noteworthy that about users such as Vodacom investing in Narrowband and 65% of the respondents reported not being victims of other customized Internet of Things (IoT) or Machine- cybercriminal activities. to-Machine (M2M) solutions and cloud computing services.

Demystifying Africa’s Cyber Security Poverty Line Tanzania 40 Cyber Security Report

However, from our analysis, majority of people do not 5. Reporting of Cybercrime understand what qualifies as cybercrime; and therefore a huge percentage of people lack the ability to recognize Internet-related crime, like any other crime, should be a cybercrime when it occurs. reported to appropriate law enforcement or investigative authorities. Citizens who are aware of federal crimes Have you been a victim of any cybercriminal activity in should report them to local offices of law enforcement. the last 5 years? In what capacity? 57.7%, indicated that they did not report the cyber-crime to the law enforcement. of the respondents have been victims of Cybercriminal activities 32.4% of the respondents took the matter to the law 32% enforcement, only 9.9% of this reports led to successful Personal Capacity prosecution – however this is an 8% improvement from 20% 2016. This is a result of inadequate laws concerning Cybersecurity and lack of technical expertise to Through Work 12% investigate incidents of cybercrime. Also of concern is that about 10% had no idea of how to report the Never 3% incidences to the law enforcement.

No 65% If you have been a victim of cybercrime, what action followed?

4. Impact of Cybercrime Reported cyber crime to the Loss of Money, System downtime and Inconvenience authorities were identified as the top impacts of cybercrime. This 32.4% presents one conclusion that majority of attacks in Tanzania are motivated by financial gain – suggesting Did not report to the police reasons why financial institutions, Saccos and 57.7% organisations that deal with transaction processing are Reported to the police with primary targets for the Cyberattacks. no further action 14.1% Reported to the police, who How has Cybercrime impacted on you? contacted me / organisation 2.8% but no further action Reported to the police, who Majority of the respondents have had followed it up to successful 9.9% prosecution an impact of cybercrime Reported to the police, who followed it up but no 5.6% successful prosecution System Downtime 22% Didn’t know how to report to the Police 9.9% Money Lost 28%

Inconvenience 20%

Others 30%

Demystifying Africa’s Cyber Security Poverty Line Tanzania Cyber Security 41 Report

6. Cyber security Spending 7. Managing Cyber Security

Investment in cyber security products is increasing. In 79.3% of organisations manage their cyber security 2017, we have seen a slight improvement of 4% reported inhouse as follows- 17.9% being handled by a dedicated to have spent less than $5000 on cyber security from in-house CERT and 61.4% handled by an individual in 55% to 51%. Further analysis also revealed that majority of charge of security within the organisation. This is an organisations which spend USD 10,000+ came from the increase of 8.3% from last year. Banking and Financial sectors. Only 6.4% have outsourced this services to an external This is not surprising since these industries are the most party(MSSP or ISP). More and more companies are targeted. now developing inhouse capabilities to manage cyber security, this is particularly the case with banking and Approximately how much does your organisation financial institutions . spend annually on cyber security? Our survey revealed that majority of respondents (55%) spend less who did not know how their cyber security was managed came from the Government sector. This was closely US $5000 followed by Insurance(11%) then Academia(10%). on cyber security 51% How is your organisation’s cyber security managed? Don’t know their organisation’s cyber security expenditure 50% of the respondents Spend US $ 1 - 1000 7.9% outsource the entire 6.4% security function for Spend US $ 1001 - 5000 12.1% their organisations Managed in-house by someone incharge of Spend US $ 5001 - 10000 5% Security policies 61.4% Outsourced to Internet Spend US $ 10000+ 19.3% Service Provider 5% Outsourced to Managed Spend US $ 0 13% Services Provider 1.4% Managed by in-house CERT 17.9%

Don’t Know 6.4%

Demystifying Africa’s Cyber Security Poverty Line Tanzania 42 Cyber Security Report

8. Cyber Security Testing Techniques 9. Cyber Security Awareness

Security testing is a process that is performed with the The level of awareness in Tanzania is still low with 17% of intention of revealing flaws in security mechanisms organisations not having an established cyber security and finding the vulnerabilities or weaknesses in the training program. Most organisations (32.9%) are also still environment. Recent security breaches of systems very reactive when it comes to cyber security training, underscore the importance of ensuring that your security these organisations train their staff only when there is testing efforts are up to date. an incident. This is worrying considering 40% of all cyber attacks reported in the survey was through work. In 2017 From the survey, 32% of respondents perform a alone, over 50% of the malware reported was spread combination of Vulnerability assessments, penetration through some form of social engineering. testing and Audits. 4% perform Penetration testing while 23% perfrom Audits. All these testing techniques are not On the other hand, Its important to point out that 55% of independent and in fact work best when they are applied respondents reported to have a regular training program concurrently. in place. The importance of having regular security training for employees cannot be over emphasised. Which of the following security testing techniques does your organization use? How often are staff trained on cybersecurity risks?

of the respondents carry of the respondents out security testing are regularly trained techniques in their 55% 68% organisation while 12.1% of organisations Vulnerability assessments, DO NOT train their staff on penetration testing and 32% cyber security Audits Yearly 33.6% Penetration testing 4% Monthly Audits 23% 17.9% Vulnerability Weekly 3.6% Assessments 9% Only if there is a problem Don’t know 32% 32.9% Never 12.1%

Demystifying Africa’s Cyber Security Poverty Line Tanzania Cyber Security 43 Report

10. Information Sharing 11. Concern about cybercrime in Tanzania

Few organizations can really work in a vacuum and no 86.4% were of the opinion that cyber-crime related single organization can see all of the threats laying in activities had been on the increase in the 2017; and a wait on the internet. Despite this, our survey revealed majority 97.1% of the respondents expressed some form that 47% of organisations do not keep up to date with of concern about cybercrime within their organization. cyber security trends and attacks. This shows that organisations and individuals are starting to be aware of the threat posed by the cyber space. This has resulted in duplication of attacks in various industries especially with the recent Wannacry and Petya What is your concern about cybercrime in Tanzania? ransomwares. think that cyber On the other hand, many organizations are wary of crime has increased sharing sensitive cybersecurity information, especially 86.4% in Tanzania in the with governments, regulators and peers. Not only can last year such information jeopardize the security posture of an Has increased in the organization, it can damage customer impressions of a last year 86.4% company and even affect stock values. Has not changed since last year 7.9% Still, it is important for organisations, regulators to put in place infrastructures that will ensure safe shairing of Not much of an issue 5% information. Has reduced in the past year 0.7% Is there a dedicated role or person within your organisation assigned to distributing or communicating latest cybersecurity updates?

of the respondents keep upto date with 75% cyber security news from various sources

Do not keep upto date 47%

Specialised news sources 24% Generic newspapers and news broadcasters 9% Social media networks contacts 11%

Outsourced services 3%

Consulting companies 5%

Demystifying Africa’s Cyber Security Poverty Line Tanzania 44 Cyber Security Report

12. Causes of cybercrime in Tanzania 14. Topics we should conduct research on to make the Internet a safer place Inadequate security training, education and awareness was thought to be the root problem with cybercrime 24% of the respondents indicated that research should by 35%, this is because a large number of individuals be conducted on educating users about the Internet were unaware of concepts of security. 25% thought that and security as this will help make them aware of the technology and the rapid advancements were the cause, possible vulnerabilities while using the Internet. while greed and economic gain were thought to be the cause by about 20%. Better understanding of the society and the cyber community was thought to be a key social research area What is the underlying cause of cybercrime? by 22% to ensure safety of the Internet while 16% were of the opinion that investment in Technology research was of the respondents a major candidate. believed cyber crime is 25% rooted in technology What research should we focus on?

