A Security Mirage Believed by Many Big Tech Companies in Africa
Written by: Marcus W. Johnson
We currently live in the age of the fourth industrial revolution, an age of cutting-edge technology, where dumb devices fitted with super micro-sensors powered by novel AIs bringing alive almost any electronic device that previously was impossible to access the internet. We also see the automobile industry investing hugely in machine learning models algorithm to leverage the unharnessed potential this technology brings to the table; the ability of a computer system to learn without being programmed is yet another rare innovation milestone by mankind. When we move into the Operational Technology ICS/OT sector; a category of computing and communication systems to manage, monitor and control the safety of industrial operations with focus on the physical devices, processes and critical assets that use them. Traditionally, the Industrial Control System or Operational Technology (ICS/OT) industry where never designed from scratch with inter-connectivity and security in mind, but now this sector, has experienced a major technological makeover, being able to connect to the global internet and administered remotely, managing every single process pipeline from a central location across our vast digital space with just clicks that creates administrative ease, but this also introduces new threat vectors and vulnerability to the sector. The ICS/OT industry for example; transportation, oil & gas, mining, the utility industry (water, electricity) have all come alive to power our economy and relief to our modern way of life.
In recent times, I have also witnessed the fast adaptation of Application Programming Interface (API) technology by giant software companies and the developer communities. Because modern applications are complex and have a complex data structure, this technology has given developers limitless power to enable seamlessly integration with a variety of different applications and platforms. It allows the developer community to harness and leverage the power of rich data sources using this tool.
We also have a deep appreciation of what virtualization and cloud computing technologies have blessed us with, which typically comprise the backbone of modern data centres; this has reduced largely the cost of vendor-locked-in hardware or the hardware-centric mind-sets which have been inherently used in the technology space since the inception of technological advancements. Most corporate data centres were clogged with servers running at a fraction of their true capacity; with virtualization, opportunities are provided to enterprises to be able to consolidate, reduce and optimize process usage and other unused system resources. Power consumption which was a major bottleneck and cost factor for many large corporations and enterprises have now been minimised to the barest minimum by the power of virtualization and cloud technologies. large server farms which were primarily built off pre-stacked hardware server racks have also now been reduced to just a few stacked servers pioneered and powered by innovative Type 1 or Bare-metal virtualization technologies such as VMware Esxi, Citrix Hypervisor, Microsoft Hypervisor, Linux KVM, Red Hat KVM (RHV) and many others that have created limitless possibilities which allows for the decoupling from hardware to leveraging and distributing computing resources so that multiple operating system environments can provide optimum and efficient management process.
This kind of flexibility in my mind has addressed most of the major bottlenecks that the industry faced at the time;
- Manageability: Virtualization increases the effectiveness of data centre administrators by streamlining the management process.
- Scalability: By design, this enables the testing of new applications without the need of dedicating an entire hardware as was done traditionally but spine up a VM instance or a Docker container effortlessly.
I could go on and on recounting technologies that have revolutionized our very human existence but I intend to keep this article as brief as possible though it’s tempting to want to include other rare technologies but that would be detouring from the main goal of writing.
Reading through, you will realise that the advancement of these powerful technologies that have been mentioned above, have contributed to making our brief human lives much more easier and better than it used to be in the 60s. But you will agree also with me that with every new technological advancement there emerges also new threat surfaces and vectors. The perforated attack surface has also expanded over the last decade introducing new technological innovations in areas like the E-Sport Platforms, OT/ICS environments, Weaponization of AI, Drone Technology, IoT, Remote workspace, Satellite Communication Centres, Cryptominers, Crypto Wallets have all contributed to the complex threat landscape.
Come with me on this threat exposure journey as I try to demystify the falsehood and misconception of the idea of Absolute Security as believed by most of the big tech corporations in Africa. First of all the concept of absolute security is elusive and only exist as a mirage, if it were ever to be believed in the first place. These companies making such unfounded technological claims do not manufacture their own custom security solutions neither have they any control over the software packages that run on them, yet these solutions are deployed and used at every fibre of their infrastructure with the assumption that these products are flawless, without taking into account that every software designed and developed by a human factor has some form of vulnerability or bugs. I must reiterate this with the highest emphasis possible that absolutely no software is designed flawless or bugless if I must, and therefore I encourage decision makers and C-Level executives of these big corporations to begin to pay close attention to cyber security news outlets and threat intelligence sources to align adversary behaviour with MITRE ATT&CK Tactics, Techniques and Procedures (TTPs) that is specific to their organizations. They should also begin to invest heavily in ATT&CK expertise that build on adversary emulations, deploy them against the defenses they’ve put in place, and then use that information to efficiently optimize their security programs.
