Sanjay Bavisi is the co-founder and president of the EC-Council, a United States (US) based international certification body on security and e-business. In this interview, he tells Ben Uzor Jr about the latest trends in cyber security and what steps the council is taking in this regard.
EC-Council
The International Council of Electronic Commerce Consultants (EC-Council) is a member-supported professional organisation. The purpose of EC-Council is to support and enhance the role of individuals and organisations that design, create, manage or market security and e-business solutions. We support our members by providing Electronic Commerce Consultant Certification as well as educational, technical, placement, member advantage, and discounted services. We enhance our membership by providing a community where discussion and information exchange can operate freely in the context of mutual trust and benefit.
We are in partnership with New Horizons, a Nigerian Information Technology (IT) education and training centre, and their job is primarily to provide knowledge. The main issue today and our greatest concern is that there are engineers coming out here in Nigeria that we refer to as ‘vendor certified’ engineers. Take for instance, if I am using a Microsoft product, will Microsoft tell an individual that their products have shortcomings? No, they will not say that. This year in April, Steve Ballmer, chief executive officer, Microsoft Incorporated, came out and openly admitted that Microsoft Vista is an unfinished product. Can you believe it, Microsoft releasing an unfinished product? So when Microsoft gives you an MCSE (Microsoft Certified Systems Engineer) certification they cannot tell you that there are lots of problems in it because they have to sell products. They only teach you how to use these products. The problem is that hackers don’t follow that way; they look for other viable means. Who are the first people to buy anti-virus products? They are the hackers themselves. They buy it so they can reverse engineer and come up with new solutions. So therefore, what we do with New Horizons is very important. New Horizons serves to educate and train people, but where do they get the content and expertise from? They get it from people like us. We research the content, we have 300 subject matter experts, and these are the guys that operate underground as well as aboveground. These are the guys that work in Eastern Europe, China, and America. They come up with what we call ‘exploits’ and they sell these ‘zero day codes’ in the open market. There is an auction that says if you want to exploit a hole in an SAP system, who wants to bid for the software. What we do is, we buy the software, we understand the gaps, we create the solutions and we give it to New Horizons and we say teach it.
The whole purpose of EC-Council is to reduce the gap, but the problem is you have to recognise that there is a gap before you can reduce it. A lot of people feel that just because there is no hacking incident reported in an organisation, therefore hacking did not occur. Actually, the worst hacks are those residing in your computers, networks and organisation right now that have not been found out. In this regard, the high level of reported incidents of hacking is not as a result of EC-Council failing or the whole information security community failing; rather, it is because of how proactive we are that you are getting to find these crimes out. So just because hacks are not reported in your company, it does not mean you are secure, because there is something called a ‘backdoor’. Hackers reside here on your network and steal your information live and your organisation thinks it’s secure. So, the key indicators you see now, the increasing number of certified personnel, articles on cyber crime, the number of conferences, they all point to one thing: the whole world is becoming aware of these threats. The attention is a sign of the success that we are bringing this matter mainstream and we are doing something about it.
Mobile hacking is an issue that is beginning to assume a complex dimension. Look at some companies, for instance, that have got IT policies they call ‘no in no out policy’. This means that it is a tight and compact policy; you cannot bring in or take out any equipment. You will observe that mobile phones and iPods are allowed in. Mobile phones have Bluetooth while iPods have USB connectivity. This has serious implications because every single mobile phone is actually a small computer hard disk and you can bring in Trojans and hacking tools into an organisation. To live in a world where you think a mobile phone is harmless or an iPod is harmless is tantamount to getting hacked in the long term. Nigerian institutions probably need to understand that just allowing an individual to bring a mobile phone into your organisation can be a big risk. They could steal your corporate data as well as install malicious software.