Technology 25% of the respondents believe we should conduct Security Education 13% research on better laws and Training and Awareness 35% regulations to make the Economic Interests Internet a safer place (Financial gain) 20% Better Education of Business Competition Users of The Internet 24% Sabotage, IP theft 9% Improved Understanding of The Society and The 22% Lack of Intergrity Cyber Community (Corruption) 12% Improved Technology of Our Networks and Operating Systems 16% Better Encryption and 13. The use of BYOD in organisations. Improved Piracy 14% Better Laws and Does you organisation allow the use of BYOD and do Regulations 13% you have best practise policies for them? Better Metrics and Statistics on Cybercrime 10% of organisation allow the use of 41% Bring Your Own Devices

while

of the respondents have a best practice 59% policy for BYOD in their oganistions

Demystifying Africa’s Cyber Security Poverty Line Tanzania Cyber Security 45 Report

Key Trends From 2016 and 2017 2016 2017 Conduct Research on Cybercrime 75% 53%

Training on Cybercrime 32% 33%

Allow BYOD 61% 67%

Lack BYOD policies 59% 60%

Experienced Cybercrime 20% 32%

Prosecution of Cybercrime 3% 6%

Expenditure on Cyber Security above $10,000 2% 5%

Outsourced Management of Cyber 15% 21% Security

Demystifying Africa’s Cyber Security Poverty Line Tanzania

46 Industry Players Perspectives Cyber Security Report

Technology in the modern era Cybercrimes Act is penal and created cyber space where people substantial in nature having 26 engage in almost everything which offences ranging from; computer was previously done physically. related, content related, Intellectual Communication, financial transactions property to; offences against and even auctions are conducted in confidentiality, integrity and use. the cyberspace in recent years. Few Before 2007, electronic evidence years down the road, transactions was not admissible in court which through this technology seemed could have rendered impossible to as alternative. This cannot be prove cybercrimes even if Legislation spoken confidently today. With this against such ill acts was in place. changing trend therefore security Adv. Josephat must be placed at the centre Regardless of the admissibility stage. Technology by itself however, of such evidence, the laws were Mkizungo cannot play protective role in the not clear as to how to weigh such Senior State Attorney cyberspace. It is a misconception that evidence once admitted. Electronic cyber security should only depend on Transactions Act came to clear such Attorney General’s technology. People and process must a lacuna by providing criteria for Chambers go hand in hand. authenticating electronic evidence. But, the above is not a guarantee In the wake of such trend, countries that every offender will be arrested have put in place legal frameworks and prosecuted since there are so to regulate the use of cyberspace. many challenges in between including; Tanzania not being an exception, obtaining evidence or the offender enacted two crucial legislation in as he might be sitting in another 2015, Cybercrimes Act and Electronic jurisdiction. On the other hand Transactions Act No 14 and 13 authenticating electronic evidence respectively. Cybercrimes Act makes also requires knowledge, expertise provisions for criminalizing offences and equipments which most related to computer systems developing countries lack. and information communication technologies; to provide for It should be noted that all these investigation, collection and use of legislation condemning cybercrimes electronic evidence and for matters plays as a last resort measure to the related therewith. On the other hand victim of such offences. Mindful of this Electronic Transactions Act provides note, we should not only depend on for the legal recognition of electronic technology and legal frameworks as transactions, e-Government pillars to safe heaven. Every security services, the use of information starts with oneself! and communication technologies in collection of evidence, admissibility of electronic evidence, facilitation of use of secure electronic signatures and other related issues.

Demystifying Africa’s Cyber Security Poverty Line Tanzania

Cyber Security Industry Players Perspectives 47 Report

In your opinion, what are the key Yes, but it is very difficult to filter the If yes, how did you (company or country) Cyber security issues facing the same. However if there is a way it’s one respond to these cases? your country or Africa, what is good way. being done to address these issues Considering the shortage of skilled What can be done to improve and what is the best way forward? resources in Africa, how can we the general user awareness on limit the impact of ransomware • Illegal access the detection of fake news in the cases? • Fraud country? • Impersonation Increase awareness to end users, hire At the outset the society is not very Sensitization. resources from countries with expertise aware about Cyber security issue and long term plan is create our own until they fall victim of the above. Many governments in Africa resources. Sensitization is being done to different are investing in e-services groups but most of them they do not (e-government, e-voting, e-tax Do you think organizations are pay much attention unless and until they systems and many other portals.) spending enough money on are victims. Companies are securing Do you think the African citizenry combating Cybercrime? their systems and regulatory authorities are now becoming robust to penalize is ready to consume and utilize No those with vulnerabilities in their these systems without the worry of processes or systems privacy, security and fraud? What can be done to encourage Kindly highlight some of the top Most of the citizens are still in the dark, more spending on Cyber security Cyber security issues of 2017 and they do not understand much about issues? how these issues impacted you Cyber issues. The worry of privacy personally, your organization or infringement is not their primary Make decision makers conscious about concern. Fraud creates a bit of a worry the risk. country? as many have fallen victims to this due • Ignorance to the spread of the use of money Based on our research the Africa • Lack of awareness on Cyber transfer through m-pesa, tigo pesa etc. Cyber security market will be security concern worth USD2 billion dollars by • Lack of resources What are some of the risks we 2020. Despite this opportunity, face with the introduction of Do you think fake news is a major Africa has not produced a single government driven e-services and problem in your country or Africa? commercially viable Cyber security do you have any examples of these product or solution. In your opinion, cases in your country? Yes. what should African countries or universities focus on to encourage If yes, who should be responsible The main is a security concern, even innovation in the development of USA is said to suffer that during Cyber security solutions? for controlling the creation elections. Vulnerability of systems is the and distribution of fake news main concern. (government, end users, Telcos or First Government through Universities should put more focus on this faculty ISPs or content owners)? Example: None while creating a friendly environment for innovation. All, however Content owners, In 2017, we had several cases of Government and users play a greater Cyber security attacks including role. What role can the private sector ransomware attacks across the and consumers of imported world–were you impacted by these Cyber security products play to Should regulators force influential attacks? platforms like Google and ensure we can encourage local players to start developing African Facebook to remove fake news No. and other extreme forms of grown Cyber security products or content from their platforms? solutions or even services?

Demystifying Africa’s Cyber Security Poverty Line Tanzania

48 Industry Players Perspectives Cyber Security Report

First they should start by embracing What has to be done in-order From an African context, what and trusting local resources then they to ensure balance in the would be the top priority to should create an environment which Cybersecurity triangle in Tanzania? address Cybercrime across the encourage innovation eg sponsoring continent? hubs for people with such skills and talent to share such experience also Raise consciousness especially to encourage Research and Development decision makers. Cooperation. of such solutions in education centers, innovation hubs etc In your opinion what drives criminals to commit Cybercrime or In your opinion and from an African Cyber offenses? context, what are the top 2018 Cyber security priorities for African Some are due to ignorance especially countries and organizations? for those content related offenses, others are greedy. • Sensitization • Training What do you think would be the Our theme is “Understanding the best approach to address the Cybersecurity triangle: People, Cybercrime issue in Tanzania? Process, and Technology.” Which • Sensitization on how to avoid do you think has the biggest Cybercrime to the general public impact or weight in Tanzania? • Setting minimum security standards for systems including processes People. • Training • Cooperation local and international • Legal framework

Demystifying Africa’s Cyber Security Poverty Line Tanzania Cyber Security 49 Report

Summarized Findings Report – What are Cybersecurity Gaps in Tanzania? *Reporting approach adopted from Cyberroad-project and survey

Theme Scenario Consequence(s) Mitigation Identified Gap(s) Limited visibility on 1. Fraudulent database 24/7 monitoring of activities How can Tanzanian activities on the postings! within databases. companies improve visibility databases. on DB activities at a cost 2. Loss of sensitive Limit and monitor access to effective and resource Database information! database. Security friendly manner? Audit and review privileged access to DB.

Compromised Unauthorized access to Audit the activities of privileged How can organisations administrator accounts. critical systems within the users within the network. implement segregation of organisations! duties when resources (staff) are limited? Privileged User Management

Missing patches Exploitation of missing Remediation roadmaps that How can Tanzanian contribute 70% of patches to compromise ensure that critical patches are organisations maintain vulnerabilities identified. confidentiality, integrity applied while medium and low risk a patch management 60% of these are never and availability of critical vulnerabilities are fixed within a program without exhausting Patch mitigated. informational assets! stipulated agreed upon period. resources? Management Employees are trained Employees fall victims of Regular employee training How can organisations ensure only after an incident. social engineering attacks! programs that have an employees understand effectiveness measuring metric. the concepts taught during awareness workshops/ trainings?

IT Training is done on IT teams lack the expertise Regular training on both How can IT teams widen specific tools. for defensive and defensive and offensive Cyber their gaze from being offensive security! security concepts. “tool analysts” to network engineers and architects? Training and Awareness Board members Lack of visibility on actual Board training to involve How can Board members lack Cyber security Cyber security posture! reporting metrics for enhanced shift from the traditional expertise and rely on visibility that can provide a basis “oversight” role into the standard audit reports No standard way of and guide on future decision proactive Cyber security to understand the measuring progress and making. role? security posture of ROI on IT investments! organisations.