There is this question that most Tech Organizations in Africa that cling to the idea of Absolute Security have not been able to clearly answer and that is “what makes them so sure or how do they verify that their security controls that they so much trust is working as expected or intended?” Only relying on a vendor’s security product Manuel claims to determine how safe you are is a disservice to you as a company and your entire supply chain ecosystem. What has been a norm in the past is no longer feasible in today’s world with mass production of proliferated security technology solutions on the market, you are no longer safe to assume or to take vendors words as law-and-gospel. It’s too high a risk to just assume that just because a security vendor product says it can perform a certain function very well means it’s true. Most of these vendors deploy what I call, aggressive marketing strategies in selling their products. If extra steps are not taken to validate and verify vendor claims using trusted reports from independent testing sources like NSS Labs, Gartner Magic Quadrant to audit security controls, find protection failures and capability gaps, strengthen security posture and improve incident response capabilities using the new security technology; Breach and Attack-Simulation (BAS) platforms to perform important cybersecurity functions that discover faults in cyberdefense programs, breach will occur and may go unnoticed for a long period. There may also be a catastrophic loss of data or disruption in critical business operations if continuous control assessment-readiness is not made a culture that validates enterprise security systems are performing as originally intended, guaranteeing a return on investment.
Automated testing should be made a critical security culture in organizations in ensuring security effectiveness, that will ultimately reduce ambiguity in determining compliance requirements by using MITRE ATT&CK to map regulatory and compliance controls, conducting tests on an ongoing and continuous basis, mapping data from those tests to your compliance framework and focused security pipelines on what matters most. Once you understand that as a company with diverse asset portfolio, you will realize that you have some default level of threat exposure at scale. Therefore having real performance data from across your enterprise from both your internal and external security teams will help you make informed security decisions to invest not just in tested security technologies but also in human defense awareness training which will improve your overall effectiveness. Data generated from MITRE ATT&CK alongside an emulation platform will help you determine the state of your assets and how to drive greater Return on Investment (ROI).
It is also often believed that Security is a race between effective technologies and clever attack methodologies which is necessarily not the case. There has been an overlooked layer that can radically reduce an organization’s Vulnerability and threat exposure level which is: Security Awareness Training and Frequent Simulated Social Engineering Testing; phishing remains the #1 threat action used in most successful breaches linked to social engineering and malware attacks. Cyber criminals can successfully evade an organization’s so-called sophisticated security controls by using clever phishing or social engineering tactics that often rely on employee naivete. Emails, phone calls and other outreach methods, designed to persuade staff or end users to take steps that provide criminals with access to company data and funds. Humans are an indispensable component in every business and yet they are the most overlooked defense control and the weakest link in the security structure of many organizations. If much resources are not apportioned in this area to train our human workforce to be more aware of social engineering tricks, all the most advanced security technology and tools in a company’s arsenal will not be able to protect and defend them against breach and ransomware attacks.
We need to look at security differently now, threat actors are becoming more and more adept at what they do, we as defenders also need to evolve form reactive, point-in-time assessments to automated assessments that validate security controls at scale, getting a clear view into how security controls are functioning and how effective they are in production, you will then begin to experience and achieve a resilient cyber hygiene in your organization. But if these big corporations continue to exist in their narrow state of self-denial, hiding behind some so-called partnerships with big western tech names as their security fortress; when these very so-called big names they believe in are themselves being breached on daily basis. Believing absolute security exist in this era of extreme novel-malicious innovation is attempting to walk on water as the disciple tried to do same because he was with Jesus. Having partnerships with western tech giants is not absolute and therefore does not necessarily equate you to being breach-proof because they too get breached also, so it’s important to take charge of your own internal security by empowering your internal and local security teams through effective cyberdefense training programs that will upgrade their skillset to defend against potential future threats that could cause severe consequential and functional degradation if the organization falls victim to cyber-attack. It’s only a matter of time before you too get breached and have hackers sitting stealth in your system and exfiltrating critical and sensitive data from your organization to be sold on the Darkweb or end up being a victim of Ransomware. Having your organization’s critical data fallen into the wrong hands can be disastrous and disadvantageous to you, giving your competitors business edge over you. Without continuous testing this may go unnoticed for many years. The question then is, are you prepared and ready for the next attack?