To a hacker, vulnerabilities on a network are hidden, high-valued assets. When exposed, these vulnerabilities can be targeted for exploitation, which may result in unauthorised entry into a network, can expose confidential information, provide fuel for stolen identities, trigger theft of business secrets, violate privacy provisions of laws and regulations, or paralyse business operations. Hackers are constantly scanning IP (Internet Protocol) addresses, looking for vulnerabilities that can be exploited. The Code Red Virus, which was distributed in late 2001, infected over 250,000 web servers in the first nine hours and caused over $2.6 billion in damages. The patch to protect servers from this worm was released six weeks prior to the start of its spread. Also, firewalls, antivirus software, intrusion detection systems (IDS) and other security products can give IT administrators a false sense of security, of believing they are shielded from intrusion. Web-based attacks that target web and database servers can bypass firewalls and virus scanners, using techniques such as SQL injection and buffer overflow opportunities. A tool hackers use quite frequently is the virus re-construction kit. It is basically software, to put it in layman’s terms, and what it does is it has a bank of viruses and worms and it allows the user, basically with a click of a button, to split regularly known viruses and take their payload and different signature to form a new virus. This virus formed will have characteristics of different viruses; it will have different payloads to do different things.
Enterprise vulnerability management
Every organisation needs to perform timely identification and remediation of network vulnerabilities to prevent hackers and disgruntled insiders from exploiting these network weaknesses.
In the past, vulnerability assessment was performed manually for auditing purposes. This process would take from one to several weeks and the reports produced were out of date by the time they were delivered, while vulnerability management has evolved from simply running a scanner on an application, computer or network to detect common weaknesses. It is rather defined as the process of identifying vulnerabilities, evaluating risks, remediation and reporting. In simpler terms, it is the deregulated, continuous use of specialised security tools and workflow that actively help to eliminate exploitable risk. The process is continuous and creates a closed feedback loop for ongoing network threat management.
I think electronic Jihad is not just for Nigeria. I think it is a global issue and the challenge that a nation would face if it is attacked is serious economic recession. The electronic Jihad could bring a lot of mayhem. At some point in time there could be some kind of conflict between nations. Take for instance, in 2007, the case of Estonia, one of the most internet-savvy states in the European Union (EU). The country faced severe attacks from hackers and this was linked to the Russian riots sparked in late April by the removal of a Soviet war memorial from Tallinn city centre. The websites of the tiny Baltic state’s government, political parties, media and business community had to shut down temporarily after being hit by denial-of-service attacks, which swamp them with external requests. Every nation faces some kind of conflict and when you are faced with such conflicts it is not always the army, navy or air force that will be able to attack or defend you. Cyber warfare can be a very salient and dangerous method of bringing a government and economy down. I think that is one area the Nigerian government needs to be cautious about. Electronic Jihad is just one of the examples; it is not necessarily that you would be susceptible to it. There are groups out there that hack for a purpose; they do this because they want to put forth an agenda. So these are the issues the country needs to be concerned about.
War on cybercrime
The global government institutions are really trying their best to combat cyber crime. EC-Council is hosting an Asia-Pacific round table in Kuala Lumpur in November. We have confirmed participation from various departments of defence, the Ministry of Defence in Singapore, we have the Strike force in Malaysia, and we also have participation from Hong Kong. So, there are a lot of regional-based institutions coming forward to try to combat the scourge and come up with a global solution and answer. In addition, if you look at various governments, the US government for instance, our accreditation by the National Security Agency (NSA), our work with the Department of Defence. These are the kinds of solutions we are trying to bring forward to the Nigerian government. I think the global solution will have to begin in the area of human capital. This is because without human capital, proper methodology and training we are not going to win this war on cybercrime. So regardless of whatever technologies a country acquires, regardless of how many billions of dollars are invested in security equipment, Nigeria should not be subjected to ‘Equipment Based Security Syndrome (EBSS)’.
The whole idea of Equipment Based Security Syndrome (EBSS) is all about equating the level of investments made to the level of security acquired. For example, whenever you have conversations with chief security officers (CSO) and the conversation goes along the lines of ‘my organisation is secure because we spend $50 million a year on IT security’, that’s a vivid sign of EBSS. There are a lot of people that come up with security matrix; they try to actually calculate the risk of return on investment. I personally find that difficult to calculate. In fact, I am totally against that, because how do you calculate a risk factor or put a number to the level of something you are not sure is there? Hacking is not necessarily a ‘blue screen’; hacking can occur when everything is functioning perfectly.