Limited expertise Networks are Organisations to invest in or Where can organisations in the country on misconfigured to allow outsource security engineers/ get specialized training Security Architecture/ easy manipulation and architects for network design on security architecture/ Engineering skill set. system sabotage! purposes. Engineering? Network Security Engineering

Demystifying Africa’s Cyber Security Poverty Line Tanzania 50 Cyber Security Report

Theme Scenario Consequence(s) Mitigation Identified Gap(s) Greedy and Disgruntled Compromise of Audit and monitor activities of How can Tanzanian employees are being administrator accounts privileged accounts organisations share recruited by cartels to information on malicious Privilege escalation Insider Threats launch attacks insiders? Malicious transaction Segregation of duties posting Develop a user access matrix Data exfiltration Sabotage of critical systems

Multiplicity - Remote Compromise of Multiplicity as an Indicator of Access to critical confidentiality, Integrity Compromise – Establish a system after business and Availability baseline for what is normal. hours goes undetected Continuous Monitoring Velocity – Multiple failed Compromise of Velocity as an Indicator of logins to critical system confidentiality, Integrity Compromise - Establish a within a short period of and Availability baseline for what frequency is time goes undetected normal for the organisations. by security teams Volume – Bulk Compromise of Volume as an Indicator of How can Tanzanian transactions go confidentiality, Integrity Compromise - Establish a organisations establish a undetected by security and Availability baseline for what number, baseline for what “normal” is. teams bandwidth or utilization metric is normal for the organisations. Limits - Security Malicious postings of Limits as an Indicator of personnel are unable transactions Compromise - Establish a to determine a baseline baseline for what threshold is for understanding normal for the organisations limits as an indicator of compromise.

Demystifying Africa’s Cyber Security Poverty Line Tanzania Cyber Security 51 Report

Inter Industry Analysis - Africa

Banking and SECTOR Financial Telecommu- Other Services Government nications Industries YEAR ‘16 ‘17 ‘16 ‘17 ‘16 ‘17 ‘16 ‘17 Been victims of any 59% 55% 63% 67% 67% 65% 48% 51% cybercriminal activity in the last 5 years; Through work

Organisations spending 33% 30% 45% 45% 30% 27% 48% 50% below $1,000 USD annually on cyber security

Organisations with 63% 55% 58% 58% 71% 71% 40% 48% Cyber Security managed In-house

Yearly training staff on 39% 45% 45% 47% 55% 57% 38% 33% Cyber Security risks

Organisations that 20% 26% 60% 61% 49% 40% 60% 60% allow Bring Your Own Devices (BYODs) usage

Organisations who 30% 35% 74% 74% 60% 56% 57% 55% lack BYOD policy

Organisations utilizing * 46% * 43% * 40% * 58% Cloud Services or Internet of Things Tech (Big Data Analytics)

Organisations * 35% * 71% * 54% * 54% which lack an IoT and Cloud Policy

* No statistical analysis done in 2016 on this section.

Demystifying Africa’s Cyber Security Poverty Line Tanzania

52 Industry Players Perspectives Cyber Security Report

Approach in Raising Cyber Security Poverty Line

Poverty as is loosely defined is the inability • Can we measure during attack extent of to meet basic needs. Unfortunately event? here in Africa we have experienced the overwhelming sense of hopelessness in Have resilience and ability to recover being unable to meet any one life basic from cyber event needs. • What is the organisations ability to In our report we build on the concept operate during an attack? of the Security poverty line in which an organization is seen to be unable to • Is there a documented recovery effectively protect itself from a cyber methodology? threat. • Are their resources (data backup and In 2018 all organization needs to measure Joseph Mathenge alternative systems) to help recover? whether they have adequately invested to Chief Operating Officer protect, detect, respond and recover to • How often are these tested to measure cyber events. So in discussing poverty in effectiveness? Serianu Limited cyber security one will need to understand what are basic cyber security needs. In no order of priority, basic cyber security In reading through this one may ask what functions will include: tools are available to measure each of the above areas. There are several resources Ability to Identify threats. available to help assess these areas. Beginning with perhaps the simplest and least expensive is a self-assessment using • What can attack the organization? template or questionnaire downloaded from resources such as NIST or the SANS • How would they attack? Institute. An organization without internal resources with expertise in technology Actively protect information assets. or cyber security might struggle working through the terminologies found in • What would they attack? such templates. However they innately understand their operating environment • What are my information assets? and have the best knowledge in identifying impact a threat may have on the business. • What is the value to my organization? The next level would be engaging an external third party to conduct an Ability to detect cyber incident. assessment. Most organizations contract external parties to conduct a Vulnerability assessment and Penetration test (VAPT). • Are there alerts to detect cyber events? These assessments, while are good and indicative of vulnerable areas may not • How long does it take to detect events? fully explore all the areas required to ensure Cyber Security basic needs are Understand how to respond and met. Additionally the output tends to be contain cyber event. technical in nature showing systems and vulnerabilities in terms of lack of patching or • In receiving the alerts is there a misconfiguration of systems. It is imperative methodology to responding? that the output is contextualized in terms of business critical process to help create and • Does the organization have roles and implement and effective remediation plan. responsibility defined for cyber events?

Demystifying Africa’s Cyber Security Poverty Line Tanzania

Cyber Security Industry Players Perspectives 53 Report

Having measured your organization against each of the above needs where should one begin? Particularly if all indicate that the organization scores poorly in each area, is there one area that should be prioritized?

Security practitioners and academicians would probably offer convincing arguments and positions on what is most important. I offer the following as a practitioner from my experience on which I have been successful in improving global organizations in raising their cyber security posture.

• Ability to detect cyber security incident and classify its impact.

• Ability to respond and contain event.

• Build the ability to exercise resilience during the event and quickly recover from the event.

In concentrating limited resources in building the above capabilities, I have realised exceptional value in protecting and organizations information assets.

Additionally I have found a clearer path in associating the above activities to key business goals around risk management. This becomes essential in making the business cases to business leaders and having them avail budgets in order to raise an organization cyber security posture.

Demystifying Africa’s Cyber Security Poverty Line Tanzania 54 Cyber Security Report

Cost of Cyber Crime Analysis – 2017

In this section, we look Methodology A significant proportion of this cost more closely at the cost comes from the insider threat, of Cybercrime in Tanzania, in Our assessments are, essentially, based which we estimate at $29.9M per particular, to gain a better on reported incidents of Cyber crime, annum. In all probability, and in line appreciation of the costs to our insider knowledge when handling with our worst-case scenarios, the local economy. cases of Cybercrime, estimates and the real impact of Cyber crime assumptions. is likely to be much greater. As From our research and analysis, we for measuring costs, this report estimate that Cyber-attacks cost We have drawn from information in the decomposes the cost based on Tanzania businesses around $99.5 public domain, law enforcement and these 4 categories: million a year, which includes direct economics experts from a range of damage plus post-attack disruption public and private-sector organisations • Costs in anticipation of to the normal course of business. and our tremendous knowledge of Cybercrime, such as antivirus numerous incedents. software, insurance and compliance. With this said, the boundary between traditional crime and Cybercrime • Costs as a consequence of remains fluid. Therefore for our research, Cybercrime, such as direct the term Cyber-crime refers to: losses and indirect costs such as weakened competitiveness as a result of intellectual property The traditional forms compromise. Tanzania of crime committed • Costs in response to Cybercrime, Cost of such as compensation payments cyber-attacks over electronic to victims and fines paid to $99.5m communication networks regulatory bodies. annually and information systems • Indirect costs such as reputational damage to firms, and crimes unique to loss of confidence in Cyber transactions by individuals and electronic networks, businesses, reduced public-sector e.g. attacks against revenues and the growth of the underground economy. information systems, denial of service and hacking.

Demystifying Africa’s Cyber Security Poverty Line Tanzania Cyber Security 55 Report

Type & Cost of Cyber Crime in Tanzania

Insider Threat 30% $29.9M

Attacks on Computer Systems (Unauthorized 20% Access and Malware) $19.9M

Email Spam & 15% Phishing $14.9M

Social Engineering 12% and Identity Theft $11.9M

Online Fraud 10% Scams $9.9M

8% Data Exfiltration $8M

Ransomware 5% $5M

TOTAL $99.5M

Demystifying Africa’s Cyber Security Poverty Line Tanzania 56 Cyber Security Report