In order to support these claims that absolutely no company is breach-proof in today’s world of extreme malicious sophistication, we shall examine a few cases and I shall be pulling my data form verified and recognized industry sources, I shall also premise my analytics on the Cyber Security and Infrastructure Security Agency (CISA) reports, highlighting ongoing malicious cyber activity across big, sophisticated Utility companies, that supposedly should have all the best financial and human resource power to deploy some of the best in-class-grade security technology products. I shall also touch on the critical infrastructure industry being also a major target by both known and unknown threat actors and groups. I shall reference from time to time the Red Canary 2021 Threat Dection Report, Knowbe4 phishing report 2020, th4ts3cur1ty, Fortinet Global Threat Landscape report and other recognised cyber news outlet and threat intelligence sources from around the globe.
Let us look at supply chain attacks and you will understand why this one of the easiest way threat actors gain foothold on many of the big organisations. It is practically impossible for any particular company to be breached-proof. Supply chain attacks makes this very clear to us. Supply Chain attacks were up by 78% in 2019. (Symantec) and are now thought to make up 65% of cyber-attacks! This will change over time and so will the attacks, the vectors, the preventions and the reactions. Supply chain attacks are so impactful because of the level of trust between the different parties. It isn’t feasible to expect any one company to reinvent the wheel and provide everything in house. We procure services from other particular companies and outsource certain jobs, services or task that are out of the scope of our professional and expert pool because of the lack of specialism in-house i.e. online food delivery and purchases, the list can go on and on endlessly.
What is this supply chain attack?
Almost all businesses use third-party software and services in-house in order to operate. Those software and services then become a part of the supply chain of that business. A supply chain attack seeks to damage a business by targeting less-secure elements (suppliers) within the supply chain. In other words they go for the very low hanging fruits, they don’t bug themselves or have direct confrontations with the big companies or organizations that have significant resources (money, employees, technical defences) enabling them to defend against attacks particularly well. However there is another option, a threat actor could prey on the less protected, smaller, less secure supplier and less technologically sophisticated organization to gain foothold into the trusted supply chain ecosystem end-goal target. If a bad actor can compromise a service that is a part of a critical business function supply chain (software, applications, services), that can advance his attack on a wider scale and incorporate the entire consumer base of that application, which makes his end-goal target vulnerable and exploitable. Attackers typically target software developers, suppliers of software, service providers etc.; compromising any one of these components in the supply chain becomes potentially dangerous for compromising any end consumer of that service.
Let’s look at another interesting method through which a threat actor can circumvent any modern so-called sophisticated security technology known as Social Engineering using specific TTPs such as Spearfishing [T1566].
Spearphishing is one of the most prevalent techniques used for initial access to IT networks. Personnel and their potential lack of cyber awareness are a vulnerability within an organization. Personnel may open malicious attachments or links to execute malicious payloads contained in emails from threat actors that have successfully bypassed email filtering controls. When organizations integrate IT with OT systems, attackers can gain access—either purposefully or inadvertently—to OT assets after the IT network has been compromised through Spearphishing and other techniques. Exploitation of internet-connected services and applications that enable remote access to Water and Wastewater Systems (WWS) [T1210] and other enterprise networks.
Some popular examples of Hacks that were as a result of supply chain attacks or employee being social engineered:
- SolarWinds is a large IT and software provider, hackers broke into ‘Orion’, a SolarWinds system, added malicious code and waited for SolarWinds to send out updates to their customers, which they ultimately did, infecting a broad base of their own customers who installed or updated the software on their systems. The code created a backdoor to customers’ IT systems, which hackers then used to launch further malicious activity. Solarwinds are thought to be used by over 30 thousand businesses, needless to say, this is a brilliant example of how and why software suppliers, in particular, are targeted. Thankfully this attack opened some much-needed dialogue about software suppliers and supply chain security.