Sector Ranking

Telecommunications Financial Services Banking Mobile Money From millions of phone numbers, identification Mobile money revolution has seen Cyber criminals are going numbers, PIN numbers etc, the Sh43 trillion being transferred directly to where the money is telecommunication industry holds through mobile phones annually – the Banking sector. Banks and a lot of personal data. As a result, - equivalent to 47 per cent of the financial firms are big targets these organisations are now an gross domestic product. for cybercrime particularly from attractive prospect for those with malicious insiders. Attacks seen malicious intent. Globally and in Majority of banks, merchants over the year include Direct DB the past few years, we have seen and service industry firms in manipulation, email phishing and several high-profile breaches Tanzania are now adopting mobile compromise of critical systems to involving the theft of data from money services to serve as one cause downtime. numerous telecom companies of their alternative channels. The such as Talk Talk and France’s continuous integration of Mobile The increased adoption of Orange. It is critical that Telcos money into other sectors such as newer (and potentially high-risk) adopt advanced security solutions hospitality, banking, transportation, technologies including mobile to withstand these attacks. It is telecommunication, E-commerce, and internet banking further notable that majority of Telecoms government and other financial puts these institutions at risk. manage their cybersecurity in- sectors opens up a number of Majority of the banks do not have house. challenges that attackers are now controls in place for maintaining leveraging. Users are not educated transaction limits. It should on how they need to secure their however be pointed out that, out mobile phones, how to avoid social of all industries in Tanzania, the engineering that leads to monetary banking sector has put in more loss etc. controls and spends more to ensure their cyber security as It is critical for organisations to compared to the other industries. secure their integration points with Mobile money and also educate their users on how to stay safe to avoid social engineering scams that lead them to lose money. Tanzania Cyber Security 57 Report

Cyber security is no longer a concern for the financial & banking sector only. As the adoption of Internet use and automated services increases across all industries, Cyber security comes along as part of the package. In Tanzania, as in the rest of the world, there have been instances of Cyber compromise, attacks and attempts that have raised Cyber security to a critical level. Cyber security keeps metamorphosing across a wide range of fields. Here is a most current ranking of different sectors facing different Cyber risks.

E-Commerce Hospitality & Sacco’s, Penetration of e-retailers Retail Cooperatives including online shopping and malls such as Jumia, E-Bay, The hospitality industry is primarily Microfinance OLX among others has client facing and as such deals with increased significantly. More a great deal of sensitive customer companies in the different information. Processes ranging These institutions are rapidly sectors of their economy are from reservation details, payment, growing in Tanzania. However, taking their marketing and travel, personal information are they are so focused on customer distribution of goods to online now automated and we are seeing satisfaction and reducing costs, sites as well. This growth, introduction of services such as they tend to neglect investment paired with the services of digital conference facilities, smart in cybercrime prevention. This has 24/7 delivery companies like room keys and mobile applications made them a popular target for G4S, DHL have increased which enable the client to perform cybercriminals. Larger institutions confidence in online shopping. a wide range of otherwise manual have invested more in cyber Due to system vulnerabilities, processes. However, information security in comparison to smaller an increase in the number security aspects tend to be institutions hence making them an of online scams, fraudulent neglected as most of the focus is on easier attack target. transactions and breach automation. This leads to a myriad of consumers’ personal of risks ranging from information information has been noted. theft, data breaches and credit Merchants need to be card theft. Malware targeting these aware of the risks electronic businesses are now being seen in transactions carry, and POS (point-of-sale) terminals to work towards securing the steal credit card data and targeted systems to the highest attacks against hotel systems to standards. steal confidential data. This has both financial and reputational impact on these organisations as customers quickly lose trust in them. Tanzania

58 Industry Players Perspectives Cyber Security Report

Kindly highlight some of the top cyber What can be done to improve the security issues of 2017 and how these general user awareness on the issues impacted you personally, your detection of fake news in the country? organisation or country? Create platforms that can objectively fact- 2017 was the year of the Ransomware. check such fake news and aggressively There was a global meltdown of ransomware promote them untill they become de facto attacks each one improving on the success sources for news validation by anyone who and challenges of the previous. Something truly cares to check became more apparent with this wave of sophisticated ransomware attacks Many governments in Africa are across the globe; patching will always lag investing in e-services (e-government, behind causing a perpetual security gap. Olabode Olaoke e-voting, e-tax systems and many Detection and Incident response still remains other portals.) Do you think the African a capability yet to fully mature in most PWC citizenry is ready to consume and organisations. For me, it was an opportunity to get the attention of very senior leadership utilize these systems without the worry within organisations. In my country (Nigeria) of privacy, security and fraud? however, too many organisations were too ashamed to disclose that they had been hit We are not ready as most countries in - a bad day for the cybersecurity community Africa are not sufficiently prepared for as we did not get an opportunity to correctly the risk associated with data collection, measure our exposure and capabilities to handling, storage and protection. Where deal with the reality. laws/regulation around the management and security of such data exists, they are Do you think fake news is a major very limited in scope with almost zero problem in your country or Africa? enforcement capability.

Well, to some extent yes. What are some of the risks we face with the introduction of government If yes, who should be responsible driven e-services and do you have for controlling the creation and any examples of these cases in your distribution of fake news (government, country? end users, Telcos or ISPs or content owners)? First problem is that we have limited or no knowledge of how the data is handled, stored, protected and accessed. There is Content owners. Fake or real, consumers absolutely no insight into what is happening of news should develop the capability to to all the data and information associated validate the content they consume. with these services, we have no way of knowing who is accessing the data, when Should regulators force influential where, for what purpose etc. yet, we are platforms like Google and Facebook to expected to trust government to do the right remove fake news and other extreme thing with the services even when we often forms of content from their platforms? don’t trust the government itself. We risk having a lot of personally identifiable data No, I believe in net neutrality and freedom and information fall in the wrong hands and of Internet content. However, organisations have absolutely have no way of protecting like Google, Facebook etc. should determine ourselves when this happens. what kind of content they ‘permit or air’ on their platforms.

Demystifying Africa’s Cyber Security Poverty Line Tanzania

Cyber Security Industry Players Perspectives 59 Report

In 2017, we had several cases of What can be done to encourage What role can the private sector cyber security attacks including more spending on cyber security and consumers of imported ransomware attacks across the issues? cyber security products play to world–were you impacted by these ensure we can encourage local attacks? More “evangelizing” by those of us in players to start developing African the profession as well as professionals grown cyber security products or Not directly. I however had to help with stepping up to the game. Too many solutions or even services? a few cases where professional incident organisations are not getting the right return for their cybersecurity response was required. Promote competition for the investments and therefore struggle development of local products, subsequently to make the appropriate If yes, how did you (company or patronise them and invest in local investments. country) respond to these cases? capability. Demand excellence and quality from local products Based on our research the Africa We had quite a lot of security advisory from relevant government agencies cyber security market will be In your opinion and from an African and professional services firms and worth USD2 billion dollars by context, what are the top 2018 associations. That was really all that 2020. Despite this opportunity, cyber security priorities for African happened. Africa has not produced a single countries and organisations? commercially viable cyber security Considering the shortage of skilled product or solution. Establishment of sound laws, regulatory resources in Africa, how can we frameworks around cybercrime, limit the impact of ransomware In your opinion, what should data protection 2. Implementation of cases? African countries or universities cybersecurity frameworks aimed at focus on to encourage innovation identification, protection, detection, Awareness, awareness, awareness! in the development of cyber response and recovery of e-Services Also, organizations should embrace security solutions? with capabilities up to detection and practicing good information security and response at a minimum. Organisations should focus heavily on building a where possible ensure that they are Invest substantially in research. human-firewall through effectively making the right amount of investment Research is the soul of cybersecurity; it targeted TEA (training, education in cybersecurity as informed by a is a big part of the investment required and awareness) initiatives as well credible risk management process. yet, we focus only on consumption as developing technical capabilities Sometimes, ist easier to simply of what’s already created. Research for detection and response to outsource to competent hands. software, research data and analytics, cybersecurity incidents. build analysis engines etc. Do you think organisations are spending enough money on combating cyber-crime?

NO!

Demystifying Africa’s Cyber Security Poverty Line 60

Security Begins Home Security at Home Home-owners and Our culture, Pan Africanism, emphasises on the need TO BE MINDFUL OF essentially anyone FELLOW AFRICANS. We’re all connected via the shared network we call the Internet. It is in our own best interests to make sure everyone – FROM with property in THE YOUNG TO THE OLD, ON SNAPCHAT, FACEBOOK AND TWITTER - KNOW and practice basic security habits. Africa, locks their doors without This section highlights top trends and security issues and corrective measures for security in our homes. thinking twice. African parents IP Cameras/Nannny Cams they come with certain risks. In October, hackers took over 100,000 are well known for For young parents, a baby monitor is IoT devices and used them to block monitoring who an essential device to check on the traffic to well-known websites, baby’s welfare. Majority of these devices including Twitter and Netflix. their children are are misconfigured and have default passwords. This means a hacker or a Home Routers associating with, pervert could potentially gain access and the language they monitor your child or play eerie music. When buying a home router, no This calls for home owners to be vigilant consideration is put on the security use around other in securing their electronic devices. of these devices. Recent research has shown that your home routers people and so on. Smart Homes can be used by malicious outsiders to launch attacks against websites But millions of users IoT is changing our traditional approach belonging to other organisationss around Africa still to how we live and interract with our without your direct involvement. homes. A number of houses, apartments don’t have the same and estates in Dar es Salaam have As a home owner, you run the risk CCTV surveillance, Smart TVs, DVRs and of being blocked by certain sites, mentality about their connected thermostats that you can your internet speed may be slow monitor and handle from any part of the due to the excessive bandwith digital presence. world. These gadgets add convenience utilization and you will incur higher like locking your door or shutting off the costs. lights all from a smartphone app, but

Security Tips Buy from Connect to a Change trusted guest network brands

Install Disable unused default updates passwords Use all included features right away security features

Demystifying Africa’s Cyber Security Poverty Line Tanzania Cyber Security 61 Report

Securing the Child Children in particular have unprecedented access to computers and mobile technologies, and have in recent decades tended to adopt these from an early age, resulting in ICTs becoming thoroughly embedded in their lives. To ensure security of the child online, it is necessary for parents to position and equip themselves with the right tools as follows: Teach Yourself Get Them Offline

Educate yourself about the It is key to remind children apps they’re using in order that there’s a whole world Parents should educate themselved on to make informed decisions offline too. This is important detecting when their child is being bullied and about what they’re able to in a number of way, most do on those apps. important being to help ways of helping them through this.Here are dampen the impact of some other examples of behavior that could Check Privacy Settings potential Cyberbullying. It is cross the line into Cyberbullying: important to remind children Take advantage of built-in to have fun in other ways off • Sending or posting mean things to or about parental controls. Major mobile phones. someone apps and services – like Facebook or your DSTV box Cyber Bullying • Creating a hostile environment in an online – have ways of restricting world or game access for young people, so With the statistics and check through the settings games such as blue whale thoroughly before letting piling up, it has become Parents can your child onto a device. increasingly clear that the cruelties inflicted by • Talk about bullying with their kids and Parents can also leverage Cyberbullying have become have other family members share their technologies meant to a devastating reality for experiences. secure kids online such many teens.This can cause • Remove the bait. If it is lunch money or Google’s Kiddle, this presents damaging self-esteem a colorful space-themed issues, depression, self- gadgets that the school bully is after. page with a filtered search harm, feelings of isolation • Don’t try to fight the battle yourself. bar to ensure only kid that hinder performance friendly content is displayed. in school, social skills, and general well-being.

Demystifying Africa’s Cyber Security Poverty Line Tanzania

62 Industry Players Perspectives Cyber Security Report

Love it or hate it, the GDPR is here to stay!

Historical context for the GDPR countries have data privacy legislation, with an additional 14 countries working on Global recognition of the importance of legislation, leaving a balance of 24 currently data privacy can be traced back to the having taken no action so far. There are United Nations (UN) which has a long history some leading examples in Africa, such as of promoting the right to privacy through Mauritius which passed the Mauritius Data its Human Rights treaties. This includes Protection Act (MDPA) in late 2017, swiftly article 12 of the Universal Declaration of brought the MDPA into full force in January Human Rights in 1948 and article 17 of the 2018 and thus positioned itself as a leading International Covenant on Civil and Political nation in Africa and the Indian ocean Rights in 1966. More recently in July 2015 the island states in terms of alignment with UN appointed a “Special Rapporteur on the the European Union and its General Data Dr. Peter Tobin right to privacy” to bring additional focus to Protection Regulation (GDPR). the importance of data privacy. Supporting Privacy and Compliance the UN is the Organisation for Economic Co- So what is the European Union GDPR? Expert operation and Development (OECD) which in 1980 issued its “Guidelines on the Protection BDO IT Consulting Ltd of Privacy and Transborder Flows of Personal Data” which were revised and re- issued in 2013, just as the POPI Act (POPIA) Mauritius was gazetted in South Africa, allowing that country to join the growing list of those forming part of the African community of nations that have embraced personal data protection legislation. Following the UN and OECD initiatives, nearly one hundred countries and territories have established or are developing data protection laws.

African personal data privacy and protection developments During 2016 the General Data Protection Regulation In Africa, the African Union (AU) Commission and the Economic Commission for Africa – commonly known as have spearheaded the development the GDPR – was finalised, of the AU Convention on Cybersecurity and Personal Data Protection, which was with a transition period to adopted by the AU Heads of States and Governments Summit in June 2014 in full compliance required Malabo, Equatorial Guinea. Eight Countries by those organisations had already signed the convention by July 2016 according to AU Commission: Benin, impacted - those Chad, Congo, Guinea Bissau, Mauritania, processing directly Sierra Leone, Sao Tome & Principe and Zambia. At a regional level in Africa there (controllers) or indirectly are also several initiatives, notably the ECOWAS Cybersecurity guidelines and (processors) the personal the SADC Model Law on data protection, data or EU residents - by e-transactions and cybercrime. There is also the HIPSSA initiative (Harmonization of the May 2018. ICT Policies in Sub-Saharan Africa) which covers 30 countries across the continent. Latest estimates show that 16 African

Demystifying Africa’s Cyber Security Poverty Line Tanzania

Cyber Security Industry Players Perspectives 63 Report

The GDPR has potentially wide- In the case of the United Kingdom Controllers. Some of the chapters of ranging implications for companies (UK), there were strong indications the GDPR are really only of interest based outside the EU (increasingly at the time of writing this article that to the supervisory and regulatory often in Africa) trading with the EU the UK would fully align itself with the authorities (such as chapters 6, 7, 10 member states. Of particular interest GDPR even post “BREXIT” (the exit of and 11), whilst others discuss important is the following extract from the the UK from the EU). The GDPR has issues such as remedies, liability and GDPR document: “The [European] 173 introductory clauses (sometimes penalties (Chapter 8) which can have Commission may decide with effect for referred to as the recitals, a form of serious consequences for Controllers the entire Union that a third country, explanatory pre-amble), with the main or Processors who do not meet the a territory or specified sector within regulation body comprising 11 chapters requirements of the GDPR. a third country, or an international made up of 99 Articles which come organisation, offers an adequate level to over 400 numbered paragraphs. Key changes in the GDPR of data protection, thus providing legal It is important to remember that the certainty and uniformity throughout GDPR works in conjunction with other Compared to the earlier EU-wide the Union as regards the third country EU directives and regulations at an EU directive of 1995, the GDPR contains a or international organisation which is level, and may be complemented by number of key changes. These include considered to provide such level of local legislation, whether in EU member the increased territorial scope of the protection. In such cases, transfers of states or in African countries that are GDPR (extra-territorial or non-EU personal data to that third country or seeking to align themselves to the member state applicability; significant international organisation may take GDPR. increases in potential penalties (rising place without the need to obtain any to up to 2% to 4% of global turnover further authorisation. The Commission After chapter 1 which contains a series of either or both of the Controller may also decide, having given notice and of general provisions and definitions, or Processor found at fault by the a full statement setting out the reasons chapter 2 covers the principles of data supervisory authorities). There have also to the third country or international processing, which have been refined been changes to the nature of consent organisation, to revoke such a decision.” since the previous EU personal data which can be used as a justification of This opens the door to leading practice protection directive of 1995. Chapter lawful processing, including expanded nations and sectors stealing a march 3 addresses the “Rights of the Data requirements in terms of the record over their competitors in the global Subject”, those EU-resident individuals keeping for consent given, refused marketplace for information services whose personal data may be processed or withdrawn. Whilst some countries provision where personal data is by one of more the main parties who have already implemented strict rules processed. need to comply with the GDPR: the around data breach notification, the Controller (typically an organisation such GDPR emphasises to requirement So what, briefly, is the GDPR (www. as a business or arm of government) to normally notify the supervisory eugdpr.org)? that determines and controls the authorities within 72 hours of a data processing of the personal data and breach being confirmed (perhaps the Processor, a service provider which after an initial check that the data The GDPR is a renders personal data processing breach is real and not imagined or only services to one or more Controllers. suspected). Data subject rights have single regulation There are other Third Parties that may also been clarified and expanded to be involved, such as those organisations include the much-discussed “right to be that automatically where the Controller shares personal forgotten” (erasure of personal data) data for a variety of legitimate reasons. as well as the right to data portability, applies to all Chapter 4 looks at the duties of the such as when moving between service Controller and Processor. providers. “Privacy by design and default” also represents not only a new current and future Chapter 5 addresses the Transfer requirement but one which addresses of Personal Data to 3rd Countries the approach to personal data privacy European Union or International Organisations, an as “built-in” not just “added-on”. The last important consideration when dealing major change highlighted by the EU is members states with countries in Africa that, for the enhanced and expanded (broader example, host outsourced personal and deeper) role of the Data Protection from May 2018. data processing services for EU-based Officer (DPO).