- Target provides us with one of the best examples of supply chain attack dangers. Attackers compromised ‘Fazio Mechanical Services, a supplier of HVAC services (heating, ventilation and air conditioning) to target stores, due to a lack of network segregation in the stores those same attackers were able to access point of sale devices (POS) which enabled them to infect those devices with malware that stole shoppers payment card data from the memory of the devices. This attack resulted in 40million payment card details of target customers being stolen.
Microsoft confirms they were hacked by Lapsus$
- Microsoft has confirmed that one of their employees was compromised by the Lapsus$ hacking group, allowing the threat actors to access and steal portions of their source code. The Lapsus$ gang released 37GB of source code stolen from Microsoft’s Azure DevOps server. The source code is for various internal Microsoft projects, including for Bing, Cortana, and Bing Maps. In new blog post published, Microsoft has confirmed that one of their employee’s accounts was compromised by Lapsus$, providing limited access to source code repositories. “No customer code or data was involved in the observed activities. Investigation has found a single account had been compromised, granting limited access. Microsoft Cybersecurity response teams quickly engaged to remediate the compromised account and prevent further activity,” explained Microsoft in an advisory about the Lapsus$ threat actors.
This is just one of the many big tech name with all of its highly technical and financial sophistication, yet gets hacked by a nefarious threat group known as Lapsus$— who else can’t get hacked?
A major telecom company in Africa that partners with AT&T and Verizon has been hacked:
Another classical example of a major breach that hit a tech giant in Africa known as Syniverse in May, 2016 which was not discovered until May, 2021. This is not only a South African brand but also a telecommunication giant that also partners with western tech companies such as AT&T, Verizon and T-Mobile, reasonably one would think that the partnership would have automatically translated into an overall cyberdefense program that would act as a security control validation for them, unfortunately these partnerships were not able to prevent Syniverse from being hacked! The company said the breach compromised login information for 235 of its clients and that the company contacted its clients who had been affected and had notified law enforcement. In previous press releases, Syniverse has described itself as a company that “fuels mobile communications for nearly every person and device in the world. “I say this to mean that the mare fact that you have a partnership with a foreign tech giant doesn’t necessarily put you behind a security fortress, you are under the duty of taking charge of your local security strategy deployment portfolios
MTN Uganda’s mobile money fraud hack:
A major hack that compromised Uganda’s mobile money network has plunged the country’s telecoms and banking sectors into crisis. The Oct. 3 hack was a result of a security breach on a consumer finance aggregator, Pegasus Technologies, which mainly affected bank to mobile wallet transfers, according to an Oct. 8 statement by MTN Uganda, the country’s largest mobile phone company. Kampala-based Pegasus Technologies provides financial and billing solutions for various companies including all the affected entities. At least $3.2 million is estimated to have been stolen in this latest incident with some reports quoting a much higher figure. The hackers used around 2,000 mobile SIM cards to gain access to the mobile money payment system. According to MTN Uganda, only transactions via Stanbic Bank Uganda, MTN to Airtel and Sendwave, a cross-border payments service operating in six African countries including Kenya, Uganda, Tanzania, Ghana, Nigeria, Senegal, and Liberia are affected.
In conclusion to my assertion that the concept of absolute security is only a mirage and does not hold water can be vividly seen based on the few extensive research examples thrown at you with link references for your review. If not for the fact that I do not wish to bore you with lengthy and verbose text that would alter your taste for reading, I could go on and on providing you with an endless list of well-known tech giant companies that we thought were breach-proof, yet got hacked and some even never recovered, and went into bankruptcy. Its high time tech companies especially those in Africa move away from their technological pride, sitting on their high horses believing that they are protected and well covered in all aspect of technological advancement and begin to reinvest and repositioning themselves to allocating resources for employee cybercrime awareness training, as they are the weakest links that can be exploited to circumvent any modern and advanced security technology or tools any one company can have in their asset arsenal. Employee training should now be a priority and security looked at as a global digital epidemic and seen as oxygen and life-blood for their business survival.