Demystifying Africa’s Cyber Security Poverty Line Tanzania

64 Industry Players Perspectives Cyber Security Report

Beyond the vanilla GDPR 4. You have provided all necessary authority? (Article 33: Notification information at point of collection? of a personal data breach to the It is important to be aware that the (Article 13: Information to be supervisory authority) GDPR in its basic format has already provided) been complemented by a number 12. You have a policy, process and publications by the group that will 5. You have a policy, process and procedures for data breach over time become the collective body procedures to ensure a) right notification to the data subject? for supervisory authorities in the EU of access; b) to rectification; c) (Article 34: Communication of a (European Data Protection Board, to erasure; d) to restriction of personal data breach to the data established under Article 68 of the processing; by the data subject? subject) GDPR), although operating at the (Article 15 - 18: Right of access; time of writing under the “Article 29 to rectification; to erasure; to 13. You have conducted data DPWP” branding (perhaps somewhat restriction of processing) protection impact assessments confusingly, that’s Article 29 under the where necessary according to the 1995 directive and not under the GDPR). Further guidance is already planned in 6. You are meeting all the screening rules? (Article 35: Data areas such as consent, transparency, responsibilities of the controller? protection impact assessment) profiling, high risk processing, (Article 24: Responsibility of the certification, administrative fines, breach controller) 14. You have, where necessary, notification and data transfers. appointed an appropriate data 7. You have data protection by protection officer following the EU So how is your compliance status? design and by default? requirements? (Article 39: Tasks (Article 25: Data protection by of the data protection officer) Here’s a quick review of some of the key design and by default) considerations when preparing for (or 15. You have appropriate safeguards maintaining) compliance with the GDPR. 8. You have a representative in the for cross-border transfers? Can you prove that: EU? (Article 27: Representatives (Article 46: Transfers subject to of controllers not established in appropriate safeguards) 1. You comply with the 6 principles the Union) relating to personal data 16. You have trained your staff in all processing? (Article 5: Principles 9. You have adequate records of of the above aspects and more relating to personal data processing? (Article 30: Records (Article 39: Tasks of the data processing) of processing activities) protection officer)

2. You comply with the lawfulness 10. You have adequate security of of processing rules? (Article 6: processing? (Article 32: Security Lawfulness of processing) of processing)

3. You have records of consent that 11. You have a policy, process and meet the required conditions? procedures for data breach (Article 7: Conditions for consent) notification to the supervisory

So maybe you didn’t score full marks and are beginning to hate the idea of all the effort it might take to climb the GDPR mountain if you need to. But perhaps it’s also time to look on the bright side, and learn to love the GDPR. It might just be that the next big contract you land with a client in Europe or service work you perform for an organisation outside the EU but with clients in the EU, provides the bonus you have been promising yourself all year. One way or the other, love it or hate it, the GDPR is here to stay!

Demystifying Africa’s Cyber Security Poverty Line MULTIPLICITY • Scanning from external IP • Traffic to core VLAN from extenal IP • Dormant account activity • Logs deleted VELOCITY • Bruteforce attempts • Multiple posting on DB • Bulk transaction • System unavailable VOLUME • Excessive DNS queries • Remote Access tool detected processing • AV disabled INDICATORS OF COMPROMISE LIMITS • IP conflicts • Auditry disabled • Transaction over limit

KEY SYSTEMS

Firewall Antivirus Active Directory

ATTACK STAGES

RECONNAISSANCE GAINING ACCESS ATTACK HIDE TRACKS

Stage 1

Stage 2 Social Engineering and Identity Theft File Data Exfiltration Gaining DB Server Access Attack Users

Document Stage 3 Malicious DB ATM/POS/MPESA Management Manipulation • Admin credentials Systems Admin Servers • Customer account Stage 4 Email

Malware Server

Cyber Hide Erasing logs to Criminal Using Tracks TOR/Proxy remove evidence Server to Web Defacement hide actual IP

Clean PC

Sending money to multiple recipients Tanzania

66 Industry Players Perspectives Cyber Security Report

Ransomware: A Growing Threat data so the user can gain back access to their data. This last step One of the most debilitating attack vectors is not guaranteed. we are experiencing today via ransomware. This, coupled with the fact that malware Organisational Challenges authors are opting to use custom-written libraries and methods instead of reusing Organisations across the board are facing off-the-shelf packages, presents a very strenuous challenges as they strive to formidable challenge to individuals, security enhance their security posture. Below are researchers, and organisations at large. the top challenges we have observed since our last report: Anatomy of a Ransomware Attack Jeff Karanja • Budget allocation – One of the primary 1. The malware author generates prohibitive obstacles to developing Information Security an encryption key pair and and sustaining a robust Cybersecurity Consultant incorporates the public key in the ecosystem. malware’s code. • Low Cybersecurity Maturity Posture – 2. The malware is deployed using Lack of skilled professionals to develop, any number of delivery strategies, spearhead and implement customized e.g. targeted spear phishing, spam Cybersecurity roadmaps for their e-mail, Trojan download, malicious organisations. URL, e-mail attachment. • Network Architecture – Poor and 3. Once the malware is on the system, inconsistent network design without it starts by generating a random proper segmentation or access control. symmetric key and encrypts the victim’s data using that key. • Cloud Deployment – Lack of awareness 4. The public key, inserted into when it comes to service provider malware by threat actor, is then security control implementation. Hire a used to encrypt the symmetric key competent firm to perform a SAS 70 that was generated in Step 3. Audit and request for a Type II Service Auditor’s Report beforehand. 5. The malware proceeds to lock the screen and puts up on the screen Counter Measures a ransom note with instructions on how to pay the ransom, including a 1. Implement security awareness deadline countdown timer. training for the entire organisation. 6. The victim sends a unique, 2. Implement patching policies and asymmetric ciphertext (generated supporting infrastructure to test by the malware) and proof of and deploy patches within your payment to the attacker. organisation. 7. The attacker receives payment 3. Employ Anti-virus/Anti-malware and proceeds to decrypt the solutions that carry out heuristic asymmetric ciphertext using their analysis and rootkit detection private key. to tackle evasion techniques such as the use of oligomorphic, 8. The attacker sends a unique polymorphic, and metamorphic symmetric key to the victim that will engines be used to decrypt the encrypted

Demystifying Africa’s Cyber Security Poverty Line Tanzania

Cyber Security Industry Players Perspectives 67 Report

History of Ransomware 4. Actively monitor privileged 1989 – AIDS Trojan: Distributed via 20,000 infected diskettes. account usage on your

network to identify outliers 2006 – Archievus: Use of RSA encryption to encrypt files. and anomalous activity on your network. 2011 – Unnamed Trojan: mainstream anonymous payment services.

5. Implement strict access 2012 – Reveton: the rise of “police-based” ransomware . controls on sensitive resources in your network. 2013 – Cryptolocker: uses e-mail as primary attack vector. 2013 – Locker: Extorted $150 ransom, payable via Perfect Money or QIWI Visa Virtual Card number. 6. Implement e-mail filters to 2013 – CryptorBit: corrupts the first 1,024 bytes of data on any file. Leverages Tor and Bitcoin for anonymity and payment. block spam, phishing and spoofed e-mails. Employ 2014 – CBT-Locker (Curve-Tor-Bitcoin Locker): communicates with C2 server directly via Tor. technologies such as SPF, 2014 – SynoLocker: Attacked Synology NAS devices by encrypting files individually. DKIM and DMARC collectively 2014 – Simplocker: first mobile ransomware that actually encrypted files (images, documents, and video) using AES encryption. to complement existing e-mail 2014 – Cryptodefense: Uses Tor and Bitcoin for anonymity. Uses Windows built-in encryption CryptoAPIs using 2048-bit RSA security controls. encryption. 2014 – CryptoWall: Exploited Java vulnerability. Also delivered via exploit kits such as Angler. 7. Stay informed 2014 – Cryptoblocked: only encrypts files less than 100MB. Skips Windows or Program Files folders on C: drive and uses AES encryption. 8. Ensure your organisation has 2014 – OphionLocker: Uses ECC (Elliptical Curve Cryptography) encryption. a business continuity plan and 2014 – Sypeng: One of the first Android-based ransomware delivered via fake Adobe Flash updates in SMS messages. an IT disaster recovery plan. 2014 – Koler: Considered the first “Lockerworm” as it contained self-propagating techniques within the code.

9. Implement Application 2015 – Pclock: Encrypts files within a user’s profile. Deletes and disables volume shadow copies. Whitelisting 2015 – TeslaCrypt: CryptoWall variant that targets popular video game files 2015 – LowLevel04: Spreads via brute force attacks on hosts with Remote Desktop or Terminal Services. Encrypts files using 10. Implement a SIEM or open- AES encryption; encrypts key using RSA encryption source solution with similar 2015 – Chimera: the hackers threaten to publish the victim’s encrypted files on the internet if the victim does not pay. reporting capability (e.g. OSSEC) 2016 – Ransom32: First ransomware written in JavaScript for cross-platform capability on Linux, Mac OSX, and Windows. 2016 – 7ev3n: Payment demand was one of the highest (13 Bitcoin) and was specifically developed with capabilities to ensure 11. If a host on your network has there was no possible way of recovering encrypted files. been infected, immediately 2016 – L0cky: Aggressively spread via spear phishing campaigns and leveraging the Dridex infrastructure. disconnect it from the network 2016 – SamSam/SAMAS: The threat actors specifically distributed it to vulnerable JBoss servers after vulnerability (physically) to prevent further assessment using JexBoss tool. spreading before malware 2016 – KeRanger: First official Mac OSX-based ransomware. Delivered via a Transmission BitTorrent client and signed with a MAC development certificate, effectively bypassing Apple’s GateKeeper security software. removal. 2016 – Petya: Delivered via DropBox and overwrote the MBR (Master Boot Record). Used a fake CHKDSK prompt while 12. In case of ransomware encrypting the drive. infection, do not pay the 2016 – Maktub: Used a Crypter. Performed offline encryption using Windows CryptoAPI. 2016 – Jigsaw: Threatened to delete a file every 60 minutes if the $150 ransom was not paid. ransom. Restore from 2016 – CryptXXX: Spread via multiple exploit kits, primarily Angler. Includes ability to monitor mouse activity, Anti-Sandbox backups. There is no detection, custom C2 communication protocols, and payment through Tor. guarantee you will get your 2016 – Zcryptor: One of the first “CryptoWorms”, primarily spread through spam email. data back. Paying the ransom 2016 – Cerber: Leverages Ransomware-as-a-Service (RaaS) model whereby malware author nets 40% of paid ransom and only achieves to guarantee affiliates keep 60% via Bitcoin and Tor. Uses RC4 and RSA algorithms for encryption. a successful POC (Proof of 2016 – Petya: Infected Master Boot Record (MBR) used by NTFS file systems. Installs a payload that encrypts the file tables the Concept) extortion exercise next time the system is booted, essentially blocking the system from booting into Windows until the ransom is paid. for the threat actor. 2017 – WannaCry: Rapidly spread through the internet by leveraging the EternalBlue exploit. 2017 – NotPetya: It erases the first sectors of a disk, and although it demands a ransom to be paid, victims have little to no chance of recovering their data even if the ransom is paid as the MBR is completely overwritten and not encrypted like Petya does.

Demystifying Africa’s Cyber Security Poverty Line

Tanzania Cyber Security 69 Report

Africa Cyber Security Framework

Cybercrime in the African With the increasing business continent particularly within the requirements of the 21st century Small Medium Enterprises (SMEs) businesses and the inadequate setting is a growing concern. SMEs budget allocated to IT, it has are especially expanding the use become expensive especially for of cloud, mobile devices, smart small and medium sized companies technologies and work force to adopt complex and international mobility techniques. This reliance Cyber security frameworks. As has however unlocked the doors such, Cybercrime prevention is to vulnerabilities and Cybercrime. often neglected within SMEs. This Attackers are now launching has resulted in a situation whereby increasingly sophisticated attacks SMEs are now one of the popular on everything from business targets of Cyber criminals. While critical infrastructure to everyday at the same time, the SMEs lack devices such as mobile phones. a comprehensive framework that Malware threats, Insider threats, will help them determine their risk data breaches resulting from exposure and provide visibility to poor access controls and system their security landscape without misconfigurations are some of the necessarily adding to the strained ways that attackers are now using costs. to deploy coordinated attacks against these organisations.

Solution

In order to assist businesses in Africa particularly SMEs, we developed the Serianu Cyber Security Framework. The Framework serves to help businesses in Africa particularly SMEs to identify and prioritize specific risks and steps that can be taken to address them in a cost effective manner. The baseline controls developed within the framework, when implemented, will help to significantly reduce Cyber related security incidences, enable IT security to proactively monitor activities on their key ICT infrastructure and provide assurance that business operations will resume in the appropriate time in case of an attack or disruption.

Demystifying Africa’s Cyber Security Poverty Line Domains of the Africa Cyber Security Framework security Ri ber sk M Cy a : na 1 g in e a Anticipate Risks - m m e o Assess Risks and Implement n D Controls t

This requires an organisation to know exactly what it needs to protect (the ‘crown jewels’) and rehearse appropriate responses to likely attack/ incident scenarios (including accidents. This provides confidence in an organisation’s its ability to handle more predictable threats and unexpected attacks; i.e., ‘anticipate’ cyber-attacks.

ity Vulne cur rab e il rs it e Detect y b M y Vulnerabilities – a C Track and Correct n : a 2 Vulnerabilities g e n i m

a The average lag time e

before a breach is n

t D detected is between 205 – urity Inci to – 265 days. Early sec de detection of vulnerabilities r nt be M can prevent escalation to y Respond a an incident. C n : to Incidents – a 3 g n e i Identify and Mitigate m a Incidents e

m n

t D Continuous management of risks, remediation and root cause analysis is what enables organisations to effectively manage threats within ity V ecur isibi the network. rs lity be M y a C n : a 4 Contain – g n e i Communicate and m a Enhance Cyber Resilience e m n o t D Detection cannot fully protect an organisation from malicious threat actors. This must be complemented by a resilient response capability. Quick response to cyber threat minimizes the cost of breach. Tanzania Domains of the Cyber Security 71 Africa Cyber Security Report Framework curity erse Risk yb M C an 1: a in g Appendix e a Anticipate Risks - m m e o Assess Risks and Implement n List of Remote Access Tools for Database D Controls t

This requires an organisation to know exactly what it needs to protect (the ‘crown jewels’) and rehearse appropriate responses to likely attack/ incident scenarios Product License Windows Mac OS X Linux Oracle MySQL PostgreSQL MS SQL Server ODBC JDBC SQLite (including accidents. This provides Adminer Apache License or GPL Ye s Ye s Ye s Ye s Ye s Ye s Ye s Ye s confidence in an organisation’s its Advanced Query Tool (AQT) Proprietary Ye s No No Ye s Ye s Ye s Ye s Ye s ability to handle more predictable DaDaBIK Proprietary Ye s Ye s Ye s Ye s Ye s Ye s Ye s No No Ye s threats and unexpected attacks; i.e., ‘anticipate’ cyber-attacks. Database Deployment Manager LGPL Ye s No Ye s Ye s DatabaseSpy Proprietary Ye s No No Ye s Ye s Ye s Ye s Ye s Ye s ity Vulne Database Tour Pro[4] Proprietary Ye s No No Ye s Ye s Ye s Ye s Ye s No Ye s cur rab se ili Database Workbench Proprietary Ye s Ye s Ye s Ye s Ye s r Detect ty e b M DataGrip Proprietary Ye s Ye s Ye s Ye s Ye s Ye s Ye s No Ye s Ye s y Vulnerabilities – a C Track and Correct n DBeaver Apache License Ye s Ye s Ye s Ye s Ye s Ye s Ye s Ye s Ye s Ye s : a 2 Vulnerabilities g DBEdit GPL Ye s Ye s Ye s Ye s Ye s Ye s Ye s No Ye s Ye s e n i m Epictetus Proprietary Ye s Ye s Ye s Ye s Ye s Ye s

a The average lag time e

before a breach is n HeidiSQL GPL Ye s Ye s Ye s Ye s

o t

D detected is between 205 – Jailer Relational Data Browser[5] Apache License Ye s Ye s Ye s Ye s Ye s Ye s Ye s Ye s Ye s Ye s y to – 265 days. Early curit Incid Maatkit GPL Ye s Ye s Ye s Ye s rse en detection of vulnerabilities e t Microsoft SQL Server Management b M can prevent escalation to Proprietary Ye s No No Ye s y Respond a an incident. Studio C n : to Incidents – a ModelRight Proprietary Ye s No No Ye s Ye s Ye s Ye s 3 g n e i Identify and Mitigate Community Ed: GPL m a Incidents MySQL Workbench Ye s Ye s Ye s Ye s e Standard Ed: Commercial m n Proprietary