Before I sign out please allow me leave you with these few risk-snacks to munch on;
U.S. utilities are in the crosshairs. The May 2021 Colonial Pipeline attack shut down the company’s gas pipelines, which transport 2.5 million barrels to the Eastern Seaboard daily. The attack received a great deal of attention because of its impact on fuel delivery to a large swath of the U.S. But it’s the tip of the iceberg. Verizon’s 2021 Data Breach Investigations Report counts 545 other cybersecurity incidents in 2021 throughout the mining, quarrying, oil and gas extraction, and utilities industries — 44 percent of which were ransomware attacks.
Healthcare is under persistent attack. The Verizon report cites 655 cybersecurity incidents targeting healthcare companies, adding: “Financially motivated organized criminal groups continue to target [the healthcare] sector, with the deployment of ransomware being a favoured tactic.” A May 2021 Sophos study found that 34 percent of healthcare organizations had been hit by ransomware in the past year, and another 41 percent expected to be hit in the future.
Industrial Cybersecurity ICS/OT Hacks:
In August 2021, malicious cyber actors used Ghost variant ransomware against a California-based WWS facility. The ransomware variant had been in the system for about a month and was discovered when three supervisory control and data acquisition (SCADA) servers displayed a ransomware message.
In July 2021, cyber actors used remote access to introduce ZuCaNo ransomware onto a Maine-based WWS facility’s wastewater SCADA computer. The treatment system was run manually until the SCADA computer was restored using local control and more frequent operator rounds.
In March 2021, cyber actors used an unknown ransomware variant against a Nevada-based WWS facility. The ransomware affected the victim’s SCADA system and backup systems. The SCADA system provides visibility and monitoring but is not a full industrial control system (ICS).
In September 2020, personnel at a New Jersey-based WWS facility discovered potential Makop ransomware had compromised files within their system.
In March 2019, a former employee at Kansas-based WWS facility unsuccessfully attempted to threaten drinking water safety by using his user credentials, which had not been revoked at the time of his resignation, to remotely access a facility computer.
My recommendation to you as a company that need to stay in business and maintain your brand reputation and avoid huge fines, you should invest in the following;
- Having an effective roadmap and policy for regular employee or human resource cybercrime awareness training as part of their cyberdefense programme strategy.
- Assuming breach of the infrastructure and planning for the highest risk known threats using the MITRE ATT&CK® framework in combination with breach and attack simulation.
- Reviewing, rationalizing, and investing in security controls to defend data and applications, and to optimize processes.
- Validating the effectiveness of cyberdefenses by testing them continuously against real- world threats using an automated platform versus manual testing that is infrequent and expensive.
Finally, it has always been a good advice to watch before you leap, that is to say, you can now have your security solutions tested for you by an independent testing entity to validate if claims made by vendors are indeed true before making purchase. You no longer have to assume that your latest security technology solutions in your arsenal are really doing as designed originally out of the box. Security controls fail everywhere and all-the-time and they do so constantly and silently, it is risky to just believe that these configurations and pipeline control settings can’t go wrong. In most cases when controls fail, either through misconfiguration or operational execution, it can go unnoticed for a very long time. These security solutions must be validated against vendor claims, capabilities and existing threats in conjunction with MITRE ATT&CK cyber security framework and whether they can stand up to certain specific threat actors or threat groups Tactics, Techniques and Procedures (TTPs) to make sure these controls are working and performing as intended. MITRE ATT&CK can be instrumental in evolving your security strategy to one of threat-informed defense—your best option in beating adversaries at their own game.
Last but not least, people are a critical layer within the fabric of our security programs, therefore your employees are your last line of defense, 91% of successful data breaches started with a Spearphishing attack, Losses to CEO Fraud (aka Business Email Compromise) increased by 48% Q2 2020, W-2 Scams social engineer Accounting/HR to send tax forms to bad guys, Ransomware damage costs predicted to reach $20 billion by end of 2022, this is to say all of your latest and most advanced technology solution can’t and won’t save you if your employees as your last line of defense are not given proper and comprehensive cybercrime awareness training that would expose them to the dangers of the internet and erase their false sense of security and believe that their anti-virus has them covered, 7 – 10% of all malicious link make it past these solution filters. If you ever thought you were a hundred percent safe and covered across your entire technological infrastructure then you need to think again because the bad guys are also working overtime and have found new and different ways circumvent your latest security controls.