o t

D Continuous management of Navicat Proprietary Ye s Ye s Ye s Ye s Ye s Ye s Ye s Ye s risks, remediation and root cause analysis is what enables Navicat Data Modeler Proprietary Ye s Ye s Ye s Ye s Ye s Ye s Ye s Ye s Ye s organisations to effectively Oracle Enterprise Manager Proprietary Ye s No Ye s Ye s Ye s Ye s manage threats within ity V ecur isibi Oracle SQL Developer Proprietary Ye s Ye s Ye s Ye s Ye s No Ye s Ye s Ye s the network. rs lity be M Orbada GPL Ye s Ye s Ye s Ye s Ye s Ye s Ye s Ye s Ye s Ye s y a C n : a pgAdmin III PostgreSQL License Ye s Ye s Ye s 4 Contain – g n e pgAdmin4 PostgreSQL License Ye s i Communicate and m a phpLiteAdmin GPL Ye s Ye s Ye s No No No No No No Ye s Enhance Cyber Resilience e m n o phpMyAdmin GPL Ye s Ye s Ye s Ye s t D Detection cannot fully protect SQL Database Studio Proprietary Ye s No No No No No Ye s an organisation from malicious threat actors. This SQLyog GPLv2 Ye s Ye s must be complemented by a SQuirreL SQL GPLv2 & LGPLv2 Ye s Ye s Ye s Ye s Ye s Ye s Ye s Ye s Ye s Ye s resilient response capability. TablePlus Proprietary No Ye s No No Ye s Ye s Ye s No No Ye s Quick response to cyber threat minimizes the cost of Toad Proprietary Ye s No No Ye s Ye s Ye s Ye s breach. Toad Data Modeler Proprietary Ye s No No Ye s Ye s Ye s Ye s TOra GPL Ye s Ye s Ye s Ye s Ye s Ye s

Demystifying Africa’s Cyber Security Poverty Line Tanzania 72 Cyber Security Report

Remote Access tools for Endpoints Software Protocols License Free for Free for personal use commercial use AetherPal Proprietary Proprietary No No

Ammyy Admin Proprietary Proprietary Ye s No

AnyDesk Proprietary Proprietary Ye s No

Anyplace Control Proprietary Proprietary No No

AnywhereTS RDP, ICA Proprietary Ye s Ye s

Apple Remote Desktop RFB (VNC) Proprietary No No

Apple Screen Sharing (iChat) Proprietary, RFB (VNC) Proprietary Ye s Ye s

AppliDis RDP Proprietary No No

BeAnywhere Support Express Proprietary Proprietary No No

Bomgar Proprietary Proprietary No No

Cendio ThinLinc RFB (VNC) Proprietary Yes[a] Yes[a]

Chicken of the VNC RFB (VNC) GPL Ye s Ye s

Chrome Remote Desktop Chromoting BSD Client, Proprietary Ye s Ye s Server CloudBerry Lab (CloudBerry Remote Assistant) Proprietary Proprietary Ye s Ye s

Citrix XenApp/Presentation Server/MetaFrame/ RDP, ICA Proprietary No No WinFrame Fog Creek Copilot RFB (VNC) Proprietary No No

GO-Global Proprietary Proprietary No No

GoToMyPC Proprietary Proprietary No No

HP Remote Graphics Software (RGS) HP RGS Proprietary Yes[b] Yes[b]

HOB HOBLink JWT RDP Proprietary No No

HOB HOB MacGate RDP Proprietary No No

IBM Director Remote Control Proprietary Proprietary No No

I'm InTouch Proprietary Proprietary No No

iTALC RFB (VNC) GPL Ye s Ye s

KDE RFB (VNC), RDP GPL Ye s Ye s

LiteManager Proprietary Proprietary Yes[d] Yes[d]

LogMeIn Proprietary Proprietary No No

Mikogo Proprietary Proprietary Ye s No

Netop Remote Control Proprietary Proprietary No No

NetSupport Manager Proprietary Proprietary No No

Netviewer Proprietary Proprietary No No

NoMachine NX Proprietary Ye s Yes[e]

OpenText Exceed onDemand Proprietary Proprietary No No

Open Virtual Desktop RDP GPL Client, Proprietary No No Server

Demystifying Africa’s Cyber Security Poverty Line Tanzania Cyber Security 73 Report

Software Protocols License Free for Free for personal use commercial use Oracle Secure Global Desktop Software/Sun VDI AIP Proprietary No No

Proxy Networks Proprietary Proprietary No No

Pilixo Remote Access Proprietary Proprietary No No

QVD NX and HTTP GPL Ye s Ye s

rdesktop RDP GPL Ye s Ye s

RealVNC Open RFB (VNC) GPL Ye s Ye s

RealVNC RFB (VNC) Proprietary Yes[e] No

Remmina RDP, RFB GPL Ye s Ye s (VNC), SPICE, XDMCP, SSH Remote Desktop Services/Terminal Services RDP Proprietary Ye s Yes[g]

ScreenConnect Proprietary Proprietary No No

Splashtop Remote Proprietary Proprietary Ye s No

SSH with X forwarding X11 BSD Ye s Ye s

Sun Ray/SRSS ALP Proprietary ? ?

Symantec pcAnywhere Proprietary Proprietary No No

TeamViewer Proprietary Proprietary Ye s No

Techinline RDP Proprietary No No

Teradici PCoIP Proprietary No No

Thinc Thinc GPL Ye s Ye s

TigerVNC RFB (VNC) GPL Ye s Ye s

TightVNC RFB (VNC) GPL Ye s Ye s

Timbuktu Proprietary Proprietary ? ?

TurboVNC RFB (VNC) GPL Ye s Ye s

Ulterius RFB (VNC) GPL Ye s Ye s

UltraVNC RFB (VNC) GPL Ye s Ye s

Vinagre RFB (VNC), SPICE, RDP, SSH GPL Ye s Ye s

XDMCP X11 MIT Ye s Ye s

xpra Bencode-based, rencode- GPL Ye s Ye s based, YAML-based, RFB (VNC) for desktop mode X11vnc RFB (VNC) GPL Ye s Ye s

X2Go NX GPL Ye s Ye s

x2vnc RFB (VNC) BSD Ye s Ye s

x2vnc Ulterius (VNC) BSD Ye s Ye s

x2x X11 BSD Ye s Ye s

Software Protocol License Free for personal Free for use commercial use

Demystifying Africa’s Cyber Security Poverty Line Tanzania 74 Cyber Security Report

References

Top Issues https://securityintelligence.com/the-enemy-within-identifying-insider-threats-in-your-organisation/ https://portland-communications.com/pdf/The-Reality-of-Fake-News-in-Tanzania.pdf The Computer and Cybercrimes Bill, 2017 - Tanzania Law http://www.ke-cirt.go.ke

Attacks https://www.standardmedia.co.ke/business/article/2000228978/shame-as-Tanzania-s-internet-regulator- websitehacked https://www.standardmedia.co.ke/business/article/2001249724/how-Tanzanians-were-lured-into-sh2-trillion-public- likesscam

Cyber Intelligence https://www.google.com/search?q=heartbleed+vulnerability&oq=heartbleed+vulnerability&aqs=chrome..69i57j0l5.6115j0j9 &sourceid=chrome&ie=UTF-8 https://www.projecthoneypot.org/list_of_ips.php?t=h

List of Open Source Tools Vulnerability Scanners

1. OpenVAS 4. Nexpose Community Edition OpenVAS isn’t the easiest and quickest scanner to install and use, Nexpose Community Edition can scan networks, operating but it is one of the most feature-rich, broad IT security scanners systems, web applications, databases, and virtual environments. that you can find for free. It scans for thousands of vulnerabilities, The Community Edition, however, limits you to scanning up to 32 supports concurrent scan tasks, and scheduled scans. It also IPs at a time. offers note and false positive management of the scan results. However, it does require Linux at least for the main component. 5. SecureCheq

2. Retina CS Community SecureCheq can perform local scans on Windows desktops and servers, identifying various insecure advanced Windows settings Retina CS Community provides vulnerability scanning and like defined by CIS, ISO or COBIT standards. patching for Microsoft and common third-party applications, such as Adobe and Firefox, for up to 256 IPs free. 6. Qualys FreeScan

3. Microsoft Baseline Security Analyzer (MBSA) Qualys FreeScan provides up to 10 free scans of URLs or IPs of Internet facing or local servers or machines. Microsoft Baseline Security Analyzer (MBSA) can perform local or remote scans on Windows desktops and servers, identifying any missing service packs, security patches, and common security misconfigurations.

Demystifying Africa’s Cyber Security Poverty Line Hands on Cyber Security Training for Professionals

Cyber Immersion is Serianu’s premier training program that aims to arm private and public organisations with the necessary know-how to counter cyber threats in a holistic manner, helping them mitigate the risks and costs associated with cyber disruptions. [email protected] | www.serianu.com

CYBER SECURITY REPORT 2016

Achieving Cyber Security Resilience: Enhancing Visibility and Increasing Awareness

port